CyTRAP Labs, Roentgenstrasse 49, 8005 Zurich, Switzerland --- +41 (0)44 272-1876
providing tools and services helping clients in achieving better information security and risk management for fostering greater profitability
home of Urs+Nahum's Security Checklist - ISBN 978-0-9783768-0-2
ReguStand from CyTRAP Labs
is a registered online serial publication
ISSN 1600-2423
stay vigilant - do the right things for the right reasons
Compiled, published, edited and written every two weeks by Urs E. Gattiker
October 12, 2007 Vol. 1 No. 14
Table of Contents:
- 1. Regulation that matters: What is the difference between a standard, policy, guideline and a procedure?
- 2. 3 Banking bail-out - moral hazard or should we have thrown Northern Rock to the wolves?
- 3. 4 protecting the ecosystem - Microsoft ends support for Windows XP ...
- 4. waste electrical and electronic equipment (WEEE) - resell, upgrade, recycle
1. Regulation that matters: What is the difference between a standard, policy, guideline and a procedure?
Earlier we brought you:
- Why Microsoft's Office Open XML is not an open standard
- Trend - France's public administration beginning to embrace Open Source Software and the Open Document Format

Regulation matters in the IT security business, and every organization is expected to put up an IT security policy. But things can be confusing, so we thought we would outline and link to some explanations of the terms you come across.
Policy
A policy is usually made up of a set of rules (see below). A policy may also stipulate that legal compliance and adherence to certain standards (e.g., ethical ones and ISO standards) is implied and must be demonstrated in all activities undertaken on behalf of the enterprise, which of course include IT security efforts and risk management.

Standards
- industry standards - try to improve compatibility of technology and facilitate globalisation,
- international standards - are a result of ever increasing globalisation, which requires that countries work together in harmonising legislation to make conducting business across borders a bit easier.

Often a firm's policy may refer to some standards. The philosophy or idea behind a standard can also differ (you must or you may), such as:
- principles-based standards - usually based on common sense, and
- rules - these govern the acceptable use of computing resources, security practices, and operational procedures in an organization.

Rules may be written as:
- prescriptive rules - these outline what must be followed; in turn, IT security pros must be able to demonstrate that they have followed these rules to achieve legal compliance. The set of rules can also be called the policy, since the latter is made up of a set of rules.
GUIDELINES AND PROCEDURES
Management may also issue guidelines that must be followed, for instance when issuing biometric access cards to building facilities. Guidelines are suggestions for best practice.
Guidelines, in turn, will result in standard security procedures that make it easier for an employee to implement and follow guidelines in his or her daily work.
TREND
Globalisation has resulted in the convergence of standards. However, other things being equal, while Europe may use and prefer principles-based standards, the U.S. tends to prefer prescriptive rules that are much more specific and easier for auditors and others to follow. Hence, prescriptive rules tend to be preferred by corporate lawyers.
This difference is also illustrated by ISO 17799, which is principle-based and sometimes rather open to interpretation. Cobit also strives to be principle-based; however, sometimes its specificity borders on becoming an explicit and extensive set of rules that one must follow, see also:
- How do ISO 17799 and Cobit complement each other?
WHAT IT MEANS FOR IT PROS
For an IT pro the choice of standards, guidelines and much more can be confusing. However, ultimately it all depends on the corporate policy and on reaching legal compliance to avoid liability issues that could result in a big financial fall-out.
2. 3 Banking bail-out - moral hazard or should we have thrown Northern Rock to the wolves?
Previously we brought:
- 2 Banking bail-out - Northern Rock - A salutary tale of how confidence, once lost, is hard to restore

The bail-out of Northern Rock by the Bank of England, which extended a large credit line to the bank, and the UK Treasury, which guaranteed its deposits, has halted a run and restored a measure of confidence.
By going to the Bank of England for support, Northern Rock shareholders and managers are paying a hefty price.
2007-09-25 Northern Rock decided to scrap its controversial dividend as the beleaguered mortgage lender revealed that it was in early-stage takeover talks with several unnamed parties. The firm came under intense pressure from regulators and MPs to drop the £59m pay-out, which it had announced before it was rocked by the financial crisis. Its share price has also been dropping, as the graph below shows.
Figure: Northern Rock - UK: NRK - share price

Many current Northern Rock managers and directors will have to find other employment within the next six months.
In the last posting:
- 2 Banking bail-out - Northern Rock - A salutary tale of how confidence, once lost, is hard to restore

we raised the question whether this was not a classical case of moral hazard.
The term moral hazard originally comes from the area of insurance.
It refers to the prospect that insurance will distort behavior, for example when holders of fire insurance take less
precaution with respect to avoiding fire or when holders of health insurance use more healthcare than they would if
they were not insured.
In financial markets the concept of moral hazard is invoked to oppose policies that reduce the losses of financial
institutions that have made bad decisions. In particular, some people use it to caution against creating an environment
where risks are simply taken because of the expectation that there will be future 'bail-outs.'
The question is whether regulation can help limit risk taking and moral hazard. Our belief is that some regulation is needed because there are contagion effects (e.g., fires can spread from one building to the next). In the presence of contagion there is reason to expect that an individual or an organization will under-insure or under-protect, because it will not feel obliged to take account of the benefits these efforts will have for others.
What is wrong, however, is when liquidity is added to the market without penalizing those that require access to additional funds due to risky choices that were made in the past on behalf of investors or computer users:
- 1 Banking bail-out - does it reward the overconfident and sow seeds of future crises?

RELATED MATERIAL
Christina Öberg and Johan Holtström (November 2006). Are mergers and acquisitions contagious? Journal of Business Research, Vol. 59, Nr. 12, pp. 1267-1275.
The above case study focuses on mergers and acquisitions (M&As) as a driving force for other M&As. It uses a Swedish data sample. The study reveals that dependence and keeping a power balance (amongst suppliers of a firm that did an M&A) are found to be key explanations for parallel M&As, i.e. contagion effects exist: mergers and acquisitions are contagious.
See also:
- 1 empowerment for end-users
3. 4 protecting the ecosystem - Microsoft ends support for Windows XP ...
Previously we reported:
- 1 protecting the ecosystem - Apple secures Europe iPhone revenue deals
- 2 protecting the ecosystem - iPhone free software unlock available
- 3 protecting the ecosystem - Nokia launched music site
| Steve Ballmer's Financial Analyst meeting, July 26, 2007, was interesting, not least for this fact. |
| ...the install base of Windows computers this coming 12 months will reach 1 billion. If you stop and just think about that, parse that for a second, by the end of our fiscal year '08, there will be more PCs running Windows in the world than there are automobiles, which is at least to me kind of a mind-numbing concept. |
| By July 2009 there will still be about 400 - 600 mio people running Windows XP on their PCs. |
Generally, Microsoft offers a minimum of 10 years' support (5 years Mainstream plus 5 years Extended) for business and developer products. During the Extended Support phase, Microsoft continues to provide security hotfixes and paid support. However, it no longer provides complimentary support options, design change requests, and non-security hotfixes.
| how Microsoft makes sure its ecosystem locks users in |
| date operating system was released | name of operating system | date security support ceased | number of PCs still running with legal copy of this system installed |
| 1999-05-05 | Windows 98 Second Edition | 2006-07-11 | 2006-12 - 48 mio |
| 2000-06-19 | Windows Millennium Edition (ME) | 2006-07-11 | 2006-12 - 25 mio |
| Most PCs running on these versions of Windows are home PCs and the majority are located in developing countries |
The Update Rollup for Windows 2000 Service Pack 4 (SP4) was released in November 2003 and was the final release of Windows 2000. For this policy see for instance:
- Windows 2000 Update Rollup 1 for Service Pack 4

At what date Microsoft Mainstream Support starts is unclear. In the case of Windows XP it appears that it did not start from the date when the product first went on sale (2001-08-24), because this would mean we are in the Extended Support phase by now (2007-10). Neither would it start at the time the last Windows XP system was sold with hardware (for simplicity's sake 2006-12). While Microsoft most certainly provides 10 years of support, when this period starts exactly is unclear.
For Windows XP things look as follows:
| how Microsoft makes sure its ecosystem locks users in |
| date operating system was released | name of operating system | date security support will cease | number of PCs still running with legal copy of this system installed |
| 2000-02-17 | Windows 2000 | 2010-11 | 2007-12 = 100 mio |
| 2001-08-24 | Windows XP | 2014-04 | 2007-12 = 500 mio |
| Most PCs running on these versions of Windows are home PCs and the majority are located in developing countries |
On 2007-01-24 Microsoft announced that Windows XP Home Edition and Windows XP Media Center Edition will
include a total of five years of Mainstream Support (until April 2009) and five years of Extended Support (security
hotfixes until 2014-04):
- Microsoft Announces Extended Support for Windows XP Home Edition, Windows XP Media Center Edition

The numbers of users we estimate for December 2007 in the above table are based on Steve Ballmer's comments made during his Financial Analyst meeting (2007-07-26).
The Update Rollup for Windows XP Home Edition Service Pack 3 (SP3) and the Update Rollup for Windows XP Home Edition Service Pack 3 (SP3) have to happen before April 2009, when the Mainstream Support phase ends for these operating systems. Thereafter, until 2014-04, security hotfixes are all that will be delivered to users.
CONCLUSION
Latest data indicate that Microsoft will continue to sell Windows XP until July 2008, the reason being that corporates hesitate to change over to Windows Vista. Actually, in the U.S. large notebook and PC manufacturers have begun to sell their latest computers offering clients the option to change over from Windows Vista to Windows XP. In some cases, the XP Pro Recovery Disc has become part of the package one gets when purchasing a new PC.
What is clear from the above is that Microsoft is making a serious effort to maintain its dominant market position. Hence, it is in the firm's best interest to become a bit flexible and allow some customers to stay with Windows XP, instead of losing them to open source software such as
- Open Office, or
- Lotus Notes - uses Open Office as well
that run on both Windows and Linux operating systems and can be obtained for free or at a fraction of the cost compared to Microsoft Office.
Microsoft's approach makes certain that Windows Vista will ultimately rule the PC world:
- 3 Advanced Access Content System - protecting your eco-system - scientific and economic realities

Unless losing the case against the European Commission will indeed make a difference (except for a few dollars on the bottom line, we doubt it will change the PC operating system landscape):
- CyTRAP Labs legislative watch - European Court of First Instance rules on Microsoft vs. European Commission - Loser is …?

ALSO OF INTEREST
- Is Microsoft fiddling with system files without permission? Survey says ….

PS. 1
All the numbers provided above are based on legal versions of Windows.
4. waste electrical and electronic equipment (WEEE) - resell, upgrade, recycle
We have reported about the WEEE directive:
- Regulation that matters - waste electrical and electronic equipment (WEEE) - a greener approach

| Energy Analysis of End-of-life Options for Personal Computers: Resell, Upgrade, Recycle - reusing a PC is 20 TIMES MORE EFFECTIVE THAN recycling |
| 75 per cent of the greenhouse gas emissions released throughout the lifecycle of a typical PC are emitted before the computer is plugged in |
| Reusing might be the most effective way to save energy - manufacturing a single memory chip requires 32,000 grams of water - lots considering the millions that we manufacture each year. |
| We show you some data that indicates you may waste more energy through your work than you think! |
But the decommissioning of computers every year is becoming a serious environmental challenge. For instance, in the UK about 3 million PCs are decommissioned every year. Eric Williams and colleagues found that 75 per cent of the greenhouse gas emissions released throughout the lifecycle of a typical PC are emitted before the computer is plugged in.
As a result, power-saving technologies and turn-off campaigns can only ever address a quarter of the emissions
associated with each PC and the most effective way of limiting a PC’s carbon footprint is to extend its productive
life to ensure extra PCs do not need to be built.
Figure: reusing a whole computer

Naturally, when you bring your PCs back to the store you bought them from, you have to make sure that all confidential data were removed beforehand, securely and safely:
- CyTRAP Labs - CASEScontact.org security guide - protecting data confidentiality and privacy by disposing of an old notebook, iPod, smartphone & memory stick the smart way

But even then, as experience has shown, much of this equipment ends up in dumps:
- Africa used as Europe's digital dump

Williams and colleagues concluded that re-using an unwanted PC is up to 20 times better for the environment than breaking it up and recycling it.
While the amount of fresh water required to produce a single 2-gram memory chip is arguably not that significant (about 32,000 grams), consider that Germany, Taiwan, Japan, Korea, the US and other countries are producing hundreds of millions of these chips annually. That's a lot of water:
Eric D. Williams, Robert U. Ayres, and Miriam Heller (October 25, 2002). The 1.7 Kilogram Microchip: Energy and Material Use in the Production of Semiconductor Devices. Environ. Sci. Technol., 36 (24), 5504-5510.
A free download of an earlier version of the above paper, presented at a conference, can be found here:
Eric D. Williams and Yukihiro Sasaki (2003). Energy Analysis of End-of-life Options for Personal Computers: Resell, Upgrade, Recycle. Proceedings of the 2003 IEEE International Symposium on Electronics and the Environment, pp. 187-192. Piscataway, New Jersey: IEEE.
Enjoy your weekend!
END of NEWS - Important Info Below
Read our privacy promise. This newsletter DOES NOT contain ANY cookies or other software enabled mechanisms to collect data about reader behavior WHATSOEVER.
==> We DO NOT send ATTACHMENTS with our newsletter.
NO WARRANTY
Any material furnished by CyTRAP Labs and WebUrb is furnished on an 'as is' basis.
CyTRAP Labs or CASEScontact.org, writers & sponsors make no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. WebUrb, writers & sponsors do not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Here you can read our full DISCLAIMER
SERVICE POWERED BY:
Flashcable - INNOVATION AND EXCELLENCE IN ISP Services