Best practices for IT security management

The nuts and bolts of an information risk management (IRM)
framework are best put in place long before you install the technology.
But it's never too late to mitigate business risk by working out the
mechanics of functions, requirements and controls. Discover and report
on the right priorities, and you can construct a framework for making
well-informed decisions.

Read Five steps to building information risk management frameworks and Developing Controls for People, Processes and Technology by Forrester analyst Khalid Kark who details how to build a sound IRM solution in your organization, including:

Defining domains for your IRM framework
Three questions to ask when assessing the criticality of IRM requirements
Overcoming two significant challenges in defining security metrics programs
Converging physical and logical security through process collaboration

Kark is a principal analyst at Forrester Research. His research focuses
on information risk management strategy, governance, best practices,
measurement and reporting.

This expert advice is part of a continuing series on
IBM best practices for IT security management. IBM security services
and solutions such as Tivoli®, Internet Security Systems™, and
Rational® enable customers to better manage their infrastructure,
operations and IT processes.


PCI compliance drives identity management spending, says IBM's GRC chief

Great interview with Kristin Lovejoy, the director of IBM Governance and Risk Management Strategy over at Information Security Magazine.

When Consul was acquired, how difficult was the technology integration?
Lovejoy: There was a good bit of integration work that had to occur.
Most of it was around assuring that the product offering met the
scalability requirements that had to be defined by IBM. IBM's
acquisition of the technology undergoes a blue-washing process. The
blue washing process assures that the technology sold to IBM customers
are not packaged with any kind of code that is not documented—no open
source components. Also the database infrastructure had to be reworked
and released for DB2.

You've been viewed as a leader in driving the implementation of
auditing as a required step in identity and access management. Talk
about the importance of auditing.

Lovejoy: Of course it was
Sarbanes Oxley where the concept was initiated. Section 404 required
organizations to not only look at their business controls but also
their IT controls. It points to a requirement that organizations adopt
a control framework within the finance, accounting organization, making
sure there's no conflict of interest. Sarbanes Oxley made people say
trust is ok but now I have to verify. We saw a lot of companies want to
be able to monitor privileged users such as database administrators and
developers. They wanted to ensure that those that were working in the
preproduction environment were only working in the preproduction

In addition to Sarbanes Oxley, there have been over time lots
of requirements like PCI DSS and HIPPA that requires you to do audit
logging. These requirements, which always said you need to maintain the
logs, are now beginning to indicate that it's not simply collecting
logs, but you also have to be able to review the activity in logs and
identify areas potentially anomalous activity.

Read More.

New IBM Redbook – Deployment Guide Series: IBM Tivoli Compliance Insight Manager

In order to comply with government and industry regulations, such as Sarbanes-Oxley, Gramm-Leach-Bliley, and COBIT, enterprises have to constantly detect, validate, and report unauthorized change and out-of-compliance actions on their IT infrastructure.

The Tivoli Compliance Insight Manager v8.0 solution allows organizations to improve the security of their information systems by capturing comprehensive log data, correlating this data through sophisticated log interpretation and normalization, and communicating results through a dashboard and a full set of audit and compliance reporting.

We discuss the business context of security audit and compliance software for organizations, and we show a typical deployment within a business scenario.

This is the second IBM Redbook covering IBM Tivoli Compliance Insight Manager – the first book being the Compliance Management Design Guide with IBM Tivoli Compliance Insight Manager, SG24-7530.

This IBM Redbooks publication is a valuable resource for security officers, administrators, and architects who wish to understand and deploy a centralized security audit and compliance solution.

Download the Deployment Guide Series: IBM Tivoli Compliance Insight Manager
Publish Date:   February 15, 2008     ISBN Number:   0738485705

TSOM and TCIM Integration! (TSIEM)

Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs) today are focused on prioritizing security initiatives to support their business goals, and on managing technical risk and governance.  Their organizations are challenged to both minimize security-based business disruptions and ensure and demonstrate compliance with privacy regulatory requirements, with a limited set of resources.   Security information and event management (SIEM) technology can provide a solution to these challenges, and provide greater leverage of people and greater visibility of their existing security infrastructure.

IBM offers two SIEM complementary capabilities for the security information and events:

  • A real-time, network event-oriented management dashboard that facilitates attack recognition and incident management
  • An information analysis dashboard to assess how well an organization adheres to its security and governance policies

IBM Tivoli Security Information and Event Manager V1.0 (TSIEM) is comprised of two products:  IBM Tivoli Security Operations Manager V4.1 (TSOM) and IBM Tivoli Compliance Insight Manager V8.5 (TCIM). These products, working together, help you realize the full promise of enterprise SIEM. By centralizing log collection and event correlation across your enterprise, you can leverage an advanced compliance dashboard to link security events and user behavior to your corporate policies.

Tivoli Security Information and Event Manager delivers a comprehensive foundation to help address your SIEM requirements.  As a result, IT organizations can reduce their exposure to security breaches; collect, analyze, and report on compliance events; and manage the complexity of heterogeneous technologies and infrastructures.  TSIEM provides support for numerous applications, operating systems, security products, and network infrastructures, as well as desktop and mainframe systems.

Using TCIM and TSOM together provides the benefits of both products, through their complementary user-centric and network-centric perspectives.  Integration between TSOM and TCIM can provide additional unique capabilities:

  • Identify important audit and administrative events from the network/security infrastructure for privileged user monitoring and compliance reporting.   This leverages the broad network and security product support of TSOM and its correlation capabilities to provide added value auditable events for use in the TCIM privileged user monitoring and audit and compliance reports.
  • Identify network-centric policy violations with TSOM, and forward these high level correlated events to TCIM for consolidated compliance dashboard and reporting and views.  

The integration described in this document provides the foundation to accomplish these two general use cases.  It describes the specific of configuring TSOM to send events to TCIM.

Dowload the Tivoli Security Information and Event Manager: Tivoli Security Operations Manager and Tivoli Compliance Insight Manager Integration Guide

Pass-The-Hash Toolkit

Pass-The-Hash Toolkit v1.2 is available.

What is Pass-The-Hash Toolkit?

Pass-The-Hash Toolkit contains utilities to manipulate the Windows
Logon Sessions maintained by the LSA (Local Security Authority)
component. These tools allow you to list the current logon sessions
with its corresponding NTLM credentials (e.g.: users remotely logged in
thru Remote Desktop/Terminal Services), and also change in runtime the
current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on

Direct download links:
source code:

More info:

what's new:

From Hexale.