U.S. CIO Kundra bets on SOA, cloud computing, agile, data-based policy

U.S. CIO Vivek Kundra, appearing Friday as the keynote speaker at the University of Maryland’s CIO Forum, touched on a number of topics affecting both public- and private-sector CIOs. Some of his comments follow:

“We found that the role of CIOs in the federal government is very much focused on data centers, networking and technology, not on how we can transform the function of the public sector itself.” He explained that he wants to “leverage tech to fundamentally change the way the public sector operates.” Now, as the federal government works to account for each of the $787 billion in spending from the American Recovery and Reinvestment Act of 2009 and publishes more data from its agencies, Kundra said, “we’re shifting away from democratizing data to thinking about how public policy can be powered by that information.”

In tracing the path of technology from agrarian to industrial to the current information revolution, Kundra noted the transformative effect of both cell phones and social networking platforms like Facebook, YouTube and Twitter. “We’re seeing the impact that Twitter has on the geopolitical climate of the world,” he said. “Information is far more liquid than it has been in the history of civilization.” The disruptive effects of the online revolution in user-generated content are steadily filtering into government. The “Darwinian pressures” exerted upon real estate, real estate, consumer products and the automotive industry haven’t hit government yet, Kundra observed. “It’s easy to go online and compare consumer products, but it’s very difficult, if not impossible, to get information to make intelligent decisions.” In launching the contest Apps for Democracy, in fact, Kundra found a way to introduce an element of competition and innovation into an government IT ecosystem that was underserved in both areas.

Kundra has been a proponent of cloud computing for years, going back to his position as the CTO of the District of Columbia, where he signed a contract with Google for business services. Today, he emphasized the need for security, interoperability and data portability in federal government use of cloud computing. “As we make the shift towards cloud computing, security threats need to be addressed. Solutions cannot be bolted on afterwards. Data portability is central, so that as we move from Vendor A to Vendor B we architect this with interoperability and standards so that we don’t spend billions later.”

Questioned on whether service-oriented architecture still is an emphasis in a federal cloud computing paradigm, Kundra said SOA “absolutely” still matters. “Look at the Social Security Administration and what it’s done with SOA and local government,” he said. “They can build lightweight applications to interact with databases elsewhere.” That embrace of modern development practices extends beyond just SOA or upgrading programmers’ skills from COBOL. “How do we move towards an agile procurement or agile development methodology?” asked Kundra. “

In some areas, the government is moving to make systems more interoperable. Kundra pointed to what what’s happening between the IRS and Department of Education in student aid. “Before, if you wanted to apply and get aid, you had to fill out a FAFSA,” said Kundra. “That form is more complex than a 1040.” Starting in January, there will be a brand new online way to fill out a Free Application for Student Aid, according to Kundra, which will eliminate 70 questions and 20 Web screens. “Students will be able to get IRS data and autopopulate it in the form for student aid.”

As he grows into the U.S. CIO role, Kundra has continued to add to the areas where government IT spending and management has been and where he’d like it to go. IT systems were “not invested where they should be, which is at the intersection of the American people and government,” he said. As he put it, it’s a “simple change in default setting to being that of secretive, opaque and closed to transparent, open and participatory.”

The old mode involved the management of $70 billion of federal IT investments through a “closed, opaque, checklist-driven process,” Kundra said. Now USAspending.gov, the federal IT dashboard, tracks spending. The website has received more than 56 million hits since launch, according to Kundra. In the old way of thinking, there was a “presumption that the government has a monopoly on the best ideas,” said Kundra. Now, Data.gov provides machine-readable data for developers to mash up. Historically, there’s been a “complex, time-consuming, paper-based acquisition process,” said Kundra. Now, there’s Apps.gov.

Kundra sees the same transition toward more flexible systems in cybersecurity. “We’re moving from a manual, reporting-based, compliance-focused approach to a real-time measurement of actual cybersecurity,” said Kundra, referring to the new “Cyberscope” system for online reporting of cybersecurity threats that launched in October. “You cannot address real-time threats with a solution that’s focused on reporting requirements on a quarterly basis.”

Improve public and private cybersecurity partnerships, says Hathaway

Melissa Hathaway, former acting senior director for cyberspace for the National Security and Homeland Security councils, spoke of the need for better public-private cooperation at a cybersecurity panel in Washington last week.

Hathaway was part of a panel at the International Spy Museum in Washington, D.C., held to draw attention to the growing dangers online as National Cybersecurity Month drew to a close.

“Thank god for Akamai, who redirected a lot of the bandwidth and kept the Department of Transportation and NYSE up and running,” she said, referring to the DDoS attacks on the U.S. government earlier this year. Hathaway highlighted the importance of moving forward on enacting the 25 recommendations included in the cybersecurity report she delivered to the White House.

Her remarks followed the same theme as the speech on cybersecurity threats she delivered to the ArcSight Conference earlier this month.

Hathaway was proud of the attention that the Obama administration has paid to the issue, observing that when President Obama spoke, it was “the first time the leader of any country spoke about cyberspace or cybersecurity for any length of time.” Obama’s speech on cybersecurity is embedded below.

Hathaway noted that cybersecurity threats are a personal issue to the president, referring to attacks against his BlackBerry, and to his staff, given “their data breaches, and policy documents that he lost.”

“Many people don’t realize their computer is already infected by a botnet” she said, emphasizing the importance of raising awareness of the risks. “How many people realize that when they buy a thumb drive that it comes with extra executables for marketing purposes to send data home?”

Hathaway called endemic data breaches in the business world “one of the biggest secrets that no one is talking about publicly” and drew attention to a rising tide of electronic fraud worldwide. “In Bulgaria,” she said, “one of our colleagues said you can’t withdraw cash at an ATM unless you have your cellphone and it geolocates you.” How many people now have to put ZIP codes in for gas? “That’s because POS terminals have been hijacked.”

Cybersecurity threats extend beyond fraud, identity theft and data breaches. “There is generally a lack of agreement about what is a crime in cyberspace, much less what is an act of war,” Hathaway said. “In the event of a digital disaster, who is going to restore the infrastructure?” Also key: Who will pay? “It’s not going to be the government,” she said, at least not under current Federal Emergency Management Agency frameworks. “There’s no equivalent of a national disaster in cyberspace yet.”

New rules for cyberwar being defined as cybersecurity risks grow

James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, soberly assessed the risks to national security that lie ahead in cyberspace. “It’s primarily an espionage problem,” he said. “This is the easiest way to be a spy that has ever been invented … there’s zero chance of being caught and prosecuted if you’re smart about it.”

Lewis made that observation speaking on a panel at the International Spy Museum in Washington, D.C., held to draw attention to the growing dangers online as National Cybersecurity Month drew to a close.

Citing cyberattacks on Estonia, Lewis, the project director for the Commission on Cybersecurity for President Obama, said he anticipated more advanced attacks in future cyberwars, either by militaries or by non-state entities in the distant future.“All advanced militaries now include cyberattack capabilities.” As he put it, “you can send missiles, commando teams — or you can send hackers. And hackers are much cheaper.”

Lewis believes that those “attacks are not what we have to worry about,” however – it’s “those that disrupt critical infrastructure” that keep him up at night. “The challenge is that the Internet was built for scientists,” he said, which meant that it was built to assume trust. The U.S. has “built an exceptionally insecure environment that our military and economy now depend on.” As a result, Lewis said, “the U.S. is more vulnerable than any other country” because it has put the Internet to the best use for its economy, politics, research and military.

A central challenge in this new operational environment is that “the old Cold War notion of deterrence doesn’t work,” Lewis said. “We’ve put a lot of effort into the offensive side, but it hasn’t helped us on the cybersecurity side.” Moving forward with improving the nation’s exposure to cybersecurity risks is also challenging because of the traditional approaches to solving problems on a national scale in the U.S. “Do we wait for the market or wait for something that has a larger role for government,” asked Lewis. It’s difficult to discuss, he said, because “our ideology is to talk about a market solution, but we’re facing competitors who aren’t bound by that.”

There are also legal boundaries that must be considered in the context of new threat vectors and technologies. “The laws that we have to protect civil liberties and privacy were written 20 to 30 years ago,” said Lewis. “In the old days, you couldn’t look at traffic without understanding the content.”

Now, as he observed, the question is “How do you involve DHS? Or NSA? Some of this leads back to the FISA debate. To really defend cyberspace, you need better situational awareness. What we need to know for cybersecurity, you need to look at all the traffic coming into the U.S.” When Lewis, however, asked how many in the audience supported such a move from DHS, few hands went up, reflecting the complexity of such electronic filtering.

Peer-to-peer file sharing exposes Congressional secret investigations

The Washington Post broke a story last night that should prick up the ears of information security and compliance officers. The names of more than 30 lawmakers under scrutiny by the highly secretive House ethics committee for possible ethics violations were leaked when a “low-level” staffer working from home put them on a peer-to-peer file sharing network.

The security breach brought swift action. The staffer was fired, and a lot of Congressional leaders were embarrassed. Statements came flying from all parties involved. The ethics committee does not make the names public (of their colleagues, no less!) until an official investigation is announced, for the obvious reason that these secret probes could unfairly damage a lawmaker’s reputation.

The leak does not appear to be politically motivated in any obvious way. The source who tipped off the reporters is not connected to the congressional investigations, according to the story. Which makes this security breach all the more scary.

The incident should add a big jolt to the Committee on Oversight and Government Reform hearings under way on inadvertent file sharing over P2P networks. And serve as another reminder to CIOs to revisit their P2P policies. As we reported in a story in August on the P2P hearings, research shows that 73% of companies take some kind of stance on P2P, but only 18% ban it outright. Companies tend to view P2P file sharing as more of a bandwidth issue than a security risk. Think again, and check out the story for peer-to-peer file-sharing tips.

Schwarzenegger vetoes California data breach notification bill SB 20

In case you missed it, California Gov. Arnold Schwarzenegger vetoed Senate Bill 20, which would have added a few more requirements to the state’s existing data breach notification law.

Sponsored by state Sen. Joe Simitian, the additions to the landmark data breach law would require holders of personal information to reveal the type of information that was lost and details of the actual breach incident, in addition to notifying data owners of the event.

In his veto letter, Schwarzenegger called the bill “unnecessary … because there is no evidence that there is a problem with the information provided to consumers.”

In an interview with SearchCompliance.com in September, Sen. Simitian said that final negotiations had eliminated any opposition to SB 20, and said the purpose of the bill was to provide consumers with more information. “My argument was, you want to let the state know, so we can get some sense of the scope of the problem,” he said. “And also so consumers have some sense. If I communicate to you that you are one of three files that were compromised, then you are probably a little more anxious and a little more likely to take some steps to protect yourself then if you were one of 500,000.”

In reacting to the veto, Sen. Simitian said, “I’m surprised as well as disappointed by the governor’s veto,” said Simitian in a statement. “This was a common sense step to help consumers. No one likes to get the news that personal information about them has been stolen. But when it happens, people are entitled to get the information they need to decide what to do next. This bill would have made one of California’s key consumer protections even better.”

What happens next is not clear. Simitian said in the interview that if SB 20 was passed he would not foresee any additional changes, arguing that the “light touch” of the existing law was enough to keep data holders responsible and proactive, rather than mandating encryption and other technologies like Massachusetts and Nevada have done.

White House launches GreenGov Challenge: Carbon compliance at hand?

On Monday, the White House announced a “bottom up” initiative to “green government,” launching a new initiative for federal employees to contribute ideas for energy efficiency. The GreenGov Challenge follows up on an Executive Order that President Barack Obama signed on Oct. 5 that directed federal agencies to appoint a sustainability officer and set emissions reductions targets for 2010.

Watch: Video of President Obama signing the Executive Order

In other words, so-called “carbon compliance” is now officially on the horizon line for the IT staff at federal agencies. If Congress decides to move forward with regulation of greenhouse gas emissions, CIOs at businesses in the private sector will also be faced with meeting new requirements.

Asking more than 1.8 million civilian employees and armed service members for their ideas on saving energy is bound to yield a good idea or three. Larger questions around implementation and measurement of enforcement of carbon emissions will be thornier and may not lend themselves to crowdsourcing.

As I wrote in today’s story, the role of sustainability software in carbon compliance is likely to be substantial. Another issue to be aware of is nascent competition in the market for electric metering in the smart grid. Google PowerMeter might run right up against the entrenched leader in smart metering software, a certain business software company located in Germany: SAP. As reported last year by SearchSAP.com, SAP is positioned for utility transformation as the smart grid develops. To be fair, Google is positioned at the consumer and small business level, while SAP is the definition of an enterprise software provider.

Given the pressure for homeowners, businesses and data center operators to become more sustainable in the years ahead, however, there’s likely to be room in the carbon compliance software market for both companies for some time to come.

OpenID pilot project for identity management starting up at NIH

As I reported last month, the U.S. federal government will try using OpenID as a federated identity framework for .gov authentication.

“The OpenID and .gov project’s goal is to make government more transparent to citizens,” said Don Thibeau, executive director of the OpenID Foundation at the OASIS Identity Management 2009 conference, referring the audience to IDManagement.gov.

There are now more than 1 billion OpenID-enabled accounts, according to Thibeau, with more than 40,000 websites supporting the framework, including technology companies Google, Yahoo, Facebook, AOL, MySpace, Novell and Sun Microsystems.

The OpenID identity management pilot at the National Institutes of Health (NIH) will be limited to conference registration, wiki authorization and library access, which require only Level of Access (LOA) 1 authentication.

Debbie Bucci, the integration services center program lead at the Center for Information Technology at NIH, talked about the success of existing identity management frameworks for authentication at the institute.

Bucci is cautious about implementing OpenID but sees utility in federated identity, given the success of InCommon, an identity framework at NIH. She expressed support for the “idea that you could take the same username and password and spread it around the business units.”

According to Bucci, NIH’s systems have more than 35,000 users, 250 service-level agreements and handle over 1 million transactions every day, 83% of which are external. Current user participation for InCommon is 21%, focused on higher education and research. The NIH’s electronic research administration supports more than 9,500 institutions and agencies, according to Bucci. By contrast, InCommon includes 165. More information about these identity management programs can be found at Federatedidentity.nih.gov.

According to Peter Alterman, senior advisor for strategic initiatives at NIH, the institute is continuing to work toward implementation of the Electronic Signatures in Global & National Commerce Act, also known as E-SIGN.

According to Thibeau, the core design principle for the trust framework is “openness,” meaning it will be open to all identity providers, qualified auditors, provider certification and evolution. He says that both the OpenID and Identity Card Foundations are working to collaborate with Harvard University’s Berkman Center and the Center for Democracy and Technology (CDT) to further expand the open trust framework.

That latter relationship may be important, as the CDT’s Schwartz said that “at Level 3 [access], we have a lot of concerns. If you don’t have limitations there, there will be a drive to ask for as much information as you can get.” Many high-priority citizen-to-government transactions are classified as LOA 3 or higher, including IRS tax filing, Social Security and Medicare. Given that limitation, there may be some roadblocks to address before government agencies that must address compliance under the Privacy Act implement this federated identity management framework.

Questioned about time frames and implementation metrics, Thibeau said in an email interview to “remember the effort under way is a pilot; a very deliberate beta test of new technology protocols, new integration and interoperability task. We don’t know when we will finish, but we do know we will make mistakes and wrestle with usability and security issues.

”Given all the players involved, it’s hard to say what will be completed and when. The most valuable new piece is how many people and many organizations are coalescing around a practical and far-reaching solution set for the challenges of identity from a user perspective. This goes beyond the tired truisms that often characterize privacy versus security debates. There is a real hunger for real solutions in identity authentication. Whether you frame it as open government, open source or open identity, there are powerful political, public and commercial drivers at work involving identity on the Web. The legal and policy discussions around open identity trust frameworks are a leading-edge indication that practical solutions are in play and
pragmatic (private and public sectors) organizations are involved.”

Thibeau was clear about the stage that the pilot is currently in. “We are at the beginning of a shakedown cruise on two tracks,” he said, referring to both the open source identity technologies and the open trust framework itself. “Both are parts of the GSA ICAM schema and both are on the agenda of the OpenID Foundation and Identity (IDF and ICF) boards to consider. They still have a review of and decision making around certification requirements, operations and strategy. As we begin technical testing of government pilots, we are also finalizing the certification of a trust framework process that is a critical element in government adoption and seen by some industry leaders as applicable for high value commercial applications.

Thibeau went on to explain that “the U.S. government is still finalizing requirements for credible, independent and industry standards-based identity certification.” The process holds interest beyond the borders of the U.S. as well, according to Thibeau. “Many international governments as well as U.S. state and local governments are studying the U.S. ICAM test of its ‘schema’ of technology protocols combined with industry self certification models. Identity provider certification of Open Trust Framework models have gained momentum after recent meetings with the Center for Democracy in Technology and feedback from various government agencies, including the GSA ICAM leadership, NIST, NIH and the national security staff in the White House.”

John Bradley, the chief security officer at ooTao Inc, serves on the OASIS XRI, XDI and ORMS Technical Committees and fielded questions about the details of the OpenID pilot at NIH. For more information, Bradley’s blog includes many useful links on the OpenID in government project.

Bailey on the role of the CIO in innovation, PKI in cloud computing

Last week at the OASIS Identity Management Conference, Gregg “Skip” Bailey, director of technology integration for the federal practice at Deloitte, suggested that agencies looking to leverage the power and scale of cloud computing should use the Identity, Credential and Access Management Subcommittee’s (ICAM) framework.

Bailey says embracing that framework may solve some of the federated public key infrastructure (PKI) management challenges involved in securing personally identifiable information (PII). Bailey said that a useful resource, a cloud standards wiki for proposed and ratified cloud computing standards, is available at the (aptly entitled) Cloud-Standards.org.

Bailey, a former CIO at the Bureau of Alcohol, Tobacco and Firearms, defined the role of a CIO simply in this context to conference attendees: “reduce the cost of commodity technologies and increase innovation in applying those technologies to mission goals.”

“Private clouds are the predominant focus in large enterprises,” said Bailey. “Single-purpose SaaS offerings are most widely adopted.” In his assessment, cloud computing “probably provides the ability to apply to both areas,” with “enterprise flexibility and time to value are significant drivers.”

NIST, smart grid privacy and social networking for security pros

Last month, the National Institutes of Standards and Technology (NIST) outlined a framework for building more intelligence and interoperability into the electrical system of the United States. Such a system is generally known as the “smart grid.” Commerce Secretary Gary Locke released a plan for smart grid interoperability that’s meant to lead to a “secure, more efficient and environmentally friendly” system. A draft of the report from NIST is available for download as a PDF: “NIST Framework and Roadmap for Smart Grid Interoperability Standards Release 1.0″

Building more intelligence and efficiency into the network, however, has relevance to more than energy policy. As a working group of information security professionals determined over the course of the summer, there are significant smart grid privacy concerns to consider.

These considerations can be neatly summarized in the following excerpt from the NIST report: “The major benefit provided by the Smart Grid, i.e. the ability to get richer data to and from customer meters and other electric devices, is also its Achilles’ heel from a privacy viewpoint. Privacy advocates have raised serious concerns about the type and amount of billing and usage information flowing through the various entities of the Smart Grid … that could provide a detailed time-line of activities occurring inside the home.”

As privacy expert Rebecca Herold explains on her blog, smart grid privacy needs to be considered as utilities move to a next-generation infrastructure. Those implications were concisely listed by Herold as follows:

1. Identity theft.
2. Determining personal behavior patterns.
3. Determining specific appliances used.
4. Performing real-time surveillance.
5. Revealing activities through residual data.
6. Targeted home invasions.
7. Providing accidental invasions.
8. Activity censorship.
9. Decisions and actions based upon inaccurate data.
10. Revealing activities when used with data from other utilities.

Sarah Cortes, a contributor for SearchCompliance.com, was the project manager for the Privacy Sub-group of the NIST’s Cyber Security Coordination Task Group.

Key points in the current release of the smart grid privacy document include the following issues, according to Cortes:

1. Enforcement of state privacy-related laws is often delegated to agencies other than public utility commissions.
2. State utility commissions currently lack formal privacy policies or standards related to the smart grid.
3. The lack of consistent and comprehensive privacy policies throughout the entities that will be involved with the smart grid creates a privacy risk.
4. Comprehensive and consistent definitions of personally identifiable information do not typically exist.

The body of the privacy groups work may be found in this draft: NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements (PDF).

Social networking and distributed collaboration sped up report writing for infosec team

One aspect of the report’s generation is worth recognizing: the role that the various collaborative technologies and social networking platforms played in gathering, synthesizing and producing the final deliverable for NIST. As Cortes explained in an email, preparing the current release of the Smart Grid privacy document included the following considerations:

1. Ensuring adequate input from each of the 50 state NARUC energy commissions and other sources in a very short time frame.
2. Aligning recommendations with the plethora of existing laws.
3. Documenting concrete privacy risks.
4. Separating privacy risks from security and other risks.

According to Christophe Veltsos, a Midwestern-based information security professional who participated in the NIST CSCTG, the team used the suite of collaborative technologies common to many enterprises in late 2009.

“Gal Shpantzer and I used Google Docs to do live edits, both of us working at the same time,” said Veltsos. “We used either a live phone line or GChat to help facilitate the conversation.” The team members, including Herold, also used email, free conference-calling websites and tweets to send quick bursts of info/updates to each other.

Cortes also said NIST involved Twitter users from the start.

UPDATE: Christophe Veltos wrote to correct the record on the central role that DC-based information security consultant Gal Shpantzer played in organizing the CSCTG. Veltsos points out that “while Sarah was the project manager, Gal was the catalyst and is considered by NIST to be the team leader of the privacy group.”

“When forming the group, NIST staff turned to the industry professionals they most respected across the U.S.: members of Twitter’s online information technology privacy, compliance and security community,” she explained. ”One by one, Gal recruited respected members of the IT professional community, met with prospective members in person at times, and sought out suggestions for additional members. All prospective members could quickly and easily be thoroughly checked out as far as qualifications, accomplishments, and references, all informally through common Twitter features. The breadth and depth of advisory group members was substantial compared to similar panels formed with more traditional methods taking far longer.

”All meetings were organized by conference call, and drafts of the Smart Grid Privacy policy documents and project plans were exchanged by email. In between meetings, members interacted informally on Twitter, similar to running into colleagues in the hall when everyone works physically in the same building. These informal Twitter dialogues facilitated relationship-building among the team and problem-solving between meetings.”

According to Cortes, “Twitter has become the medium of choice for networking IT professionals for a few reasons, among them:

1. If you’re in IT and you’re not comfortable with Twitter, you are lacking a basic technical skill.
2. Twitter enables members of the IT community to check out each other’s static Web pages and credentials, but then get to know members of their own industry over time through their communications streams. How professional and informative is this person, over a period of time? How respected are they by other well-respected professionals, apparent through the interlocking web of followers? How many others respect this person, apparent from absolute numbers of followers, quality of followers, and mentions by others?
3. Twitter communication allows personality to come through and thus enables people to feel comfortable with each other much more quickly than other mediums.
4. It allows for a combination of private and public messages, allowing swift reaction to breaking industry developments.
5. It allows professionals to get a quick response to a technical question.
6. It enables professionals to know at a glance whether they are up to date on developments on our field or out to lunch, a constant problem in this field. What are other respected IT professionals talking about each day? What are they not talking about?”

If you have thoughts and comments about either smart grid privacy or the utility of social networking for collaboration between compliance and security professionals, please leave them in the comments. Or, if you like, @reply on Twitter. You’ll find SearchCompliance.com there under @ITcompliance, as well as this author as @digiphile.

Information security and compliance resources from around TechTarget

The laws and regulations that CIOs and CISOs must understand and reflect in their operations are by nature applicable to many different areas of information technology. As a recent study on the privacy profession showed, privacy policy success lies in collaboration with IT. Finding good compliance resources to keep abreast of news and technologies is crucial.

The diversity of stakeholders involved in IT compliance is reflected in the many compliance resources that are published each month across the TechTarget network of IT media. For instance, this month’s Storage Decisions Conference explored how storage managers must explain retention, email archiving and compliance.

At SearchOracle.com, there’s news about how Oracle updated Agile PLM for food and beverage compliance, allowing manufacturers to better analyze ingredients for safety.

At SearchFinancialSecurity.com, a new story explores full disk encryption, which is fast becoming a priority for laptop security in midmarket companies given increasing fears of data breaches. The article explains how to choose full disk encryption for laptop security, compliance.

Earlier this year, SearchNetworking.com ran “New PCI compliance rules ban WEP, tighten wireless LAN security.”

PCI DSS compliance

Since security and compliance are bound closely together, it should come as no surprise that SearchSecurity.com features new compliance resources regularly. That’s particularly true when it comes to PCI compliance.

Last week, site editor Rob Westervelt wrote “PCI virtualization SIG closer to proposing changes to standard.” Westervelt writes that the PCI Virtualization Special Interest Group, which has been studying virtualization for the payment card industry (PCI), is close to issuing guidance ways to maintain PCI DSS compliance when using virtualization.

For more on PCI, editorial director’s Kelley Damore feature about what PCI compliance really means in September’s issue of Information Security magazine has a plethora of useful links.

Elsewhere on SearchSecurity.com, Eric Holmquist offered guidance on strategies for using technology to enable automated compliance.

Given that schools are back in session, IT admins entrusted with securing the records of students may find security expert David Mortman’s explanation for how to prepare for a FERPA audit useful.

Mortman also provides useful advice on a PCI DSS requirement for monitoring and testing security, PCI DSS compliance: ensuring data integrity and understanding PCI DSS compliance requirements for log management.

And “across the pond,” SearchSecurity.uk.co wrote about new products that aim to streamline compliance efforts.

Healthcare compliance

SearchSecurity.com also publishes compliance resources that serve the fast-moving healthcare field, including stories like “FTC extends breach notification to Web-based health repositories” and “HIPAA compliance manual: Training, audit and requirement checklist.”

Again, Mortman provides expert advice on this areas, including guidelines to create a HIPAA-compliant data center, HHS HIPAA guidance on encryption requirements and data destruction and information on writing a patient identifier policy to prevent common HIPAA violations.

We’ve been covering healthcare at SearchCompliance.com as well, along with our sister site, SearchCIO.com, where senior writer Linda Tucci recently wrote that health care security and HIPAA compliance are on deck for CIOs.

We published “HITECH changes the game, but HIT standards still on way” this morning, in fact, following on our FAQ on the HITECH Act’s impact on IT operations and a tip about when is a data breach under HITECH is really ‘discovered.’

Here’s hoping you find these compliance resources useful in your own efforts. If you have other websites you regularly visit to find compliance resources to help you meet regulatory mandates, please let us know in the comments.