Your article ("Suite Spot," February 2007) makes some valid points on the advantages of using product suites versus best-of-breed products. However, should that product, or vendor, have a significant vulnerability that requires removal or disabling of the suite, then your organization is completely unprotected.
There is better protection value in using products from multiple vendors that would produce a more robust protection plan.
David M. Hamsik
Network integration engineer
NCI Information Systems
For Your Information (Security)
While your article ("Fad or For Real," February 2007) more or less ended up in the right place, I think you're missing the big picture. The precise reason that we call it "information security" and not "computer security" represents a more mature view of what it is.
Information is not always on a computer. Computer security is one component of information security, but it is only one component.
The larger risk management discipline has been very instrumental in taking the profession to the next level by building broader institutional awareness, getting more business-level engagement and fostering infinitely better assessment and mitigation strategies.
In short, we are now approaching information security correctly--as a business issue, not an IT issue. If you are observing bureaucratic or superfluous elements of someone's risk management program (which rightly should include information security), then that's just a bad program, not a bad concept.
VP, director of risk management,
Information security officer
Advanta Bank Corp.
Encryption Isn't Always Mobile
I want to add my two cents on the article "Encrypt It" (February 2007). Source encryption is a good solution, but one point could be misunderstood in your article: With Windows EFS, the file transfer over a network is done unencrypted. If you want to keep your data EFS encrypted up to the backup, you must have your backup application on the same server as the data, or implement an encrypted protocol on the network (IPsec, for example).
Microsoft states: "Encrypted data is not encrypted when in transit over the network, but only when stored on disk. The exceptions to this are when your system includes IPsec or Web Distributed Authoring and Versioning (WebDAV). IPsec encrypts data while it is transported over a TCP/IP network. If the file is encrypted before being copied or moved to a WebDAV folder on a server, it will remain encrypted during the transmission and while it is stored on the server."
Jean Marcel Häberli
A comparative review in the March issue ("Gone in a Flash") reported the incorrect final grades for some participants. The correct final grades are as follows:
ControlGuard Endpoint Access Manager 3.0, A-;
SmartLine DeviceLock 6.0, B+;
Centennial Software DeviceWall 4.5, B+;
Safend Protector 3.1, A-;
Securewave Sanctuary Device Control 4.0, A-;
Workshare Protect Mobile, B.
See the PDF online for the updated report card. http://informationsecurity.techtarget.com/informationsecurity/images/vol3iss3/ism_v313_f1-grade.pdf
Send your e-mails to firstname.lastname@example.org.