editing disabled

wikiheader.jpg

Utah Architecture Review Board

Agenda
May 4

  1. 4300-0004 Laptop and Email Encryption (Boyd Webb)
Laptop Encryption Report and Recommendation
Analysis of the PGP full disk encryption product, currently used by the Department of Technology Services demonstrates a disk corruption rate of nearly 10%. This number may be reduced through careful implementation of the product on new and existing computers, but the fragile nature of the product is unacceptable.
The Enterprise Information Security Office recommends that DTS initiate a Request for Information to discover alternate solutions that can be compared with the current PGP product. If superior technologies are identified through the RFI an RFP may be initiated to replace the disk encryption product used by DTS at the end of the current contract.

  • PGP status report (Boyd Webb)
  • PGP installed on 4,500 machines
  • Encrypted email users: 320
  • Remedy report: PGP-related help tickets (1376 tickets or 77 tickets per month, last 18 months)

  • 4300-0005 Antivirus - Spyware Standard
Anti-Virus Report and Recommendation
Careful analysis of the Symantec Endpoint Anti-Malware product, currently used by the Department of Technology Services demonstrates a significantly lower detection rate for zero day malware than alternate solutions. Multiple tracking organizations including shadowserver.org report an average detection rate for zero day exploits by the Symantec Endpoint product at less than 20%. Statistics compiled by DTS related to the Symantec Endpoint Product compared to numbers of malware recorded on the Intrusion Detection System demonstrate a detection rate consistently less than 50%. The Enterprise Information Security Office recommends that DTS initiate a Request for Information to discover alternate solutions that can be compared with the current technology found in the Symantec Endpoint product. If superior technologies are identified through the RFI an RFP may be initiated to replace the malware product used by DTS at the end of the current contract.


  • Symantec Status Report (Boyd Webb)
  • Symantec installed on 18,479 machines
  • SEP Summary Reports
  • Current Discovered Product List (ZEN - 6246 devices surveyed)
  • Shadow Server AVIS Software Effectiveness Summary
  • Anti Virus Comparative 2010
  • Forrester Malware Report

  • PCI Security Standard Update (Virtualization)
    PCI Compliance in a Virtual Environment Report and Recommendation
    PCI policy compliance objectives require that applications implemented in a virtual environment be segmented from non-PCI applications and segmented from other PCI applications “as if they were on separate hardware.” DTS hosting objectives to meet PCI scope objectives by creating a PCI segment in the virtual environment are on track for completion within the next three weeks. The Enterprise Information Security Office recommends that DTS perform a search of applications currently implemented in the virtual environment to identify those requiring PCI compliance. All identified applications should be moved into the PCI segment as soon as the special segment is established. Existing policy for PCI compliance should be updated to ensure that appropriate applications are implemented in the specially designed segment.
  • Hosted Email (status)

  • Strategic Plan: Discussion, are there any architectural reviews needed relative to the updated strategic plan?

  • Security Review of Web Conferencing Options (Boyd Webb - Request by Greg Mead) - Recommendation: Recognize "Go to Meeting" as a secure web conferencing solution that can be used by agencies when needed.
    Web Based Meeting and Collaboration Report and Recommendation
    The EISO has evaluated the Citrix GoToMeeting and Cisco WebEx online meeting applications for security requirements and found that both products meet a level of security acceptable for sensitive information in a web based environment. The Enterprise Information Security Office recommends that DTS accept currently implemented security standards in the Citrix GoToMeeting and Cisco WebEx products and adopt both products as acceptable tools for hosting online meetings and group collaboration. Policy for online meeting and group collaboration should be established to reflect an acceptance of the security standards implemented in both products and should encourage the use of either product for online meetings and group collaboration.


  • Request: Document Management

  • Standard Reviews for May
  • Version Control Software (guidelines/policy) Version ControlPolicy 5.4.11.pdf