IT WEEK • 6 DECEMBER 2004
MANAGEMENTWEEK: WHERE TECHNOLOGY BECOMES BUSINESS REALITY
Editor: Madeline Bennett

CONTENTS
36 COMMENT New regulations on software patents, computer crime and the disposal of electronic equipment could alter firms’ priorities in the coming year, says John Barker
37 INTERVIEW Oracle’s chief security officer, Mary Ann Davidson, explains how quarterly patch releases will give organisations better-tested fixes in a more convenient form


Good steering stops crashes
Claire Pope

Recent failures of high-profile government IT systems have highlighted the need for improved project management and proper planning processes for technology upgrades.

Last month, a routine desktop software upgrade at the Department for Work and Pensions (DWP) left approximately 80 percent of employees unable to access critical payment processing systems. This was caused by an incompatible system being downloaded onto the entire network, according to reports.

The Child Support Agency (CSA) also recently experienced problems with its £456m IT system developed by EDS, which apparently passed two official reviews despite the lack of a contingency plan. In a hearing last month, MPs were told that over the past 18 months almost half a million applications for support had been made. However, only 13 percent had resulted in a successful payment. A lack of efficiency in the new IT system was implicated. Doug Smith, the CSA’s chief executive, said that he was disappointed with the performance of his department’s technology system, and subsequently announced his resignation.

These recent problems show the dangers of firms not fully understanding the impact of changes to their technology. Paul Arthur of business service management firm BMC Software said the DWP upgrade would not have caused such havoc if correct processes had been in place. These processes should have come from the IT department properly aligning itself to organisational goals, he added.

Andy Baldin, operations director of management software vendor LanDesk Software, said it was probably the scale of the DWP’s upgrade that caused systems to fail. “Migrating up to 80,000 [PCs] in a weekend is asking for trouble,” he said.

Baldin cited the example of the University Hospital of Birmingham, which successfully upgraded 2,500 PCs and 500 servers from Windows 95, 98 and 2000. “The plan they went through took just under a year,” he said. “They planned it properly and put processes in place to make sure they phased the upgrade over a period of time. This allowed them to make sure the impact of any errors would be minimal on the organisation,” he added.

Comprehensive planning is vital to the smooth rollout or upgrade of IT systems, according to Baldin. “Firstly, companies should put together a project plan that will allow the IT department to phase the delivery of both operating systems and applications or just patches across the network. This enables the IT department to maintain control,” he added.

Baldin said upgrades should then be rolled out across controlled subsets of the environment. “Firms must design a rollback mechanism to ensure that should anything untoward occur there is a very simple way of getting back the state the PCs were in before the upgrade took place,” he added.

STEPS TO STOP FAILURE
• Consider business impact of upgrades
• Phase the delivery of patches or apps
• Implement a rollback mechanism
Source: LanDesk Software


IT jobs to remain in UK
Martin Courtney

The threat to UK jobs caused by outsourcing more IT roles abroad may be less severe than many critics have suggested, according to some experts, even though two recent studies point to further growth in outsourcing.

A poll conducted at last month’s National Outsourcing Association (NOA) summit found 72 percent of companies and 82 percent of suppliers believe IT departments will look to outsourcing to cut operational costs and increase organisational flexibility.

But although specific roles such as software development and helpdesk support are prime candidates for offshoring to countries with lower costs and larger pools of labour, certain jobs may never leave the UK, or even the in-house IT department.

NOA founding member Nigel Roxburgh said IT professionals in the UK would not lose their jobs as long as the economy is growing. He believes that there are three things – standards, security and strategy – that should never be outsourced, and that the outsourcing trend merely indicates a changing corporate business model.

“Outsourcing rarely results in redundancies in organisations that grow, though things might be different if there is a downturn,” said Roxburgh. “Those in growing organisations will find more than enough work to do, if not in IT then with the user interface side of things.”

[Photo caption: Roxburgh: minimal loss]

A separate report released by the British Computer Society (BCS) indicates that the growing trend to offshore IT skills could cause 12 percent of current UK IT jobs to be lost by 2010.

Elisabeth Sparrow, chair of the BCS offshoring working party that produced the report, predicted that though 12 percent of UK IT professionals may end up losing their jobs by the end of the decade, most roles would be safe. “We have identified a lot of specific opportunities,” said Sparrow. “There will be a lot of work remaining onshore for those working in trusted computing and security, project and programme management, technical architects dealing with the whole organisation’s [IT] requirements, and those pulling in and managing services from different suppliers.”

OUTSOURCING TRENDS
• A recent survey found 72 percent of firms and 82 percent of suppliers see outsourcing as a way to cut operational costs and increase organisational flexibility.
• The British Computer Society says 12 percent of IT jobs may go offshore by 2010 but most will stay.

www.noa.co.uk
www.bcs.org.uk


Firms ignore green issues when buying
Madeline Bennett

Environmental issues have little bearing on companies’ IT purchasing decisions, new research has found. This is despite the current emphasis on corporate social responsibility and forthcoming IT recycling laws.

Only two percent of UK firms cited environmental friendliness as a deciding factor when purchasing equipment such as printers and copiers, according to a study by printer manufacturer Ricoh. Fifty-seven percent said running costs were the top concern when choosing new devices, while functionality was an important factor for just over a fifth of the 612 respondents.

Ricoh’s Tom Wagland said firms’ purchasing criteria meant green issues had a low priority. “Although businesses claim to be environmentally friendly, only a small number are actively implementing green procurement practices,” he said.

Ricoh promotes the use of the EU’s Energy Star logo – a quality stamp for environmentally-friendly goods. But the study indicated almost two-thirds of UK firms do not have equipment with this stamp, while 24 percent were unsure on the matter.

The lack of focus on green issues could soon backfire on firms. Next year, the UK will introduce IT recycling laws as directed by the EU, to enforce the environmentally-friendly disposal of junked electrical goods.

Wagland added that environmentally-friendly goods could also be friendly to firms’ bank balances. “By opting for an energy-efficient device, firms can dramatically reduce running costs and prolong the life of machines through power-management features.”

Legal challenges, p36
Last Word, p38
www.ricoh.co.uk/environment
www.eu-energystar.org


COMMENT
What legal challenges lie in wait?
New laws on software patents, computer crime and the disposal of electronic equipment could alter the priorities of firms and IT managers in the coming year, says John Barker

The Computer Misuse Act (CMA) came into force in 1990, specifying offences of attacks against computer systems or data. It was designed to provide protection for systems and data, and to help maintain their confidentiality, integrity and availability.

There is a widely-held view that the CMA is now deficient because technology has moved on. After substantial lobbying by various pressure groups, the government has decided that the legislation should be updated to deal with new technologies, and reforms are planned for 2005. The changes to the law are likely to cover denial-of-service attacks and adjust penalties for the offence of unauthorised access.

However, I am not sure that these changes are required. The CMA is technologically neutral, and its terms – such as “computer” – are deliberately undefined to provide flexibility for the courts to interpret them widely. The courts have shown a willingness to do this, and most judgements have interpreted the act in a sensible way.

The technology world might also be shaken up by new software patent legislation next year. In June 2004, the European Council of Ministers approved a controversial draft Software Patents Directive, which may open the way for the patenting of software in Europe. Currently, in the UK, developers can protect their proprietary rights over software by relying on the law of copyright. There is no defined registration system, as protection is deemed to arise automatically.

The directive’s stated purpose is to harmonise patent regulations for computer-related inventions across the EU, while steering away from a US-style patent free-for-all. However, critics of the proposals say the European Commission and the European Council are ignoring those aims in favour of the interests of large firms. They say the wording of the directive would let large firms build up software patent arsenals, and so lock out smaller firms from developing similar products. Things came to a head late last month, as the Polish government blocked the passage of the directive. The final vote should occur before the end of the year, and 2005 may see the death of the directive.

IT equipment recycling will also pose problems for firms from next year, with the introduction of European Waste Electrical and Electronic Equipment (WEEE) laws. This October, the DTI released a consultation paper, draft regulations and guidance for the recycling of commercial electrical and electronic equipment. The WEEE regulations are due to come into force on 13 August 2005, and they will force manufacturers and distributors of electrical kit to ensure that systems are in place for the collection, treatment, recovery and environmentally-friendly disposal of computer hardware. Businesses classified as “producers” of electrical and electronic equipment will have obligations to finance the eventual treatment of collected waste equipment.

Although they are in the news, I have not focused on Basel II or the Data Protection Act, as there will be no new compliance requirements for 2005. The US Sarbanes-Oxley Act, which imposes corporate governance rules on multinationals, will affect firms in 2005, but that particular law would need a whole column and more to itself.

• John Barker is an IT specialist at law firm Last Cawthra Feather

Last Word, p38


INTERVIEW: PATCHING
Oracle eases patch control
Oracle’s chief security officer, Mary Ann Davidson, argues that a transition to quarterly patch releases will provide firms with better-tested fixes in a more convenient form
Interview by Brian Fonseca

IT Week: As Oracle’s security chief, can you explain the decision behind the dates for the new quarterly patch bundles – 18 January, 12 April, 12 July and 18 October?

Mary Ann Davidson: We picked the dates based on trying to optimise around most people’s calendars, [and to avoid] blackout periods. If there are multiple security issues that affect different products, all those patches will come out at the same time. That way, you don’t have to take your system down this month for the database, and next month for the application server. Customers say that they will have a meltdown [if it is necessary to apply patch bundles] once a month, but once a quarter seemed something they could live with.

IT Week: Do you anticipate that any patches will be released outside of those dates?

Davidson: There perhaps still may be occasions where we will do traditional security alerts, but only in cases of high security issues if there’s a patch available. Generally speaking, we are going to try to adhere to regular schedules. It’s better for us and better for our customers.

IT Week: How will you help organisations with their planning for patches?

Davidson: We’ll send out reminders. As part of this effort, we are also looking at how we can provide better information to customers, which includes, which patches do I apply first, be it a database or application server. We will also try to anticipate questions that customers will ask us and provide FAQs [with the bundles]. What you don’t want is to have people call you for information [they] should have had in the first place.

IT Week: How do you respond to recent criticism from some people in the security research community that Oracle has been too slow in rolling out patches?

Davidson: From a researcher’s standpoint, their definition is, “I told you about [a vulnerability] on Tuesday, and you should have a patch ready in two days.” But from a customer standpoint, that doesn’t solve their problem. A customer’s problem isn’t fixed until they have something in their hands that has the version they’re running on, and applying [the patch] isn’t going to break what they have installed.

IT Week: Do you agree with security vendors who say that firms need additional third-party protection to secure their databases?

Davidson: There’s a lot that goes into securing your database, like instructive testing. That’s something a third party cannot help you with. It’s our code. If we can’t do that, there’s nothing a third-party database vendor can help with. Also, in terms of the [database] security features and functions, it’s our product, and we feel that we do a better job with our customers. We don’t lose business on security.

IT Week: What are some of your customers’ biggest concerns for database security?

Davidson: I think a lot of [fears] are driven by regulatory compliance, in a way forcing them to do good things they may have not done before. I have had discussions with customers that are using products that have not been supported for 10 years, and they have never applied patches. The assumption is that nothing bad happened and nothing ever will. Now they want you to do security analysis to tell them if they’re at risk – especially for mission-critical systems.

[Photo caption: Davidson: less disruption]

ABOUT MARY ANN DAVIDSON
• Mary Ann Davidson is chief security officer at Oracle, where she is responsible for security assessments and incident handling.
• Davidson also represents the database giant on the board of directors of the Information Technology Information Sharing and Analysis Center (IT-ISAC).
• Davidson has also served as a commissioned officer in the US Navy Civil Engineer Corps.

www.oracle.com
www.eweek.com
© eWeek USA 2004