
IBM Global Services

June 2004

Choosing the right managed security service provider for your company’s security needs.

Edward M. Salm, GSEC

IBM Business Continuity and Recovery Services

Managed security services, Development Manager


Contents

Introduction

Main services

MSSP selection

Why IBM Business Continuity and Recovery Services - managed security services?

IBM value

Appendix A

Appendix B

Introduction

Consultants have been around for a very long time. They have expertise to assist us in any area where we either lack the skill to do it ourselves, don’t want a direct long-term hire or simply need to pay for headcount out of some bucket other than the information technology (IT) budget. Companies that provide security services, particularly managed security service providers (MSSPs), take this outsourcing model one step further, as the management, administration, monitoring, reporting and alerting are all done remotely with tools the customer may never touch and people the customer may never meet. MSSPs bring a unique set of strengths to the customer. IBM Business Continuity and Recovery Services - managed security services is rich in skill, technology and capability, and has the offering portfolio to mitigate a wide variety of customer risk situations.

“Defense in depth,” or implementing security in layers to mitigate the risk of both internal and external attack, should be the goal (please see Appendix A for an illustration of IBM’s in-depth approach to information security). MSSPs can help companies attain this posture in a very short amount of time. It is important to note, however, that outsourcing security services needs to be a partnership. For this reason, many MSSPs will use the word augment in reference to how they fit into the customer’s company and IT staff. The company and security provider must be in sync on network changes, new applications, new systems, migrations and the business goals of the customer. An MSSP needs several contacts at the customer’s business, ranging from those who can make major decisions to the very technical network engineer. A good MSSP, backing a good IT staff that appreciates the importance of security, will take you a long way down the defense-in-depth road.


There are multiple reasons to augment your IT staff by outsourcing security services. These include lower cost, expert skills, access to technology and advanced infrastructure, and the due diligence of an outside view. This powerful combination shows stockholders, customers and business partners that you are serious about protecting your intellectual capital, other assets and information. This paper will examine managed security service provider offerings and what to look for when contracting with an MSSP for these services. It will also identify why IBM is a good choice for a managed security partner.

Main services

VPN and firewall services

The MSSP should provide customers with installation, rule base and interface configuration, management, administration, monitoring and log analysis services for firewalls and virtual private networks (VPNs). The MSSP may provide the hardware and software as a bundle with the services, act as a reseller so the customer owns the licenses or simply provide services when the hardware and software are already in place. Verify that your MSSP can do all of these for you: it can increase your options now and in the future.

Find out what firewall vendor service certifications the MSSP has (not the people, but the service itself). Examples are the Cisco Powered Network Provider and Check Point Software Technologies’ Check Point Certified Managed Service Providers (CCMSP) certifications. You want to outsource to an MSSP that has strong vendor relationships, and you want to know that representatives of the firewall technology company have given their seal of approval to the MSSP you choose. In other words, verify that the MSSP has an appropriate number of certified people and the infrastructure to be allowed into the program.

Highlights:

• An MSSP should provide installation, rule base and interface configuration, management, administration, monitoring and log analysis services for firewalls and virtual private networks.


When looking to outsource this activity, it is important to understand the limitations of what the vendor can do for you. These gateways are often the choke points that control access to all the value-adds (e.g., e-mail, Web sites, e-business applications, remote clients, field office connections, etc.) that make it worthwhile for you to be Internet-connected in the first place. How extreme can the MSSP’s solutions get? In an emergency, can the MSSP help you rebuild your Domain Name Server (DNS)? At some point, can you upgrade your services to include uniform resource locator (URL), spam or malicious code scanning? Verify that the vendor has expertise for the day-to-day activities, as well as the occasional consulting or project assistance you may need in the future. It is critical to understand what you are buying and also how you can grow with this MSSP for firewall offerings.

Intrusion detection

The MSSP should provide installation, configuration, management, administration, monitoring and event analysis services for intrusion detection (ID) technologies for the customer. The MSSP may provide the hardware and software as a bundle with the services, act as a reseller so the customer owns the licenses or simply provide services when the hardware and software are already in place. When looking to outsource this activity, it is important to understand the methodology the MSSP uses to provide ID services. False positives are a huge problem in the event data of network ID, so ascertain that custom configuration to your environment and constant tuning are performed. Verify that the MSSP offers network (sniffer) and host (software installed on systems) intrusion detection.

It is also good if the MSSP has the ability to support more than one vendor’s ID technology (e.g., ISS RealSecure, Cisco Secure IDS, Enterasys, NFR). This leaves you the option of switching out your ID technology if a given vendor solution does not seem to be meeting the requirements of your enterprise, without having to worry about breaking a contract with your MSSP.

Highlights:

• In an emergency, can the MSSP help you rebuild your Domain Name Server (DNS)?

• Verify that the MSSP offers network (sniffer) and host (software installed on systems) intrusion detection.


There are many considerations for ID monitoring and how an MSSP can best accomplish the task. You must understand this, or you will not be able to distinguish a comprehensive ID solution that spans many customers and industries from one that simply sets up a default vendor monitor in a network operations center (NOC). There are a few ways to determine the sophistication of the provider’s solution. First, any MSSP worth its weight will have a dedicated operations center for security services, staffed with various levels of analysts and engineers who specialize in security. This is typically called a security operations center (SOC). This is key, because a realtime security monitoring function staffed with folks who are concentrating on network device uptime, rather than on system security, would be a disaster waiting to happen.

Once you’re certain that the MSSP has a dedicated SOC, available in realtime, you must establish how all the data from the customer base is handled. How does the provider communicate with the sensors? Is the data integrated across the customer base, or will your ID sensors be by themselves? Intrusion detection outsourcing is one of the few areas where it really pays to take advantage of folks you don’t know, namely the other customers! Wouldn’t you rather your MSSP is able to apply knowledge learned from another customer’s experience to your own security situation? This is true at least as long as the MSSP can take all incoming event data and integrate it across regions (obviously, globally is best), and across different vendors’ ID technologies using tools and automation, so realtime monitoring and analysis are preserved. When this integration is performed with pattern matching, event grouping, heuristics and tracking, this is generally referred to as “correlation.” Correlation of security events is a huge improvement over the older visual method of reviewing data on a console and provides a much more powerful solution to the customer.
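The correlation steps named above (pattern matching, event grouping, heuristics and tracking), as an added Python example that is not from the original paper and does not represent any MSSP's tooling. The two sensor export formats, customer names, category table and thresholds are assumptions constructed for illustration.

```python
"""Correlating IDS events across customers and sensor vendors (constructed data)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed events in two hypothetical export formats; neither is a real
# vendor's format. Customer names and addresses are placeholders.
VENDOR_A_LINES = [
    "2004-06-01T10:00:05|acme|203.0.113.7|192.0.2.10|HTTP_Dir_Traversal",
    "2004-06-01T10:03:40|acme|203.0.113.7|192.0.2.11|HTTP_Dir_Traversal",
    "2004-06-01T10:10:00|initech|198.51.100.77|192.0.2.50|FTP_Login_Failed",
    "2004-06-01T10:20:00|acme|198.51.100.9|192.0.2.10|ICMP_Echo_Sweep",
]
VENDOR_B_LINES = [
    'time=2004-06-01T10:06:12 cust=globex src=203.0.113.7 dst=192.0.2.200 '
    'sig="web directory traversal attempt"',
    'time=2004-06-01T12:30:00 cust=globex src=198.51.100.9 dst=192.0.2.201 '
    'sig="icmp ping sweep"',
]

# Pattern matching: map each vendor's signature wording to one shared category.
CATEGORY_PATTERNS = [
    (re.compile(r"traversal", re.I), "web-directory-traversal"),
    (re.compile(r"sweep", re.I), "recon-sweep"),
]
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Event:
    ts: datetime
    customer: str
    src: str
    dst: str
    category: str


def categorize(signature):
    for pattern, category in CATEGORY_PATTERNS:
        if pattern.search(signature):
            return category
    return "uncategorized"


def parse_vendor_a(line):
    ts, customer, src, dst, sig = line.split("|")
    return Event(datetime.fromisoformat(ts), customer, src, dst, categorize(sig))


def parse_vendor_b(line):
    f = {key: value.strip('"') for key, value in KEY_VALUE.findall(line)}
    return Event(datetime.fromisoformat(f["time"]), f["cust"], f["src"],
                 f["dst"], categorize(f["sig"]))


def correlate(events, window=timedelta(minutes=15), min_customers=2):
    """Group events by (source, category) and flag a group once one source has
    hit at least `min_customers` customers inside a sliding time window."""
    all_customers = {e.customer for e in events}
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):      # event grouping
        groups[(ev.src, ev.category)].append(ev)

    incidents = []
    for (src, category), evs in groups.items():
        start = 0
        for end in range(len(evs)):                     # tracking over time
            while evs[end].ts - evs[start].ts > window:
                start += 1
            in_window = evs[start:end + 1]
            hit = {e.customer for e in in_window}
            if len(hit) >= min_customers:               # heuristic
                incidents.append({
                    "src": src,
                    "category": category,
                    "customers_hit": sorted(hit),
                    # Customers that have not seen this source yet and can be
                    # warned on the strength of the other customers' events.
                    "customers_to_warn": sorted(all_customers - hit),
                    "events": len(in_window),
                    "first_seen": in_window[0].ts.isoformat(),
                })
                break
    return incidents


def run_demo():
    events = [parse_vendor_a(line) for line in VENDOR_A_LINES]
    events += [parse_vendor_b(line) for line in VENDOR_B_LINES]
    return correlate(events)


if __name__ == "__main__":
    for incident in run_demo():
        print(incident)
```

Neither customer's sensor alone sees more than one customer's worth of activity from 203.0.113.7; only the merged, normalized stream shows the same source working across the customer base.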

Highlights:

• An MSSP should have a security operations center (SOC) staffed with various levels of analysts and engineers who specialize in security.

• When intrusion detection data integration is performed with pattern matching, event grouping, heuristics and tracking, it is generally referred to as “correlation.”


Vulnerability scanning/penetration testing/ethical hacking

The MSSP should provide scanning assessment services for the customer: audits for open ports, the services available on those ports, vulnerabilities based on configuration error or old software levels, and even attacks such as buffer overflows and denial of service tests. There are a few different ways to accomplish this with varying degrees of intensity. Let’s look at vulnerability scanning first. Vulnerability scanning usually means scheduled, automated, tools-based audits on a system or entire network (these tools can discover hosts by using reconnaissance techniques that attackers might use). This can be done over the Internet (the external hacker’s view) or via a system located inside the company (the internal threat view). These automated, scheduled, tools-based scans are often very reasonably priced and a good way to verify that your systems are open to as little risk as possible and that vulnerabilities are not introduced into your environment. There are many tools an MSSP can use in a vulnerability scanning offering. Some MSSPs use commercially available tools (with default report generation); others use proprietary tools and automation with their own twist on reporting. Many MSSPs will demonstrate their vulnerability scanning service to you by offering a free scan and report.

But don’t stop there: find out if the service gives you access to real people who understand the detail and impact of the more complex vulnerabilities identified in the reports. Penetration testing takes this scanning further in that a human targets specific systems using various techniques, known backdoors, or even a standard user account on the system, simply to see how much damage could be done or information harvested by someone who really knows what he or she is doing. A penetration test will have a specific target and goal as part of the exercise.

Highlights:

• Vulnerability scanning usually includes scheduled, automated, tools-based audits on a system or entire network.

• With penetration testing of security, a human targets specific systems using various techniques, known backdoors or even a standard user account on a system.


An ethical hack is the most extreme form of security system (or network) assessment. Ethical hackers will approach a customer network, often blind. They use the same techniques an elite hacker would use (e.g., stealth, footprinting, packet manipulation, social engineering, enumeration) to gain access to your systems. In purchasing any of these services, verify that the MSSP understands your goals and requirements. For example, if your goal is to scare the life out of your executives so you get a bigger security budget, you may want an ethical hack. If you want weekly or monthly system/network scanning to help limit the number of exposures, you may only need a vulnerability scanning offering. MSSP scanning with IT remediation of vulnerabilities goes a long way toward due diligence and defense in depth.

Incident response and management

The MSSP should provide immediate and expert security incident response and management help to the customer in the event of an attack (e.g., denial of service, malicious code, compromised systems). There are two keys to purchasing this service from an MSSP: skill and size. The MSSP must have the skill and experience to respond to security incidents for any network type, operating system and hardware platform with an understanding of the applications that you use on those systems and why (your business goals). You must also consider where you may have an incident. Where are your offices? Are they located in other countries? If this is the case, you want an MSSP with global reach, including incident response employees who can speak and read the language in the area they are deployed. Finally, ensure that you are a priority to the MSSP. Should the next great worm hit the Internet and the MSSP get flooded with incident response requests, you don’t want to be in a bidding war for its attention.

Highlights:

• An ethical hacker will use techniques such as stealth, footprinting, packet manipulation, social engineering and enumeration to evaluate security.

• The MSSP must have the skill and experience to respond to security incidents for any network type, operating system and hardware platform.


Antivirus services

The MSSP should provide installation, configuration, administration, monitoring and notification services for the malicious code scanning and filtering technologies on the customer’s systems. In the past, malicious code services were only available as part of firewall or gateway offerings. This is because perimeter malicious code scanning is done on a system that receives all traffic from the firewall for the configured protocol (e.g., File Transfer Protocol [FTP], Hypertext Transfer Protocol [HTTP], Simple Mail Transfer Protocol [SMTP]) before sending the traffic on its way. This no longer has to be the case, as MSSPs have become more creative in their solutions, and software vendors have recognized the need to leverage security technologies off each other, allowing solutions that reach deeper into the customer enterprise.

In addition, the major antivirus software vendors have developed centralized consoles to control the antivirus client software. This software can force scans on the clients, push configurations and receive alert information when malicious code is detected. These technologies often plug very nicely into the MSSP’s own infrastructure, allowing the MSSP to provide end-to-end (gateway-server-desktop) malicious code solutions for the customer.

False positives are also a problem with virus scanners. This is because they use signature pattern matching. Every IT professional who has performed antivirus administration work knows firsthand that pushing out a virus signature update can lead to false detection in operating system or application files. The only way to reduce the risk of detecting and deleting (or quarantining) legitimate system and application files is to provide more exhaustive testing of new signatures specific to the customer’s standard desktop configurations. The MSSP can test images of the customer’s systems in a lab to provide this additional custom quality assurance without adding a tremendous amount of time to an overall push of an update.

Highlights:

• The MSSP you choose should provide installation, configuration, administration, monitoring and notification services for the malicious code scanning and filtering technologies on your systems.

• Antivirus client software can force scans on the clients, push configurations and receive alert information when malicious code is detected.

• False positives are a problem with virus scanners.


Policy enforcement services

The MSSP should provide consulting, management and administration of security policy enforcement and technology solutions for the customer. There is a wide variety of MSSP services that cover policy. They range from policy authoring and assessments to workshops to improve the company’s written security policies to the management of software components on the customer’s systems. All of these tools, policy, audit and vulnerability scanning technologies, combined with host-level intrusion detection, are designed to provide a comprehensive defense for virtually any system. In selecting a proper policy offering, verify that the MSSP has the skills to really help you and make best-practice recommendations.

Information and intelligence services

The MSSP should provide security information services for the customer. This can cover a variety of sources, from vendor alerts and notification of software or operating system (OS) patches to monitoring underground hacker activity and rogue or imposter Web sites. Some MSSPs offer these services through a Web portal; others use e-mail, phone and paging technology to deliver the information.

Data mining, or log file analysis, is another information service that will often show trends and patterns in large quantities of data collected over longer periods of time. For example, data mining of a month’s worth of your firewall logs can show both attacks that were never detected as well as the network usage of your customers or business partners (provided your firewall is set to log this activity). MSSPs bring tools, skills and automation to the table when providing these services. In fact, many MSSPs will deliver this information to the customer with any other service purchased (e.g., intrusion detection, vulnerability scanning). By providing this security-related information, the MSSP is able to have a better-informed customer base.
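An added example, not part of the original paper, showing how a month of firewall logs can reveal probing that a per-day alert threshold never flags, alongside the usage summary the paragraph mentions. The log layout, addresses and thresholds are constructed assumptions.

```python
"""Month-long firewall log mining versus a per-day threshold (constructed data)."""
from collections import defaultdict
from datetime import date, timedelta


def build_sample_log():
    """Constructed log, one line per connection: date,action,src,dst,dport,bytes.
    The column layout is an assumption made for this example."""
    lines = []
    for offset in range(30):
        day = (date(2004, 6, 1) + timedelta(days=offset)).isoformat()
        # Low-and-slow prober: two new ports a day, never noisy on any one day.
        for port in (1000 + 2 * offset, 1001 + 2 * offset):
            lines.append(f"{day},deny,203.0.113.50,192.0.2.10,{port},0")
        # Business partner using the HTTPS service every day.
        lines.append(f"{day},accept,192.0.2.200,192.0.2.10,443,1500")
    # One-day burst from a single source: same port, eight denies.
    lines += ["2004-06-14,deny,198.51.100.20,192.0.2.10,25,0"] * 8
    return lines


def parse(lines):
    records = []
    for line in lines:
        day, action, src, dst, dport, nbytes = line.strip().split(",")
        records.append({"day": date.fromisoformat(day), "action": action,
                        "src": src, "dst": dst,
                        "dport": int(dport), "bytes": int(nbytes)})
    return records


def daily_threshold_hits(records, per_day=10):
    """Sources a simple realtime rule (N denies in one day) would report."""
    counts = defaultdict(int)
    for r in records:
        if r["action"] == "deny":
            counts[(r["src"], r["day"])] += 1
    return sorted({src for (src, _), n in counts.items() if n >= per_day})


def slow_scanners(records, min_ports=20, min_days=7):
    """Sources denied on many distinct (host, port) pairs spread over many days."""
    targets, days = defaultdict(set), defaultdict(set)
    for r in records:
        if r["action"] == "deny":
            targets[r["src"]].add((r["dst"], r["dport"]))
            days[r["src"]].add(r["day"])
    return sorted(src for src in targets
                  if len(targets[src]) >= min_ports and len(days[src]) >= min_days)


def accepted_bytes_by_source(records):
    """Usage view: bytes of permitted traffic per source over the whole period."""
    usage = defaultdict(int)
    for r in records:
        if r["action"] == "accept":
            usage[r["src"]] += r["bytes"]
    return dict(usage)


def run_demo():
    records = parse(build_sample_log())
    return (daily_threshold_hits(records),
            slow_scanners(records),
            accepted_bytes_by_source(records))


if __name__ == "__main__":
    realtime, monthly, usage = run_demo()
    print("flagged by per-day threshold:", realtime)
    print("flagged by month-long analysis:", monthly)
    print("accepted bytes by source:", usage)
```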

Highlights:

• Policy enforcement services range from policy authoring and assessments to workshops to improve the company’s written security policies to the management of software components on the customer’s systems.

• Data mining, or log file analysis, will often show trends and patterns in large quantities of data collected over longer periods of time.


IBM recognizes the importance of information in its managed security services offerings. Many technologies and solutions attempt to transform data into information. All too often, interfaces, reports and even conversations center around data, not real information. What good does it do to pay for these products if all you end up with is more data? In terms of a person’s ability to interpret and comprehend, too much data can be just as damaging as too little. Managed security services from IBM utilizes correlation, trending and expert analysis to transform data into useful information for our clients.

While on the surface it may not seem like a large task for someone inside a company to perform, information gathering and analysis is the type of activity that can quickly be forgotten when other tasks, projects or responsibilities arise. For this reason, as well as the quality of the analysis and best-practice methodologies, information services should be a strong candidate to outsource to IBM.

MSSP selection

Managed security services can be obtained from a variety of sources. Many product companies have started MSSP groups that specialize in their specific product suite. Internet service providers (ISPs) usually offer some security services, though what they offer is usually directly related to whatever other products or services are also being provided. For example, an ISP providing bandwidth or multiple network connections may also offer firewall management services for those networks. Finally, some MSSPs are service-oriented organizations that operate on a best-of-breed technology basis. They will have experience supporting multiple products or software vendor technologies.

Highlights:

• Managed security services from IBM utilizes correlation, trending and expert analysis to transform data into useful information for our clients.

• Some MSSPs are service-oriented organizations that operate on a best-of-breed technology basis.


There are several factors that can point a company in the direction of an MSSP. Evaluate how well threats have been dealt with in the past. Does your internal security management staff work on a reactive basis? Can you claim to have defense-in-depth solutions working to mitigate your risks and lower your overall annual loss expectancy? If you don’t have a security report that contains event statistics, suspicious traffic, vulnerability listings, analysis and recommendations, then outsourcing security is something you should think about.

There are many benefits to outsourcing security services. The most important factors for customers seem to be the skills and technology available through the vendor and the reduced cost over doing it themselves. It should be noted at this point that not everything is for sale as a standalone product. Many MSSPs have built the technology and infrastructure they utilize to deliver service in such a way that they can do advanced trending, data mining and correlation. An elite MSSP will service a large enough customer base to have a global, cross-industry view. This is extremely powerful and something the average company cannot accomplish itself.

There are also management-level motivations to outsource security. With an MSSP, companies can experience lower overall cost, including lower annual loss expectancy, and lower overall risk (risk mitigation, improved security, defense in depth). Customers can avoid capital expense by having the provider own the security devices. Many companies have a hard time training and retaining security skill in-house. An elite provider’s team of analysts and engineers will be much larger than the group a customer would need to maintain. There are fewer than 12,000 Global Information Assurance Certification (GIAC)- or Certified Information Systems Security Professional (CISSP)-certified professionals available in the global market. These folks are expensive and in demand. In contrast there are nearly 220,000 Microsoft® Certified Professionals available. An MSSP can relieve the company of the burden to recruit, train, compensate and retain the right people.

Highlights:

• An elite MSSP will service a large enough customer base to have a global, cross-industry view.

• An MSSP can relieve your company of the burden to recruit, train, compensate and retain the right people.


The MSSP can also provide access to technology that is not available in a shrink-wrapped package. The scale at which elite security providers operate will make it necessary for them to improve technology and infrastructure far beyond the scope of even enterprise level deployments. At this service provider level of execution, there are efficiencies that can be passed on to the customer as well as a much larger and more comprehensive view.

Another potential benefit of working with an MSSP is a shortened implementation time. There is often significant pressure on IT staff to design and implement new IT services to support business goals. An MSSP often can implement security around these initiatives in a shorter amount of time.

Many MSSPs have Service Level Agreements or Objectives (SLAs/SLOs) with their customers. These agreements typically go beyond standard contract language to guarantee the MSSP’s response time and quality. SLAs/SLOs, if nothing else, are an act of good faith and show of confidence on the part of the MSSP. Here are some examples of the kinds of commitments that may be included in an SLA:

• All standard firewall change requests will be evaluated and completed in 48 hours; all emergency requests will be responded to within 2 hours

• All intrusion detection signature updates will be tested, applied and tuned to the customer’s environment within 72 hours of their release from the vendor, unless authorization is obtained from the customer for a longer testing period

• All security reports will be posted to the Web portal for customer retrieval no later than noon for daily reports, Monday for weekly reports and by the 15th of the month for monthly reports

• All incident response customers, when declaring emergencies, will receive a phone call from an incident management professional within 15 minutes and onsite assistance within 4 hours

• When the security operations center receives traffic patterns and signature events indicating high-risk activity, it will analyze and begin the customer callout procedure within 10 minutes.

Highlights:

• An MSSP often can implement security around business initiatives in a shorter amount of time than internal IT staff can.

• Service Level Agreements or Objectives (SLAs/SLOs) typically go beyond standard contract language to guarantee the MSSP’s response time and quality.

Outsourcing can vary in its scope and mission. Options range from comprehensive outsourcing of the entire security solution to contracting specific functions. The first step in the outsourcing process is to determine the specific solutions for which you need the assistance of your security partner. Again, the goal is to have in place multiple layers of security to mitigate risk and deter attackers (please see Appendix A for an illustration of IBM’s in-depth approach to information security). Once you’ve identified where you need help (or have at least identified solutions that you’re curious about), you must think about the guidelines, frequency, length of contract and budget you have to spend on the outsourcing. Also, compile information on your network architecture and business that will be critical for the provider to understand how best to help you.

Once these items are known and documented, it is time to identify your partner. Security companies in the marketplace differ greatly in their skills, technology, infrastructure and business operations. Ask for proposals from different providers and compare their services, portfolios, backgrounds and pricing. Meet with your short list of MSSP candidates, ask them questions and find out how they do business.

Highlights:

• The goal is to have in place multiple layers of security to mitigate risk and deter attackers.


Why IBM Business Continuity and Recovery Services - managed security services?

Managed security services from IBM can help you to identify and solve your realtime security risks using best-of-breed technologies, a comprehensive infrastructure and proven security methodologies. We work with our clients to plan, design, construct and operate a security-rich environment, providing a comprehensive security plan that can evolve in step with business goals.

Whether our clients are looking for protection from attackers, malicious software (malware) or even user mistakes, managed security services from IBM can provide broad, yet cost-effective, solutions to help safeguard their businesses. We offer deep experience and a proven track record of successful engagements.

IBM security specialists have experience gained from working in the intelligence agencies of the U.S. government, as well as from performing security functions in many different industries. IBM security professionals carry a wide array of industry-recognized professional certifications and advanced degrees. IBM has extensive skills in computer forensics and in all of the areas listed in ISO 17799.

We have expertise deploying and managing current security technologies from a wide variety of vendors, and we utilize IBM’s proprietary tools as well as IBM Research to enhance our capabilities and offer our clients one of the most comprehensive security portfolios available.

Highlights:

• Managed security services from IBM can help you identify and solve your realtime security risks using best-of-breed technologies, a comprehensive infrastructure and proven security methodologies.

• IBM security professionals carry a wide array of industry-recognized professional certifications and advanced degrees.


IBM value

Flexibility of offerings to meet a wide range of client requirements—IBM offers all of the core services discussed in this white paper and has many service levels and options within each service. IBM has options for clients around asset deployment, ownership of capital and licensing. This allows us to meet client needs and requirements, as well as target prices, while providing some of the best security outsourcing possible. Your choice of technology and who owns an asset should not interfere with your system security.

A comprehensive security portfolio—IBM offers incident management, firewall management, monitoring and log analysis, intrusion detection and management, antivirus and content management, vulnerability scanning and assessments, policy and threat analysis, as well as advisory and information services.

High level of data correlation and in-depth analysis of suspicious activity—Managed security services from IBM runs on a comprehensive infrastructure of both commercial and proprietary tools. Assets such as IBM Tivoli® software and IBM Research allow us to create infrastructure best suited to deliver security solutions. We offer both realtime and post-event correlation and trending. Because of this, our services tend to leverage each other, and when purchased together, raise the overall value exponentially. For example, a client of both IBM intrusion detection and vulnerability scanning offerings experiences the added benefit of cross-service correlation. The IBM security operations center will know if a given client system is vulnerable to the exploit that the intrusion detection sensor is detecting in realtime. This has clear advantages for prioritizing which vulnerabilities need to be closed promptly, as well as for increased validity of event escalations.
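The cross-service correlation described above can be sketched as follows. This is an added example, not IBM's tooling or code from the white paper; the record fields, host addresses and `VULN-EXAMPLE-*` identifiers are constructed placeholders, and the sketch assumes each IDS signature can be mapped to a scanner finding identifier.

```python
from collections import defaultdict

# Constructed sample data; identifiers are placeholders, not real advisories.
SCAN_FINDINGS = [
    {"host": "10.0.0.5", "vuln_id": "VULN-EXAMPLE-0001", "status": "open"},
    {"host": "10.0.0.5", "vuln_id": "VULN-EXAMPLE-0002", "status": "fixed"},
    {"host": "10.0.0.7", "vuln_id": "VULN-EXAMPLE-0002", "status": "open"},
]
IDS_ALERTS = [
    {"id": 1, "dst": "10.0.0.5", "vuln_id": "VULN-EXAMPLE-0001"},
    {"id": 2, "dst": "10.0.0.5", "vuln_id": "VULN-EXAMPLE-0002"},
    {"id": 3, "dst": "10.0.0.9", "vuln_id": "VULN-EXAMPLE-0001"},
    {"id": 4, "dst": "10.0.0.7", "vuln_id": None},  # signature with no mapping
]

def index_findings(findings):
    """Map each scanned host to the set of vulnerability ids still open on it."""
    open_by_host = defaultdict(set)
    for f in findings:
        host_set = open_by_host[f["host"]]  # registers the host as scanned
        if f["status"] == "open":
            host_set.add(f["vuln_id"])
    return open_by_host

def correlate(alerts, findings):
    """Label each alert id as escalate, deprioritize or unverified."""
    open_by_host = index_findings(findings)
    results = {}
    for a in alerts:
        if a["vuln_id"] is None or a["dst"] not in open_by_host:
            # No signature mapping, or host never scanned: cannot rule in or out.
            results[a["id"]] = "unverified"
        elif a["vuln_id"] in open_by_host[a["dst"]]:
            results[a["id"]] = "escalate"      # target is known to be vulnerable
        else:
            results[a["id"]] = "deprioritize"  # scanned, finding not open
    return results

def patch_queue(alerts, findings):
    """Open findings that are being actively targeted, to close first."""
    open_by_host = index_findings(findings)
    return sorted({(a["dst"], a["vuln_id"]) for a in alerts
                   if a["vuln_id"] in open_by_host.get(a["dst"], ())})

if __name__ == "__main__":
    print(correlate(IDS_ALERTS, SCAN_FINDINGS))
    print(patch_queue(IDS_ALERTS, SCAN_FINDINGS))
```

Alerts against hosts with no scan data are kept as "unverified" rather than dropped, since absence of a finding is only meaningful for hosts the scanner actually covered.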

IBM provides clients with a flexible, comprehensive security portfolio that offers a high level of data correlation and analysis.


Client-configurable options—Managed security services from IBM recognizes the extreme value of allowing clients to tailor service elements to their IT environments. For example, our information services allow clients to maintain e-mail lists for security advisories and pager notifications specific to operating system, application or notification type categories. This verifies that only information relevant to a given client contact is sent. Of course, if some clients want to see all information across all categories, that is available as well.

Account manager assigned to assist with client satisfaction and project management—Service quality is as important to IBM services as it is to IBM hardware or shrink-wrapped products. IBM Account Managers provide clients with a point of contact, in addition to our security operations center and help desks, that can assist with anything from information inquiries to contract assistance.

Availability of skilled IBM resources for incident management—Helping our subscribers manage attacker or malware response is a key component of what managed security services from IBM has to offer. This activity can be a virus attack, an internal or external hack attack, a denial-of-service or Web page vandalism. Managed security services from IBM will respond 24x7x365 via our Computer Emergency Response Team, which will assist you in handling your incident. This involves technical phone consultation and often onsite coverage, working with your technical staff to assist and resolve the incident.

The security team that IBM entrusts with its own systems—The same teams that deliver managed security services from IBM to clients also execute security for IBM.

You will have access to client-configurable options, skilled IBM resources for incident management and an assigned account manager.


Strong vendor partnerships and support, and offering certifications—Managed security services from IBM has very strong vendor relationships. The offering portfolio holds certifications for firewall management and intrusion detection from both Check Point Software Technologies and Cisco Systems. IBM works closely with all of its technology partners on product roadmaps, support, new features and enhancements.

Robust data and information reporting in an online environment—IBM provides clients with usable information and real analysis. We are not an MSSP that sees value as throwing more data at our clients; however, raw data is available to clients, generally in comma-separated values (CSV) format. We try very hard to meet client reporting requirements and implement client suggestions. Our reporting capability includes a short-term trending graphical security console as well as daily IT threat radar reports (please see Appendix B for sample screen shots).

For more information

To learn more about IBM Business Continuity and Recovery Services - managed security services, contact your IBM sales representative, or visit:

ibm.com/services

IBM provides strong vendor partnerships, support and offering certifications, along with robust data and information reporting in an online environment.


Appendix A

IBM managed security services: Information security defense in depth illustration

[Figure: defense in depth illustration. Labels: Firewall management, monitoring and log analysis; Information and threat analysis; Vulnerability scanning and assessments; Intrusion detection and management; Policy workshops education; Malicious code and content management; Incident management and response; Reporting; Monitoring; Correlation; Escalation; Scheduled; Realtime.]

Appendix B

Sample reporting screenshots

Summary test results

| Category | Description | Finding |
| --- | --- | --- |
| Was target penetrated? | The finding denotes whether the analyst was able to successfully bypass any of the protections of the system. Penetration may be complete (i.e. anywhere on the system) or only partial (i.e. in certain unauthorized areas). | Yes |
| Was confidential information obtained? | This finding denotes whether the analyst uncovered any information that could lead directly to the compromise of a system on the customer network or that has been previously identified as confidential by the customer. | Yes |
| Was administrative authority obtained? | This finding denotes whether the analyst was able to gain administrative access to the target(s). | No |
| Was unauthorized remote access obtained? | This finding denotes whether the analyst was able to gain any form of unauthorized access from a remote networked location. | Yes |


© Copyright IBM Corporation 2004

IBM Global Services
Route 100
Somers, NY 10589
U.S.A.

Printed in the United States of America
06-04
All Rights Reserved

The e(logo), the e(logo) business on demand lock-up, IBM, the IBM logo and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products or available in all countries in which IBM operates.

G510-3777-00