13 posts in the 'COMPUTER' category

  1. 2009.04.22 What Oracle Sees in Sun by CEOinIRVINE
  2. 2009.03.24 How E-Books Make (A Lot) Of Cents by CEOinIRVINE
  3. 2009.03.07 Early Glance: Computer companies by CEOinIRVINE
  4. 2008.12.27 Why Tech Can't Cure Medical Inflation by CEOinIRVINE
  5. 2008.12.12 Your World View Doesn't Compute by CEOinIRVINE
  6. 2008.12.09 China irks US with computer security review rules by CEOinIRVINE
  7. 2008.12.04 Security Job by CEOinIRVINE
  8. 2008.12.02 Early Glance: Computer companies by CEOinIRVINE
  9. 2008.11.29 Creating a Computer Security Incident Response Team: A Process for Getting Started by CEOinIRVINE
  10. 2008.11.22 Dell's Quarter Saved by Cost Cuts by CEOinIRVINE

What Oracle Sees in Sun

IT 2009. 4. 22. 13:08

Over the past 13 years, Sun Microsystems' Java language has become one of the computer industry's best known brands—and underappreciated assets.

The tension wasn't lost on Sun's new owner, Oracle (ORCL), which on Apr. 20 said it will purchase Silicon Valley pioneer Sun (JAVA) for $7.4 billion in cash. If Oracle has its way, Java will emerge not only as a strong revenue source but also a key component of plans to keep customers loyal for years to come.

During a conference call with analysts on Apr. 20, Oracle CEO Larry Ellison called Java "the single most important software asset we have ever acquired." It's a bold statement from a chief executive who has spent in excess of $40 billion to buy more than 50 software companies since 2005.

Powering PCs and Cell Phones

Ellison is willing to make that call because the Java programming language, widely used to write much of the world's business software, is a key ingredient in Oracle's recipe for ensuring the many products it has already acquired work smoothly together. Java also runs on 800 million PCs and 2.1 billion mobile phones. PC makers and cell-phone vendors, including Nokia (NOK), pay royalties to license the software. "When you look at those numbers, they're enormous," Citigroup (C) analyst Brent Thill says of Java's potential. "Oracle looks at this and says, 'This could be a $1 billion business.'" Yet Java supplied just $220 million of Sun's $13.9 billion in 2008 revenue. "Java is the most valuable brand in software that has no value," says Joshua Greenbaum, principal of industry analysis firm Enterprise Applications Consulting.

Oracle hopes to wring value from the deal in part by cutting costs to make Sun's hardware and software businesses profitable. Oracle also wants to sell Sun's Solaris operating system and servers in tandem with its market-leading database software. Citigroup's Thill estimates Oracle could cut between 40% and 70% of Sun's roughly 33,000 employees. Excluding restructuring costs, Oracle expects Sun to add $1.5 billion in profit during the first year after the acquisition closes this summer, and another $2 billion the following year. Oracle executives declined to say how many jobs would be eliminated.

Buying Sun gives Oracle access to popular software it can wield against its competitors. In addition to Java, Oracle gains Solaris, widely used in industries including telecom and finance. Oracle also picks up the MySQL database, which is available free under an open-source licensing arrangement, and could help Oracle check sales of Microsoft's SQL Server database to smaller companies. "Sun is not a well-managed company," says one industry executive familiar with its business. "But it does have assets that can become lethal weapons for the one owning them."

Little Hardware Experience

But to gain those assets, Oracle also has to take on a hardware business, something it has little experience running. Ellison will have to make a success of Sun's server business, which has been losing money. Oracle has made its own forays into the hardware business, striking a deal with Hewlett-Packard (HPQ) last year to produce servers designed to provide a performance boost to Oracle databases that run on them.

Posted by CEOinIRVINE

How E-Books Make (A Lot) Of Cents

Andrew Savikas, 03.23.09, 06:00 AM EDT

O'Reilly talks about the lessons learned by its foray into e-book publishing.

Many people, both inside and outside of the publishing and media industry, are skeptical about the potential of paid content on mobile phones, especially given the troubled history of e-books. I beg to differ. In December 2008, O'Reilly's "iPhone: The Missing Manual" was published as an iPhone app. Since its release, the app has outsold the printed book, which is a best seller in its own right. We're learning a lot from the experience. Here are some of the questions that we're starting to answer.

Was the iPhone app for the "Missing Manual" an anomaly? After all, iPhone owners are the most likely audience for the "Manual."

O'Reilly: Conventional wisdom suggests that when choosing pilot projects, you pick ones with a high likelihood of success. This was a best-selling author on a red-hot topic. We're gearing up to release about 20 more books as iPhone apps, but realistically we don't expect any of those to sell as well as this first one.

Is the iPhone the most convenient place to get content about problems you're trying to solve on a computer?

For many of our readers, a first or second pass through one of our programming books is mainly about orienting to the landscape and getting a sense of the platform and what's possible, not about solving a particular problem at hand. The iPhone is a perfectly suitable environment for that kind of reading.

Won't you make less money selling iPhone apps than books? The computer book market is the computer book market, period. It has a certain size, and that's it. If you convert that market into iPhone app buyers instead of book buyers, say good-bye to your publishing business.

It would be economically bad news to sell a $5 product to someone who would otherwise pay $50. But it's good to sell a $5 product to someone who would not otherwise be a customer (provided, of course, that the marginal revenue exceeds marginal cost). For Safari Books Online, for direct sales of our e-books and now for this (single) iPhone app, the data suggests that they have created growth without sacrificing print market share. For example, our market share for printed computer books sold at retail was 14% in 2004, and is now 16%. According to Nielsen Bookscan data, the print version of iPhone: The Missing Manual has sold nearly as many copies as the next two competing titles combined in the time period since the app version went on sale in December.

This data only goes back to mid-January, but the 90-, 30- and seven-day averages on Amazon sales rank for the printed book have been steadily improving, suggesting that sales of the iPhone app version are not cannibalizing print sales--and may even be helping them.


Early Glance: Computer companies

Shares of some top computer companies are mixed at 10 a.m.:

Apple (Nasdaq: AAPL) Inc fell $1.90 or 2.1 percent, to $86.94.

Dell (Nasdaq: DELL) Inc rose $.14 or 1.7 percent, to $8.53.

Hewlett Packard (NYSE: HPQ) fell $.36 or 1.3 percent, to $26.72.

IBM (NYSE: IBM) fell $.77 or .9 percent, to $86.71.

Lexmark rose $.10 or .6 percent, to $15.90.

Copyright 2009 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.


Why Tech Can't Cure Medical Inflation

Lee Gomes, 12.18.08, 06:00 PM EST
Forbes Magazine dated January 12, 2009

Computers in medicine aren't a cure. They might even make the system sicker.

Whenever President-elect Obama is asked how he'll pay for his ambitious health care reform plans, he invariably talks about the $80 billion in annual savings he'll get from bringing computerized recordkeeping to doctors' offices and hospitals.

If only that were true. While there are benefits that might be had from using computers more widely in medicine, doing so won't save us any money and, in fact, will likely make things more expensive. There's even a chance that the quality of care might get worse along the way.

That's probably counterintuitive to anyone contemplating the wall of file drawers in a typical doctor's office. Medicine clearly has yet to join the rest of the world in going digital; no wonder, the thought goes, that U.S. health care is so expensive.

But while paper records certainly have their inconveniences--filling out your thousandth questionnaire, say--they play a very minor role in galloping health care inflation.

Instead, the heart of the problem is the U.S. fee-for-service system, in which doctors get paid to do things to people. The more technical and invasive the procedure, the more money they make. Doctors have responded in the expected Pavlovian manner, collectively shifting away from basic primary care toward expensive specializations that run up costs without necessarily improving medical outcomes.

As any chief information officer can tell you, adding computers to this sort of inefficient process only makes the inefficiency happen more quickly.

Much of what doctors or policymakers know about technology comes from vendors, who are busy guilt-tripping the medical sector about being slow to get with it. But more quietly, health care economists have been studying the actual impact of these systems. Their findings should disturb those who look to information technology for an easy fix.

Your World View Doesn't Compute

Since computers are, if nothing else, starkly logical, for as long as they have been around, there have been people who have hoped that the machines might serve as an example to their human overlords, helping to make certain human affairs--politics, say--a little more logical too.

One of them is Scott Aaronson, a computer scientist at M.I.T. with an idea for a program designed to help people appreciate that the logical path they have just traveled in a political or other discussion might not have been entirely straight and narrow.

Despite being just 27 years old and in only the second year of his professorship, Aaronson is widely known in his field, quantum computing.

Quantum computers work in ways utterly different from conventional ones, and can do some tasks--breaking widely used public-key encryption, say--unimaginably quickly. So far, only small-scale, prototype quantum computers have been built, and it's not yet clear whether one big enough to be useful will ever be technically possible.

Aaronson's work involves quantum software, meaning, as members of his field like to say, that he spends his time thinking about programs for machines that might never get built.

One of his side projects, though, is a work-in-progress political program called the Worldview Manager. It has nothing to do with quantum machines or, indeed, with advanced computing of any sort. In fact, it's so simple and straightforward an idea that you could write it with macros in Excel.

The goal of Worldview Manager, explains Aaronson, is to help people appreciate the inconsistencies and contradictions that might crop up in their social and political beliefs.

China irks US with computer security review rules

The Chinese government is stirring trade tensions with Washington with a plan to require foreign computer security technology to be submitted for government approval, in a move that might require suppliers to disclose business secrets.

Rules due to take effect May 1 require official certification of technology widely used to keep e-mail and company data networks secure. Beijing has yet to say how many secrets companies must disclose about such sensitive matters as how data-encryption systems work. But Washington complains the requirement might hinder imports in a market dominated by U.S. companies, and is pressing Beijing to scrap it.

"There are still opportunities to defuse this, but it is getting down to the wire," said Duncan Clark, managing director of BDA China Ltd., a Beijing technology consulting firm. "It affects trade. It's potentially really wide-scale."

Beijing tried earlier to force foreign companies to reveal how encryption systems work and has promoted its own standards for mobile phones and wireless encryption.

Those attempts and the new demand reflect Beijing's unease about letting the public keep secrets, and the government's efforts to use its regulatory system to help fledgling Chinese high-tech companies compete with global high-tech rivals. Yin Changlai, the head of a Chinese business group sanctioned by the government, has acknowledged that the rules are meant to help develop China's infant computer security industry by shielding companies from foreign rivals that he said control 70 percent of the market.

The computer security rules cover 13 types of hardware and software, including database and network security systems, secure routers, data backup and recovery systems and anti-spam and anti-hacking software. Such technology is enmeshed in products sold by Microsoft Corp. (Nasdaq: MSFT), Cisco Systems Inc. (Nasdaq: CSCO) and other industry giants.

Giving regulators the power to reject foreign technologies could help to promote sales of Chinese alternatives. But that might disrupt foreign manufacturing, research or data processing in China if companies have to switch technologies or move operations to other countries to avoid the controls. Requiring disclosure of technical details also might help Beijing read encrypted e-mail or create competing products.

Security Job

Hacking 2008. 12. 4. 12:41

Penetration Testing: UK permanent IT job market statistics (3 months to 3 December 2008, compared with the same 3-month period last year)

                                                 3 months to     Same period
                                                 3 Dec 2008      last year
Rank                                             544             658
Rank change on same period last year             Up +114
Matching permanent IT job ads                    331             333
As % of all UK permanent IT job ads sampled      0.222 %         0.151 %
As % of the Processes & Methodologies category   0.378 %         0.273 %
Salaries quoted                                  260             245
Average minimum salary                           £49,504         £47,462
Average salary                                   £55,087         £53,437
% change on same period last year                +3.08 %
Average maximum salary                           £60,670         £59,412
UK excluding London average salary               £53,532         £52,738
% change on same period last year                +1.50 %

Processes & Methodologies category (UK), for comparison

                                                 3 months to     Same period
                                                 3 Dec 2008      last year
Matching permanent IT job ads                    87580           122189
As % of all UK permanent IT job ads sampled      58.83 %         55.45 %
Salaries quoted                                  73512           98005
Average minimum salary                           £42,973         £44,478
Average salary                                   £46,983         £48,593
% change on same period last year                -3.31 %
Average maximum salary                           £50,994         £52,707
UK excluding London average salary               £42,938         £44,651
% change on same period last year                -3.83 %

Penetration Testing Demand Trend

(Chart not reproduced.) The chart provides the 3-month moving total, beginning in 2004, of permanent IT jobs citing Penetration Testing within the UK as a proportion of the total demand within the Processes & Methodologies category.

Penetration Testing Salary Trend

(Chart not reproduced.) The chart provides the 3-month moving average for salaries quoted in permanent IT jobs citing Penetration Testing within the UK.

Penetration Testing Salary Histogram

(Chart not reproduced.) The chart provides a salary histogram for IT jobs citing Penetration Testing over the 3 months to 3 December 2008 within the UK.

Penetration Testing Top 30 Job Locations

The table below looks at the demand and provides a guide to the average salaries quoted in IT jobs citing Penetration Testing within the UK over the 3 months to 3 December 2008. The 'Rank Change' column provides an indication of the change in demand within each location based on the same 3-month period last year. A positive number indicates a relative increase in demand.

Columns, left to right: Location | Rank change on same period last year | Matching permanent IT job ads | Average salary (last 3 months) | Average salary % change on same period last year
England Up+137 312 £55,205 +7.46 %
South East Up+122 98 £58,093 +17.60 %
London Up+79 94 £58,864 +8.30 %
West Sussex New entry- 41 £66,220 -
Gatwick New entry- 41 £66,220 -
North West Up+28 31 £43,542 -10.44 %
Manchester Up+17 28 £43,571 -9.15 %
South West Up+18 24 £47,250 -24.40 %
Yorkshire Up+41 23 £42,900 +7.79 %
West Yorkshire Up+22 21 £42,375 +6.47 %
Berkshire Up+56 18 £51,885 -20.48 %
City of London Down-12 17 £57,917 +27.16 %
West Midlands Up+18 15 £48,889 +33.94 %
East of England Up+46 14 £51,727 +18.00 %
Hampshire Up+26 14 £43,846 +3.77 %
Somerset Down-24 13 - -
Bath Down-26 13 - -
Leeds Up+20 11 £41,667 +4.69 %
Surrey Up+44 9 £50,056 +2.85 %
Hammersmith New entry- 8 £37,500 -
Staffordshire Up+9 7 £48,333 -
Worcestershire New entry- 5 - -
Cambridge Up+15 5 £45,000 +23.71 %
Canary Wharf New entry- 5 £69,000 -
Essex New entry- 5 £61,000 -
Cambridgeshire Up+26 5 £45,000 +23.71 %
Hertfordshire Up+15 4 £43,000 -26.80 %
Reading Up+6 4 £46,250 -33.24 %
Cheltenham New entry- 4 £45,000 -
Watford New entry- 4 £43,000 -

Penetration Testing
Top 30 Related IT Skills

For the 6 months to 3 December 2008, IT jobs within the UK citing Penetration Testing also mentioned the following IT skills in order of popularity. The figures indicate the number of jobs and their proportion against the total number of IT job ads sampled that cited Penetration Testing.

1 212 (29.65 %) Information Security
2 210 (29.37 %) CISSP
3 183 (25.59 %) Network Security
4 174 (24.34 %) Firewall
5 129 (18.04 %) Finance
6 124 (17.34 %) Security Testing
7 113 (15.80 %) Degree
8 101 (14.13 %) Cisco
9 99 (13.85 %) UNIX
10 90 (12.59 %) TCP/IP
11 88 (12.31 %) ISO27001
12 86 (12.03 %) PCI DSS
13 85 (11.89 %) Security Cleared
14 81 (11.33 %) Windows
15 76 (10.63 %) Risk Assessment
16 72 (10.07 %) Linux
17 71 (9.930 %) Microsoft
17 71 (9.930 %) Government
18 66 (9.231 %) Security Management
18 66 (9.231 %) Internet
19 65 (9.091 %) Ethical Hacking
20 64 (8.951 %) SC Cleared
21 62 (8.671 %) Perl
22 61 (8.531 %) Risk Management
23 60 (8.392 %) Java
24 59 (8.252 %) VPN
25 54 (7.552 %) Cisco Certification
26 51 (7.133 %) CheckPoint
26 51 (7.133 %) Telecoms
27 49 (6.853 %) CISM

Penetration Testing
Top Related IT Skills by Category

For the 6 months to 3 December 2008, IT jobs within the UK citing Penetration Testing also mentioned the following IT skills grouped by category. The figures indicate the number of jobs and their proportion against the total number of IT job ads sampled that cited Penetration Testing. Up to 20 skills are shown per category.

Application Development
1 34 (4.755 %) .NET
2 20 (2.797 %) CSS
2 20 (2.797 %) Ruby on Rails
3 16 (2.238 %) ASP.NET
4 12 (1.678 %) WebServices
5 7 (0.979 %) XML
6 6 (0.839 %) JSP
7 5 (0.699 %) WebSphere
8 4 (0.559 %) Java ME
8 4 (0.559 %) AJAX
9 3 (0.420 %) Spring
9 3 (0.420 %) SOAP
9 3 (0.420 %) Struts
9 3 (0.420 %) J2EE
9 3 (0.420 %) ASP
10 2 (0.280 %) HTML
10 2 (0.280 %) Java SE
10 2 (0.280 %) FIX Protocol
10 2 (0.280 %) CGI
10 2 (0.280 %) LAMP
Application Platforms
1 7 (0.979 %) IIS
2 4 (0.559 %) MS Exchange
2 4 (0.559 %) WebLogic
3 3 (0.420 %) Apache
3 3 (0.420 %) SharePoint
4 1 (0.140 %) ColdFusion
4 1 (0.140 %) Exchange Server 2003
Applications
1 17 (2.378 %) MS Excel
2 15 (2.098 %) MS Office
Communications & Networking
1 183 (25.59 %) Network Security
2 174 (24.34 %) Firewall
3 90 (12.59 %) TCP/IP
4 66 (9.231 %) Internet
5 59 (8.252 %) VPN
6 44 (6.154 %) Intrusion Detection
7 40 (5.594 %) LAN
8 33 (4.615 %) Wireless
9 32 (4.476 %) VoIP
10 31 (4.336 %) WAN
11 27 (3.776 %) Cisco PIX
12 23 (3.217 %) NetScreen
13 18 (2.517 %) LDAP
14 17 (2.378 %) H.323
14 17 (2.378 %) Cisco IOS
15 16 (2.238 %) IPsec
15 16 (2.238 %) SSL
15 16 (2.238 %) WLAN
16 15 (2.098 %) HTTP
17 12 (1.678 %) FTP
Database & Business Intelligence
1 49 (6.853 %) GIS
2 36 (5.035 %) SQL Server
3 20 (2.797 %) MySQL
4 15 (2.098 %) DB2
5 11 (1.538 %) Oracle 8/8i
Development Applications
1 17 (2.378 %) Paros
1 17 (2.378 %) Metasploit
2 5 (0.699 %) AppScan
3 3 (0.420 %) LoadRunner
4 2 (0.280 %) Rational Robot
4 2 (0.280 %) JMeter
4 2 (0.280 %) QuickTest Pro
4 2 (0.280 %) SilkTest
4 2 (0.280 %) QARun
4 2 (0.280 %) WATIR
4 2 (0.280 %) Selenium
4 2 (0.280 %) WebLOAD
4 2 (0.280 %) FitNesse
General
1 129 (18.04 %) Finance
2 71 (9.930 %) Government
3 51 (7.133 %) Telecoms
4 49 (6.853 %) Banking
5 44 (6.154 %) Auditing
6 31 (4.336 %) Financial Institution
7 25 (3.497 %) Insurance
8 20 (2.797 %) FMCG
9 17 (2.378 %) Health
10 13 (1.818 %) Education
10 13 (1.818 %) Investment Banking
10 13 (1.818 %) Pensions
11 9 (1.259 %) Legal
12 7 (0.979 %) Home Office
12 7 (0.979 %) International Banking
13 6 (0.839 %) Online Betting
13 6 (0.839 %) Games
14 4 (0.559 %) Retail
15 3 (0.420 %) Military
16 2 (0.280 %) Publishing
Job Titles
1 214 (29.93 %) Consultant
2 134 (18.74 %) Tester
3 129 (18.04 %) Penetration Tester
4 95 (13.29 %) Security Manager
5 90 (12.59 %) Security Consultant
6 76 (10.63 %) Analyst
7 70 (9.790 %) Security Analyst
8 39 (5.455 %) IT Security Manager
9 36 (5.035 %) Security Specialist
10 29 (4.056 %) Senior Consultant
11 26 (3.636 %) Security Engineer
12 24 (3.357 %) Team Leader
13 22 (3.077 %) Information Manager
14 21 (2.937 %) Test Consultant
14 21 (2.937 %) Developer
15 20 (2.797 %) Operations Analyst
15 20 (2.797 %) Internet Developer
16 18 (2.517 %) Senior Analyst
16 18 (2.517 %) Applications Tester
17 15 (2.098 %) Senior Security Analyst
Miscellaneous
1 45 (6.294 %) Computer Science
2 35 (4.895 %) CESG
3 24 (3.357 %) Management Information System
4 20 (2.797 %) PKI
5 19 (2.657 %) Biometrics
6 18 (2.517 %) Data Protection Act
7 16 (2.238 %) Cryptography
8 12 (1.678 %) Mainframe
9 10 (1.399 %) Client/Server
10 8 (1.119 %) CESG CLAS
11 6 (0.839 %) French Language
12 3 (0.420 %) German Language
13 2 (0.280 %) Italian Language
13 2 (0.280 %) Russian Language
13 2 (0.280 %) Spanish Language
13 2 (0.280 %) IBM Mainframe
13 2 (0.280 %) iSeries
13 2 (0.280 %) SecurID
14 1 (0.140 %) Clustering
14 1 (0.140 %) N-Tier
Operating Systems
1 99 (13.85 %) UNIX
2 81 (11.33 %) Windows
3 72 (10.07 %) Linux
4 26 (3.636 %) Solaris
5 9 (1.259 %) Windows Server 2003
6 4 (0.559 %) Windows XP
6 4 (0.559 %) AIX
7 3 (0.420 %) HPUX
8 1 (0.140 %) Windows 2000
8 1 (0.140 %) Windows NT
8 1 (0.140 %) Windows Server 2008
Processes & Methodologies
1 212 (29.65 %) Information Security
2 124 (17.34 %) Security Testing
3 85 (11.89 %) Security Cleared
4 76 (10.63 %) Risk Assessment
5 66 (9.231 %) Security Management
6 65 (9.091 %) Ethical Hacking
7 64 (8.951 %) SC Cleared
8 61 (8.531 %) Risk Management
9 44 (6.154 %) Business Continuity
10 39 (5.455 %) Identity Management
11 35 (4.895 %) Vulnerability Assessment
12 33 (4.615 %) BCP
13 29 (4.056 %) Data Protection
14 26 (3.636 %) Business Development
15 19 (2.657 %) OWASP
15 19 (2.657 %) ITIL
16 18 (2.517 %) Service Delivery
17 17 (2.378 %) OSSTMM
18 16 (2.238 %) Project Management
18 16 (2.238 %) Data Security
Programming Languages
1 62 (8.671 %) Perl
2 60 (8.392 %) Java
3 37 (5.175 %) C++
4 33 (4.615 %) Python
5 32 (4.476 %) C
6 28 (3.916 %) Ruby
7 24 (3.357 %) JavaScript
7 24 (3.357 %) PHP
8 22 (3.077 %) SQL
9 11 (1.538 %) VB
10 10 (1.399 %) Shell Script
11 8 (1.119 %) C#
12 5 (0.699 %) VBScript
13 2 (0.280 %) DHTML
13 2 (0.280 %) Jython
Qualifications
1 210 (29.37 %) CISSP
2 113 (15.80 %) Degree
3 54 (7.552 %) Cisco Certification
4 49 (6.853 %) CISM
5 40 (5.594 %) CEH
6 37 (5.175 %) ISEB
7 31 (4.336 %) CISA
8 21 (2.937 %) CCNA
9 20 (2.797 %) CCNP
9 20 (2.797 %) Microsoft Certification
10 18 (2.517 %) GIAC
11 13 (1.818 %) MCSE
12 12 (1.678 %) CCIE
13 11 (1.538 %) CCSP
13 11 (1.538 %) CCDP
14 8 (1.119 %) CCSE
15 6 (0.839 %) CCSA
16 4 (0.559 %) CHFI
17 2 (0.280 %) SCNA
18 1 (0.140 %) CISMP
Quality Assurance & Compliance
1 88 (12.31 %) ISO27001
2 86 (12.03 %) PCI DSS
3 41 (5.734 %) PCI QSA
4 30 (4.196 %) Sarbanes-Oxley
5 15 (2.098 %) COBIT
5 15 (2.098 %) BS7799
6 9 (1.259 %) ISO17799
7 4 (0.559 %) QA
8 1 (0.140 %) HIPAA
8 1 (0.140 %) PABP
8 1 (0.140 %) COSO
System Software
1 32 (4.476 %) Active Directory
2 25 (3.497 %) Nmap
3 17 (2.378 %) ISA Server
4 5 (0.699 %) WebInspect
5 2 (0.280 %) ProxySG
6 1 (0.140 %) Snort
6 1 (0.140 %) Backup Exec
Systems Management
1 27 (3.776 %) Nessus
2 15 (2.098 %) CA SiteMinder
3 4 (0.559 %) MOM
4 1 (0.140 %) Systems Management Server (SMS)
4 1 (0.140 %) MAILsweeper
Vendors
1 101 (14.13 %) Cisco
2 71 (9.930 %) Microsoft
3 51 (7.133 %) CheckPoint
4 44 (6.154 %) Oracle
5 28 (3.916 %) Juniper
6 17 (2.378 %) Nortel
7 12 (1.678 %) Blue Coat
8 11 (1.538 %) HP
9 10 (1.399 %) Symantec
10 9 (1.259 %) Nokia
10 9 (1.259 %) Sybase
11 8 (1.119 %) IBM
12 7 (0.979 %) McAfee Security
13 6 (0.839 %) Crossbeam
14 5 (0.699 %) Reuters
15 3 (0.420 %) VMware
15 3 (0.420 %) WatchGuard
15 3 (0.420 %) IronPort
16 2 (0.280 %) Finjan
16 2 (0.280 %) Websense

Early Glance: Computer companies

Shares of some top computer companies are down at 10 a.m.:

Apple (Nasdaq: AAPL) Inc fell $2.61 or 2.8 percent, to $90.06.

Dell (Nasdaq: DELL) Inc fell $.72 or 6.4 percent, to $10.45.

Hewlett Packard (NYSE: HPQ) fell $1.28 or 3.6 percent, to $34.00.

IBM (NYSE: IBM) fell $2.34 or 2.9 percent, to $79.26.

Lexmark fell $.47 or 1.8 percent, to $25.71.

Creating a Computer Security Incident Response Team: A Process for Getting Started

Introduction
What are the questions?
What are some of the best practices for creating a CSIRT?
     Step 1: Obtain management support and buy-in
     Step 2: Determine the CSIRT strategic plan
     Step 3: Gather relevant information
     Step 4: Design the CSIRT vision
     Step 5: Communicate the CSIRT vision and operational plan
     Step 6: Begin CSIRT implementation
     Step 7: Announce the operational CSIRT
     Step 8: Evaluate CSIRT effectiveness
Remember that patience can be a key
Resources and more information on creating a CSIRT


Keeping organizational information assets secure in today's interconnected computing environment is a true challenge that becomes more difficult with each new "e" product and each new intruder tool. Most organizations realize that there is no one solution or panacea for securing systems and data; instead a multi-layered security strategy is required. One of the layers that many organizations are including in their strategy today is the creation of a Computer Security Incident Response Team, generally called a CSIRT.

Motivators driving the establishment of CSIRTs include

  • a general increase in the number of computer security incidents being reported
  • a general increase in the number and type of organizations being affected by computer security incidents
  • a more focused awareness by organizations on the need for security policies and practices as part of their overall risk-management strategies
  • new laws and regulations that impact how organizations are required to protect information assets
  • the realization that systems and network administrators alone cannot protect organizational systems and assets

What Are the Questions?

As organizations begin to build their incident response capability, they are looking to determine the best strategy for putting such a structure in place. They not only want to know what has worked well for others, but also want some guidance on the process and requirements they must follow to establish an effective incident response capability.

CSIRTs and their parent organizations have numerous questions they want answered to help them design their response capability. They are also interested in knowing what other teams in similar industry sectors are doing. Typical questions being asked include but are not limited to the following:

  • What are the basic requirements for establishing a CSIRT?
  • What type of CSIRT will be needed?
  • What type of services should be offered?
  • How big should the CSIRT be?
  • Where should the CSIRT be located in the organization?
  • How much will it cost to implement and support a team?
  • What are the initial steps to follow to create a CSIRT?

There is not a standard set of answers to these questions. CSIRTs are as unique as the organizations they service, and as a result, no two teams are likely to operate in the exact same manner. It is important for the organization to decide why it is building a CSIRT and what it wants that CSIRT to achieve. Once this is determined, then the unique set of answers to these questions can be formulated.

This document is the first in a series of articles that will discuss the issues and decisions to be addressed when planning and implementing a CSIRT. This first article will focus on an overview of the basic high-level steps to be taken by organizations as they design and build a CSIRT. The article is written as a general guideline for any organization that is thinking about undertaking such an endeavor or for any individuals who are members of a project team that is working to establish a CSIRT.

What Are Some Best Practices for Creating a CSIRT?

Although CSIRTs will differ in how they operate depending on the available staff, expertise, budget resources, and unique circumstances of each organization, there are some basic practices that apply to all CSIRTs. We will discuss some of those practices as they relate to creating a CSIRT. (For more information on what a CSIRT is, see the CSIRT FAQ.) Although these actions are presented as steps, the process is not sequential; many steps can occur in parallel.

The steps are as follows:

Step 1: Obtain Management Support and Buy-In

Our experience shows that without management approval and support, creating an effective incident response capability can be extremely difficult and problematic. This support must be shown in numerous ways, including the provision of resources, funding, and time, to the person or group of people who will act as the project team for implementing the CSIRT. This also includes executive and business or department managers and their staffs committing time to participate in this planning process; their input is essential during the design effort.

It is important to elicit management's expectations and perceptions of the CSIRT's function and responsibilities. Without this information, a team may be built whose services and authority are not understood or appropriately used by the rest of the organization.

Along with obtaining management support for the planning and implementation process, it is equally important to get management commitment to sustain CSIRT operations and authority for the long term. Once the team is established, how is it maintained and expanded with budget, personnel, and equipment resources? Will the role and authority of the CSIRT continue to be backed by management across the various constituencies or parent organization? Without this continued support the CSIRT's long-term success may be in jeopardy.

Step 2: Determine the CSIRT Development Strategic Plan

Think about how to manage the development of the CSIRT. What administrative issues must be dealt with, and what project management issues must be addressed?

  • Are there specific timeframes to be met? Are they realistic, and if not, can they be changed?
  • Is there a project group? Where do the group members come from? You want to ensure that all stakeholders are represented. Some may not be on the team for the whole project, but brought in to provide subject matter expertise and input as needed. You also want to incorporate best practices in project management, organizational behavior theory, and communications theory into your plan. If anyone has a background in these areas, consider having them participate on the team.
  • How do you let the organization know about the development of the CSIRT? A memo sent from the CIO, CEO, or other high-level manager announcing the project and asking each key stakeholder and area to provide assistance in any way possible is a good way to start. Letting the organization know about the plan for a CSIRT in the early stages of development can help staff feel they are part of the design process.
  • If you have a project team, how do you record and communicate the information you are collecting, especially if the team is geographically dispersed?

Step 3: Gather Relevant Information

Gather information to determine the incident response and service needs that the organization has. Take a look at the types of incident activity currently being reported within your constituency. This helps determine not only what type of services to offer but also the types of skills and expertise the CSIRT staff will need. For example, if your organization has been the victim of computer virus or worm activity, you will need staff with virus experience to handle the response. You will also need virus scanning, elimination, and recovery procedures, along with the appropriate anti-virus tools. You may want people with good training and documentation skills to help develop user awareness programs as a proactive step in dealing with virus activity.

Identify what information you need to know to plan and implement the CSIRT. Determine who has that information and how best to elicit that information, either through general discussions or interviews or by making them part of the project.

Meet with key stakeholders to discuss not only their incident response needs, but to achieve an initial consensus on the expectations, strategic direction, definitions, and responsibilities of the CSIRT. Your definition of what a CSIRT is and does may be very different from your manager's definition or the definition of another part of your organization. Use these discussions with the stakeholders to outline and identify how each group will need to interact with the CSIRT. The stakeholders could include but are not limited to

  • Business managers. They need to understand what the CSIRT is and how it can help support their business processes. Agreements must be made concerning the CSIRT's authority over business systems and who will make decisions if critical business systems must be disconnected from the network or shut down.
  • Representatives from IT. How do the IT staff and the CSIRT interact? What actions are taken by IT staff and what actions are taken by CSIRT members during response operations? Will the CSIRT have easy access to network and systems logs for analysis purposes? Will the CSIRT be able to make recommendations to improve the security of the organizational infrastructure?
  • Representatives from the legal department. When and how is the legal department involved in incident response efforts? Legal staff may also be needed to review non-disclosure agreements, develop appropriate wording for contacting other sites and organizations, and determine site liability for computer security incidents.
  • Representatives from human resources. They can help develop job descriptions to hire CSIRT staff, and develop policies and procedures for removing internal employees found engaging in unauthorized or illegal computer activity.
  • Representatives from public relations. They must be prepared to handle any media inquiries and help develop information-disclosure policies and practices.
  • Any existing security groups, including physical security. The CSIRT will need to exchange information with these groups about computer incidents and may share responsibility with them for resolving issues involving computer or data theft.
  • Audit and risk management specialists. They can help develop threat metrics and vulnerability assessments, along with encouraging computer security best practices across the constituency or organization.
  • General representatives from the constituency, who can provide insight into their needs and requirements.

Stakeholders should also include anyone who will be involved in the incident-handling or notification process. Think about who will need to be notified during different types of incidents. Are there people in other parts of the organization or constituency who can provide information or input to the CSIRT or with whom the CSIRT will need to share or obtain information? These may include other parts of the IT or security departments, including any groups doing vulnerability assessments, intrusion detection, or network monitoring. Knowing what the CSIRT will need to do can help you identify the right people to be involved in developing the procedures.

Find out if anyone else is currently performing any of the services that the CSIRT may be looking to provide. Determine if those services should stay with the current group or move to the CSIRT over some agreed-to period of time. Addressing these types of issues in the planning stages can help identify what responsibilities will need to be delineated and what information will need to be gathered.

There may also be some resources available for review that will help in your information gathering. These may include

  • organization charts for the enterprise and specific business functions
  • topologies for organizational or constituency systems and networks
  • critical system and asset inventories
  • existing disaster-recovery or business-continuity plans
  • existing guidelines for notifying the organization of a physical security breach
  • any existing incident-response plans
  • any parental or institutional regulations
  • any existing security policies and procedures

Reviewing these documents serves a dual purpose: first, to identify existing stakeholders, resources, and system owners; and second, to provide an overview of existing policies to which the CSIRT must adhere. As a bonus, these documents may contain text that can be adapted when developing CSIRT policies, procedures, or documentation. They may also include general notification lists of organizational representatives who must be contacted during emergencies. Such lists may be adapted for CSIRT work and processes.

In addition, investigate what similar organizations are doing to provide incident handling services or to organize a CSIRT. If you have contacts at these organizations, see if you can talk to them about how their team was formed. Take a look at other CSIRTs' web sites, and check their missions, charters, funding scheme, and service listing. This may give you ideas for organizing your team. Review any books or other publications about incident handling or CSIRTs. An initial list of resources can be found at the CERT CSIRT Development web page.

Attend courses or conferences that include sessions for developing incident response strategies or creating CSIRTs. These venues can provide you with opportunities to exchange ideas and interact with others in the incident response field. A good place to start may be to attend the annual FIRST conference.

Step 4: Design your CSIRT Vision

As the information gathered brings to the forefront the incident response needs of the constituency and as you build your understanding of management expectations, you can begin to identify the key components of the CSIRT. This allows you to define the vision for the CSIRT and its goals and functions. You need both management and constituent buy-in and support of these goals and functions for the CSIRT to be successful.

It is important to achieve clear agreement on the definition and expectations for the CSIRT being formed. What the CSIRT staff thinks the team will do and what the managers and general constituency think the CSIRT will do may be completely different. A number of people have the perception that a CSIRT is a "cyber cop" for an organization or constituency. While this may be true for a small number of teams, it is not generally the main focus of a CSIRT. The main focus is to prevent and respond to incidents. The vision for the CSIRT must include a clear explanation of where these CSIRT functions fit into the current organizational structure and how the CSIRT interacts with its constituency. The vision explains what benefits the CSIRT provides, what processes it enacts, who it coordinates with, and how it performs its response activities.

In creating your vision, you should

  • Identify your constituency. Who does the CSIRT support and service?
  • Define your CSIRT mission, goals, and objectives. What does the CSIRT do for the identified constituency?
  • Select the CSIRT services to provide to the constituency (or others). How does the CSIRT support its mission?
  • Determine the organizational model. How is the CSIRT structured and organized?
  • Identify required resources. What staff, equipment, and infrastructure are needed to operate the CSIRT?
  • Determine your CSIRT funding. How is the CSIRT funded for its initial startup and its long-term maintenance and growth?

Step 5: Communicate the CSIRT Vision

Communicate the CSIRT vision and operational plan to management, your constituency, and others who need to know and understand its operations. As appropriate, make adjustments to the plan based on their feedback.

Communicating your vision in advance can help identify process or organizational problems before implementation. It is a way to let people know what is coming and allow them to provide input into CSIRT development. This is a way to begin marketing the CSIRT to the constituency and gaining the needed buy-in from all organizational levels.

You may receive information that was missed or not available during the information-gathering stage. Use this information and input to make any final adjustments to the CSIRT organizational structure and processes.

Step 6: Begin CSIRT Implementation

Once management and constituency buy-in is obtained for the vision, begin the implementation:

  • Hire and train initial CSIRT staff.
  • Buy equipment and build any necessary network infrastructure to support the team.
  • Develop the initial set of CSIRT policies and procedures to support your services.
  • Define the specifications for and build your incident-tracking system.
  • Develop incident-reporting guidelines and forms for your constituency.

A main resource you will need for your constituency is your incident-reporting guidelines. These guidelines define how your constituency interacts with your CSIRT, what constitutes an incident, what types of incidents to report, who should report an incident, why an incident should be reported, the process for reporting an incident, and the process for responding to an incident. They should be clear and understandable by the constituency being served.

The process for reporting an incident includes a detailed description of the mechanisms for submitting reports: phone, email, web form, or some other mechanism. It should also include details about what type of information should be included in the report.

The process for responding to an incident details how the CSIRT prioritizes and handles received reports. This includes how the person reporting an incident is notified of its resolution, any response timeframes that must be followed, and any other notification that occurs.

For an example of incident reporting guidelines, see the CERT/CC Incident Reporting Guidelines.

Step 7: Announce the CSIRT

When the CSIRT is operational, announce it broadly to the constituency or parent organization. It is best if this announcement comes from sponsoring management. Include the contact information and hours of operation for the CSIRT in the announcement. This is an excellent time to make available the CSIRT incident-reporting guidelines. You may also want to develop information to publicize the CSIRT, such as a simple flyer or brochure outlining the CSIRT mission and services, which can be distributed with the announcement. Some teams have held an open house or special celebration to announce the operational CSIRT.

Step 8: Evaluate the Effectiveness of the CSIRT

Once the CSIRT has been in operation for a while, management will want to determine the effectiveness of the team and use evaluation results to improve CSIRT processes and ensure that the team is meeting the needs of the constituency. The CSIRT, in conjunction with management and the constituency, will need to develop a mechanism to perform such an evaluation.

Information on effectiveness can be gathered through a variety of feedback mechanisms, including

  • benchmarking against other CSIRTs
  • general discussions with constituency representatives
  • evaluation surveys distributed to constituency members on a periodic basis
  • creation of a set of criteria or quality parameters that is then used by an audit or third-party group to evaluate the team

It may be helpful to review previously collected information on the state of the constituency or organization before the implementation of the team. This information can be used as a baseline in determining the effect of the CSIRT on the constituency. Information collected for comparison may include

  • number of reported incidents
  • response time or time-to-live of an incident
  • number of incidents successfully resolved
  • information reported to the constituency about computer security issues or ongoing activity
  • attentiveness to security issues within the organization
  • preventative techniques and security practices in place

See section 2.2.4 of the Handbook for Computer Security Incident Response Teams for more information on evaluating the quality of CSIRT services.
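As an added illustration (not code from the article or from CERT), the following Python model ties together the incident-reporting guidelines of Step 6 and the baseline figures of Step 8: it rejects reports that lack required fields, assigns a priority, tracks whether an open report has exceeded its committed response timeframe, and computes the number reported, number resolved, and time-to-live. The required fields, incident categories, priority rules, and timeframes are assumptions chosen for the example, not requirements from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

REQUIRED_FIELDS = ("reporter", "contact", "affected_system", "category", "description")  # hypothetical
HIGH_CATEGORIES = {"intrusion", "data_theft", "worm"}  # hypothetical: always high priority
RESPONSE_TIMEFRAME = {"high": timedelta(hours=4), "medium": timedelta(hours=24),
                      "low": timedelta(days=3)}  # hypothetical committed response times

@dataclass
class Incident:
    report: dict
    reported_at: datetime
    priority: str
    status: str = "open"
    resolved_at: Optional[datetime] = None

def validate_report(report: dict) -> list:
    """Required fields that are missing or empty in a submitted report."""
    return [f for f in REQUIRED_FIELDS if not report.get(f)]

def prioritize(report: dict) -> str:
    """Priority from the incident category and whether a critical system is affected."""
    if report["category"] in HIGH_CATEGORIES or report.get("critical_system"):
        return "high"
    return "medium" if report["category"] == "malware" else "low"

def open_incident(tracker: list, report: dict, reported_at: datetime) -> Incident:
    """Reject incomplete reports; otherwise record and prioritize the incident."""
    missing = validate_report(report)
    if missing:
        raise ValueError(f"report rejected, missing fields: {missing}")
    incident = Incident(report, reported_at, prioritize(report))
    tracker.append(incident)
    return incident

def resolve(incident: Incident, resolved_at: datetime) -> None:
    incident.status, incident.resolved_at = "resolved", resolved_at

def overdue(tracker: list, now: datetime) -> list:
    """Open incidents whose committed response timeframe has already elapsed."""
    return [i for i in tracker if i.status == "open"
            and now - i.reported_at > RESPONSE_TIMEFRAME[i.priority]]

def metrics(tracker: list) -> dict:
    """Step 8 baseline figures: reports received, resolved, and time-to-live."""
    resolved = [i for i in tracker if i.status == "resolved"]
    hours = [(i.resolved_at - i.reported_at).total_seconds() / 3600 for i in resolved]
    return {"reported": len(tracker), "resolved": len(resolved),
            "median_hours_to_resolve": median(hours) if hours else None}

def sample_tracker() -> list:
    """Constructed sample: three reports submitted on one day, two later resolved."""
    t0 = datetime(2008, 11, 3, 9, 0)
    base = {"reporter": "j.doe", "contact": "ext 1234"}
    tracker = []
    a = open_incident(tracker, dict(base, affected_system="mail-01", category="worm",
                                    description="mass-mailing worm detected"), t0)
    b = open_incident(tracker, dict(base, affected_system="lab-pc-7", category="malware",
                                    description="anti-virus alert"), t0 + timedelta(hours=2))
    open_incident(tracker, dict(base, affected_system="fs-02", category="policy_violation",
                                description="shared account in use"), t0 + timedelta(hours=5))
    resolve(a, t0 + timedelta(hours=3))
    resolve(b, t0 + timedelta(hours=30))
    return tracker
```

Calling metrics(sample_tracker()) gives 3 reported, 2 resolved and a median time-to-resolve of 15.5 hours; overdue() lists the still-open policy-violation report once its three-day window has passed.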

Remember that Patience Can Be a Key

The length of time it will take to design, plan, and implement a team will vary with each organizational situation. We have seen CSIRTs become operational across a wide range of times, from two months to two years. It is important to realize that it can take about 12-18 months to work out the processes and procedures, especially for a large, distributed enterprise. After the team is operational, it can take another 12-18 months to obtain a good level of trust and comfort with your constituency. Many teams show a large growth in the number of incidents reported over their first year of operation. The longer you are in operation, the more your constituency will understand the work you are doing and the more likely that they will report to you.

Resources and More Information on Creating a CSIRT

The components discussed above are more fully discussed in the following:

These resources may provide additional insight:

  • Forming an Incident Response Team
    A paper examining the role a response team may play in the community and the issues that should be addressed both during the formation and after commencement of operations. This paper was written by a former member of the Australian Computer Emergency Response Team.

  • Expectations for Computer Security Incident Response (RFC 2350)
    This is a best practices document, which recommends general requirements and behaviors that a CSIRT should follow when establishing or operating a team. It focuses on methods for letting the CSIRT constituency know about the team's services and processes.

  • Avoiding the Trial-by-Fire Approach to Security Incidents
    This article discusses the importance of having an organized and defined process for detecting and responding to computer security incidents.

  • The CERT® Guide to System and Network Security Practices
    The CERT security practices have been compiled in this book published by Addison-Wesley and available at walk-in and online bookstores. Using a practical, phased approach, the book shows administrators how to protect systems and networks against malicious and inadvertent compromise based on security incidents reported to the CERT/CC.
Posted by CEOinIRVINE

Defying investors' fears that its earnings would fall victim to slumping tech demand, Dell turned in a surprisingly profitable third fiscal quarter by taking a big ax to costs.

Although Dell's (DELL) sales were more than $1 billion short of Wall Street estimates for the quarter that ended Oct. 31, a combination of job cuts, a hiring freeze, and lower materials costs helped earnings reach 37¢ per share, beating analysts' modest expectations of 31¢ per share. Shares of Dell gained more than 5% in extended trading. Earlier, the stock had lost 54¢, or 5.2%, to close at $9.81, amid a market slump.

Revenue and net income declined from a year earlier, but investors said Dell was successfully protecting profit amid a global economic slowdown that's sapped business and consumer demand for new computers and other tech gear. "In previous quarters it looked like the company was willing to grow share at any cost," says Bill Kreher, a technology analyst at Edward Jones who has a buy rating on Dell. That's what happened in the second quarter, when profit fell 17% on overly aggressive price cuts (BusinessWeek.com, 8/29/08). "In this environment they're aware that investors are more concerned with the bottom line," Kreher says.

Tough Act to Follow

For now, Dell may need to keep running the cost-cutting play, one of its few options in an environment that's forced other tech bellwethers, including Intel (INTC) and Cisco Systems (CSCO), to issue dour forecasts. Dell sliced 2,200 jobs and took advantage of lower PC component prices, analysts said. "Can they continue to cut costs like this?" says Jayson Noland, an analyst at Robert W. Baird, who has a neutral rating on Dell shares. The company may have to do so to boost its stock performance, since "nobody expects the economy to be a benefit to anyone."

From a cost-cutting perspective, the third quarter will be a tough act to follow. Sales declined 3%, to $15.16 billion, missing analysts' consensus expectation for $16.22 billion in sales. Net income fell 5%, to $727 million. But operating expenses fell 11%, and operating income rose 22%, the biggest gain in two-and-a-half years. Dell's consumer PC business, which it's counting on for future growth, posted an operating profit of $112 million, more than the last six quarters combined, according to Baird's Noland.

During a conference call with analysts, CEO Michael Dell said the company would continue to emphasize profit over market share. "Given the choice between profits and growth, we're going to go for the profits," he said. That's in large part because of "deteriorating demand" for tech products, Chief Financial Officer Brian Gladden added. "We had a stronger August than we had September or October," he told analysts. Cutting costs "is the one lever we can control."
