tagged w/ Enterprise Risk Management
-
Companies buy these so called certified products thinking they have the magic bullet to solve their ITIL project, and they’ll skip the hard part, which is designing the processes for their organization.
So instead of a magic bullet they’ll just shoot themselves in the foot with a real bullet.
ITIL isn’t about specific products but instead about putting in processes that bring efficiency to the organization.
-
Nielsen Online reported that by the end of 2008 social networking had overtaken email in terms of worldwide reach. Sites such as Facebook, Twitter, Myspace and Linkedin provide users with a way to build and interact with a community in real time on a familiar platform at a very low cost.
-
ISA has been designated to lead the development of industry based SCAP checklists for these key technologies.
OMB has already mandated to federal CIOs that “Information technology providers must use S-CAP validated tools, as they become available, to certify their products do not alter the Federal Desktop Core Configurations, and agencies must use these tools when monitoring use of these configurations.”
-
Auditors definitely need to be more exacting and tougher when evaluating a company’s adherence to the specification. But an audit is a point-in-time event that says “as of today” your security level and change and control processes are at an acceptable state.
If Savvis did a poor job of auditing CardSystems and issued a PCI certificate when that company was not really compliant, Savvis is at fault for issuing the certificate.
But what about the many companies who are compliant with PCI DSS with a point-in-time audit only to be breached a month later?
-
The decision to outsource information security isn’t the right approach for every business; the choice of provider and which services to farm out to a 3rd party are unique to each organization and set of circumstances.
Furthermore, while the responsibility for information security’s daily care and feeding can be outsourced, the accountability for compliance, information protection, and assurance will still reside within the organization, usually in the CISO’s office.
There are several things the CISO will need to focus on and ways to not only influence the security outsourcing decision but also take ownership of assessing the risk inherent in the outsourcing relationship...
-
Michael Xie is CTO of Fortinet and drives all of their development of true “Next Generation” security appliances. Hear him describe his views on speeds and feeds, routing and switching in the firewall, and cost per secure megabit.
-
Having been an active participant in the mobile industry for roughly ten years, I often get asked what I believe is the most difficult challenge to overcome when considering mobile device management.
The question is a simple one, and the answer is simple too - it depends.
When I receive this question from engineering, it’s usually with the purpose of determining which feature to add or not add in the next version of the product. When it’s from sales, the objective is to find a compelling argument to further an opportunity in the sales cycle. And when it’s from customers, it’s usually about creating policies or best practices to avoid pitfalls that they may encounter. With that in mind…
-
The rules and requirements for auditors reveal a number of potential conflicts of interest that could arise between an auditor and the entity it’s assessing. For example, many security auditors also make security products. The rules state that a security company will not use its status as auditor to market its products to companies it audits, but if the auditor should happen to find that the client would benefit from its product, it must also tell the client about competing products.
-
There are an amazing number of parallels between The Art of War and the information security business. In its very basic form – knowing your enemy – knowing how cyber vandals, miscreants, criminals, and even nation-state actors use cyber attack and cyber exploitation for their various objectives.
-
Over 2.7 billion vulnerable programs installed on U.S. computers; Jackson, Fawcett spur Internet fraud; Pro-Iranian regime hackers invade U.S. computers; Xero taken offline by massive U.S. data center failure; Zeus Trojan variant steals FTP login details; ‘Mafiaboy’: cloud computing will cause Internet security meltdown; McAfee glitch causes havoc for IT admins…
-
Massachusetts is taking data encryption regulation to the next level by actually defining what is meant by “encryption”, and this definition includes all data that is in transition, in storage, and on portable devices.
-
We’ve been developing a way of detecting and blocking spam that analyses not just content and IP address, but by applying learning from email user behaviour and relationships, to understand which emails the recipient actually wants, and which are spam.
-
We need to reduce the risk of accidental or malicious and criminally-funded access to confidential and private information by inside sources such as employees, consultants or business partners that can be used for extortion or other illegal purposes.
-
If the form is “neutral,” is that good enough for you or are you more interested in using a document that provides your company with as much protection as possible? Do you have the experience to know whether the form agreement is missing any key elements?
-
Compounding the problem for the consultant CISO in the shorter term is that budgets are under downward pressure while the risk of fraud, insider theft and 3rd party exposure is going up. Longer term, the financial crisis has forced firms to re-focus on systemic risk, resulting in a revival of top-down Enterprise Risk Management efforts.
-