Your Policies Can Hurt You, Part 1: The Importance of Well-Tailored Instructions
Managers often think about compliance in terms of policies. There is something concrete, achievable and finite about them. And they are required by laws and regulations for protecting information and systems. But too often managers think of policies as a finish line for compliance. Need to be compliant? Then write a (more…)
Why are Hackers Heckling the Director of the NSA?
The Hackers Heckling. The Black Hat convention is under way today in Las Vegas, and there, before a group of information-security-minded individuals, stood General Keith Alexander, Director of the NSA, getting heckled by conference attendees. Their complaints were targeted at the NSA’s surveillance activities and Director Alexander’s dubious testimony to Congress about those activities. (more…)
While Technological Security Risks Are a Possibility, Management Security Risks are a Certainty
Most of my information security focus these past few years has concentrated on managing risks and governance, but this was not always the case. I came into this profession as a technologist and manager who focused on team building, turn-arounds and doing a lot with few resources. But as my career moved from technology operations to security it also moved from technology (more…)
Risk Acceptance Levels: Managing the Lower Limits of Security Costs
Last week I presented a topic here at Halock’s blog site on the Hand Rule, also known as the “Calculus of Negligence.” The basic message of the post was that we can use information risk assessments to help us keep our security costs to a reasonable (more…)
Has The OWASP Top 10 Been Effective For Web Applications?
OWASP just released a new Top 10 for 2013, updating the list of key web application security weaknesses to reflect the evolution of the highest risk vulnerabilities. While everyone loves a good top 10 list, the fundamental question I wrestle with is, has the OWASP Top 10 been effective? (more…)
The Hand Rule: Managing the Upper Limits of Security Costs
While presenting a talk at CAMP IT last week I got into a number of conversations with attendees about the Hand Rule and security costs. At HALOCK Security Labs we talk about the Hand Rule a lot. Also known as the Calculus of Negligence, it is a way that an organization can mathematically estimate what a “reasonable” (more…)
Summary of the 2013 IP Commission Report
Last month the IP Commission Report was published by The National Bureau of Asian Research. This report chronicles the theft of American Intellectual Property and is a great read. The world of InfoSec tends to focus on vulnerabilities and infamous hacks. (more…)
We Need a Risk Management Tipping Point
While preparing for a keynote talk at CAMP IT that is rapidly coming up I was struggling to find the main point of my talk. I had been puzzling for several weeks, asking myself what single message I wanted to leave my audience with. I’ve been speaking for some time now about information security and information risk management and have always provided (more…)
Are iPads HIPAA Compliant?
I hear this question very often. It is similar to the question, “Is email HIPAA compliant?” or “Are texts HIPAA compliant?” And while my gut often kicks in and I want to easily say, “No!” that is often a bad answer. Here is why. We don’t know whether something is compliant or not if we have not assessed (more…)
If HIPAA Compliance Seems Too Hard … Then You’re Doing it Wrong. Here are the Basics of Doing it Right.
In April of 2013 the Office of Civil Rights, the branch of the Department of Health and Human Services that oversees compliance with the HIPAA Security Rule, started releasing analysis from their (more…)
