Importance of doing a Risk Assessment
We often get calls to do diagnostic testing of some sort – Vulnerability Testing, Penetration Testing, Web Application Testing; these are all very good and should be done at least annually, or more often if the environment is undergoing changes. But what about a Cyber Security Risk Assessment? Why do one, and what’s the correlation between the Risk Assessment and the various (more…)
Reasonable and Appropriate Data Security
Reasonable and Appropriate Data Security – An interesting case that the FTC filed recently (June 26, 2012) against a well-known hotel chain. (Names omitted for the purposes of this blog.) Notice the similarities to the PCI DSS requirements. (more…)
Security Awareness training is required by PCI DSS
I often write about security awareness training, but it bears repeating periodically. Cyber security awareness training is required by some standards – the PCI DSS is pretty specific about requiring it. Security awareness training for the general employee population on at least an annual basis is a good idea. More technical training for IT (more…)
Google Drive, SkyDrive and DropBox: You Are the Product, Not Them
Google Drive, SkyDrive and DropBox: You Are the Product, Not Them. There is a great little cartoon I’ve seen on the Internet in which two pigs are marveling at the free barn and free food they get to enjoy. The message of the cartoon is that they are not the customer; they are the product. (more…)
Mobile Device Management
Mobile Device Management – What was once the primary strength of Blackberry, enterprise-grade security and manageability features, is now available across the majority of mobile operating systems. If your organization is considering the implementation of mobile technologies into your environment, you may find the following comparison of mobile security and management capabilities from Infoworld to be very helpful: (more…)
When Security Interferes with Business . . . Business Trumps Security
Does Security Interfere with Business? In a mad dash toward security compliance or to plug known vulnerabilities, IT professionals have a tendency to implement security controls without thinking through what could go wrong with them. (more…)
Where to Begin?
Sometimes we’ll talk with clients and they feel like they don’t know where to begin in managing information security. A great first step would be a Risk Assessment. A risk assessment recommends treatment of discovered risks and then manages remediation of gaps in risk controls. (more…)
Security Implications of Leveraging Cloud Computing
Cloud computing is rapidly evolving into a service model that has the potential to save money and create efficiencies for organizations large and small. This new model can help achieve significant cost savings, reduce IT complexity, and increase flexibility in adapting to a changing business environment. (more…)
Governance of Enterprise Security
Governance of Enterprise Security. Just read an interesting survey finding. The 2012 survey was done by Carnegie Mellon CyLab, sponsored by RSA. They surveyed how boards and senior executives are governing the privacy and security of their organizations’ digital assets. They used the Forbes Global 2000 list; respondents included CEO/Presidents (52%), Corporate Secretaries (15%) and Board Chairs (24%). (more…)
Your Nerds Don’t Understand Compliance Either.
Don’t Understand Compliance? On January 18th, Jon Stewart of The Daily Show teased U.S. Representative Mel Watt for failing to understand a bill that he was trying to pass. (more…)