Practical Compliance Discussions

Wired Magazine ran a great article in their blog section today on a recent case where a network administrator had set himself up as the top level administrator on their network and locked everyone else out.

Wired Magazine - San Francisco Held Cyber-Hostage

This article illustrates two key points that have been a common topic lately:

• The first is that the impact of an insider threat can be extremely high
• The second is that insider events are less frequent

The combination of these two things makes things challenging for security management teams. It makes overcoming the 'That will never happen to us' perception difficult and makes driving internal security more important.

The key is to focus on point 1. Impact. From a risk manager's viewpoint, the trade off on reducing millions of dollars of risk in comparison to adding one or two IT salaries is a good decision. As IT and security managers, we need to continue to improve on our ability to profile risk in terms of impact and business dollars.

A question was asked in my ISACA Internal Threats was are there any standards out there for an Information Security program. In this post I'll highlight a few of the common standards and how they apply.

Click to read more ...

Verizon's Business Risk Team has released their 2008 Data Breach Investigations Report.In this post I will provide an overview of some of the things I found interesting and my analysis of what this information means for today's business. It is a lengthy paper, I've tried to pull out the most interesting points.

Click to read more ...

How do you educate the users/consumers to risks and security when they believe it is the responsibility of the IT department?

Click to read more ...

We have cases where one person is doing multiple tasks. What would be your advice in such situation where management is not really ready to invest in people yet need proper data security.

Click to read more ...