Practical Compliance and Security Blog

Policies not effective? Maybe less is more.

Practical Andrew — Wed, 28 Oct 2009 13:23:40 +0000

Where are policies most effective? In organizations that deliver them to their users by the pound or where the policies are simple and straightforward.

Microsoft Predicts Increasing 'Malicious Insider Attacks'

Practical Andrew — Wed, 11 Feb 2009 13:08:54 +0000

In the following article from BBC news, Microsoft points to the economic downturn as a driver for an increase in internal threats to an organization's information.

More Insider Threat Info - San Francisco Held Cyber-Hostage

Practical Andrew — Thu, 17 Jul 2008 13:25:41 +0000

Wired Magazine ran a great article in their blog section today on a recent case where a network administrator had set himself up as the top level administrator on their network and locked everyone else out.

Wired Magazine - San Francisco Held Cyber-Hostage

This article illustrates two key points that have been a common topic lately:

The first is that the impact of an insider threat can be extremely high
The second is that insider events are less frequent

The combination of these two things makes things challenging for security management teams. It makes overcoming the 'That will never happen to us' perception difficult and makes driving internal security more important.

The key is to focus on point 1. Impact. From a risk manager's viewpoint, the trade off on reducing millions of dollars of risk in comparison to adding one or two IT salaries is a good decision. As IT and security managers, we need to continue to improve on our ability to profile risk in terms of impact and business dollars.

Information Security Standards in Brief

Practical Andrew — Tue, 15 Jul 2008 18:26:07 +0000

A question was asked in my ISACA Internal Threats was are there any standards out there for an Information Security program. In this post I'll highlight a few of the common standards and how they apply.

Are We Over Estimating Internal Threats - Analysis of Verizon Data Breach Report

Practical Andrew — Wed, 25 Jun 2008 12:28:23 +0000

Verizon's Business Risk Team has released their 2008 Data Breach Investigations Report.In this post I will provide an overview of some of the things I found interesting and my analysis of what this information means for today's business. It is a lengthy paper, I've tried to pull out the most interesting points.

Insider Threats - Educating the User Community

Practical Andrew — Tue, 17 Jun 2008 17:01:07 +0000

How do you educate the users/consumers to risks and security when they believe it is the responsibility of the IT department?

Internal Threats - Business Problem of Separation of Duties

Practical Andrew — Tue, 17 Jun 2008 16:52:39 +0000

We have cases where one person is doing multiple tasks. What would be your advice in such situation where management is not really ready to invest in people yet need proper data security.

Insider Threats - USB Device Issues

Practical Andrew — Tue, 17 Jun 2008 16:46:00 +0000

In places like Africa where web connectivity can be very poor USB devices are a very handy means of transferring data between machines but they can be easily mis-placed or stolen, with serious implications for data protection/security. Could you kindly give some practical guidelines for protecting data on such devices without losing their convenience?

ISACA Insider Threats Presentation - Follow Up Questions

Practical Andrew — Wed, 04 Jun 2008 13:56:00 +0000

Thank you to everyone who attended the live ISACA presentation on Data Security and all those who sent in questions on my presentation on Insider Threats. I have received the list of follow up questions from the session and will be working to respond to all of them. We will be posting all of the questions to our Discussions forum so our team and everyone participating in our forum can respond and discuss each issue. There are a lot of great questions that represent many significant issues to today's Information Security practice.

Responding to Major Disaster - A Customer's View

Practical Andrew — Mon, 02 Jun 2008 16:18:17 +0000

On Saturday night I got a message that our website was unreachable. Being the ever diligent business owner, I immediately checked and verified that yes the IP address was unreachable. Gone. Yikes! The experience provided some good observations on how a disaster can impact a business and more importantly how the business responds impacts its business (and customers) going forward.