Unethical Security Professional is a contradiction in terms

HBGary, professionalism
This is a post I never thought I would write. That I never thought I would have to write. Let me start with a quote from the CISSP Code of Ethics. Code of Ethics Canons: Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession ...

Something different: An information security parable

Usually, when we write about risk management, we talk about money. Lots of risk has to do with money, so that makes sense. But there's something lost, as well. This occurred to me this morning: Death is the only promise we have in this life. Many religions make promises about life ...

PCI III: Addressing the Criticisms of the PCI DSS – Scope of Protection

In Part II of my PCI series, I listed the criticisms of the PCI DSS I’ve heard to date and asked for readers to add to the list. Nothing’s been added to date, so I’m going to address the list I have. If more criticisms are raised later, I’ll address ...

Governance Part 4: Standards

We’ve covered how management uses policies to govern an undertaking, whether that’s a business, a household, or one’s career. Today we’ll continue the Governance series with a look at standards and how they bridge the gap between executive ideals and technical practicality. The relationship between a policy and a standard is ...

PCI II: Criticisms of the PCI DSS

Having given a very brief explanation of the PCI DSS standard and how the credit card industry manages its risk by requiring merchants who want to accept credit cards to adhere to it, I’m going to continue this series by discussing the controversy surrounding the standard. Let me begin by stating ...

Compliance: PCI in a very small nutshell

Disclosure: I am certified as a Payment Card Industry (PCI) Qualified Security Assessor (QSA). I am frequently paid to perform PCI audits, to advise people on how to fill out their Self Assessment Questionnaire (SAQ), and how to identify and remedy gaps in security that would prevent them from complying. Previously, I’ve ...

Managing Risk Through Acceptance and Assignment

Last week, we looked at risk mitigation. If you do something to reduce your vulnerability to a threat, or the impact of that threat, the risk goes down. Your personal firewall, your anti-virus system, the lock on your front door, and the umbrella you carry when it looks cloudy out ...

Risk Management: Risk Mitigation

Last week, I started talking about risk management by talking about how it relates to something as mundane as forgetting your car keys. I’m going to stick with that analogy as we discuss how to use risk assessment to understand whether you’re happy with the risk you have or if ...

Governance Part 3: Policies

In Part 2, we discussed the Missions, Visions, and Charters, which define a task, lay out an overall strategy for accomplishing that task, and authorize someone to do it. Today, we’ll discuss how policies tell everyone to execute the charter to accomplish the mission that realizes the vision. (If I ...

Risk management example: my tire

I was going to continue the governance series today by writing about policies, but I had the idea to use my last few days to show how theory turns into practice. In particular, how I think about and do risk management in day-to-day life. I’m sure you do the same thing, ...