Governance Part 3: Policies
In Part 2, we discussed the Missions, Visions, and Charters, which define a task, lay out an overall strategy for accomplishing that task, and authorize someone to do it. Today, we’ll discuss how policies tell everyone to execute the charter to accomplish the mission that realizes the vision. (If I ...
Risk management example: my tire
I was going to continue the governance series today by writing about policies, but I had the idea to use my last few days to show how theory turns into practice. In particular, how I think about and do risk management in day-to-day life. I’m sure you do the same thing, ...
Risk Management: YOU Are a risk manager!
Risk management. Assessment, Vulnerabilities, threats, and impact. Mitigation, assignment, acceptance. If you don’t do security for a living, or do it as a purely technical activity, these can sound like terms from some arcane art practiced by Wizards, Sorcerers, Actuaries, and Mutual Fund managers. Today we start taking the mystique ...
Spycamgate followup
I’ve written previously about “Spycamgate,” wherein a school administrator tried to hold a student accountable for perceived behavior at home based on images taken from a camera on the student’s school-issued laptop. The school’s defense is that the webcams are a security feature to track down lost or stolen machines ...
Security Without Tears or Apology
In plugging this blog, for which I’m grateful, Avedon Carol mentioned that my subtitle “Security without apology or tears” doesn’t necessarily make immediate sense. I thought I’d spend some time talking about that. Every time I tell someone I do information security for a living, I get an awestruck, impressed kind ...
School Principal Spies on Children at Home via Laptop Camera
Whichever side of the infosec coin one is on, a jargon we use to refer to the control of a system is ownership. We refer to a system as “compromised” or “owned” or “pwned” if the person who owns it isn’t also the person who owns it in the legal ...
Governance Part 2: Charters, Visions, and Missions
In my Introduction I listed charters, visions, and missions as the documents that state what you’re trying to accomplish when you set out to do security. I’m going to expand on that here. In information security, a charter is a statement from management to whatever body it is that is tasked ...
Introduction to Governance, First of a Series
Governance is the foundation that effective security is built on. It’s a big word for a common-sense idea: things work better if you know what you’re trying to do and how you’re willing to do it than if life is an endless flailing reaction of whatever the latest situation drops ...
The lights come on, the set is down, the curtains float away…
People already blog about information security – just look at my short but growing blog roll. Does the world really need one more? I think so, and my inaugural post is to make the case for it. Information Security is big business. The U.S. federal government alone spent 7.1 billion dollars ...