Getting Security Buy-in from Everybody

Buy-in for Information Security projects / initiatives / “we should just be doing it” is a tricky thing. While support from senior leaders in the organization is key for resources (i.e. $$$$) and using their name in vain (i.e. “this is a top priority of Mr. Big Pants” or “this ... Read More

What Should Information Security Be Responsible For?

In the Enterprise environment it seems there is always a battle around who should be responsible for what in IT. And there is always some manager or director who complains (or his people do it for him / her) that Information Security seems to be over-stepping their bounds. Where is ... Read More

Is the problem local admin or change?

Welcome back. "...back after {an} exclusive three year tour of Europe, Scandinavia and the sub continent" (Cab Calloway in the Blues Brothers). OK, not really, I never left the city for more than a week at a time and that was for training. However, you may be asking yourself, where ... Read More

Threat Modeling and Security Assessments

Over the last several months, in creating a threat evaluation model / process and performing a security evaluation, I have come to several conclusions. In creating a threat model, you must create a process that is repeatable, yet has some flexibility in it to meet different situations. For example, evaluating threats ... Read More

Creating an Action Plan from a Security Review

After all the work of performing a security review of an organization, it is time to create an action plan. This plan must be something the client can use, so it must be... actionable. How do you classify the threats and vulnerabilities that need to be addressed? Do you do it ... Read More

Threat & Vulnerability Mitigation – Asset Identification

No matter what you call your program (I call mine Vulnerability Management) to manage threats and vulnerabilities as they apply to your network and processing environment, you must know what you have for assets. Assets (equipment, operating systems, virtual environments, applications, infrastructure parts and pieces) need to be identified ... Read More