How, What, and When to Patch
How an enterprise decides to manage patch administration probably varies based on who is doing it, the maturity of the Vulnerability Management program, and the business' tolerance of maintenance windows. In my opinion, patching should be broken into four categories: (1) Infrastructure. This would be servers, devices, and applications that are ...
Vulnerability Sites – revisited
Several weeks ago I posted a list of sites and links where threat and vulnerability information can be gathered. Since then I have again had the privilege of running a number of scenarios through my threat process model and want to update you on the applicability of the links ...
Controlling Privileged Access
First, I define privileged access as anything above what the standard user would get. How do you control privileged access? Do you allow your Linux system administrators to have the root password? Do your Windows administrators have the password for a system account with admin privileges? Or maybe they have ...
Data Protection at all Levels
We all know that we need to protect employee and customer data from unauthorized access. We are also aware that there are many rules around storing and transmitting healthcare and credit card data. Most of us have gone to great lengths to put security controls in place on ...
Threats, Vulnerabilities, and News…where do you get your information?
Like all Information Security professionals, I have my favorite feeds, blogs, and sites I visit for my security news. Before I conclude this blog I will share mine. However, where do you go for your intelligence related to threats and vulnerabilities? These would be the sources that give you the ...
Where Work-Life Balance Meets Information Security
With people being more connected to their job through laptops, tablets, smart phones, etc… it seems that more companies are worried about work-life balance. Some companies may define work-life balance as giving employees more "privileges" with their company-owned computing assets. By privileges I mean that they may allow ...
Bring Your Own Device – what’s the big deal?
So Alice went out and bought herself an iPad for her birthday and now she wants to connect it to the network. Employees will continue to bring their own devices to work, and they will want to connect them to the corporate LAN. Don't try to ignore it and bury your ...
How welcome are your guests?
When Joe the salesman from Pete's Software Palace shows up at the guard desk (because I know you have one), is signed into the system, and is asked to have a seat until you come to get him: is there a wired network connection in the lobby that would ...
How do Information Security and Internal Audit play nice?
What is the relationship between your Information Security department and Internal Audit? Is it a friendly, collaborative relationship, or is there resentment between the two teams? Both the Information Security and IT Internal Audit teams have similar goals: make sure the company's data is properly protected from inadvertent disclosure, ...
How do you measure your risk?
If you ask 10 security professionals who perform risk evaluations how they measure risk and what is important, you will probably get 9 different answers. There is a slim chance that 2 might agree. Below are three possible approaches to risk evaluation: (1) Do you use a well-defined methodology ...

