The InfoSec Blog

The InfoSec Blog

System Integrity: Context Is Everything

  • About The Author
  • Master Index
  • Presentations
  • System Integrity

Category: Policy

November 19, 2014

Should all applicable controls be mentioned in documenting an ISMS?

In my very first job we were told, repeatedly told, to document everything and keep our personal journals up to date. Not just with…

August 25, 2013

The Truth About Best Practices

An article on Linked entitled ‘The Truth about Practices” started a discussion thread with some of my colleagues. The most pertinent comment came from…

May 14, 2013

Does ISO 27001 compliance need a data leakage prevention policy?

On one of the ISO-27000 lists I subscribe to I commented that one should have a policy to determine the need for and the…

April 5, 2012

An OP-ED by Richard Clarke on China

http://www.nytimes.com/2012/04/03/opinion/how-china-steals-our-secrets.html This is better written than most ‘chicken little’ pieces, but please can we have ‘history’ of how most nations, including the USA, have…

April 1, 2012

Managing Software

Last month, this question came up in a discussion forum I’m involved with: Another challenge to which i want to get an answer to…

March 23, 2012

Social Engineering and sufficency of awareness training

Someone asked: If you have a good information security awareness amongst the employees then it should not a problem what kind of attempts are…

March 18, 2012

About ISO 27001 Risk Statement and Controls

On the ISO27000 Forum list, someone asked: I’m looking for Risk statement for each ISO 27k control; meaning “what is the risk of not…

January 17, 2012

How to decide on what DVD backup software to use

You do do backups don’t you?  Backups to DVD is easy, but what software to use? – How are you managing the backup archives?…

November 30, 2011

On the HP Printer Hack

The hack to make the HP printers burn was interesting, but lets face it, a printer today is a  special purpose computer and a…

November 13, 2011

Which Risk Framework to Use: FAIR, FRAP, OCTAVE, SABSA …

What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level?  I’m asking about a…

August 6, 2011

The Decline of the Physical Desktop

http://www.eweek.com/c/a/IT-Management/As-Foretold-by-Desktop-Managment-Tools-588370/ What’s interesting here is that this isn’t preaching “The Cloud” and only mentions VDI in one paragraph (2 in the one-line expanded version)….

June 21, 2011

In praise of OSSTMM

In case you’re not aware, ISECOM (Institute for Security and Open Methodologies) has OSSTMM3 – The Open Source Security Testing Methodology Manual – http://www.isecom.org/osstmm/…

November 11, 2010

BCP or BIA

Image via Wikipedia A business might possibly choose not to have a BCP but they might be interested in doing a BIA After all,…

August 20, 2010

Open source and commercial support

In a discussion of Open Source vs Closed Source/Commercial … Voice 1: Maybe because they’re not customers? (in the paying for a service sense)…

July 14, 2010

IAM – Basics – Policy

If there’s one thing that upsets me when I see articles and posting to forums about policy, its mention of a “Password Policy”. I…

June 29, 2010

You don’t need a Firewall Security Policy

A member of a discussion list I subscribe asked for a Firewall Policy template. A usual, I was alarmed enough by this to want…

March 26, 2010

A Security Policy needs to be abstract not specific

Image via Wikipedia There’s much I don’t like about many of the published security policies an the ones I see in use at many…

January 25, 2010

About Social Networking policy

Policy development is one of my areas of practice, so when a colleague on a mailing list asked about how to phrase policy to…

October 6, 2009

About creating Corporate IT Security Policies

As I’ve said before, you should not ask yourself what policies to write but what you need to control.  If you begin with a…

April 6, 2007

Make your policy generic, not specific

Some of us security types were discussion policy, login notices and the like. Someone commetned on a badly written poicy about the use of…

Availability

I am currently available to offer InfoSec & GRC audit and consulting services through my company - System Integrity

Popular Pages

  • The Classical Risk Equation
  • Separation of Duties: Infosec, IT and Audit
  • “Cybercrime” is still Crime and “Cyberfraud” is still Fraud
  • Risk Analysis makes no sense … Does it?
  • Are *you* ready to give up yet?
  • Why InfoSec Positions go unfilled
  • Security
  • Risk
  • ISO27K
  • Rants and Raves

Categories

Archives

Calendar of Posts

July 2022
M T W T F S S
 123
45678910
11121314151617
18192021222324
25262728293031
« Sep    

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Security Links

  • Schneier on Security
  • Gary Hinson
  • Martin McKeay
  • The Security Team
  • DHS Daily Report
  • SANS Security Alerts
  • Brian Krebs
  • Stupid Security
  • Kill-HUP.com
  • Bruce Schneier
Copyright The InfoSec Blog. All rights reserved. | Powered by WordPress & Writers Blogily Theme