November 19, 2014 Should all applicable controls be mentioned in documenting an ISMS? In my very first job we were told, repeatedly told, to document everything and keep our personal journals up to date. Not just with…
August 25, 2013 The Truth About Best Practices An article on Linked entitled ‘The Truth about Practices’ started a discussion thread with some of my colleagues. The most pertinent comment came from…
May 14, 2013 Does ISO 27001 compliance need a data leakage prevention policy? On one of the ISO-27000 lists I subscribe to I commented that one should have a policy to determine the need for and the…
April 5, 2012 An OP-ED by Richard Clarke on China http://www.nytimes.com/2012/04/03/opinion/how-china-steals-our-secrets.html This is better written than most ‘chicken little’ pieces, but please can we have ‘history’ of how most nations, including the USA, have…
April 1, 2012 Managing Software Last month, this question came up in a discussion forum I’m involved with: Another challenge to which I want to get an answer to…
March 23, 2012 Social Engineering and sufficiency of awareness training Someone asked: If you have good information security awareness amongst the employees then it should not be a problem what kind of attempts are…
March 18, 2012 About ISO 27001 Risk Statement and Controls On the ISO27000 Forum list, someone asked: I’m looking for Risk statement for each ISO 27k control; meaning “what is the risk of not…
January 17, 2012 How to decide on what DVD backup software to use You do do backups, don’t you? Backups to DVD are easy, but what software to use? – How are you managing the backup archives?…
November 30, 2011 On the HP Printer Hack The hack to make the HP printers burn was interesting, but let’s face it, a printer today is a special purpose computer and a…
November 13, 2011 Which Risk Framework to Use: FAIR, FRAP, OCTAVE, SABSA … What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level? I’m asking about a…
August 6, 2011 The Decline of the Physical Desktop http://www.eweek.com/c/a/IT-Management/As-Foretold-by-Desktop-Managment-Tools-588370/ What’s interesting here is that this isn’t preaching “The Cloud” and only mentions VDI in one paragraph (2 in the one-line expanded version)…
June 21, 2011 In praise of OSSTMM In case you’re not aware, ISECOM (Institute for Security and Open Methodologies) has OSSTMM3 – The Open Source Security Testing Methodology Manual – http://www.isecom.org/osstmm/…
November 11, 2010 BCP or BIA A business might possibly choose not to have a BCP, but they might be interested in doing a BIA. After all,…
August 20, 2010 Open source and commercial support In a discussion of Open Source vs Closed Source/Commercial … Voice 1: Maybe because they’re not customers? (in the paying for a service sense)…
July 14, 2010 IAM – Basics – Policy If there’s one thing that upsets me when I see articles and postings to forums about policy, it’s mention of a “Password Policy”. I…
June 29, 2010 You don’t need a Firewall Security Policy A member of a discussion list I subscribe to asked for a Firewall Policy template. As usual, I was alarmed enough by this to want…
March 26, 2010 A Security Policy needs to be abstract not specific There’s much I don’t like about many of the published security policies and the ones I see in use at many…
January 25, 2010 About Social Networking policy Policy development is one of my areas of practice, so when a colleague on a mailing list asked about how to phrase policy to…
October 6, 2009 About creating Corporate IT Security Policies As I’ve said before, you should not ask yourself what policies to write but what you need to control. If you begin with a…
April 6, 2007 Make your policy generic, not specific Some of us security types were discussing policy, login notices and the like. Someone commented on a badly written policy about the use of…