February 18, 2016 Purpose unclear. Why are the FBI *really* trying to subvert encryption? Tim Cook says Apple will fight a federal order to help the FBI hack an iPhone. An earlier version of this page has…
May 31, 2015 Misnomer I’ve written before how government agencies misuse terminology associated with information security but it seems to persist and continues to mislead. The latest is…
May 9, 2015 Tracking kids via microchip ‘can’t be far off,’ says expert http://www.kens5.com/story/news/2015/05/07/tracking-kids-via-microchip-cant-be-far-off-says-expert/70986060/ Dickerson said she thought one day, “I microchip my dog, why couldn’t I microchip my son?” I think there’s something despicable about treating…
May 1, 2015 Cyber general: US satellite networks hit by ‘millions’ http://www.forensicmag.com/news/2015/04/cyber-general-us-satellite-networks-hit-millions-hacks I wonder what they consider to be a hack? The wording in the article is loose enough to mean that if…
November 19, 2014 Should all applicable controls be mentioned in documenting an ISMS? In my very first job we were told, repeatedly told, to document everything and keep our personal journals up to date. Not just with…
April 22, 2014 Film or digital? Do you recall Alan Cooper’s book “The Inmates are running the Asylum”? He makes the case that once you put a computer in something…
August 31, 2013 On ‘paranoia’ – revisiting “Paid to be paranoid” My fellow CISSP and author Walter Jon Williams observed that Paranoia is not a part of any mindset. It is an illness. Ah, Walter…
August 25, 2013 The Truth About Best Practices An article on Linked entitled ‘The Truth about Practices’ started a discussion thread with some of my colleagues. The most pertinent comment came from…
May 30, 2013 Confusion over Physical Assets, Information Assets – Part Two So I need to compile a list of ALL assets, information or otherwise, NO! That leads to tables and chairs and powerbars. OK so…
May 30, 2013 Confusion over Physical Assets, Information Assets in ISO-27000 I often explain that Information Security focuses on Information Assets. Some day, on the corporate balance sheet, there will be an entry which reads,…
May 14, 2013 Does ISO 27001 compliance need a data leakage prevention policy? On one of the ISO-27000 lists I subscribe to I commented that one should have a policy to determine the need for and the…
February 17, 2013 Information Gathering and Risk Assessment On the ISO2700 forum one user gave a long description of his information gathering process but expressed frustration over what to do with it…
October 2, 2012 How much Risk Assessment is needed? In many of the InfoSec forums I subscribe to people regularly ask the “How long is a piece of string” question: How extensive a…
October 2, 2012 An “11th Domain” book. http://www.infosectoday.com/Articles/Persuasive_Security_Awareness_Program.htm Gary Hinson makes the point here that Rebecca Herold makes elsewhere: Awareness training is important. I go slightly further and think that a…
July 2, 2012 Tight budgets no excuse for SMBs’ poor security readiness http://www.zdnet.com/tight-budgets-no-excuse-for-smbs-poor-security-readiness-2062305005/ From the left hand doesn’t know what the right hand is doing department: Ngair Teow Hin, CEO of SecureAge, noted that smaller companies…
March 31, 2012 Help on ISO-27000 SoA This kind of question keeps coming up, many people are unclear about the Statement of Applicability on ISO-27000. The SoA should outline the measures…
March 23, 2012 Social Engineering and sufficiency of awareness training Someone asked: If you have a good information security awareness amongst the employees then it should not be a problem what kind of attempts are…
March 18, 2012 About ISO 27001 Risk Statement and Controls On the ISO27000 Forum list, someone asked: I’m looking for Risk statement for each ISO 27k control; meaning “what is the risk of not…
November 30, 2011 Doubts about “Defense in Depth” So to have great (subjective) protection your layered protection and controls have to be “bubbled” as opposed to linear (to slow down or impede…
November 30, 2011 On the HP Printer Hack The hack to make the HP printers burn was interesting, but let’s face it, a printer today is a special purpose computer and a…