March 18, 2012 About ISO 27001 Risk Statement and Controls On the ISO27000 Forum list, someone asked: I’m looking for Risk statement for each ISO 27k control; meaning “what is the risk of not…
November 30, 2011 On the HP Printer Hack The hack to make the HP printers burn was interesting, but let's face it, a printer today is a special purpose computer and a…
April 18, 2011 Requirements for conducting VA & PT – Take 2 Some people are under the mistaken impression that a Pen Test simulates a hacker’s action. We get ridiculous statements in RFPs such as: The…
January 31, 2011 IT AUDIT VS Risk Assessment – 2 We were discussing which should be done first and someone said: The first has to be risk assessment as it is foundation of information…
January 6, 2011 What drives the RA? Need or Fashion? A colleague in InfoSec made the following observation: My point – RA is a nice to have, but it is superfluous. It looks nice…
December 3, 2010 All Threats? All Vulnerabilities? All Assets? On one list I subscribe to, I saw this outrageous statement: ISO 27001 requires that you take account of all the relevant threats (and vulnerabilities) to…
September 16, 2010 Admin username/password clouds That’s a very interesting and pertinent presentation by a guy named Grubb from RedHat: http://www.redhat.com/promo/summit/2008/downloads/pdf/hardening-rhel5.pdf A few items caught my eye: Slide 7 points…
December 27, 2009 Throwing in the towel I was saddened to hear of an InfoSec colleague who met with overwhelming frustration at work: After two years of dealing with such nonsense,…
November 18, 2006 Encyclopedia of IT terms CMP ChannelWeb have an on-line encyclopaedia of IT terms. This is a useful addition to my toolbar for composition, along with a more conventional…