November 8, 2015 The fatal flaw in IT Risk management Interviewing is a much better method than self-certifications and a checklist, if time and resources allow. Two points: In the ISO-27001 forum, my…
May 31, 2015 Misnomer I’ve written before how government agencies misuse terminology associated with information security but it seems to persist and continues to mislead. The latest is…
August 24, 2011 The real reasons for documentation – and how much The documentation required and/or needed by ISO-2700x is a perennial source of dispute in the various forums I subscribe to. Of course management has…
May 28, 2010 “Impact” is not a Metric I never like to see the term ‘impact’. It’s not a metric. I discuss how length, temperature, weight, are metrics whereas speed, acceleration, entropy…
December 27, 2009 Throwing in the towel I was saddened to hear of an InfoSec colleague who met with overwhelming frustration at work: After two years of dealing with such nonsense,…
October 26, 2009 The chief value of open source Now this is interesting! With code visibility, you and your vendors become partners in trying to make something work. The vendor can’t over-promise, but…