The InfoSec Blog

The InfoSec Blog

System Integrity: Context Is Everything

  • About The Author
  • Master Index
  • Presentations
  • System Integrity

Tag: Information security

July 2, 2016

Nobody wants to pay for security, including security companies

https://www.linkedin.com/pulse/nobody-wants-pay-security-including-companies-beno%C3%AEt-h-dicaire In theory, consumers and businesses could punish Symantec for these oversights by contracting with other security vendors. In practice, there’s no guarantee that…

April 21, 2014

Data on a Train

http://www.informationsecuritybuzz.com/daily-commute-mean-data/ The latest intelligence on Al-Qaeda, a high profile Child Protection report and plans for policing the London 2012 Olympics; three very different documents…

August 31, 2013

On ‘paranoia’ – revisiting “Paid to be paraoid”

My fellow CISSP and author Walter Jon  Williams observed that Paranoia is not a part of any mindset. It is an illness. Ah, Walter…

May 14, 2013

Does ISO 27001 compliance need a data leakage prevention policy?

On one of the ISO-27000 lists I subscribe to I commented that one should have a policy to determine the need for and the…

March 26, 2013

What is the goal behind calculating assets in ISO-27000?

My friend and colleague Gary Hinson said about asset valuation in ISO-27000 So, for instance, it’s hard to say exactly how much the HR…

March 15, 2013

“Paid to be paranoid”

Read the first four paragraphs of this: http://hollylisle.com/shoes-and-handbags/ Forget the rest, forget that its about ‘creative writing’, just answer that question. Bruce Schneier among…

October 2, 2012

How much Risk Assessment is needed?

In many of the InfoSec forums I subscribe to people regularly as  the “How long is a piece of string” question: How extensive a…

October 2, 2012

An “11th Domain” book.

http://www.infosectoday.com/Articles/Persuasive_Security_Awareness_Program.htm Gary Hinson makes the point here that Rebecca Herrold makes elsewhere:   Awareness training is important. I go slightly further and think that a…

August 9, 2012

How to build an asset inventory for 27001

How do you know WHAT assets are  to be included in the ISO-27K Asset Inventory? This question and variants of the “What are assets…

May 25, 2012

Why Info Sec Positions Go Unfilled

http://www.infosecleaders.com/2012/05/career-advice-tuesday-why-info-sec-position-go-unfilled/ There are many holes in this, but I think they miss some important points. First is setting IT HR to look for Infosec….

March 23, 2012

Social Engineering and sufficency of awareness training

Someone asked: If you have a good information security awareness amongst the employees then it should not a problem what kind of attempts are…

November 13, 2011

Which Risk Framework to Use: FAIR, FRAP, OCTAVE, SABSA …

What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level?  I’m asking about a…

August 4, 2011

Mistaken Thinking – Risk not threats

Via a LinkedIn posting in the Infosecurity magazine forum titled “Internet Threats Posed By Mobile Devices: How Can We Prevent Them?” I came to…

December 3, 2010

All Threats? All Vulnerabilities? All Assets?

One list I subscribe I saw this outrageous statement: ISO 27001 requires that you take account of all the relevant threats (and vulnerabilities) to…

September 15, 2010

Career Insights from Stephen Northcutt, CEO of SANS

http://www.bankinfosecurity.com/articles.php?art_id=2914 Fascinating. I get a lot of enquiries from wannabes who, as they put it, want to “break into security“. I presume they see…

March 26, 2010

A Security Policy needs to be abstract not specific

Image via Wikipedia There’s much I don’t like about many of the published security policies an the ones I see in use at many…

December 27, 2009

Throwing in the towel

I was saddened to hear of an InfoSec colleague who met with overwhelming frustration at work: After two years of dealing with such nonsense,…

October 6, 2009

About creating Corporate IT Security Policies

As I’ve said before, you should not ask yourself what policies to write but what you need to control.  If you begin with a…

August 18, 2009

8 Dirty Secrets of the IT Security Industry – CSO.com

Bill Brenner  wrote an article that covers some security consulting in general and PCI DSS in particular. Do make note of points 1,3, and…

June 19, 2009

Does the Certified Ethical Hacker add value to a CISSP

A young colleague asked about the value of the CEH certification. Would it “Add Value” to his existing CISSP? The syllabus looked interesting to…

Posts navigation

1 2 Next

Availability

I am currently available to offer InfoSec & GRC audit and consulting services through my company - System Integrity

Popular Pages

  • The Classical Risk Equation
  • Separation of Duties: Infosec, IT and Audit
  • “Cybercrime” is still Crime and “Cyberfraud” is still Fraud
  • Risk Analysis makes no sense … Does it?
  • Are *you* ready to give up yet?
  • Why InfoSec Positions go unfilled
  • Security
  • Risk
  • ISO27K
  • Rants and Raves

Categories

Archives

Calendar of Posts

June 2022
M T W T F S S
 12345
6789101112
13141516171819
20212223242526
27282930  
« Sep    

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Security Links

  • Schneier on Security
  • Gary Hinson
  • Martin McKeay
  • The Security Team
  • DHS Daily Report
  • SANS Security Alerts
  • Brian Krebs
  • Stupid Security
  • Kill-HUP.com
  • Bruce Schneier
Copyright The InfoSec Blog. All rights reserved. | Powered by WordPress & Writers Blogily Theme