November 8, 2015 The fatal flaw in IT Risk management Interviewing is a much better method than self-certifications and a checklist, if time and resources allow. Two points: In the ISO-27001 forum, my…
August 25, 2013 The Truth About Best Practices An article on LinkedIn entitled ‘The Truth about Practices’ started a discussion thread with some of my colleagues. The most pertinent comment came from…
May 14, 2013 Does ISO 27001 compliance need a data leakage prevention policy? On one of the ISO-27000 lists I subscribe to I commented that one should have a policy to determine the need for and the…
May 25, 2012 Why Info Sec Positions Go Unfilled http://www.infosecleaders.com/2012/05/career-advice-tuesday-why-info-sec-position-go-unfilled/ There are many holes in this, but I think they miss some important points. First is setting IT HR to look for Infosec….
March 31, 2012 Help on ISO-27000 SoA This kind of question keeps coming up; many people are unclear about the Statement of Applicability on ISO-27000. The SoA should outline the measures…
March 18, 2012 About ISO 27001 Risk Statement and Controls On the ISO27000 Forum list, someone asked: I’m looking for Risk statement for each ISO 27k control; meaning “what is the risk of not…
August 9, 2011 His Bipolar made him do it http://compliancesearch.com/compliancex/current-affairs/his-bipolar-made-him-do-it/ An accused hedge fund fraudster’s mother is showing support, by claiming her son is not to blame for defrauding investors out of over…
January 6, 2011 What drives the RA? Need or Fashion? A colleague in InfoSec made the following observation: My point – RA is a nice to have, but it is superfluous. It looks nice…
August 20, 2010 Open source and commercial support In a discussion of Open Source vs Closed Source/Commercial … Voice 1: Maybe because they’re not customers? (in the paying for a service sense)…
October 21, 2006 The CISSP Forum FAQ It’s one of those bootstrap problems – the new CISSPs who need to read the information can’t get at the FAQ on how to…