Blog Posts Tagged with "Risk Assessments"
March 07, 2013 Added by:Stephen Marchewitz
While PCI DSS compliance has been a requirement for several years now, it’s been fairly subjective as to what a compliant program looks like and how an organization actually goes about it. While that can still look to be the case, here are a few things to consider.
August 28, 2012 Added by:Christopher Rodgers
Management sometimes assumes that when they have identified and summarized the top risks to their organization through a Strategic Risk Assessment, that they have implemented ERM. This is simply not the case. Strategic Risk Assessment is an important component of ERM and usually a starting point, but not a final destination...
July 18, 2012 Added by:Danny Lieberman
The Cloud Security Control model looks great, but it doesn’t mitigate core vulnerabilities in your software. Once you choose the right service model and vendor, put aside the security reference models and focus on hardening your application software. It’s your code that will be running in someone else's cloud...
July 03, 2012 Added by:Jared Pfost
Most IT organizations aren't equipped or supported to build a mature program. If our objective is to deliver an evidence driven investment road map aligned with the business, it's OK to plan a phased approach and demonstrate value while the culture, process, and necessary resources gain momentum...
June 20, 2012 Added by:Thomas Fox
As compliance programs become more mature, you can use the information generated in a risk assessment in a variety of ways to facilitate an overall risk management program. To create an effective risk management system, understand the qualitative distinctions among types of risk an organization faces...
April 23, 2012 Added by:Rafal Los
Is trust a binary decision? Can you trust something to varying levels? These are important questions for any security professional to have good answers to. Applying this logic to computing - can we ever really trust any computer environment, system, or application?
February 12, 2012 Added by:Neira Jones
Residual risk is inevitable, so incident response becomes a crucial part of managing it. As the risk assessment identifies the assets critical to a business - threats, vulnerabilities and controls - so should the incident response plan concentrate on critical assets...
February 02, 2012 Added by:Danny Lieberman
DR planning is not about writing a procedure, getting people to sign up and then filing it away somewhere. The disaster recovery plan is designed to assist companies in responding quickly and effectively to a disaster in a local office and restore business as quickly as possible...
January 31, 2012 Added by:Don Turnblade
How much did restoring, repairing, reimaging, improved firewall rules, down time, legal fines, or direct fraud cost per event? Asking what it is may be too close to that great low pressure system, and you do not need to be struck by lightning. I won't ask and you won't tell...
January 28, 2012 Added by:Bozidar Spirovski
Having a standardized method for risk assessment in infosec based on hard numbers would be great. But since the factors included in any incident are complex and varying, and consistent incident reporting is impossible, we will be sticking to the current qualitative methods...
January 23, 2012 Added by:Michele Westergaard
Certain tasks can be defined via policy as needed but are really the small part of the role. An overarching role is to understand the key issues facing the organization, creatively challenge business processes by asking what can go wrong, then working to plug the potential holes...
January 10, 2012 Added by:Drayton Graham
Simply put, a Vulnerability Assessment is a piece of code that will identify and report on known vulnerabilities, but a scanner will likely run into false positives. A Penetration Test goes a step further in that a human exploits vulnerabilities, but false positives do not exist...
December 22, 2011 Added by:Thomas Fox
Risk management must be linked to the organization’s purpose and goals. Your company must to be disciplined. It cannot simply develop a risk assessment and then not use it to look at risk generally. As important as systems are, they must be practical, and linked to what your company does...
December 13, 2011 Added by:Danny Lieberman
A client asked us to find a way to reduce risk exposure at the lowest cost. Using the Business Threat Modeling methodology and Practical Threat Analysis software, we were able to mitigate 80% of the total risk exposure in dollars at half the security budget proposed by the vendor....
December 12, 2011 Added by:Rafal Los
It's important to understand what your company does and then figure out what the critical bits are. Sometimes it's your customer lists, or a secret ultra-high efficiency engine design, or the next big thing in stealth bombers. The point is that you simply need to know your business...
December 12, 2011 Added by:Andrew Weidenhamer
The one that I am most interested in seeing is the results of is the Risk Assessment SIG. Although IT Risk Assessments has been a term that has been used for decades now, they are still rarely performed and almost always poorly when they are in regard to effectively considering threats...
PoS Malware Kits Rose in Underground in 2014... on 03-17-2015
New PCI Compliance Study... on 03-17-2015
PCI Security Standards Council Statement on ... on 03-17-2015