Blog Posts Tagged with "Risk Assessments"
Making an Intelligent, Defensible Trust Valuation
April 24, 2012 Added by: Rafal Los
Is trust a binary decision? Can you trust something to varying levels? These are important questions for any security professional to have good answers to. Applying this logic to computing - can we ever really trust any computer environment, system, or application?
Comments (0)
Conflict of Interest is the Root of Cheap Risk Assurance
March 19, 2012 Added by: Jon Long
When process owners and management challenge my audit findings and pressure me to suppress them, I am comforted in knowing that I ultimately work for the benefit of stakeholders who are interested in me doing my best even if it upsets management in the process...
Comments (0)
Incident Response and Risk Management Go Hand in Hand
February 13, 2012 Added by: Neira Jones
Residual risk is inevitable, so incident response becomes a crucial part of managing it. As the risk assessment identifies the assets critical to a business - threats, vulnerabilities and controls - so should the incident response plan concentrate on critical assets...
Comments (0)
Enterprise Disaster Recovery Planning
February 02, 2012 Added by: Danny Lieberman
DR planning is not about writing a procedure, getting people to sign up and then filing it away somewhere. The disaster recovery plan is designed to assist companies in responding quickly and effectively to a disaster in a local office and restore business as quickly as possible...
Comments (0)
Why Infosec Forced Me to Get an MBA
February 01, 2012 Added by: Don Turnblade
How much did restoring, repairing, reimaging, improved firewall rules, down time, legal fines, or direct fraud cost per event? Asking what it is may be too close to that great low pressure system, and you do not need to be struck by lightning. I won't ask and you won't tell...
Comments (0)
A Failed Attempt at Optimizing an Infosec Risk Assessment
January 29, 2012 Added by: Bozidar Spirovski
Having a standardized method for risk assessment in infosec based on hard numbers would be great. But since the factors included in any incident are complex and varying, and consistent incident reporting is impossible, we will be sticking to the current qualitative methods...
Comments (3)
On Enterprise-Wide Risk Management
January 24, 2012 Added by: Michele Westergaard
Certain tasks can be defined via policy as needed but are really the small part of the role. An overarching role is to understand the key issues facing the organization, creatively challenge business processes by asking what can go wrong, then work to plug the potential holes...
Comments (0)
On Vulnerability Assessments and Penetration Tests
January 10, 2012 Added by: Drayton Graham
Simply put, a Vulnerability Assessment is a piece of code that will identify and report on known vulnerabilities, but a scanner will likely run into false positives. A Penetration Test goes a step further in that a human exploits vulnerabilities, but false positives do not exist...
Comments (0)
Risk Management – More Than Just Risk Assessment
December 22, 2011 Added by: Thomas Fox
Risk management must be linked to the organization’s purpose and goals. Your company must be disciplined. It cannot simply develop a risk assessment and then not use it to look at risk generally. As important as systems are, they must be practical, and linked to what your company does...
Comments (0)
Case Study: A Cloud Security Assessment
December 14, 2011 Added by: Danny Lieberman
A client asked us to find a way to reduce risk exposure at the lowest cost. Using the Business Threat Modeling methodology and Practical Threat Analysis software, we were able to mitigate 80% of the total risk exposure in dollars at half the security budget proposed by the vendor...
Comments (0)
Data Loss Prevention - Step 1: Know What's Important
December 13, 2011 Added by: Rafal Los
It's important to understand what your company does and then figure out what the critical bits are. Sometimes it's your customer lists, or a secret ultra-high efficiency engine design, or the next big thing in stealth bombers. The point is that you simply need to know your business...
Comments (0)
PCI DSS Risk SIG Announced: Results Will Be Interesting
December 13, 2011 Added by: Andrew Weidenhamer
The one that I am most interested in seeing the results of is the Risk Assessment SIG. Although "IT Risk Assessment" has been a term in use for decades now, such assessments are still rarely performed, and almost always poorly when they are, with regard to effectively considering threats...
Comments (0)
PwC’s Economic Crime Survey Focuses on Cybercrime
November 30, 2011 Added by: Headlines
"Many executives have yet to seize upon the serious nature of the cybercrime threat. Cybercrime has emerged as a formidable threat, thanks to deeply determined, highly skilled, and well-organized cybercriminals, from nation states to hacktivists, from criminal gangs to lone-wolf perpetrators..."
Comments (0)
Five Key Aspects of a Good Infosec Risk Assessment
November 26, 2011 Added by: Albert Benedict
Because they are consistent and repeatable, current risk assessment results can be compared to previous years’ results to see if there was any growth. You can also compare the client’s status to other companies of similar size and stature to show them where they stand...
Comments (0)
Security Scribbling: ISO 27001 vs. PCI Misunderstanding
November 18, 2011 Added by: Andrew Weidenhamer
The problem with using a risk based approach is the manner in which risk is defined and accepted. As long as there is a good Risk Assessment methodology in place and further good reasons and justifications to deal with risk, then using a risk based approach is perfectly acceptable...
Comments (0)
What To Do About Insider Threats
November 15, 2011 Added by: PCI Guru
Insiders must have access to information that the general public or even your business partners do not. As a result, should an employee get sloppy with controls or go “rogue,” you can expect to lose whatever information that person had access to. Remember my mantra – security is not perfect...
Comments (0)