Blog Posts Tagged with "Security Audits"


What is the Value of a Good Name?

May 15, 2012 Added by:Jon Long

What is the value of a good name? Do you want a firm that has little to lose, or one that has much to lose? I guarantee you that the firm with the most to lose will be the most thorough in their examination of your internal controls. It's time we take a stand against cheap risk assurance...

Comments  (0)


The Great Compliance Conundrum

May 10, 2012 Added by:Mark Gardner

The crux of the matter is why people bemoan compliance: to comply in this case requires no external verification, and in order to meet compliance you may avoid some as they're too hard to do or do not go deep enough, yet still have the ability to turn around and say that "we are compliant"...

Comments  (0)


What Infosec Can Learn from Enron

May 09, 2012 Added by:Beau Woods

Auditors aren't the sole authoritative voice, and they can be fooled or coerced like anyone else. Too often internal and external auditors are trusted as the arbiters of right and wrong. This can fail an organization if executives don't understand the role auditors should play...

Comments  (0)


SOC 2: The Customer Security Questionnaire Killer

May 08, 2012 Added by:Jon Long

User organizations figured out a long time ago that if they want confirmation of how secure their suppliers are, they have to find out for themselves because a sufficient third party attestation did not exist. This is also where the challenge to service auditors is...

Comments  (0)


Password Policy: Sharing Passwords

May 03, 2012 Added by:Benson Dana

I once worked at a place where a senior manager collected the passwords of employees. There had been resistance to giving up this policy, and the excuse was that this unit's mission was unique and that this was necessary. How often does the internal auditor hear this excuse?

Comments  (0)


ICS-CERT: Event Auditing and Log Management

April 30, 2012 Added by:Infosec Island Admin

Without properly configured auditing and logging practices, incident response teams often find it difficult to determine the significance of a cybersecurity event. ICS-CERT has provided a collection of resources to assist vendor and asset-owner security teams...

Comments  (0)


Cybersecurity Problems Found in Electrical Infrastructure

April 08, 2012 Added by:Joel Harding

DOE is in charge of locating and fixing critical infrastructure problems within the energy sector. Do they, in turn, report to DHS if it has to do with critical infrastructure? Does DHS oversee DOE’s cybersecurity problems, their critical infrastructure problems or...?

Comments  (2)


Online Tool Assesses Intellectual Property Awareness

April 06, 2012 Added by:Infosec Island Admin

The NIST and the USPTO have teamed up to create a new online tool to help small companies and entrepreneurs evaluate their awareness of intellectual property, trade secrets, company data and more - and learn how to protect it...

Comments  (0)


Assurance: Don't Worry, I've Got This...

April 06, 2012 Added by:Jon Long

There is nothing that changes faster than technology, and if you are not ahead of it, you are ancient history. Within the category of technology, security is at the forefront of rapid change, and there is nothing more critical to ensure that we understand as auditors...

Comments  (0)


On PCI DSS Compliance Certificates

March 28, 2012 Added by:PCI Guru

All of you processors and acquiring banks that think the only proof of PCI compliance is some mystical PCI DSS Compliance Certificate, stop demanding them. They do not exist and never have. The document you need for proof of PCI compliance is the Attestation Of Compliance, period...

Comments  (0)


Application Security: Why is Everybody Always Picking on Me?

March 19, 2012 Added by:Fergal Glynn

The recent explosion in mobile application development paints a clear picture of the modern development landscape. Not only in terms of the incredible speed of production, but perhaps more importantly, the widening gap between speed-to-market and software security quality...

Comments  (0)


Conflict of Interest is the Root of Cheap Risk Assurance

March 19, 2012 Added by:Jon Long

When process owners and management challenge my audit findings and pressure me to suppress them, I am comforted in knowing that I ultimately work for the benefit of stakeholders who are interested in me doing my best even if it upsets management in the process...

Comments  (0)


Improving Compliance Performance in Your Supply Chain

March 06, 2012 Added by:Thomas Fox

One of the areas moving towards being incorporated into compliance programs is the supply chain. While many companies have focused significant compliance efforts towards the sales chain, the supply chain is now viewed as an area which requires compliance scrutiny...

Comments  (0)


Log Management: Debugging Security

February 19, 2012 Added by:Danny Lieberman

Logs are key to security management not only for understanding what and why an event happened but also in order to prove regulatory compliance. The business requirements are that security logs should be both relevant and effective...

Comments  (0)


AdiOS: Say Goodbye to Nosy iPhone Apps

February 17, 2012 Added by:Fergal Glynn

I put together a free utility called AdiOS (Addressbook Detector for iOS) that lets Mac users scan the iOS apps in their iTunes directory to see if they have the potential to dump your phone book externally. AdiOS detects apps that access your address book using a binary grep...

Comments  (0)
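The "binary grep" approach the AdiOS teaser describes can be reproduced with a few lines of Python. The script below is an added illustration, not AdiOS itself or any of its code: it assumes that an app which links the AddressBook framework or imports its functions leaves those names (AddressBook.framework, ABAddressBookCreate, ABAddressBookCopyArrayOfAllPeople, ABPeoplePickerNavigationController, all real Apple identifiers) as plain strings in the Mach-O executable, checks the Mach-O magic so that plists and images are skipped, and reports which markers each binary contains. The sample "apps" at the bottom are constructed byte strings, not real applications.

```python
import os
import struct

# Framework path and API symbols that the Apple AddressBook API leaves as
# plain strings in a linked binary. Using these as markers is this example's
# assumption about what a "binary grep" for address-book access should match.
ADDRESSBOOK_MARKERS = (
    b"AddressBook.framework",
    b"ABAddressBookCreate",
    b"ABAddressBookCopyArrayOfAllPeople",
    b"ABPeoplePickerNavigationController",
)

# Mach-O magic numbers: 32-bit (0xFEEDFACE), 64-bit (0xFEEDFACF) and fat
# (0xCAFEBABE), accepted in either byte order as read from the file.
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE, 0xCEFAEDFE, 0xCFFAEDFE}


def is_macho(data: bytes) -> bool:
    """True if the first four bytes are a Mach-O or fat-binary magic."""
    if len(data) < 4:
        return False
    return struct.unpack(">I", data[:4])[0] in MACHO_MAGICS


def addressbook_markers(data: bytes) -> list:
    """Return the marker strings found anywhere in the binary, in marker order."""
    return [m.decode() for m in ADDRESSBOOK_MARKERS if m in data]


def scan_binaries(binaries: dict) -> dict:
    """Map name -> markers found, for Mach-O binaries that reference the address book."""
    report = {}
    for name, data in binaries.items():
        if not is_macho(data):
            continue  # plists, images, and other non-executables are ignored
        hits = addressbook_markers(data)
        if hits:
            report[name] = hits
    return report


def scan_directory(root: str) -> dict:
    """Walk a directory of unpacked apps (e.g. unzipped .ipa payloads) and grep each Mach-O."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if is_macho(data):
                found[path] = data
    return scan_binaries(found)


# Constructed sample "binaries" (not real apps): a 64-bit Mach-O magic as
# stored little-endian on disk, followed by NUL-terminated strings as the
# linker would embed them. The third entry is a plist and must be skipped.
SAMPLE_APPS = {
    "ContactsSync": b"\xcf\xfa\xed\xfe"
    + b"UIKit.framework\x00AddressBook.framework\x00ABAddressBookCopyArrayOfAllPeople\x00",
    "FlashlightLite": b"\xcf\xfa\xed\xfe" + b"UIKit.framework\x00AVFoundation.framework\x00",
    "Info.plist": b'<?xml version="1.0"?>ABAddressBookCreate',
}

if __name__ == "__main__":
    for app, hits in scan_binaries(SAMPLE_APPS).items():
        print(f"{app}: {', '.join(hits)}")
```

Two caveats when running this against real apps: an .ipa is a zip archive, so unpack it (or read the Payload/*.app executable with the zipfile module) before handing the directory to scan_directory, and a match only proves that the app links the framework or imports the function, not that it ever calls it or sends the data off the device, so treat hits as a list of apps to inspect rather than as proof of leakage.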


Best Practices to Prevent Document Leaks

February 17, 2012 Added by:Peter Weger

Unfortunate consequences occur when companies lose control over confidential assets and experience intentional or unintentional disclosure of the information. In some cases, even the possibility of information leakage can damage reputations and stock prices...

Comments  (0)

