Blog Posts Tagged with "Assessments"
Error Logs and Apollo 11: One Giant Step For Risk Management
September 09, 2012 Added by:Tripwire Inc
Although Neil Armstrong is the hero of the Apollo 11 story, the planning, management, complexity and technology for the mission is often overlooked. Iit were not for testing and assessing risks associated with the systems the lunar landing would not have been a success...
Comments (0)
A Packet of Risks and a Small Pot of Tea
July 29, 2012 Added by:Christopher Laing
Risks are just circumstances that if they occurred, would have some impact on the business. Naturally risks can potentially disrupt the business, but if identified, planned for, and effectively managed, risks can have a beneficial impact on the business. The key word here is managed...
Comments (0)
Free Power on the Grid?
July 15, 2012 Added by:Jayson Wylie
Sometimes the wrong people get the code and use it maliciously. It is in the nation’s best interest to keep the power infrastructure safe and keep meters fool proof, but it depends on how effective a tool is to be able to effectively manipulate the technology to an individual’s own financial advantage...
Comments (0)
More on PCI Scoping
June 22, 2012 Added by:PCI Guru
“At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope"...
Comments (1)
PCI’s Money Making Cash Cow Not So Good for the Industry
June 07, 2012 Added by:Andrew Weidenhamer
The level of scrutiny the PCI DSS has been subject to the last couple of years has been bad enough to accentuate it with the advent of the ISA program. The false sense of confidence the ISA program gives individuals is insanely bad for the industry. Like any other certification, the test isn’t difficult..
Comments (1)
Why AppSec Won't Always Bail You Out
May 24, 2012 Added by:DHANANJAY ROKDE
The approach of NetSec pros is different from the AppSec folks, as they concentrate on the attack-surface rather than get into the application itself. This is in no way comparison of the level of difficulty of either of the disciplines, NetSec pros just take it to the next level...
Comments (0)
FedRAMP Releases Updated Security Assessment Templates
May 11, 2012 Added by:Kevin L. Jackson
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and monitoring for Cloud Service Providers. This document has been designed for Third-Party Independent Assessors to use for planning security testing of CSPs...
Comments (0)
On PCI DSS Compliance Certificates
March 28, 2012 Added by:PCI Guru
All of you processors and acquiring banks that think the only proof of PCI compliance is some mystical PCI DSS Compliance Certificate, stop demanding them. They do not exist and never have. The document you need for proof of PCI compliance is the Attestation Of Compliance, period...
Comments (0)
Incident Response and PCI Compliance
March 25, 2012 Added by:Chris Kimmel
One question you should be asking your penetration testing company is, “Do you also test my incident response?” This is an important piece of PCI compliance. As stated by section 12.9 of the PCI DSS v2, a company must implement an IRP and be prepared to respond to an incident...
Comments (0)
ENISA: Inventory of Public Sources on Information Security
March 16, 2012 Added by:Infosec Island Admin
ENISA has launched a stock taking exercise using a questionnaire to establish an Inventory of publicly available sources on Information Security. Therefore, collection and aggregation of existing data and sources is an effective tool to raise information security...
Comments (0)
A Structured Approach to Handling External Connections
February 27, 2012 Added by:Enno Rey
The approach to be developed is meant to work on the basis of several types of remote connections in which each determines associated security controls and other parameters. At the first glance, not overly complicated, but – as always – the devil is in the details...
Comments (0)
Build Your Security Portfolio Around Attack Scenarios
February 14, 2012 Added by:Danny Lieberman
In the current environment of rapidly evolving types of attacks - hacktivisim, nation-state attacks, credit card attacks mounted by organized crime, script kiddies, competitors and malicious insiders and more - it is essential that IT and security communicate effectively...
Comments (1)
Smart Grid Raises the Bar for Disaster Recovery
February 13, 2012 Added by:Brent Huston
Many of the organizations we have talked to simply have not begun the process of adjusting their risk assessments, disaster plans and the like for these types of operational requirements, even as smart grid devices begin to proliferate across the US and global infrastructures...
Comments (0)
How To Choose A Security Vendor
January 16, 2012 Added by:Brent Huston
Variations exist in depth, skill level, scope, reporting capability, experience, etc. Selecting security testing vendors based upon price is a bad idea. Matching specific experience, reporting styles and technical capabilities to your environment is a better solution...
Comments (0)
How to Assess the Effectiveness of Internal Control
January 11, 2012 Added by:Norman Marks
“When a principle is deemed not to be present or functioning, an internal control deficiency exists. Management applies judgment in evaluating whether a deficiency prevents the entity from concluding that a component of internal control is present and functioning..."
Comments (1)
Vulnerability Response Done Right
January 09, 2012 Added by:Fergal Glynn
Just before the holidays, we detected a cross-site scripting (XSS) vulnerability while running a web application scan for one of our customers. As it turned out, the discussion forum where we found the XSS was a SaaS-based product called Lithium...
Comments (0)
- Creating Your Own Privacy & ROI
- Security Intelligence for the Enterprise - Part 1
- Why are Cybercrimes NOT Always White-collar Crimes?
- From the SMB to Security Guru: Five Ways IT Pros Can Manage Security on a Budget
- Balancing Act Between Privacy and Security
- The NSA’s Word Games Explained: How the Government Deceived Congress in the Debate over Surveillance Powers
- NSA Surveillance Is Legal And Not Targeting Average Americans, Says Texas A&M Professor
- Enterprise Software Security - The Fake Choice Between Fast and Secure
- BSidesLV Preview: Vulnerabilities in Application Whitelisting
- Scangate Re-visited: Vulnerability Scanners Uncovered