Business context for ISO 27001
ISO 27001 is increasingly popular because of compliance regulation and the growing need to reduce the operational risk of information security. What ISO 27001 is missing though, is the business context – the ability for an SME to determine the cheapest and most effective security countermeasures and their order of implementation. Since ISO 27001 certification requires compliance […]
SOX IT Compliance
A customer case study – SOX IT Compliance We performed a Sarbanes-Oxley IT top down security assessment for a NASDAQ-traded advanced technology company. The objectives for the study were to evaluate the internal and external threats that impact the company’s information assets. Using the Business threat modeling (BTM) methodology, a practical threat analysis PTA threat model was constructed and a number […]
DLP for telecom service providers
A customer case study: Using DLP to protect customer data at a telecom service provider Our first data loss prevention (DLP) project was in 2005 with 013 Barak – now 013 Barak/Netvision. It followed on the heels of an extensive business vulnerability assessment and management level decision to protect customer data. It’s significant that 013 […]
Catch 22 and Compliance
Let’s say your’e a payment processor going through a PCI DSS 2.0 audit: Does this sound familiar? (just replace certain words by certain other compliance related words): Without realizing how it had come about, the combat men in the squadron discovered themselves dominated by the administrators appointed to serve them. They were bullied, insulted, harassed […]
Why less log data is better
Been a couple weeks since I blogged – have my head down on a few medical device projects and a big PCI DSS audit where I’m helping the client improve his IT infrastructure and balance the demands of the PCI auditors. Last year I gave a talk on quantitative methods for estimating operational risk of […]
Weekly security lessons learned
We specialize in security and compliance for the health care and bio-med space, helping clients build security into their products, instead of bolting it on later. There are plenty of challenges to go around and it often seems like you’re trying to drink from a fire-hose. Lots of water, a few drops into your mouth, […]
Securing Web servers with SSL
I’ve been recently writing about why Microsoft Windows and the Microsoft monoculture in general is a bad idea for medical device vendors – see my essays on Windows vulnerabilities and medical devices here, here and here. It is now time to slaughter one more sacred cow: SSL. One of the most prevalent misconceptions with vendors in […]
The ethical aspects of data security
Ethical breaches or data breaches. I was standing in line at Ben Gurion airport, waiting for my bag to be x-rayed. A conversation started with a woman standing next to me in line. The usual sort – “Where are you traveling and what kind of work do you do?”. I replied that I was traveling […]
The economics of software piracy
One year ago this time was World Cup season and Mondial fever put a lot of regional conflicts on the back burner for a month – not to mention put a dent in a lot of family budgets (husbands buying the latest 60 inch Sony Bravia and wives on retail therapy while the guys are […]
Medical device security in a hospital network
Medical devices are everywhere today. In your doctors office measuring your blood pressure, at your cosmetician (for hip reduction…) and in the hospital for everything from patient monitoring to robot-assisted surgery. The people that develop embedded medical devices based on Intel platforms know that Windows is vulnerable. Lacking embedded Linux know-how, medical device developers often […]
