How to make Federal data security effective
I submit that a “no tickee, no washee” strategy might improve US Federal data security. An article published in the Federal Times states that Cyber attacks on Federal networks are up 40% from last year according to a report compiled by the OMB (Office of Management Budget) that is based on numbers reported by the […]
A cyber-terror derivatives market?
I first heard the idea about hedging risk against actual future disasters (man-made or natural) around the time of Hurricane Katrina. The essay below by professor Avinash Persaud considers the creation of a terrorism futures market. The ideas are particularly timely in the context of the unrest in Libya and the uptick in oil prices. Right […]
10 guidelines for a security audit
What exactly is the role of an information security auditor? In some cases, such as compliance by Level 1 and 2 merchants with PCI DSS 2.0, external audit is a condition to PCI DSS 2.0 compliance. In the case of ISO 27001, the audit process is a key to achieving ISO 27001 certification (unlike […]
Moving your data to the cloud – sense and sensibility
Data governance is a sine qua non to protect your data in the cloud. Data governance is of particular importance for the cloud service delivery model which is philosophically different from the traditional IT product delivery model. In a product delivery model, it is difficult for a corporate IT group to quantify asset value and data […]
Mobile device security challenges
It has been said that there is nothing new under the sun and that every generation forgets or never learned the hard-earned lessons from the spilled blood of the previous generation. Reviewing the security and compliance issues of a new mobile medical device recently, I was struck by how familiar many of the themes are. […]
Giving ISO 27001 business context
ISO 27001 is arguably the most comprehensive information security framework available today. Moreover, it is a vendor neutral standard. However – ISO 27001 doesn’t relate to assets or asset value and doesn’t address business context which requires prioritizing security controls and their costs. This article discusses the benefits of performing an ISO 27001 based risk […]
The 7 deadly sins of software security
Companies spend millions on compliance, but proprietary assets are still getting ripped off by insiders and hackers who compromise buggy, poor-designed applications. Here are 7 software development mistakes you don’t want to make in 2011. 7. Don’t KISS If my experience is any indication – the software industry as a whole is wasting hundreds of millions […]
Small business data security
Here are 7 steps to protecting your small business’s data and and intellectual property in 2011 in the era of the Obama Presidency and rising government regulation. Some of these steps are about not drinking consultant coolade (like Step # 1- Do not be tempted into an expensive business process mapping project) and others are adopting best practices […]
Protecting your data in the cloud
Several factors combine to make data security in the cloud a challenge. Web applications have fundamental vulnerabilities. HTTP is the cloud protocol of choice for everything from file backup in the cloud to Sales force management in the cloud. HTTP and HTML evolved from a protocol for static file delivery to a protocol for 2 […]
Making security live in a performance culture
In a recent PCI seminar I attended, the speaker (who hails from the European PCI Security Council) claimed that most European businesses were in a very bad place in terms of their data security but that that the ultimate business objective is 100 percent compliance. I’ve heard similar pronouncements from industry analysts like Forrester. This is problematic for […]
