Business unit strategy for data security
At a recent seminar on information security management, I heard that FUD (fear, uncertainty and doubt) is dead, that ROI is dead and that the insurance model is dead. Information security needs to give business value. Hmm. This sounds like a terrific idea, but the lecturer was unable to provide a concrete example similar to […]
Data security and compliance – Best practices
Compliance is about enforcing business process – for example, PCI DSS is about getting the transaction authorized without getting the data stolen. SOX is about sufficiency of internal controls for financial reporting and HIPAA is about being able to disclose PHI to patients without leaks to unauthorized parties. So where and how does DLP fit into the compliance […]
Return on security investment
The Control Policy Group is presenting a series of 6 free online workshops starting Sep 3, 2009 at 15:00GMT. The first workshop, “Using data security metrics and a value-based approach”, will teach measurement of how well security tools reduce Value at Risk in dollars (or in Euro) and how well they will do 3 years […]
Choosing a data loss prevention solution
Data security is not one-size-fits-all. For example, if the threat scenario is an attack on your customer self-service Web application – obfuscating or encrypting fields in database tables is not an effective security countermeasure; you need a network DLP solution to prevent leaks of clear text data and a software security assessment that […]
Reducing risk of major data loss events
Martin Hellman (of Diffie-Hellman fame) maintains the Nuclear Risk web site and has written a very insightful piece on risk analysis of nuclear war entitled “Soaring, cryptography and nuclear weapons”. Hellman proposes that we need a third state scenario (instead of current state -> nuclear war) where the risk of nuclear holocaust has been […]
Exploiting a wireless mesh network for utilities
I think it’s only a matter of time before someone exploits a wireless mesh network that controls and reads home utility meters to get free water and electricity. Until then, there is a problem of range and coverage. Greentech Media reports that Trilliant (a smart meter neighborhood networking startup) has bought SkyPilot for its […]
Less regulation, increased data security
Data security compliance regulation such as PCI DSS 1.2 is a double-edged sword – as a security checklist it’s an important step for the payment card industry, but too much regulation, especially for small to mid-sized businesses, is too much of a good thing. As my maternal grandmother, who spoke fluent Yiddish, would yell at […]
Imperfect knowledge security
Keeping the organization robust in a highly dynamic threat environment. “Our capacity to predict will be confined to . . . general characteristics of the events to be expected and not include the capacity for predicting particular individual events. . . Yet the danger of which I want to warn is precisely the belief that in […]
Pharmas, Web 2.0 and regulation
For a change – ethics-based regulation that differentiates between the medium and the message. Dr. Jean Ah Kang works at DDMAC and is in charge of Web 2.0 policy development. She speaks very well in her interview with Mark Senak, a regulatory affairs lawyer (eyeonfda.com). Here is the podcast: FDA’s views and […]
Designing a data security system
User-Driven Design versus User-Centered Design. Alan Cooper, in his book The Inmates are Running the Asylum, draws a distinction between user-centered design and user-driven design. User-driven design is about collecting, prioritizing and implementing a system to the user requirements – we’ve all seen software development projects where the requirements spiraled out of control and […]