Risk analysis of legacy systems
A practical, proven methodology for practical risk assessment and security breach risk reduction in enterprise software systems. Click here to download the article
SOX IT Compliance
A customer case study – SOX IT Compliance We performed a Sarbanes-Oxley IT top down security assessment for a NASDAQ-traded advanced technology company. The objectives for the study were to evaluate the internal and external threats that impact the company’s information assets. Using the Business threat modeling (BTM) methodology, a practical threat analysis PTA threat model was constructed and a number […]
10 guidelines for a security audit
What exactly is the role of an information security auditor? In some cases, such as compliance by Level 1 and 2 merchants with PCI DSS 2.0, external audit is a condition to PCI DSS 2.0 compliance. In the case of ISO 27001, the audit process is a key to achieving ISO 27001 certification (unlike […]
Giving ISO 27001 business context
ISO 27001 is arguably the most comprehensive information security framework available today. Moreover, it is a vendor neutral standard. However – ISO 27001 doesn’t relate to assets or asset value and doesn’t address business context which requires prioritizing security controls and their costs. This article discusses the benefits of performing an ISO 27001 based risk […]
Understanding culture and security
Whether you’re an account manager at Cisco, a programming geek in an Israeli startup, an expert on PCI DSS 2.0 or an industry authority on CRM; you must understand the culture in your workplace in addition to your professional skills in order to effectively manage risk and comply with regulation. If you alienate people – […]
Taking security on the offensive
I believe many people involved with IT security have a feeling of frustration that stems from continously reacting to external forces: spam attacks, spyware attacks, insider threats, analyst reports and new product announcements. Is it possible to be an information security officer and mitigate threats to confidentiality, availability and integrity of data in a proactive […]
Protecting your data in the cloud
Several factors combine to make data security in the cloud a challenge. Web applications have fundamental vulnerabilities. HTTP is the cloud protocol of choice for everything from file backup in the cloud to Sales force management in the cloud. HTTP and HTML evolved from a protocol for static file delivery to a protocol for 2 […]
Making security live in a performance culture
In a recent PCI seminar I attended, the speaker (who hails from the European PCI Security Council) claimed that most European businesses were in a very bad place in terms of their data security but that that the ultimate business objective is 100 percent compliance. I’ve heard similar pronouncements from industry analysts like Forrester. This is problematic for […]
Why Rich Web 2.0 may break the cloud
There are some good reasons why cloud computing is growing so rapidly. First of all there are the technology enablers: Bandwidth and computing power is cheap. Software development is more accessible than ever. Small software teams can develop great products and distribute it world wide instantly. But cloud computing goes beyond supply-side economics and directly […]
What is security?
So what is security anyhow? Security is not about awareness. A lot of folks talk about the people factor and how investing in security awareness training is key for data protection. I think that investing in formal security awareness training, internal advertising campaigns and all kinds of fancy booklets and cards for employees is a […]
