Thursday, November 18, 2010

Time flies...

It's hard to believe I haven't updated this in over six months! You might wonder why that is, though I suspect most people who read this read my personal blogs and already know about the whirlwind that is latter-2010.

If you pay attention to things like author bios, you will have noticed that mine changed in July: I have a new job. I'm now the guy hiring the consultants to perform assessments rather than the consulting auditor, and there have been a million things to learn about my new environment. There have also been a million things happening in my personal life -- nearly all good -- that have also required my attention.

I'm not saying things are stabilizing, but I am saying I have been doing more writing of late, and if I can I'll be picking things back up, here. In the meantime, if you're a newcomer, why not read through the past articles? I've tried to choose topics that will take some time to go stale.

Sunday, May 2, 2010

Something different: An information security parable

Usually, when we write about risk management, we talk about money. Lots of risk has to do with money, so that makes sense. But there's something lost, as well. This occurred to me this morning:

Death is the only promise we have in this life. Many religions make promises about life after, but I'm talking about this life: death is the only promise we have in this life. Some say taxes are promised, but even governments fall. I tell you three times: Death is the only promise we have in this life. To paraphrase Freddie Mercury, "Who dares to love, when love must die?"

And yet, who does not love?

As terrible as the price of love is, the price of not loving is greater still. That, my friends, is also risk management.

This, incidentally, touches on why my posting here has slowed a bit of late -- work's picked up a bit, and that time has to come from somewhere. Part of my risk management is taking as little of that time from my loved ones as possible.

I hope you enjoyed your Beltane or May Day or what have you as much as I've enjoyed mine.

Thursday, April 22, 2010

Spycamgate Update: Getting worse and worse

Some time has passed since the last time I mentioned Spycamgate, the case of the rural Pennsylvania school at which an assistant principal was secretly activating the cameras built into the school-distributed laptops and watching kids in their bedrooms at home.
Security Management magazine is reporting that it’s worse than initially thought.

Tuesday, April 6, 2010

PCI III: Addressing the Criticisms of the PCI DSS – Scope of Protection

In Part II of my PCI series, I listed the criticisms of the PCI DSS I’ve heard to date and asked for readers to add to the list. Nothing’s been added to date, so I’m going to address the list I have. If more criticisms are raised later, I’ll address them at that time.

Tuesday, March 30, 2010

Governance Part 4: Standards

We’ve covered how management uses policies to govern an undertaking, whether that’s a business, a household, or one’s career. Today we’ll continue the Governance series with a look at standards and how they bridge the gap between executive ideals and technical practicality.

The relationship between a policy and a standard is similar to the relationship between a vision and a mission:

Monday, March 22, 2010

PCI II: Criticisms of the PCI DSS

Having given a very brief explanation of the PCI DSS standard and how the credit card industry manages its risk by requiring merchants who want to accept credit cards to adhere to it, I’m going to continue this series by discussing the controversy surrounding the standard.

Friday, March 19, 2010

Compliance: PCI in a very small nutshell

I am certified as a Payment Card Industry (PCI) Qualified Security Assessor (QSA). I am frequently paid to perform PCI audits, to advise people on how to fill out their Self Assessment Questionnaire (SAQ), and to help them identify and remedy gaps in security that would prevent them from complying.

Previously, I’ve written about identifying risks and handling them. I’ve asserted, and indeed it is my fundamental thesis in this blog, that risk management is something everyone does, and that if it is done mindfully and consciously we live happier and better lives personally and professionally. That never means there aren’t complications and challenges to face, and today I’m writing about one of them.

It should come as no surprise that if everyone evaluates their own risks, different people come up with different risks and ideas about how to manage them.

Monday, March 15, 2010

Managing Risk Through Acceptance and Assignment

Last week, we looked at risk mitigation. If you do something to reduce your vulnerability to a threat, or the impact of that threat, the risk goes down. Your personal firewall, your anti-virus system, the lock on your front door, and the umbrella you carry when it looks cloudy out are all examples of risk mitigation. It’s a very popular way to manage risk: literally billions of dollars of the economy consist of people the world over mitigating trillions of dollars of risk. Mitigation very nearly always costs money, and frequently it’s the most cost-effective way to manage one’s risk, but there are others. Today we’ll take a short look at two of them: Acceptance and Assignment.

Tuesday, March 9, 2010

Risk Management: Risk Mitigation

Last week, I started talking about risk management by talking about how it relates to something as mundane as forgetting your car keys. I’m going to stick with that analogy as we discuss how to use risk assessment to understand whether you’re happy with the risk you have or if it’s worth spending some money to mitigate that risk.

Friday, March 5, 2010

Governance Part 3: Policies

In Part 2, we discussed the Missions, Visions, and Charters, which define a task, lay out an overall strategy for accomplishing that task, and authorize someone to do it. Today, we’ll discuss how policies tell everyone to execute the charter to accomplish the mission that realizes the vision. (If I can make this into a spoof of The Court of King Caractacus, why not?).

Humor aside, a policy is a high-level statement from senior management to the enterprise describing how it expects everyone to conduct business.

Wednesday, March 3, 2010

Risk management example: my tire

I was going to continue the governance series today by writing about policies, but I had the idea to use my last few days to show how theory turns into practice. In particular, how I think about and do risk management in day-to-day life. I’m sure you do the same thing, but call it by a different name. “Thinking things through,” perhaps. The really cool thing about it is that it takes longer to describe than to actually do – and if it’s that reflexive for some things, it can become reflexive for everything.

Meta: Comments now hosted at Intense Debate

I've set up the comments to use the Intense Debate system. This will add threading, a degree of cross-site identity continuity, and a number of other features to the system.

Monday, March 1, 2010

Risk Management: YOU Are a risk manager!

Risk management. Assessment, Vulnerabilities, threats, and impact. Mitigation, assignment, acceptance. If you don’t do security for a living, or do it as a purely technical activity, these can sound like terms from some arcane art practiced by Wizards, Sorcerers, Actuaries, and Mutual Fund managers. Today we start taking the mystique out of it and showing that it’s something nearly everyone does every day.

Friday, February 26, 2010

Spycamgate followup

I’ve written previously about “Spycamgate,” wherein a school administrator tried to hold a student accountable for perceived behavior at home based on images taken from a camera on the student’s school-issued laptop. The school’s defense is that the webcams are a security feature to track down lost or stolen machines. If so, the school is illustrating how not to do security. In this instance, doing security wrong consists of doing security in a way that is disrespectful of other people’s security. The case for the importance of meticulously respecting other people’s security is simple to make: there are civil and criminal laws against disrespecting other people’s security:

Wednesday, February 24, 2010

Security Without Tears or Apology

In plugging this blog, for which I’m grateful, Avedon Carol mentioned that my subtitle “Security without apology or tears” doesn’t necessarily make immediate sense. I thought I’d spend some time talking about that.

Every time I tell someone I do information security for a living,

Friday, February 19, 2010

School Principal Spies on Children at Home via Laptop Camera

Whichever side of the infosec coin one is on, a piece of jargon we use to refer to the control of a system is ownership. We refer to a system as “compromised” or “owned” or “pwned” if the person who owns it in the hacker sense isn’t also the person who owns it in the legal sense of the term. Most information security practice is concerned with preventing and detecting inappropriate changes in ownership-with-a-p.

Wednesday, February 17, 2010

Governance Part 2: Charters, Visions, and Missions

In my Introduction I listed charters, visions, and missions as the documents that state what you’re trying to accomplish when you set out to do security. I’m going to expand on that here.

Monday, February 15, 2010

Introduction to Governance, First of a Series

Governance is the foundation that effective security is built on. It’s a big word for a common-sense idea: things work better if you know what you’re trying to do and how you’re willing to do it than if life is an endless flailing reaction to whatever the latest situation drops in your lap. Boy Scouts have been telling people to “be prepared” for a long time.

If it’s such an easy idea, why do so many people get it wrong, in their personal lives and in business?

The lights come on, the set is down, the curtains float away...

People already blog about information security – just look at my short but growing blog roll. Does the world really need one more? I think so, and my inaugural post is to make the case for it.

Information Security is big business. The U.S. federal government alone spent 7.1 billion dollars on it in 2009, and private industry dropped a pretty penny on it as well. The headlines regularly show the cost of not getting it right, literally and figuratively. Companies appoint executives, staff departments, allocate budgets, and do all the other things that businesses do in order to secure their computing. I should know – it’s kept me employed full time for most of my adult life.

And yet, the headlines keep coming.