Archive for 'Risky Business'

ISO 27001 and Governance Requirements

Can’t protect what you don’t know about.

Had an interesting conversation this week with the CISO of a large bank. They were interested in moving towards ISO-27001 certification and we were talking about the challenges of conducting a “meaningful” risk assessment in such a large and distributed organization.

As we were talking about the merits of information and process centric risk assessment using ...

The (Not) NIST Great Guidance on Smart Grid Assessments

Not that long ago I bemoaned the fact that there was too much guidance on Smart Grid Security.

So it may seem odd that I’m about to profess admiration for some new guidance, namely the Smart Grid Interoperability Panel (SGIP) “Guide for Assessing the High-Level Security Requirements in NISTIR 7628, Guidelines for Smart Grid Cyber Security”.

The original three volumes of 7628 cover almost 700 pages and were one of the main ...

Tackling Smart Grid Security – Back to Basics

Smart Grid promises to radically change the face of energy technology today; however, along the way, it creates threat vectors that can leave utility companies vulnerable to a whole new realm of attacks. Besides these new threats, utility companies are also affected by the uncertain economic times, thus investments are receiving more scrutiny from local PUCs (Public Utility Commissions), as it becomes increasingly difficult to recover ...

What About Your Third-Party Vendor’s Third-Party Vendors?

Recently we were conducting an outsourced internal audit, looking at the risk associated with a third-party on behalf of our client. (Their vendor risk management program requires due diligence in the use of a third-party to process “sensitive” data on their behalf.) On review, we found that the third-party data analytics/SaaS vendor we were assessing likewise outsourced a significant part of its IT operations ...

Personal Passwords Endanger Corporate Security

Writing this blog with egg on my face, tail between my legs, or whatever your favorite expression is for highly chagrined. The Zappos breach made me do a formal evaluation of my personal password practices … which, sad to say, are not consistent with what I preach as an information security practitioner. Worse – my “personal password policy” had put my employer at risk.