With apologies to Eminem …
Had a very interesting conversation with the CISO of a Global 100 the other day. He was very concerned that there were risks that they were not fully cognizant of and was understandably concerned that one of them was going to rear its head and put them in the headlines. So the initial portion of the conversation revolved around the idea of conducting a broader Risk Assessment to ensure that all key risks had been identified.
To ensure the approach was optimum, we delved into “all things security” and I was impressed at the overall level of maturity of the control environment. A Systems Development Lifecycle (SDLC) Methodology was in place and operational and included the integration of key security elements (e.g., Risk Assessment / Security Requirements / Security Certification) at the appropriate project phases. As the conversation evolved, we jointly realized that many of the “suspected” and most concerning risks (e.g., privileged user access to databases, source code control, ability to comply with eDiscovery requirements) were symptomatic of a failure of the security requirements definition phase to fully document the requirements relating to monitoring / logging / compliance measurement.
The result is that, rather than conducting a Risk Assessment, we are going to address the “suspected” risks in a more direct, focused manner while at the same time making the necessary changes at multiple points in the SDLC to ensure that the aforementioned issues are addressed.
Risk Management is by its nature circular … so the “real” issue may require that you look at it through the back of the mirror.
About the Author:
John Verry, CISA, 27001 Certified Lead Auditor, CCSE, CRISC - "Security Sherpa" - Information Security Auditor