June 2007
40 posts
Alex Hutton: Jack’s getting addicted to Blogging. It’s funny (via Twitter / Alex Hutton)
Alex Hutton: Meeting with Jack, talking about the Controls Framework (via Twitter / Alex Hutton)
Quickies on a Travel Day
Hey everyone. I have a travel day, so I thought I’d use today to point some items out to y’all (sorry, too much Paula Deen).
PITY ADAM SHOSTACK
Why? Because apparently, Adam has one of the worst jobs in the world. You know what? I’m betting he doesn’t. I’ll bet his job kicks butt. Microsoft’s PR department, however…
RISK MANAGEMENT IS MY PASSION
So is baseball. Why not combine the...
Comparing Your Security Budget, Or, The Lemming...
Hey everyone. I’d like you to welcome Jack Jones to the weblog. I’m getting him his own account, but in the meantime, enjoy his excellent article on IRM budgeting.
Just the other day I was asked again what percentage of my employer’s IT budget went toward security. My answer (as it’s always been) was, “Why should I care?” As usual, the response I received ran along the lines of, “Well if you...
I Really Just Don’t Agree
With this article from CSO
CSO: Seciurity(sic) Veto Can Impede Business by Andreas M. Antonopoulos
Sloppy spelling aside (like I’m one to talk -grin-), I really don’t like the idea of IRM having “veto” power. Ideally, IRM would present a risk analysis for the data owners (you know, the business people) to accept or reject - complete with options to lessen risk. When I say “Accept”, I mean...
Alex Hutton: @bsag - I had the same experience. Couldn’t hate that application enough. To be fair, 8 is the best version so far (via Twitter / Alex Hutton)
Puzzles, Mysteries, & The Giant Ball Of String
In response to yesterday’s “Sad State Of Metrics” Rybolov writes:
Technical things are easy and cheap to measure, usually the tool gives you all sorts of statistics. However, we usually have those problems figured out already–we need metrics for the stuff we don’t know about yet, and that’s where the concept of metrics falls apart.
And then points us to his excellent post on Puzzles &...
Alex Hutton: BSAG: Do it! (via Twitter / Alex Hutton)
Alex Hutton: Robot Chicken Wars is one of the greatest works of the 21st century (via Twitter / Alex Hutton)
The Sad State of Metrics
If you think Risk Management is a term that’s been beaten and abused, the state of “metrics” is even worse.
Dear readers, I’ve been doing some research in the name of our little blog journey together (Ok, not really just for you, I have had other motives). For the past year, I’ve been trying to find out all I can about what people are doing right here, right now, about metrics.
The answer? Not...
Value, Value, Value
I’ve seen a couple of folks write about value and infosec recently. It is a very intriguing and difficult subject and it dovetails into a subject that I’m chewing on right now - metrics.
The first post is from Michael Dahn and it’s entitled, “Does PCI affect the bottom line?” Now PCI, for better or for worse, is here to stay. And if you’re not one of the lucky “self assessment” folks who can...
Alex Hutton: watching Tora!Tora!Tora! (via Twitter / Alex Hutton)
Alex Hutton: There is a reason, I promise. A good one (via Twitter / Alex Hutton)
Alex Hutton: So help me, I’m actually on second life (via Twitter / Alex Hutton)
Alex Hutton: Had to switch from Shiira back to Safari (2)… Couldn’t get Shiira to do what I needed :( (via Twitter / Alex Hutton)
Alex Hutton: mcwresearch: YES! (via Twitter / Alex Hutton)
Information Security Sell Out →
Best InfoSec Post of the Week
Alex Hutton: Downloaded Shiira and loving it, except for bookmarking (via Twitter / Alex Hutton)
Alex Hutton: Safari 3 beta screwed the pooch (or at least some of my plugins are making it uber flakey). (via Twitter / Alex Hutton)
Alex Hutton: Safari 3 beta screwed the pooch (or at least some of my plugins are making it uber flakey). Downloaded Shiira as a replacement and loving i (via Twitter / Alex Hutton)
Alex Hutton: mcwresearch: Yes (via Twitter / Alex Hutton)
Alex Hutton: Discuss Among Yourselves: Is the Chip on the Matasano/Maynor Shoulder Good or Bad for Apple users? (via Twitter / Alex Hutton)
Alex Hutton: Weekly Software Development Status Meeting! So close to 1.0 I can taste it :) (via Twitter / Alex Hutton)
Good C & A helps CYA, Bad C & A, well…
If you’re into doing things the government way, Laura Taylor’s article “Security Certification and Accreditation 101” is a great primer on SC&A processes.
I’ve often thought that a good C&A process used regularly is much more beneficial and critical than your average penetration test or even giant OCTAVE or NIST “risk assessment” (which are usually just vulnerability assessments with...
Alex Hutton: MMMMMMMMMM (via Twitter / Alex Hutton)
Alex Hutton: Leopard (via Twitter / Alex Hutton)
Alex Hutton: Waiting for WWDC to start! (via Twitter / Alex Hutton)
Alex Hutton: Panera bread time (via Twitter / Alex Hutton)
Data Access Outside the Cubicle Farm…
Friend of the Blog Miki Calero has a quick article up, “Do You Trust The Mailroom Clerk” in Security Solutions.com magazine.
It’s a great point. With our orders to identify, clarify and classify information and who has access to it, we account for all sorts of “cubicle creatures”, but tend to leave out the guy who has to change the fluorescent lighting. I especially like the following:
Consider...
TJX Does Not Deserve To Be Taken Advantage Of
I’ve had at least one person suggest to me that TJX was “grandfathered” into PCI compliance, and, as such were compliant during the incident. There’s a lot of uproar about TJX here online, goodness knows I’ve tried to contribute something different - not condemnation of TJX (incidents happen) but discussion of business and risk tolerance to explain how PCI (and compliance) fines/judgements must...
Alex Hutton: Trying to figure out the best way to lay out some web work (via Twitter / Alex Hutton)
What The World Eats →
A photo gallery from Time Magazine about the week’s food consumption for families from various parts of the world…
Heidi’s Novel is Here
You may remember me (and many others) talking up the website: Heidi, Geek Girl Detective.
Well, the novel is now available here:
http://www.lulu.com/content/895846
Go! Spend!
And if you’re looking for a gift for that infosec someone in your life - I think the book will make a great gift. It would also be fantastic cubicle fodder…
Tags: compliance, information risk, information, risk,...
SaaS & Security - Your Thoughts Wanted
First, a real quick note of thanks to those who served 63 years ago today:
SOFTWARE AS A SERVICE, BOON TO USERS, PROBLEM TO IRM?
I’m not the only person who dislikes the acronym for Software As A Service. But SaaS is a heck of a lot easier to type.
I’ve kind of “known” Rod Drury in an online kind of manner (blogging, a few emails, etc.) for a year or so. His new start up, Xero...
More Zombie Auditors
Some folks are digging the zombie auditor graphic I mashed up. I’ve had a few requests for a larger size that can be printed out, and that one is available here.
(QUICK WARNING ON THE LINKS BELOW: I can’t find any real objectionable material, but Panera Bread’s SonicWall Nannyware blocks some of these as:
Reason for restriction: Forbidden Category “”
I’ve heard that ””...
Alex Hutton: I’m going to bed! (via Twitter / Alex Hutton)
Standards With No Teeth Are Worse Than None At All
A few years ago in my son’s T-Ball, there was “that” parent who had “that” kid. The kid was constantly disobedient, and the parent was constantly shouting at them, making threats. Threats like, “If you do that again I’ll pull you off the field and take you right home!” Any parent out there can tell you exactly what this kid did right after those threats were made - they repeated the action that...