Comments for InfoReck http://www.robbreck.net/blog Enterprise InfoSec from Robb Reck Wed, 09 May 2012 00:03:40 +0000 hourly 1 http://wordpress.org/?v=3.3.2 Comment on Making Security Metrics That Matter by Robb Reck http://www.robbreck.net/blog/enterprise_information_security/making-security-metrics-that-matter/#comment-897 Robb Reck Wed, 09 May 2012 00:03:40 +0000 http://www.robbreck.net/blog/?p=506#comment-897 Andy, Thank you for taking the time to read and comment. As you said, there is a lot of room for us to improve our security alignment. Fortunately, it's fun. I appreciate the kind words. -Robb Andy,

Thank you for taking the time to read and comment. As you said, there is a lot of room for us to improve our security alignment. Fortunately, it’s fun. I appreciate the kind words.

-Robb

]]> Comment on Making Security Metrics That Matter by Andy Bochman http://www.robbreck.net/blog/enterprise_information_security/making-security-metrics-that-matter/#comment-741 Andy Bochman Mon, 23 Apr 2012 12:27:42 +0000 http://www.robbreck.net/blog/?p=506#comment-741 Robb - this is great. This message is starting to get through to the security masses, though slowly. Thanks for helping to speed it up !!! Andy Robb – this is great. This message is starting to get through to the security masses, though slowly. Thanks for helping to speed it up !!!

Andy

]]> Comment on Security Depends on IT Maturity by Steve Lodin http://www.robbreck.net/blog/enterprise_information_security/security-depends-on-mature-it-governance/#comment-606 Steve Lodin Tue, 20 Mar 2012 23:54:15 +0000 http://www.robbreck.net/blog/?p=422#comment-606 Completely agree. I've seen cases where new systems in the PCI segment don't have FIM installed or logging enabled, new networks pop up that aren't put in the vulnerability scanner, etc... The CAB should catch this, but the right people and the right questions must be asked during CAB meetings. Otherwise, the CAB is just a rubberstamp process without value. Completely agree. I’ve seen cases where new systems in the PCI segment don’t have FIM installed or logging enabled, new networks pop up that aren’t put in the vulnerability scanner, etc… The CAB should catch this, but the right people and the right questions must be asked during CAB meetings. Otherwise, the CAB is just a rubberstamp process without value.

]]> Comment on Security Depends on IT Maturity by Lou Rabon http://www.robbreck.net/blog/enterprise_information_security/security-depends-on-mature-it-governance/#comment-602 Lou Rabon Mon, 19 Mar 2012 20:50:12 +0000 http://www.robbreck.net/blog/?p=422#comment-602 Hey Robb, Just found this via the Palo Alto Networks twitter feed. So true! I have been battling this problem for years...and the worst part is that it leads to a kind of "security apathy", where the least common denominator is usually taken as a solution with no overarching framework and commitment to improvement. It needs to come from the top and have board and exec team signoff and leadership. Great post! Lou Hey Robb,

Just found this via the Palo Alto Networks twitter feed. So true! I have been battling this problem for years…and the worst part is that it leads to a kind of “security apathy”, where the least common denominator is usually taken as a solution with no overarching framework and commitment to improvement. It needs to come from the top and have board and exec team signoff and leadership.

Great post!
Lou

]]> Comment on RSA Conference 2012 – Wrap-Up by RSA Round-up 2012 « VPN Haus http://www.robbreck.net/blog/enterprise_information_security/rsa-conference-2012-wrap-up/#comment-570 RSA Round-up 2012 « VPN Haus Tue, 06 Mar 2012 19:38:32 +0000 http://www.robbreck.net/blog/?p=433#comment-570 [...] For the full post, click here. [...] [...] For the full post, click here. [...]

]]> Comment on RSA Conference 2012: Day 1 Highlights by Robb Reck http://www.robbreck.net/blog/enterprise_information_security/rsa-conference-2012-highlights/#comment-569 Robb Reck Sun, 04 Mar 2012 19:27:12 +0000 http://www.robbreck.net/blog/?p=425#comment-569 Daya, Thanks for the note. I believe that the intent behind of the quote you mention ("The destination should achieve compliance, not be compliance") is that when organizations are architecting their security programs it should be done with an eye toward implementing proper security, NOT toward passing a particular regulation or standard. I have written a few blog posts on this topic in the past if you want to read my thoughts on the matter. http://www.robbreck.net/blog/enterprise_information_security/security-leads-to-compliance/ http://www.robbreck.net/blog/enterprise_information_security/proactive-security-versus-reactive-compliance/ http://www.robbreck.net/blog/enterprise_information_security/compliance-leads-to-security-breaches/ I am looking forward to your thoughts. I am always interested in dialog about these subjects. -Robb Daya,

Thanks for the note. I believe that the intent behind of the quote you mention (“The destination should achieve compliance, not be compliance”) is that when organizations are architecting their security programs it should be done with an eye toward implementing proper security, NOT toward passing a particular regulation or standard. I have written a few blog posts on this topic in the past if you want to read my thoughts on the matter.

http://www.robbreck.net/blog/enterprise_information_security/security-leads-to-compliance/
http://www.robbreck.net/blog/enterprise_information_security/proactive-security-versus-reactive-compliance/
http://www.robbreck.net/blog/enterprise_information_security/compliance-leads-to-security-breaches/

I am looking forward to your thoughts. I am always interested in dialog about these subjects.

-Robb

]]> Comment on RSA Conference 2012: Day 1 Highlights by Daya Puls http://www.robbreck.net/blog/enterprise_information_security/rsa-conference-2012-highlights/#comment-568 Daya Puls Sun, 04 Mar 2012 17:44:07 +0000 http://www.robbreck.net/blog/?p=425#comment-568 Hi Robb, Thanks for your RSA Conference 2012 thoughts. I was unable to attend this year and have been going through conference withdrawal. I am interested in hearing more about one of your bulleted items above; '“The destination should achieve compliance, not be compliance.”' First, I'd like to understand what you mean before I can agree or disagree. Do you mean that our efforts to secure the enterprise should achieve compliance and that our destination should not just be meeting some compliance standard? Thanks again. Daya Hi Robb, Thanks for your RSA Conference 2012 thoughts. I was unable to attend this year and have been going through conference withdrawal.

I am interested in hearing more about one of your bulleted items above; ‘“The destination should achieve compliance, not be compliance.”’ First, I’d like to understand what you mean before I can agree or disagree. Do you mean that our efforts to secure the enterprise should achieve compliance and that our destination should not just be meeting some compliance standard?

Thanks again.

Daya

]]> Comment on Security impact of putting it in the cloud by Ren Li http://www.robbreck.net/blog/enterprise_information_security/security-impact-of-putting-it-in-the-cloud/#comment-563 Ren Li Wed, 22 Feb 2012 00:51:48 +0000 http://www.robbreck.net/blog/?p=415#comment-563 From the outsourcing prospect of adopting cloud, considering issues wrapped around service providers, the sensitivity of data that will be release to the providers, and the people who will be allowed to access the cloud would probably be a good idea before adopting the cloud service. I think that the sensitivity of data must be considered first and above everything. Just like that before you upload a picture onto the Internet, you have to consider whether it contains private factors first. Because you know that once it is uploaded, everything pretty much gone wild like spreading fire. From the outsourcing prospect of adopting cloud, considering issues wrapped around service providers, the sensitivity of data that will be release to the providers, and the people who will be allowed to access the cloud would probably be a good idea before adopting the cloud service. I think that the sensitivity of data must be considered first and above everything. Just like that before you upload a picture onto the Internet, you have to consider whether it contains private factors first. Because you know that once it is uploaded, everything pretty much gone wild like spreading fire.

]]> Comment on Why do we Pen Test? by Robb Reck http://www.robbreck.net/blog/enterprise_information_security/why-do-we-pen-test/#comment-549 Robb Reck Fri, 13 Jan 2012 23:21:24 +0000 http://www.robbreck.net/blog/?p=406#comment-549 Thomas, I definitely agree. InfoSec and Audit (Internal Audit at least) have much more in common than they do different. And both teams can be much more effective by working together. Please take a look at a post I wrote about the subject a while back. http://www.robbreck.net/blog/enterprise_information_security/internal-audit-and-information-security/ Thomas,

I definitely agree. InfoSec and Audit (Internal Audit at least) have much more in common than they do different. And both teams can be much more effective by working together. Please take a look at a post I wrote about the subject a while back.

http://www.robbreck.net/blog/enterprise_information_security/internal-audit-and-information-security/

]]> Comment on Why do we Pen Test? by Thomas Butler, CPA, CIA, CISSP, CEH, ECSA, LPT, CISA http://www.robbreck.net/blog/enterprise_information_security/why-do-we-pen-test/#comment-548 Thomas Butler, CPA, CIA, CISSP, CEH, ECSA, LPT, CISA Fri, 13 Jan 2012 22:46:55 +0000 http://www.robbreck.net/blog/?p=406#comment-548 It is the same situation with auditing. It is the same situation with auditing.

]]>