InfoReck

Security impact of putting it in the cloud

It seems you can’t make it through any IT related article or meeting these days without a discussion of “the cloud.” Every CEO wants to know how the cloud can improve innovation and productivity, and every CFO wants to know when we’re going to move to the cloud to dramatically cut the costs of doing business. Most CISOs are just scared to think about all that data sitting outside our firewalls.

In the security arena our job is to help identify and quantify the risks associated with such a move. The risks of an … Continue Reading

Why do we pen test?

A penetration test is a method of evaluating the security of computer systems or networks using manual or automated tools. Basically, we set some experienced folks out with the instruction to figure out a way to break the security of our own systems. This will usually come with some rules of engagement (no testing during business hours, don’t corrupt any of our production data, etc).

I’ve been a part of numerous penetration tests. It seems that every organization has them these days. For the purposes of this article, I am limiting us to internal penetration testing, not … Continue Reading

2012 Enterprise Information Security Resolutions

I can’t believe it’s already been a year since I wrote my last Resolutions post. Overall, I believe those resolutions hold up pretty well. I’ve taken a few minutes to think back over 2011 and see how I did at achieving my resolutions… I am reminded that this ride isn’t a simple pass/fail endeavor. With that in mind, here are my 2012 Enterprise Information Security Resolutions.

1. Successful information security is about making progress. It’s not reasonable or sustainable to expect all risks to be remediated as soon as they are discovered. Instead, my … Continue Reading
   

Successful Enterprise Information Security is about Progress

What does a successful information security program look like in an organization? The traditional answer would be something like, “Technology risks are kept to a level the organization is willing to accept.” That sounds pretty simple right? Find the places where risks are greater than we’re comfortable with, then fix it.

That type of thinking works for a point-in-time evaluation, but comes up lacking when we consider the dynamic nature of enterprise information security. Things change. New vulnerabilities are discovered, new types of technologies are implemented, and new business requirements arise. In reality, there is … Continue Reading

Information Security as the Doctor of the Enterprise

“You don’t have to floss all your teeth, just the ones you want to keep.”

I remember, as a child, going to the dentist and seeing that slogan on a poster on the wall. Between that and the serious questions about my brushing and flossing habits during the appointment, it would have been impossible to walk out of the dentist’s office without a full understanding of the importance of consistent oral hygiene. I would leave the dentist’s office (greatly relieved to be free) but without any commitment to adding flossing to my plans. I … Continue Reading

Black Hat’s Place in Enterprise Information Security

In general, Enterprise information security is planned and discussed in the hallways of high-rise buildings, conference rooms and closed-door meetings. These conversations usually involve men in button-down shirts and polos trying to find ways to use the limited resources available to mitigate the risks available across a huge threat surface. Phrases like “defense in depth,” “return on investment” and “acceptable risk” are the primary areas for conversation.

On occasion, the information security practitioners from these organizations decide to get together and hold much bigger meetings they call conferences. These conferences have basically the same elements. … Continue Reading

How’s Your Relationship with Internal Audit?

Want a quick and easy way to get an idea how well your organization’s risk management program works? Take a look at how the technical staff reacts to and interacts with the internal audit team.

The role of internal audit is to aggregate internal policies, regulatory requirements, and industry best practices and then observe the organization to see how the operational reality stacks up with those goals. This is the chance for us to see if we’re walking the walk or if all our risk management policies and systems are just for show.

When your team hears … Continue Reading

Focusing on success or failure?

This is the second part in the discussion of the difference between IT and Information Security. Click here for Part 1.

You probably think I’m going to say focus on success, don’t you? Well read on, it’s not nearly that simple.

When a system administrator or application developer is working to create a new system, the process usually starts first by identifying what the system is supposed to do. The process will include purchasing hardware, writing code, tweaking settings, and a rollout, all with the intention of meeting a particular objective. The system’s creator is focused intently … Continue Reading

Every Employee, a Security Partner

The information security department is responsible for writing policies, creating awareness training, tracking compliance, and generally leading the data security program at an organization. But when it comes down to it, we are not the ones who do most of the practicing. The ground-level implementation of security in the organization simply cannot be the work of a few information security employees; it needs to be performed by every employee in their day to day tasks.

The information security team is responsible for the creation of the policies and standards. This is the framework that a security program … Continue Reading

Or, The Difference between Information Security Professionals and those Paid to Perform Information Security

Evidence of people performing accounting has been found as far back as Babylon (circa 4500 BC).  We have records of a civil engineer from as long ago as 2630 BC. It’s fair to say that these are mature, well understood professions. The education and training for their practitioners has been thoroughly tested and documented. If you want to become an accountant you take some classes, learn your craft, and prove you’ve learned it by taking the Certified Public Accountant (CPA) exam. If you want to … Continue Reading