Improve Program Change Controls To Reduce Incidents

April 21st, 2008

Recently in my Norwich MSIA class we were discussing the importance of program change controls, and I wanted to continue the discussion here because as important as it is, it typically does not get the attention it deserves in most organizations.

Revisiting Online Medical Information Storage Houses Points To Consistent Need For *1* Federal Privacy Law

April 17th, 2008

Last fall I blogged about Microsoft’s HealthVault in “Why Would You Trust Microsoft To Store Your Sensitive Health Information?”
It didn’t take long before Google got in on the game.
Today an interesting story ran in the New York Times, “Warning on Storage of Health Records,” that also points out the concerns with having huge amounts of health information stored by a mega-multi-services-products type of monolithic company. The issues are the same for any organization storing such information; but putting health information in the same corporate systems that already contain the records of billions of people really opens up quite a Pandora’s box of privacy breach possibilities.
Here are some excerpts from the news story that make some good points…

Addressing Application Vulnerabilities With PCI DSS Log Management Compliance

April 16th, 2008

The third and final paper in my PCI DSS log management compliance series is now available!
I encourage you to download the much nicer-looking formatted PDF version. 🙂
However, the following is the unformatted version of “Addressing Application Vulnerabilities with PCI Log Management Compliance”…

Great New Risk Management Document From The U.S. GAO

April 15th, 2008

There is a new document from the U.S. Government Accountability Office (GAO), “STRENGTHENING THE USE OF RISK MANAGEMENT PRINCIPLES IN HOMELAND SECURITY.”
It includes discussions of current risk management practices from non-government industries that are quite interesting, not to mention some great risk management ideas and descriptions of risk management practices.
Check it out!

Privacy and Security Lost And Found

April 14th, 2008

Today I’ve been participating in a very interesting discussion on the Security Catalyst Community about an intriguing project that Scott Wright is doing with Honey Sticks at his site.
Part of the discussion led to the possibility that one of the Honey Sticks that Scott had planted in a hotel, and had been “activated,” may have been turned in to the hotel’s lost and found.

Policy VALUE versus Policy COST

April 13th, 2008

I’ve been doing a lot of student grading for the Norwich MSIA program, along with a lot of communications with folks new to information security and privacy over the past several years. Policy cost versus policy value has been a frequently occurring topic throughout many of those conversations, and I just wanted to get it out of my mind and on the blog, perhaps to reference later…

Effectively Working with IT Auditors

April 10th, 2008

The April edition of my “IT Compliance in Realtime” e-journal is now available!
There are three papers within this month’s issue. The first is, “Effectively Working with IT Auditors.”
Communicating well with your IT auditors will help ensure that your audit goes smoothly and provides as much value as possible for your business. Within this article I explain what to ask for before, during, and after your audit.
Download the PDF version of the e-journal to get not only the nicest-looking version of the article, with the additional information in tables and the short items I included in sidebar boxes throughout, but also all three of the articles I wrote for this month.
The following is an unformatted version of “Effectively Working with IT Auditors”…

Striving For PCI DSS Log Management Compliance Also Helps To Identify Attacks From The Outside

April 9th, 2008

The second paper in my series on PCI DSS log management compliance, “Using PCI DSS Compliant Log Management To Identify Attacks From The Outside” is now available.
And, as I’ve been blogging about over the past few days, log management is about much more than systems; it is about the entire management process, and the need for policies and procedures that address how personnel review the logs and know how to interpret them.

One Word Makes A World Of Difference…To Auditors and To Practitioners

April 7th, 2008

I want to continue the discussion I started yesterday.
Is there a difference between “log management” and a “log management system”?
