The following is borrowed from www.hipaadvisory.com, in particular from the section on Information Security Manager’s Role Description. Why from here? No reason….it covers it just as well as most other places.

Above all others, the information security manager’s primary goals are to protect the confidentiality and integrity of information, and maintain the technical mechanisms of legitimate access to it. To achieve these goals, the information security manager’s responsibilities typically include:

  • Documenting the information security policies and procedures instituted by the organization’s Information Security Committee
  • Implementing the organization’s information security policies and procedures
  • Coordinating the activities of the Information Security Committee
  • Providing direct information security training to all employees, contractors, alliances, and other third parties
  • Monitoring compliance with the organization’s information security policies and procedures among employees, contractors, alliances, and other third parties, and referring problems to appropriate department managers or administrators
  • Monitoring internal control systems to ensure that appropriate information access levels and security clearances are maintained
  • Performing information security risk assessments and serving as the internal auditor for information security processes
  • Preparing the organization’s disaster recovery and business continuity plans for information systems
  • Serving as an internal information security consultant to the organization
  • Monitoring advancements in information security technologies
  • Monitoring changes in legislation and accreditation standards that affect information security
  • Initiating, facilitating, and promoting activities to foster information security awareness within the organization
  • Serving as the information security liaison for users of clinical, administrative, and behavioral systems
  • Reviewing all system-related information security plans throughout the organization’s network, and acting as liaison to the Information Systems Department

Looks pretty standard for most IT Security Manager roles, doesn’t it? Looks like a lot of the ads placed for roles in organisations?

Why is it then that when the IT Security Manager comes on board, the objectives/role change and every step of progress made by the new guy in the organisation is as tough as pulling teeth? Why is it that organisations post this as what they want to achieve but then don’t?

It’s no wonder most security dudes are cynical about the IT industry. It takes a special breed who can deal with the lip service day in and day out, listen to the latest company rants about how they take security seriously, read about the latest government initiatives on cybercrime etc etc etc…yet the realities, as we know, are far different.

As a community, we are too insular. We spend too much time ranting to each other and sharing war stories…….who wants to listen to a bunch of paranoid techs?

There are enough posts in here that cover my thoughts on this, but I’d be keen to hear from anyone who disagrees.



http://www.news.com.au/dailytelegraph/story/0,22049,22304224-5005941,00.html

Good initiatives…what? Election year? Snotty nosed kids? Why am I even giving this space? What else has happened today?

Posted in: WTF




This paper, titled “Common Risks Impeding the Adequate Protection of Government Information” and sponsored by the US Department of Homeland Security and the Office of Management and Budget, isn’t rocket science, but it does highlight the concerns that most organisations themselves face.

Nothing new in here, and nothing that should not already be in place as standard. It is a worry to think that in 2007 we’re still talking about security and risk management basics.

You have to wonder how many millions and billions are wasted on security products around the world for little to no benefit to organisations? Actually….we know…..millions and billions.



I wrote a little while ago about seeing the results of some “Big” guys’ PCI Audits at clients, only to be called out on another PCI site that “Big” guys don’t do PCI audits. Most don’t…anymore, and it was nice to get some follow-up responses on the site supporting the facts.

Let’s not pick on these guys directly, though remnants of their work still remain. We know…we see it! Aside: how some of these guys ever signed off on some audits, giving clients a compliance pass, makes it clear why many are no longer in the game. Negligent and dangerous to clients.

If you’re a merchant or service provider, let me explain something called “Safe Harbour”.

A Report on Compliance that gives you all the ticks means jack should you be compromised and then found non-compliant by an independent review undertaken by an authorised party engaged by the PCI dudes after your compromise. Yep…you’ll potentially be deep in it even though that PCI Auditor told you all was well!

So, was it worth going with the guys that quoted 4 days for the PCI Onsite Audit when another company quoted 4 weeks?! Did that difference not ring alarm bells? Did you not ask questions? Did you really think that the ticks in the boxes discharged your responsibilities? Did you know what “safe harbour” meant?

Companies need to get smarter and realise the risks they face by not spending some time asking questions. Saving a few thousand bucks today could equate to being up for millions in damages later…and trust me, it does and will happen.

Read Choose your PCI Auditors Carefully – Part 2.

Posted in: Bad Stuff, PCI, PCI DSS




Just another notice about Kiwicon 2007. This will be an awesome event…hopefully the first of many.

For further information, go to: https://kiwicon.org/

Posted in: Research


Interesting news out of Germany that will impact the research community:

http://www.theregister.co.uk/2007/08/13/german_anti-hacker_law/



Hey, I love my guitars as some of you know…so I have decided that if any guitar manufacturer or distributor needs some vulnerability assessments, PCI scans or Web Application security testing done, I will do it for guitars instead of money.

- Fender: Telecaster….love the strat also but the tele kills it.
- Gibson: Les Paul…love it but the SG has the nicer neck and rocks harder. Probably why I like the tele.
- Dean: Nuff said…current owner and daily player!
- PRS: Any US model…Nuff said
- BC Rich: Gave away a “Bitch” in 1987 and still regret it!
- Maton: Home brand…great rep!
- Washburn: Paul Stanley….nuff said!

etc etc….just call….the list above is just a start!

Line 6 Spider 3…..also most cool!

Posted in: Uncategorized


This recent story from Information Week tracks the TJX saga: The TJX Effect. Well worth a read for all organisations – not just those required to be compliant under the PCI DSS program.

This story is far from done and further highlights the implications of non-compliance with good practices and PCI DSS, as also covered in:

http://beastorbuddha.com/2007/06/27/implications-of-non-compliance-with-pci-dss/


