As a CISO/CSO/Security Manager, you were hired by your organisation to perform a role. How many people go back to the advertisement they responded to and check off what they are actually doing now, versus what the original role description stated the role would/should be?

From talking with many people out there, I know that this is one of their biggest issues in their role today: either the role not being as it was promoted/advertised, and/or not having the support to perform the role you were hired to do.

It’s made cynics of so many people in our industry and, in a weird way, has also kept people (albeit unhappy) in organisations longer, given the belief that wherever security people go, it will be much of the same, so at least it’s “better the devil you know”. This blog is full of posts (since day one) about the trials and tribulations of Information Security people trying to do their job and battling every step of the way for even small gains. I won’t link to those posts, there are too many, but have a search here if you want further references.

I’m not going to go over all the old issues again here. What I am going to put forward is another idea that, at a minimum, may provide Information Security professionals with a sense of worth and accomplishment, and a position within their organisation whereby the organisation can choose to accept professional opinion, views and recommendations, or not, but at least the Information Security professional can rest secure in having gone on record from an overarching management, governance and strategic perspective. (The following need not relate only to the most senior Information Security person in the organisation, but to anyone who holds the belief that things should be better than they are now.) Read on……




Liverpool City Council has burned down. Reported here in the SMH.

Listening to the Mayor being interviewed on radio this afternoon, you get the sense that the data loss and impact will be huge. I don’t think she [the Mayor] gets what a problem they have. They believe they have backup tapes “from last Thursday”, but don’t seem to have computers to restore them to. They believe they’ll have *a* computer in a temporary office, “but no email”.

Listening to this, I just thought, what a f**king disaster! What genius decided that a DRP was not worth having? (Unless of course this has all been reported incorrectly.) If not, this will be a great case study.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



Release from ANSI. (I’ve included this as an FYI for Australian Information Security people.) The link below has the content of the email sent out recently.

Related post regarding recent Australian Government activity here. Coordination? Focus? Lessons?

———————————————————————————————
White House Releases National Strategy for Trusted Identities in Cyberspace
http://www.ansi.org/news_publications/news_story.aspx?menuid=7&articleid=2576




“On Monday 21 June 2010, the Standing Committee on Communications tabled its report on the inquiry into Cyber Crime entitled Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime.” Full details and report here.

We covered the updates to this inquiry last year: October 2009 post, September 2009 post.




As reported in ITNews and syndicated sites:

“The Federal Government has announced plans to sign an international treaty designed to facilitate the identification, extradition and conviction of cybercriminals around the world.”

In principle, the thinking and premise behind this is what you would expect in terms of technology issues/practices trying to align with “traditional” laws. But is this happening to mirror the “traditional/current” laws in the member countries? What impact would such a treaty, owned and driven out of the EU, have on “other members” such as Australia? While 99% of this may be acceptable, and most of it already accepted practice here, care must be taken that we don’t jump into something without a full understanding of the impacts on our country and its citizens.

Are we prepared to fully jump into something like this (albeit we do, formally and informally, undertake and work against most of these principles now) without other foundation legislation in place that would strengthen our ability to really make this work on all levels?

The Government(s) in Australia have not, for a while, really instilled us with much confidence that they truly get IT, IT Security, eCommerce etc. Hopefully this is not another case of kicking something off and then having it come back to haunt them later….and there’s quite a bit of that.

I’m no expert in this field but find it an interesting topic. Am keen on your thoughts.




Patrick Gray delivers Australia’s best Information Security Podcast here at Risky Business.

In this podcast, he talks with regular guest Declan Ingram of Securus Global:
http://risky.biz/RB2-declan-forrester




The APRA “prudential practice guide” (PPG 234) hasn’t really come out with all guns blazing so far, has it? (Press release and document here.) Or has it?

It would be interesting to know from readers whether anyone has yet been involved with PPG 234 and APRA. I.e. are you talking about it? Are you adopting the “principles”? Are you dealing with APRA in any sense regarding the “principles”?

We mentioned in a previous post that it’s very similar to the Monetary Authority of Singapore’s “Internet Banking and Technology Risk Management Guidelines”, only it seems to have no teeth and is a decade behind.

Let’s hope not. I talked recently in this post about regulation and the impacts of enforcing stronger controls and practices on organisations, in particular the financial sector. APRA has never really given us any indication of heading down this path the way the MAS and other regulators in the region have. You have to wonder why not. Seriously. (The simplest answer is probably that it’s all too hard, lack of funding and support, etc.) So what’s the point of it, you may ask? And that would be a fair question.

I welcome your thoughts on this.




A bit quiet lately. Sometimes I wonder if there’s more to say that I haven’t covered in the 500+ posts on Beast or Buddha. (The really interesting stuff you can’t write about, for obvious reasons.) What do you do? Continue to rehash the old stuff? Sometimes!….which brings me to an interesting discussion.

We were asked to do a presentation recently on “emerging threats” at a business forum for IT Security and Risk Management professionals. Seems straightforward enough, but looking back over the previous such presentations we’ve been doing over the years, nothing much had changed, in particular our recommendations on how organisations should be dealing with “emerging threats”. We could almost have just pulled out our “Emerging Threats” presentation (circa 2002) and done it word for word, with only a few very minor wording and definition changes, e.g. “Cloud”, “APT” etc. :)

Should we be calling these presentations “Emerging Responses”? It’s the response part that in most cases has yet to “emerge” effectively! The “threats” (most of them) emerged a long time ago. In many cases we just call them different things now because we failed to deal with them properly at the time, so it’s easier to rename something: it makes it all seem that little bit new, and covers up, to a degree, for failures in the past.

Am I being unfair? Keen on your thoughts.




Just wondering how some people would, and/or do, approach an Enterprise State of Security assessment? Obviously, given the plethora of standards, regulatory “guidelines” etc., there are no right answers. (Including the size and scope of such an exercise…assume it is possible, of course!) Do you see it as something impossible? Would you use something like PCI DSS? Do you have your own framework/methodology? Keen to hear people’s thoughts.




APRA has released what they dub a “prudential practice guide” “on the management of security risk in information and information technology (IT) by institutions supervised by APRA”. Press release and document here.

It will be interesting to see how adoption of the “guideline” will go. It is similar to the Monetary Authority of Singapore’s “Internet Banking and Technology Risk Management Guidelines”, but a decade behind, and packing what seems to be no real regulatory push or enforcement like that in Singapore.



