Security decisions are risk decisions (directly or indirectly), but which kind of risk matters? For me, the most important one is the risk that a company does not achieve its objectives. Yet all the security decision processes we have today are deficient at addressing the organization's objectives.
Let's look at ourselves. Most security professionals don't "waste" their time defining what the objective of a security control is and whether it is aligned with the company's objectives. Even an enlightened professional, when proposing a control to minimize some threat, almost never evaluates the impact of that control on the company's opportunities. Once a control has been implemented it becomes sacred, and no one can even propose revoking it. Why? I would like to see something like "zero-based budgeting" in the security process, so that every year security personnel would have to justify every existing and planned security control.
Labels: Security Management
There is a lot of confusion on many web pages that state that Sarbanes-Oxley specifies 7 years of log retention. This is common on the Internet: people copy and paste from other sites without verifying the original source, and something that is not true gains credibility because many of us repeat it.
In reality, the U.S. Securities and Exchange Commission establishes the following in one of its rules:
We are adopting rules requiring accounting firms to retain for seven years certain records relevant to their audits and reviews of issuers' financial statements. Records to be retained include an accounting firm's workpapers and certain other documents that contain conclusions, opinions, analyses, or financial data related to the audit or review.
So, the Sarbanes-Oxley Act does not specify how long the log retention period should be. Actually, it only states that accounting firms should retain their audit records for 7 years.
The study, done by research firm IDC on behalf of RSA Security, shows that the majority of senior managers believe IT security risk is the largest single obstacle to innovation in their businesses right now. Much of this stems from the belief that security personnel are inclined to simply say no to whatever request they receive from a line of business executive and that even if they do agree to help with a given initiative, the turnaround time will be too long to be of any use, the research shows.
This paper by Rainer Böhme and Thomas Nowey is really good. Its first part cleverly summarizes the main financial decision methods for information security investments, such as ALE (Annual Loss Expectancy), some ROSI (Return on Security Investment) variations and NPV (Net Present Value). It also analyzes some weaknesses of these methods.
The second part describes some security metrics based on market mechanisms. This subject is very interesting and deserves more of my attention in the future. By the way, this paper was originally a chapter of “LNCS 4909 Dependability Metrics”.
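To make those three methods concrete, here is an added worked example (my own code, not from the paper or the blog) that computes ALE, the common ROSI variant, and the NPV of a control, and then re-runs ROSI with the incident-frequency estimate scaled up and down. All monetary figures, rates of occurrence, and the discount rate are constructed for illustration; the formulas are the standard textbook definitions.

```python
"""Added example: ALE, ROSI and NPV for a security investment, plus a
sensitivity check on the loss-frequency estimate. All figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossProfile:
    """Inputs of the classic ALE model."""
    sle: float  # single loss expectancy: money lost per incident
    aro: float  # annualized rate of occurrence: incidents per year


def ale(p: LossProfile) -> float:
    """Annual Loss Expectancy = SLE x ARO."""
    return p.sle * p.aro


def rosi(before: LossProfile, after: LossProfile, annual_cost: float) -> float:
    """Return on Security Investment, the widely used variant:
    (risk reduction - cost of control) / cost of control."""
    if annual_cost <= 0:
        raise ValueError("control cost must be positive")
    reduction = ale(before) - ale(after)
    return (reduction - annual_cost) / annual_cost


def npv(cash_flows, rate: float) -> float:
    """Net Present Value of a series of cash flows; index 0 is today."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def npv_of_control(before, after, upfront, annual_cost, years, rate):
    """NPV of a control: one upfront outlay today, then
    (avoided loss - running cost) for each year of its life."""
    net_per_year = ale(before) - ale(after) - annual_cost
    return npv([-upfront] + [net_per_year] * years, rate)


def rosi_sensitivity(before, after, annual_cost, factors):
    """Re-run ROSI with both ARO estimates scaled by each factor, modelling an
    error in the assumed incident frequency. Returns a list of (factor, rosi)."""
    results = []
    for f in factors:
        scaled_before = LossProfile(before.sle, before.aro * f)
        scaled_after = LossProfile(after.sle, after.aro * f)
        results.append((f, rosi(scaled_before, scaled_after, annual_cost)))
    return results


# Constructed scenario: an incident costing 200k, expected once every two
# years without the control and once every ten years with it.
BEFORE = LossProfile(sle=200_000, aro=0.5)
AFTER = LossProfile(sle=200_000, aro=0.1)
CONTROL_ANNUAL_COST = 50_000

if __name__ == "__main__":
    print(f"ALE before: {ale(BEFORE):,.0f}   ALE after: {ale(AFTER):,.0f}")
    print(f"ROSI: {rosi(BEFORE, AFTER, CONTROL_ANNUAL_COST):+.2f}")
    print("NPV over 3 years at 10%: "
          f"{npv_of_control(BEFORE, AFTER, 60_000, 20_000, 3, 0.10):,.0f}")
    for f, r in rosi_sensitivity(BEFORE, AFTER, CONTROL_ANNUAL_COST, (0.5, 1.0, 1.5)):
        print(f"ARO estimate x{f}: ROSI = {r:+.2f}")
```

With these inputs the control looks clearly worthwhile (ROSI of +0.60, positive NPV), but halving the assumed incident frequency turns the ROSI negative while a 50% higher estimate more than doubles it. That is the practical point behind the weaknesses the paper discusses: the decision rests on loss-frequency estimates that are rarely known to within a factor of two.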
As usual, Joanna Rutkowska posted some interesting thoughts:
If we looked at the computer systems and how they try to provide security, I think we could categorize those attempts into three broad categories:
- Security by Correctness
- Security by Isolation
- Security by Obscurity