Events calendar

Sunday, November 23, 2008

Ronaldo Vasconcellos, who is responsible for some of the main Brazilian security mailing lists, maintains this security events calendar.

Sarbanes-Oxley and the log retention myth

Saturday, November 22, 2008

There is a lot of confusion on many web pages that state that Sarbanes-Oxley specifies 7 years of log retention. This is common on the Internet: people copy and paste from other sites without verifying the original source, and something that is not true gains credibility because so many of us repeat it.

In reality, the U.S. Securities and Exchange Commission establishes the following in one of its rules:

We are adopting rules requiring accounting firms to retain for seven years certain records relevant to their audits and reviews of issuers' financial statements. Records to be retained include an accounting firm's workpapers and certain other documents that contain conclusions, opinions, analyses, or financial data related to the audit or review.

So the Sarbanes-Oxley Act does not specify how long the log retention period should be. It only states that accounting firms must retain their audit records for 7 years.

Security vs. Innovation

Tuesday, September 30, 2008

When security is seen as an obstacle to innovation, something is wrong.

The study, done by research firm IDC on behalf of RSA Security, shows that the majority of senior managers believe IT security risk is the largest single obstacle to innovation in their businesses right now. Much of this stems from the belief that security personnel are inclined to simply say no to whatever request they receive from a line of business executive and that even if they do agree to help with a given initiative, the turnaround time will be too long to be of any use, the research shows.

Economic security metrics

Monday, September 29, 2008

This paper by Rainer Böhme and Thomas Nowey is really good. Its first part cleverly summarizes the main financial decision methods for information security investments, such as ALE (Annual Loss Expectancy), some ROSI (Return on Security Investment) variations and NPV (Net Present Value). It also analyzes some weaknesses of these methods.

The second part describes some security metrics based on market mechanisms. This subject is very interesting and deserves more of my attention in the future. By the way, this paper was originally a chapter of “LNCS 4909 Dependability Metrics”.
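To make the three decision methods named above concrete, here is a worked example in Python. It is an added illustration, not code from this post or from the Böhme and Nowey paper, and every figure in it (loss per incident, incident frequency, control costs, discount rate, three-year horizon) is constructed for the example rather than taken from the paper. The two ROSI functions show the two common ways the same control is described (as a new incident rate, or as the fraction of loss it removes), and the NPV function shows the one thing ROSI leaves out: the time value of money.

```python
"""Worked example of ALE, ROSI and NPV for one security investment.

Added example, not code from the post or from the Böhme/Nowey paper.
All numbers in evaluate_control() are constructed for illustration.
"""


def ale(single_loss_expectancy: float, annual_rate_of_occurrence: float) -> float:
    """Annual Loss Expectancy: expected yearly loss from one threat.

    SLE is the monetary loss per incident; ARO is the expected number of
    incidents per year (fractional is fine: 0.25 = once every four years).
    The main weakness is visible in the formula itself: ARO is usually
    an estimate, and the result is only as good as that estimate.
    """
    return single_loss_expectancy * annual_rate_of_occurrence


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on Security Investment, the common variation.

    The benefit is the ALE reduction the control buys; ROSI relates that
    benefit, net of the control's yearly cost, to the cost itself.
    0.0 means the control exactly pays for itself; negative means it
    costs more per year than the loss it prevents.
    """
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - control_cost) / control_cost


def rosi_mitigation(ale_before: float, mitigation_ratio: float, control_cost: float) -> float:
    """Second ROSI variation: the control is described by the fraction of
    ALE it removes (0..1) instead of by a new ARO."""
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    return rosi(ale_before, ale_before * (1.0 - mitigation_ratio), control_cost)


def npv(initial_outlay: float, yearly_net_benefits, discount_rate: float) -> float:
    """Net Present Value of a security investment.

    Unlike ROSI, NPV accounts for the time value of money: the net
    benefit in year t is discounted by (1 + r) ** t. A positive NPV
    means the investment beats leaving the money at the discount rate.
    """
    return -initial_outlay + sum(
        benefit / (1.0 + discount_rate) ** year
        for year, benefit in enumerate(yearly_net_benefits, start=1)
    )


def evaluate_control() -> dict:
    """Run all three methods over one constructed scenario."""
    # Constructed scenario (illustrative, not from the paper): an incident
    # costs 200,000 and is expected every two years without the control.
    sle = 200_000.0
    aro_without_control = 0.5
    aro_with_control = 0.1        # control cuts frequency to once in ten years
    yearly_control_cost = 30_000.0
    one_off_setup_cost = 50_000.0
    horizon_years = 3
    discount_rate = 0.10

    ale_before = ale(sle, aro_without_control)   # 100,000 per year
    ale_after = ale(sle, aro_with_control)       # 20,000 per year
    yearly_net_benefit = (ale_before - ale_after) - yearly_control_cost  # 50,000

    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        # Both ROSI forms describe the same control here (ARO 0.5 -> 0.1 is
        # an 80% mitigation), so they must agree.
        "rosi": rosi(ale_before, ale_after, yearly_control_cost),
        "rosi_mitigation": rosi_mitigation(ale_before, 0.8, yearly_control_cost),
        "npv": npv(one_off_setup_cost, [yearly_net_benefit] * horizon_years, discount_rate),
    }


if __name__ == "__main__":
    for name, value in evaluate_control().items():
        print(f"{name:>16}: {value:,.2f}")
```

Running it shows ROSI of about 1.67 (each unit spent on the control returns 1.67 units of avoided loss beyond the cost) and an NPV of roughly 74,342 over three years at 10%. Changing only the ARO estimate moves every number, which is the weakness the paper's first part points at: the inputs are guesses, and the methods do not tell you how wrong those guesses may be.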

Security by correctness, isolation or obscurity

Monday, September 22, 2008

As usual, Joanna Rutkowska posted some interesting thoughts:

If we looked at the computer systems and how they try to provide security, I think we could categorize those attempts into three broad categories:

  1. Security by Correctness
  2. Security by Isolation
  3. Security by Obscurity

More here.

Software testing and quantitative risk

Wednesday, September 17, 2008

Software testing blogs

Article about quantitative risk (the title says everything)

New ways to security management

Monday, September 15, 2008

Information security has two main branches: one is technological and the other is about management. The first is changing and developing so fast that it is hard to stay up to date. In the second, however, there is nothing really new.

Basically, there is compliance-oriented management, risk-oriented management, and the combination of the two. Compliance-oriented management is normally structured around the market's best practices, but this approach has difficulty showing the real value these practices bring to the organization.

Risk-oriented security management also has its limitations. When it uses qualitative risks, it has trouble connecting the risks the analyst identifies with the perceived reality of the organization, because those risks depend mainly on the analyst's point of view. On the other side of the coin, calculating quantitative risk is a very hard task, and most of the time it is impracticable if we want a useful and honest result.

But are these the only options? There are some studies on economic theory applied to information security, and market forces acting on information security are easily identified nowadays. The next step is obvious to me: why not use economic management models for information security management?
