Tuesday, December 22, 2009


RE: Security decision making

Augusto Paes de Barros iniciated a discussion on Goggle Wave about security decision process. Here is my response about this subject:
Hello Augusto
Security decisions are risk decisions (directly or indirectly), but what kind of risk does it matter? For me, the most important is the risk of a company doesn't achieve its objectives. Although all these security decision processes that we have today are deficient to address the organizations' objectives.
Let's see ourselves. Most of security professionals don't "waste" their time to define which is the objective of a security control and if it is aligned with company objectives . Even an enlightened professional, when proposes a control to minimize some threat, almost never evaluates the impact of controls on company's opportunities. A control, once it has been implemented, became sacred and no one can even propose its revoke, why? I would like to see something like "zero-based budgeting" on security process, so every year security personnel should justify every existing and planning security controls.


Wednesday, September 09, 2009


Why did nobody have this idea before?


Sunday, November 23, 2008


Events calendar

Ronaldo Vasconcellos, the responsible for some of the main Brazilian security mail lists, maintains this security events calendar.


Saturday, November 22, 2008


Sarbanes-Oxley and the log retention myth

There is a big confusion on many web pages which write that Sarbanes-Oxley specifies 7 years of log retention. This is common on Internet, people copy & paste from others sites but don't verify the original source and something, that is not true, gets some credibility because many of us repeat this information.

In reality, the U.S. Securities and Exchange Commission establish the following in one of its rules:

WE are adopting rules requiring accounting firms to retain for seven years certain records relevant to their audits and reviews of issuers' financial statements. Records to be retained include an accounting firm's workpapers and certain other documents that contain conclusions, opinions, analyses, or financial data related to the audit or review.

So, the Sarbanes-Oxley act does not specify how long the log retention period should be. Actually, it only states that accounting firms should retain their audit records for 7 years.


Tuesday, September 30, 2008


Security vs. Innovation

When security is seen as obstacle to innovation, something is wrong.
THE study, done by research firm IDC on behalf of RSA Security, shows that the majority of senior managers believe IT security risk is the largest single obstacle to innovation in their businesses right now. Much of this stems from the belief that security personnel are inclined to simply say no to whatever request they receive from a line of business executive and that even if they do agree to help with a given initiative, the turnaround time will be too long to be of any use, the research shows.
IT security not valued at many firms, study finds by Dennis Fisher

Labels: ,

Monday, September 29, 2008


Economic security metrics

This paper by Rainer Böhme and Thomas Nowey is really good. Its first part cleverly summarizes the main financial decision methods for information security investments like ALE (Annual Loss Expectancy), some ROSI (Return on Security Investment) variations and NVP (Net Present Value). In addition, it also analyzes some weakness of these methods.

The second part describes some security metrics based on market mechanisms. This subject is very interest and deserves more of my attention in the future. By the way, this paper was originally a chapter of “LNCS 4909 Dependability Metrics”.

Labels: , ,

Monday, September 22, 2008


Security by correctness, isolation or obscurity

As usual, Joanna Rutkowska posted some interesting thoughts:

IF we looked at the computer systems and how they try to provide security, I think we could categorize those attempts into three broad categories:

  1. Security by Correctness
  2. Security by Isolation
  3. Security by Obscurity
More here.



January 2000   February 2000   March 2000   February 2007   April 2007   May 2007   July 2007   October 2007   November 2007   January 2008   February 2008   March 2008   September 2008   November 2008   September 2009   December 2009  

This page is powered by Blogger. Isn't yours?

Subscribe to Posts [Atom]