Archive for the ‘All’ Category

Security Critical Success Factors

Tuesday, February 21st, 2006

Within the context of information security, Critical Success Factors (CSFs) are objectives or goals that must be met before an organization can provide reasonable and appropriate protection of its information assets.  In this article, I explore seven CSFs that lead to an acceptable level of information asset assurance.

(more…)

Laptop Encryption: Reasonable and Appropriate?

Monday, February 20th, 2006

Senior U.S. District Judge for the District of Minnesota, the Honorable Richard H. Kyle, ruled last week that companies don’t have to encrypt their data as a requirement of the Gramm-Leach-Bliley Act of 1999.  The GLBA places a set of constraints on how financial institutions should handle customer information.  There’s been plenty of coverage of this issue since the ruling.  But I’d like to look at it from a different perspective: given HIPAA, SOX, GLBA, and the standards of ethical behavior, what actions should be considered reasonable and appropriate when protecting sensitive consumer information?

(more…)

eDiscovery Challenges

Friday, February 17th, 2006

During the past two decades, the shift from paper to electronic filing of business documents introduced a new challenge: meeting the requirements of litigation discovery.  Not only are organizations keeping more information, but the vast amounts of email messages and other types of documents are typically not organized in a way that facilitates quick, cost-effective extraction from personal and enterprise storage.

If you’re responsible for the security of your company’s information, your role extends to protecting documents required by discovery requests.  Are you prepared to assure your executive management, or to testify, that you’ve done everything reasonable and appropriate to meet the court’s expectations?

In this article, I explore the challenges of eDiscovery (Electronic Discovery) followed by recommendations that might help avoid the high costs of compliance – or non-compliance.

(more…)

Goodmail Systems CertifiedEmail: What is it, and why all the fuss?

Tuesday, February 14th, 2006

Last month, AOL announced it was beginning to use a certified email system designed by Goodmail Systems.  Basically, the Goodmail solution attaches an encrypted token to business/marketing email from certified businesses.  When AOL sees the token, and validates it, the email is treated as a non-spam message.  The catch for the sender is a small fee per message.  The impact on AOL email users is an increase in email with no other purpose than the delivery of unsolicited marketing material.

In this article, I’ll explore how Goodmail’s CertifiedEmail works, what the implementation of this solution means to business, and what users of AOL email services can expect.

(more…)

Invasion of the Botnet Armies

Sunday, February 12th, 2006

In previous articles, I wrote about malicious hackers (crackers) moving away from attacks for bragging rights to attacks for profit.  Part of this transition is the increased use of zombie PCs, or bots, to surreptitiously acquire personal and business information with criminal intent.  In this article, I describe the nature of bots and botnets, the danger to your organization from these growing threats, and some things you can do to protect your information assets.

(more…)

University of Washington Spyware Study Results

Friday, February 10th, 2006

A recent University of Washington paper (see Sources below) documents the results of a five-month study (May 2005 to October 2005) of the state of spyware on the Internet.  The following is a summary of the researchers’ conclusions:

(more…)

Application Security: People, Process, and Technology

Thursday, February 9th, 2006

Most organizations have worked feverishly to secure the network infrastructure, including executing rigorous operating system patch and configuration management processes.  They’ve done such a good job that attackers are turning to applications as the next avenue of attack.  This includes both commercial and proprietary solutions.

In this article, we’ll look at the challenges facing managers as they implement commercial applications and applications developed in-house.  And we’ll explore ways to begin the process of hardening those applications.

(more…)

Security Risk Management

Tuesday, February 7th, 2006

Risk management is an important part of securing today’s information assets.  Security has moved from the fringes of technology to take its place alongside other critical business activities.  And like other business activities, the resources expended on the people, processes, and technology necessary to protect an organization’s information infrastructure must be justified in terms of return on investment (ROI).

In this article, we’ll explore the fundamentals of risk management as it applies to information security.

(more…)

Data Storage Security

Monday, February 6th, 2006

Data in transit, across and between company networks, is usually the focus of extensive security efforts.  However, organizations typically regard data residing on internal storage devices as “secure enough.”  Databases and flat files stored on server, laptop, or SAN-attached disks don’t always move outside the security perimeter; so why worry?

In this paper, we’ll explore data storage vulnerabilities, the risks associated with these vulnerabilities, and ways to effectively manage those risks.

Author: Tom Olzak

Dissecting Nyxem: New dog, same old tricks.

Saturday, February 4th, 2006

There has been some real buzz concerning a new virus in the wild, Nyxem.  While it employs the same old tricks virus coders have been using for years, it has a new nasty ending.  Let’s discuss Nyxem (aka Mywife, Blueworm, BlackMal) and see what kind of risk we are really looking at.

(more…)