Maturity – Cybersecurity and Operational Risk Management - Security Current, May 2020
Business executives leverage cybersecurity programs to understand residual risk. That helps
them make informed decisions to mitigate risk to an acceptable level. This article provides
guidance to improve program maturity in stages. A risk-prioritized approach can be used to
Application Security Program: Protect Against Data Breaches
- Unisys, March 2017
Data breaches are common in today's headlines. Criminal enterprises and hostile nation
states have the resources to penetrate infrastructure controls and access data through
web application vulnerabilities. Therefore, it is necessary to have an Application
Security program in place to protect applications and prevent business impact.
Advisories - RiskCenter, February 2015
We live in a time where hackers are active and high profile data breaches are making
headlines. Employees want to know what they can do to protect their company. This article
provides techniques to create advisories that help prevent business impact.
Risk Management: Risk Hunting - RiskCenter, July 2014
Risk is addressed in a generic context within control frameworks and compliance requirements; most
of which refer to a need for risk assessment. This article provides practical techniques to seek
out and identify residual risk within an organization.
Risk via Slide Deck - RiskCenter, September 2013
Effective conversations are required to establish and maintain an information security program.
This article provides guidance for creating presentations with an emphasis on risk, with business
executives as the intended audience.
- Unfair and Deceptive Trade Practices - RiskCenter, April 2013
Consumers expect their personal information will be used in a manner that does not surprise them.
This article provides best practices to process consumer data by the standard of due care. Sanctions
and consequences can be severe in the event of a data breach or misuse of consumer data.
Operational Risk: Remediation, Root Cause and New Controls
- RiskCenter, January 2013
An organization is at risk when security vulnerabilities are present. This article outlines
practical ways to accelerate remediation within the risk tolerance of senior executives. It
also includes tips to increase efficiency. That provides capacity to implement new
safeguards without increasing headcount.
Information Security Risk Model: Switch Lenses
- Enterprise CIO Forum, April 2012
A Risk Model is a useful tool for defining how a security function identifies and mitigates
risk. This article explains how to document your current risk model, evaluate its effectiveness
and plan for changes to better mitigate risk moving forward.
Supplier Risk: The Captive Customer Experience
- RiskCenter, October 2011
Business leaders may select a supplier due to frustration with internal services. That decision
may or may not be in the best interests of the company. This article provides practical advice for
improving service and identifying the true risks and costs associated with a supplier relationship.
10 Golden Rules of Information Security
- (IN)SECURE Magazine, June 2011
Establishing an information security program is a complex undertaking. It is easy to get lost in
the details and neglect a critical component of the program. This article focuses on high-level
guidelines or tenets. Its framework can also be used to provide an overview for senior management.
Cyber Security Risk: The Threat Landscape is Changing
- RiskCenter, June 2011
Malicious actors and the techniques they employ have continued to evolve over the past few years.
The term Advanced Persistent Threat has been coined to address adversaries with the will and
resources to inflict harm. Industry is preoccupied with whether or not cyber war is a credible
threat. This article reflects on recent events, describes the players, inherent risk and provides
practical recommendations to address threats from a business perspective.
Payment Card Security: Risk and Control Assessments
- (IN)SECURE Magazine, September 2010
The PCI Data Security Standard mandates foundational controls, most of which are information security
best practices. It is a one-size-fits-all standard meant to address all business and technological
environments that store, process or transmit payment card data. Minimum compliance with PCI standards
may not adequately protect card data. Therefore, it is necessary to conduct a risk assessment in
accordance with PCI requirements.
Gulf Oil Spill, an Operational Risk Disaster
- RiskCenter, June 2010
The ecological impact of the recent oil spill in the gulf is obvious. Now is the time to reflect on
the resulting business impact, what could have been done to prevent it and steps we can take with our
business partners to prevent a similar issue.
Enterprise Risk and Compliance Reporting
- (IN)SECURE Magazine, June 2009
Modern companies are challenged by the need to demonstrate compliance, mitigate risk and fund
security initiatives. Reporting is the pursuit of simple truth. Like many technical challenges,
the underlying complexity can be daunting. This article addresses a variety of techniques to
report risk and compliance statuses, raise awareness and influence remediation.
E-Commerce Payment Card Security
- Bank of America, October 2008
E-commerce merchants conduct business over the Internet by definition. As such, they are
vulnerable to attack from remote locations around the world. This article provides guidance
for protecting e-commerce websites in accordance with the PCI Data Security Standard (PCI
DSS) and information security best practices.
PCI DSS Revisions and Next Steps - Bank of America, October
October 1, 2008 marks the first revision to the Payment Card Industry Data Security Standard
(PCI DSS) in two years. This article provides an overview of the changes, with recommendations
for a PCI awareness campaign and implementation next steps.
Beyond Minimum Compliance: PCI Risk Management - Bank of America, April 2008
The PCI Data Security Standard is nearly two years old. Organized crime has shifted focus to new attack
vectors and theft of card data has become big business. To adapt, business management must adopt a
comprehensive risk and compliance-based approach to safeguard card data.
Failure Mode and Effects Analysis: Process and System Risk Assessment - SearchSecurity.com, March 2008
Failure mode and effects analysis (FMEA) is widely used by corporations, manufacturing firms and the
U.S. military to evaluate processes or systems (e.g. an incident-response process or a three-tiered
application). It prioritizes potential failures by impact severity, probability of occurrence and
likelihood of detection. FMEA risk ratings and narrative rationale can be used to quantify exposure
to management and facilitate remediation. Most recently, FMEA was incorporated into Six Sigma and
the Information Technology Infrastructure Library (ITIL).
The Federal Bureau of Investigation – Capabilities and Service - Help Net Security,
The Federal Bureau of Investigation (FBI) is an elite law enforcement organization. This
article provides an overview of FBI teams, InfraGard and the FBI Citizens' Academy.
Security Acumen: Business First - Microsoft, May 2007
The line between business and information security professionals is blurring. Government
regulations have mandated security practices over the past decade. The resulting changes
are evident. Security professionals are being given seats at the executive table and within
lines of business. Business acumen is quickly becoming the eleventh domain of information
security. To adapt, security professionals must align with business management and develop
depth and breadth within business.
Cyberwar: A Threat to Business
- SearchSecurity.com, February 2007
It's no secret that large U.S. businesses are in the crosshairs of foreign government
entities and terrorists. According to Maj. Gen. William Lord, "China has downloaded 10
to 20 terabytes of data from the NIPRNet," the Department of Defense network used for
transmitting sensitive information. It is only a matter of time before military and
terrorist organizations target commercial organizations. In fact, the Department of
Homeland Security recently warned of potential Internet attacks on the U.S. stock
market and banking Web sites. Large businesses offer an attractive target and the
potential impact is very high.
Insider Risk Management Guide
- SearchSecurity.com, August 2006
The threat posed by authorized personnel is well documented by research and court
cases. According to ACFE, U.S. organizations lose an estimated $652 billion to fraud
annually. Unfortunately, insider threat is not limited to fraud. There is also sabotage,
negligence, human error and exploitation by outsiders to consider. If you have not
taken a hard look at insider threat controls in your organization, now is the time.
Systematic Removal of Accesses: Pull the Key from the Lock
- ISSA Journal, June 2006
Systematic removal of accesses refers to revoking physical and logical accesses when
a person leaves an organization or their role changes. In the absence of a formal
process, lingering privileges can be used to access systems, applications and office
space. Potential damage includes theft of funds, equipment or intellectual property,
disclosure of confidential information, and/or damage to property or personnel. In
practice it can be difficult to completely rescind a person's accesses. Start by
inventorying systems, applications and assets and incorporate the respective
administrators into access control procedures.
Challenging 24/7/365 - Question the Status Quo - CyberGuard, March 2005
Several readers have responded to a previous article in which I recommended powering
down computer rooms to prepare for inevitable emergencies. The respondents stated that
they could not power down their systems due to either 24/7/365 or 99.999 percent
availability requirements (often referred to as "the five nines").
Computer Room Emergency - Only a Matter of Time
- CyberGuard, November 2004
It's an infrastructure manager's worst nightmare: The computer room is down. There
are several events that can make this scenario a reality. A hurricane knocks out power
for several days. Building management disrupts power for scheduled maintenance.
Construction workers sever an underground power line.
Safeguarding Sensitive Information - An Ounce of Prevention
- CyberGuard, October 2004
Disclosure of sensitive information can cause severe damage to an organization. In
the absence of clearly defined policies and procedures, disclosures will occur.
Organizations must create and maintain a program for effectively protecting sensitive
information throughout its lifecycle. A data security policy should detail how
sensitive information is labeled, stored, distributed and destroyed. The fast
operations tempo of the workplace and the complexity of systems contribute to
disclosures. The data security program must account for this, with minimal impact
Mergers and Acquisitions - Securing the Union
- CyberGuard, September 2004
Mergers and acquisitions are sensitive matters that must be handled with the
utmost care and due diligence. A great deal of complexity arises out of combining
two organizations. With complexity comes the potential for chaos and disorder.
Implementing Information Security: Risks vs. Cost
- CyberGuard, June 2004
As a security professional who understands how the business world works, I wrote
this article to convey the imperative need for security professionals and senior
management to see eye-to-eye. Being motivated by business, senior management
focuses on productivity and the bottom line. It is sometimes difficult to calculate
a return on investment for security, but the damage caused by the absence of
efficient controls is far greater than the cost of implementing them.
- CyberGuard, May 2004
There is an old expression, through rain or sleet or dark of night, the mail must get through.
The same sense of urgency applies to the delivery of e-mail. This article details how e-mail flows
between mail servers, through firewalls and across the Internet. E-mail can be difficult to
troubleshoot because it uses SMTP (Simple Mail Transfer Protocol), DNS (Domain Name System) and
TCP/IP (Transmission Control Protocol/Internet Protocol). To troubleshoot e-mail outages, start
with DNS troubleshooting and consider the basic concepts of network troubleshooting as well.
- CyberGuard, April 2004
The Domain Name System (DNS) service is required to access e-mail, browse Web sites and use
hostnames in general. DNS resolves hostnames to IP addresses and back (e.g. www.cyberguard.com
translates to 22.214.171.124). This article details how DNS works under normal circumstances and
provides troubleshooting tips.
- CyberGuard, March 2004
The most efficient manner to troubleshoot a network issue is to approach it in a systematic way.
Start by gathering background information; then troubleshoot following the Open System
Interconnection (OSI) networking model.
How Network Traffic Flows
- CyberGuard, January 2004
To troubleshoot an issue, you need to know how network traffic flows under normal circumstances.
This article details what happens when a Web browser is used to access a Web site.
- CyberGuard, December 2003
Security teams must ensure that firewalls are installed, configured and maintained in accordance
with mission requirements and the best interests of the organization. There are many reasons why
firewall administration must be tightly controlled. Firewalls are inherently complex. Employee
turnover can result in a lack of continuity. Firewall logs may be called as evidence in a court
case. Many organizations must also meet auditing requirements.
Building a Security Awareness Program
- CyberGuard, September 2003
Each day organizations are faced with an increasing number of threats. While hackers and
viruses are attacking from the Internet, social engineers or disgruntled employees may be
circumventing security from within. A formal security awareness program is required to help
address these threats by educating employees. The primary goal of the program should be to
recognize threats and vulnerabilities and respond to them appropriately.
Reduce InfoSec Risks in Operations
- Cyber-Crime Fighter, August 2003
Operations security (OPSEC) is a term for the confidentiality of internal business processes
and of sensitive information used in day-to-day operations.