ARTICLES

Program Maturity – Cybersecurity and Operational Risk Management - Security Current, May 2020
Business executives leverage cybersecurity programs to understand residual risk. That helps them make informed decisions to mitigate risk to an acceptable level. This article provides guidance to improve program maturity in stages. A risk-prioritized approach can be used to obtain funding.

Application Security Program: Protect Against Data Breaches - Unisys, March 2017
Data breaches are common in today's headlines. Criminal enterprises and hostile nation states have the resources to penetrate infrastructure controls and access data through web application vulnerabilities. Therefore, it is necessary to have an Application Security program in place to protect applications and prevent business impact.

Threat Landscape Advisories - RiskCenter, February 2015
We live in a time in which hackers are active and high-profile data breaches are making headlines. Employees want to know what they can do to protect their company. This article provides techniques to create advisories that help prevent business impact.

Information Risk Management: Risk Hunting - RiskCenter, July 2014
Risk is addressed in a generic context within control frameworks and compliance requirements, most of which refer to a need for risk assessment. This article provides practical techniques to seek out and identify residual risk within an organization.

Mitigating Risk via Slide Deck - RiskCenter, September 2013
Effective conversations are required to establish and maintain an information security program. This article provides guidance for creating presentations with an emphasis on risk, with business executives as the intended audience.

Privacy Risk - Unfair and Deceptive Trade Practices - RiskCenter, April 2013
Consumers expect their personal information will be used in a manner that does not surprise them. This article provides best practices to process consumer data by the standard of due care. Sanctions and consequences can be severe in the event of a data breach or misuse of consumer data.

Operational Risk: Remediation, Root Cause and New Controls - RiskCenter, January 2013
An organization is at risk when security vulnerabilities are present. This article outlines practical ways to accelerate remediation within the risk tolerance of senior executives. It also includes tips to increase efficiency. That provides capacity to implement new safeguards without increasing headcount.

Information Security Risk Model: Switch Lenses - Enterprise CIO Forum, April 2012
A Risk Model is a useful tool for defining how a security function identifies and mitigates risk. This article explains how to document your current risk model, evaluate its effectiveness and plan for changes to better mitigate risk moving forward.

Supplier Risk: The Captive Customer Experience - RiskCenter, October 2011
Business leaders may select a supplier due to frustration with internal services. That decision may or may not be in the best interests of the company. This article provides practical advice for improving service and identifying the true risks and costs associated with a supplier relationship.

10 Golden Rules of Information Security - (IN)SECURE Magazine, June 2011
Establishing an information security program is a complex undertaking. It is easy to get lost in the details and neglect a critical component of the program. This article focuses on high-level guidelines or tenets. Its framework can also be used to provide an overview for senior management and employees.

Cyber Security Risk: The Threat Landscape is Changing - RiskCenter, June 2011
Malicious actors and the techniques they employ have continued to evolve over the past few years. The term Advanced Persistent Threat has been coined to describe adversaries with the will and resources to inflict harm. Industry is preoccupied with whether or not cyber war is a credible threat. This article reflects on recent events, describes the players and the inherent risk, and provides practical recommendations to address threats from a business perspective.

Payment Card Security: Risk and Control Assessments - (IN)SECURE Magazine, September 2010
The PCI Data Security Standard mandates foundational controls, most of which are information security best practices. It is a one-size-fits-all standard meant to address all business and technological environments that store, process or transmit payment card data. Minimum compliance with PCI standards may not adequately protect card data. Therefore, it is necessary to conduct a risk assessment in accordance with PCI requirements.

Gulf Oil Spill, an Operational Risk Disaster - RiskCenter, June 2010
The ecological impact of the recent oil spill in the gulf is obvious. Now is the time to reflect on the resulting business impact, what could have been done to prevent it and steps we can take with our business partners to prevent a similar issue.

Enterprise Risk and Compliance Reporting - (IN)SECURE Magazine, June 2009
Modern companies are challenged by the need to demonstrate compliance, mitigate risk and fund security initiatives. Reporting is the pursuit of simple truth. Like many technical challenges, the underlying complexity can be daunting. This article addresses a variety of techniques to report risk and compliance statuses, raise awareness and influence remediation.

E-Commerce Payment Card Security - Bank of America, October 2008
E-commerce merchants conduct business over the Internet by definition. As such, they are vulnerable to attack from remote locations around the world. This article provides guidance for protecting e-commerce websites in accordance with the PCI Data Security Standard (PCI DSS) and information security best practices.

PCI DSS Revisions and Next Steps - Bank of America, October 2008
October 1, 2008 marks the first revision to the Payment Card Industry Data Security Standard (PCI DSS) in two years. This article provides an overview of the changes, with recommendations for a PCI awareness campaign and implementation next steps.

Beyond Minimum Compliance: PCI Risk Management - Bank of America, April 2008
The PCI Data Security Standard is nearly two years old. Organized crime has shifted focus to new attack vectors and theft of card data has become big business. To adapt, business management must adopt a comprehensive risk and compliance-based approach to safeguard card data.

Failure Mode and Effects Analysis: Process and System Risk Assessment - SearchSecurity.com, March 2008
Failure mode and effects analysis (FMEA) is widely used by corporations, manufacturing firms and the U.S. military to evaluate processes or systems (e.g. an incident-response process or a three-tiered application). It prioritizes potential failures by impact severity, probability of occurrence and likelihood of detection. FMEA risk ratings and narrative rationale can be used to quantify exposure to management and facilitate remediation. Most recently, FMEA was incorporated into Six Sigma and the Information Technology Infrastructure Library (ITIL).
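As an added illustration of the scoring described above (example code written for this page, not from the article), the following Python scores a constructed FMEA worksheet for an incident-response process, ranks the failure modes by Risk Priority Number, and flags high-severity modes for action regardless of rank. The process steps, the 1-10 ratings and the severity floor of 9 are constructed assumptions.

```python
"""Added example (not from the article): a small FMEA worksheet for an
incident-response process, scored and ranked the way FMEA prescribes.
The failure modes, their ratings and the severity floor are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    step: str         # process step or system component being evaluated
    failure: str      # how that step could fail
    severity: int     # 1 = negligible effect ... 10 = catastrophic effect
    occurrence: int   # 1 = remote ... 10 = almost certain
    detection: int    # 1 = certain to be caught ... 10 = undetectable

    def __post_init__(self):
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be 1..10, got {value}")

    def rpn(self) -> int:
        """Risk Priority Number: severity x occurrence x detection (1..1000)."""
        return self.severity * self.occurrence * self.detection


def prioritize(modes, severity_floor=9):
    """Rank failure modes for remediation.

    Primary order is descending RPN; ties break on severity, then on
    detection (a severe failure nobody would notice comes first).
    Returns (ranked, must_act): must_act holds the modes whose severity is
    at or above severity_floor. That is the usual FMEA caveat: a
    catastrophic failure needs action even when a low occurrence or easy
    detection gives it a small RPN.
    """
    ranked = sorted(modes, key=lambda m: (-m.rpn(), -m.severity, -m.detection))
    must_act = [m for m in ranked if m.severity >= severity_floor]
    return ranked, must_act


# Constructed worksheet for a simplified incident-response process.
SAMPLE_MODES = [
    FailureMode("alert triage", "critical alert not escalated", 9, 4, 3),
    FailureMode("log collection", "log source silently stops sending", 7, 5, 8),
    FailureMode("containment", "host-isolation script fails", 8, 3, 2),
    FailureMode("evidence capture", "volatile memory not captured", 6, 6, 6),
]


if __name__ == "__main__":
    ranked, must_act = prioritize(SAMPLE_MODES)
    for m in ranked:
        print(f"{m.rpn():4d}  S{m.severity} O{m.occurrence} D{m.detection}  "
              f"{m.step}: {m.failure}")
    print("act regardless of RPN:", [m.step for m in must_act])
```

In the constructed data the silently failing log source ranks first (RPN 280) because it is hard to detect, while the unescalated critical alert ranks third (RPN 108) yet is still flagged through the severity floor; the narrative rationale for each rating is what management will ask for next.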

The Federal Bureau of Investigation – Capabilities and Service - Help Net Security, October 2007
The Federal Bureau of Investigation (FBI) is an elite law enforcement organization. This article provides an overview of FBI teams, InfraGard and the FBI Citizens' Academy.

Security Acumen: Business First - Microsoft, May 2007
The line between business and information security professionals is blurring. Government regulations have mandated security practices over the past decade. The resulting changes are evident. Security professionals are being given seats at the executive table and within lines of business. Business acumen is quickly becoming the eleventh domain of information security (the CISSP body of knowledge then had ten). To adapt, security professionals must align with business management and develop depth and breadth within business.

Cyberwar: A Threat to Business - SearchSecurity.com, February 2007
It's no secret that large U.S. businesses are in the crosshairs of foreign government entities and terrorists. According to Maj. Gen. William Lord, "China has downloaded 10 to 20 terabytes of data from the NIPRNet," the Department of Defense's unclassified network, which carries sensitive but unclassified information. It is only a matter of time before military and terrorist organizations target commercial organizations. In fact, the Department of Homeland Security recently warned of potential Internet attacks on the U.S. stock market and banking Web sites. Large businesses offer an attractive target and the potential impact is very high.

Insider Risk Management Guide - SearchSecurity.com, August 2006
The threat posed by authorized personnel is well documented by research and court cases. According to ACFE, U.S. organizations lose an estimated $652 billion to fraud annually. Unfortunately, insider threat is not limited to fraud. There is also sabotage, negligence, human error and exploitation by outsiders to consider. If you have not taken a hard look at insider threat controls in your organization, now is the time.

Systematic Removal of Accesses: Pull the Key from the Lock - ISSA Journal, June 2006
Systematic removal of accesses refers to revoking physical and logical accesses when a person leaves an organization or their role changes. In the absence of a formal process, lingering privileges can be used to access systems, applications and office space. Potential damage includes theft of funds, equipment or intellectual property, disclosure of confidential information, and/or damage to property or personnel. In practice it can be difficult to completely rescind a person's accesses. Start by inventorying systems, applications and assets and incorporate the respective administrators into access control procedures.
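To make that last step concrete, here is an added example (written for this page, not from the article) that reconciles per-system account exports against the HR roster and lists the accesses a departure or role change should have revoked. The roster, the account export, the role-to-system entitlement map, the 90-day dormancy window and the 1 June 2024 "as of" date are all constructed.

```python
"""Added example (not from the article): reconcile account exports against
the HR roster to find accesses that a departure or role change should have
revoked. All data, the role map, the dormancy window and the as-of date
are constructed for illustration."""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster: one row per person, current status and role.
HR_ROSTER = """employee_id,name,status,role
1001,Alice,active,finance
1002,Bob,terminated,engineering
1003,Carol,active,engineering
"""

# Constructed inventory, one row per account from each system's
# administrator; employee_id is blank where nobody could map the account.
ACCOUNT_EXPORT = """system,username,employee_id,last_login
erp,alice.f,1001,2024-05-30
erp,bob.e,1002,2024-04-02
vpn,bob.e,1002,2024-05-28
badge,carol,1003,2024-05-31
gitlab,deploy-svc,,2023-11-01
gitlab,carol,1003,2024-01-15
gitlab,alice.f,1001,2024-05-20
"""

# Constructed entitlement map: systems each role may hold accounts on.
ROLE_SYSTEMS = {
    "finance": {"erp", "vpn", "badge"},
    "engineering": {"gitlab", "vpn", "badge"},
}


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(roster_csv, accounts_csv, as_of, role_systems=ROLE_SYSTEMS,
              dormant_after=timedelta(days=90)):
    """Return (system, username, reason) for every account needing review.

    Checks run in this order and the first match is reported:
      no owner          account maps to nobody in HR (orphaned or shared)
      owner terminated  the owner's HR status is not active
      outside role      the owner's current role is not entitled to the system
      dormant           last login is older than dormant_after
    """
    people = {r["employee_id"]: r for r in load_rows(roster_csv)}
    findings = []
    for acct in load_rows(accounts_csv):
        system, user = acct["system"], acct["username"]
        owner = people.get(acct["employee_id"])
        if owner is None:
            findings.append((system, user, "no owner"))
        elif owner["status"] != "active":
            findings.append((system, user, "owner terminated"))
        elif system not in role_systems.get(owner["role"], set()):
            findings.append((system, user, "outside role"))
        elif as_of - date.fromisoformat(acct["last_login"]) > dormant_after:
            findings.append((system, user, "dormant"))
    return findings


if __name__ == "__main__":
    for system, user, reason in reconcile(HR_ROSTER, ACCOUNT_EXPORT, date(2024, 6, 1)):
        print(f"{system:8s} {user:12s} {reason}")
```

The VPN row is the one to notice: a terminated employee's account shows a login four days before the review, which is exactly the lingering privilege the article warns about. The unowned service account and the finance employee's leftover engineering-system account are the other two cases a role change or departure leaves behind when no single administrator owns the revocation.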

Challenging 24/7/365 - Question the Status Quo - CyberGuard, March 2005
Several readers have responded to a previous article in which I recommended powering down computer rooms to prepare for inevitable emergencies. The respondents stated that they could not power down their systems due to either 24/7/365 or 99.999 percent availability requirements (often referred to as "the five nines").

Computer Room Emergency - Only a Matter of Time - CyberGuard, November 2004
It's an infrastructure manager's worst nightmare: The computer room is down. There are several events that can make this scenario a reality. A hurricane knocks out power for several days. Building management disrupts power for scheduled maintenance. Construction workers sever an underground power line.

Safeguarding Sensitive Information - An Ounce of Prevention - CyberGuard, October 2004
Disclosure of sensitive information can cause severe damage to an organization. In the absence of clearly defined policies and procedures, disclosures will occur. Organizations must create and maintain a program for effectively protecting sensitive information throughout its lifecycle. A data security policy should detail how sensitive information is labeled, stored, distributed and destroyed. The fast operations tempo of the workplace and the complexity of systems contribute to disclosures. The data security program must account for this, with minimal impact on productivity.

Mergers and Acquisitions - Securing the Union - CyberGuard, September 2004
Mergers and acquisitions are sensitive matters that must be handled with the utmost care and due diligence. A great deal of complexity arises out of combining two organizations. With complexity comes the potential for chaos and disorder.

Implementing Information Security: Risks vs. Cost - CyberGuard, June 2004
As a security professional who understands how the business world works, I wrote this article to convey the imperative need for security professionals and senior management to see eye-to-eye. Being motivated by business, senior management focuses on productivity and the bottom line. It is sometimes difficult to calculate a return on investment for security, but the damage caused by the absence of efficient controls is far greater than the cost of implementing them.

E-mail Troubleshooting - CyberGuard, May 2004
There is an old expression: through rain or sleet or dark of night, the mail must get through. The same sense of urgency applies to the delivery of e-mail. This article details how e-mail flows between mail servers, through firewalls and across the Internet. E-mail can be difficult to troubleshoot because it depends on SMTP (Simple Mail Transfer Protocol), DNS (Domain Name System) and TCP/IP (Transmission Control Protocol/Internet Protocol), and a failure in any one of them can interrupt delivery. To troubleshoot e-mail outages, start with DNS troubleshooting and consider the basic concepts of network troubleshooting as well.

DNS Troubleshooting - CyberGuard, April 2004
The Domain Name System (DNS) service is required to access e-mail, browse Web sites and use hostnames in general. DNS resolves hostnames to IP addresses and back (e.g. www.cyberguard.com translates to 64.94.50.88). This article details how DNS works under normal circumstances and provides troubleshooting tips.
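Tying the two preceding entries together, the following added example (written for this page, not from the articles) traces where mail for a domain should be delivered and then checks that each candidate mail exchanger has matching forward and reverse DNS, a frequent cause of refused or delayed mail. The zone data is constructed; the lookup functions are injectable so the block runs offline, and the default forward and reverse lookups use the system resolver. The standard library has no MX lookup, so for live use an MX resolver must be supplied (for example dnspython's dns.resolver.resolve(domain, "MX")).

```python
"""Added example (not from the articles): where does mail for a domain go,
and do the candidate hosts have consistent forward and reverse DNS?
The zone below is constructed; the system resolver is used only when no
lookup functions are injected."""
import socket
from ipaddress import ip_address


def order_mail_exchangers(mx_records, domain):
    """Delivery candidates in the order a sending MTA tries them: ascending
    MX preference (RFC 5321 leaves equal preferences to the sender). A
    domain with no MX records is its own implicit mail exchanger."""
    if not mx_records:
        return [domain]
    return [host for _pref, host in sorted(mx_records, key=lambda r: r[0])]


def ptr_name(ip):
    """Owner name the resolver queries for the reverse lookup of ip,
    e.g. 64.94.50.88 -> 88.50.94.64.in-addr.arpa."""
    return ip_address(ip).reverse_pointer


def system_forward(name):
    """Addresses for name via the system resolver (A and AAAA), deduplicated."""
    addrs = []
    for info in socket.getaddrinfo(name, None):
        if info[4][0] not in addrs:
            addrs.append(info[4][0])
    return addrs


def system_reverse(ip):
    """PTR target for ip via the system resolver."""
    return socket.gethostbyaddr(ip)[0]


def check_forward_reverse(hostname, forward=system_forward, reverse=system_reverse):
    """Forward-confirmed reverse DNS for every address of hostname.

    For each address: fetch its PTR, resolve the PTR target forward again
    and require the original address among the results. Returns a list of
    (ip, ptr_target, consistent); ptr_target is None when no PTR exists.
    """
    results = []
    for ip in forward(hostname):
        try:
            target = reverse(ip)
        except OSError:                      # socket.herror: no PTR record
            results.append((ip, None, False))
            continue
        try:
            consistent = ip in forward(target)
        except OSError:                      # socket.gaierror: PTR points nowhere
            consistent = False
        results.append((ip, target, consistent))
    return results


def mail_path(domain, mx, forward=system_forward, reverse=system_reverse):
    """MX order for domain plus the forward/reverse check of each candidate."""
    return [(host, check_forward_reverse(host, forward, reverse))
            for host in order_mail_exchangers(mx(domain), domain)]


# Constructed zone so the example runs offline: mx2's PTR names a host
# that does not resolve back, and example.net has no MX and no PTR.
FAKE_ZONE = {
    "MX": {"example.com": [(20, "mx2.example.com"), (10, "mx1.example.com")]},
    "A": {"mx1.example.com": ["192.0.2.10"], "mail.example.com": ["192.0.2.10"],
          "mx2.example.com": ["192.0.2.20"], "example.net": ["198.51.100.5"]},
    "PTR": {"192.0.2.10": "mail.example.com", "192.0.2.20": "host.example.org"},
}


def fake_mx(domain):
    return FAKE_ZONE["MX"].get(domain, [])


def fake_forward(name):
    if name not in FAKE_ZONE["A"]:
        raise socket.gaierror(f"no address record for {name}")
    return list(FAKE_ZONE["A"][name])


def fake_reverse(ip):
    if ip not in FAKE_ZONE["PTR"]:
        raise socket.herror(f"no PTR record for {ptr_name(ip)}")
    return FAKE_ZONE["PTR"][ip]


if __name__ == "__main__":
    for domain in ("example.com", "example.net"):
        for host, checks in mail_path(domain, fake_mx, fake_forward, fake_reverse):
            for ip, target, ok in checks:
                print(f"{domain:12s} -> {host:16s} {ip:14s} PTR={target} "
                      f"{'ok' if ok else 'MISMATCH'}")
```

Against a live zone, call mail_path with a real MX resolver and the default lookups; when the first-preference host checks out but the second does not, mail usually flows until the primary goes down, which is why the mismatch tends to surface only during an outage.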

Network Troubleshooting - CyberGuard, March 2004
The most efficient way to troubleshoot a network issue is to approach it systematically. Start by gathering background information; then troubleshoot layer by layer following the Open Systems Interconnection (OSI) networking model.

How Network Traffic Flows - CyberGuard, January 2004
To troubleshoot an issue, you need to know how network traffic flows under normal circumstances. This article details what happens when a Web browser is used to access a Web site.

Firewall Operations - CyberGuard, December 2003
Security teams must ensure that firewalls are installed, configured and maintained in accordance with mission requirements and the best interests of the organization. There are many reasons why firewall administration must be tightly controlled. Firewalls are inherently complex. Employee turnover can result in a lack of continuity. Firewall logs may be called as evidence in a court case. Many organizations must also meet auditing requirements.

Building a Security Awareness Program - CyberGuard, September 2003
Each day organizations are faced with an increasing number of threats. While hackers and viruses are attacking from the Internet, social engineers or disgruntled employees may be circumventing security from within. A formal security awareness program is required to help address these threats by educating employees. The primary goal of the program should be to enable employees to recognize threats and vulnerabilities and respond to them appropriately.

Reduce InfoSec Risks in Operations - Cyber-Crime Fighter, August 2003
Operations security (OPSEC) refers to protecting the confidentiality of internal business processes and of the sensitive information used in day-to-day operations.