Tuesday, February 24

FISMA - Compliance Guidance Drafted by CSIS

A new draft publication has been made available by the Center for Strategic and International Studies (CSIS), whose goal is:
“Establishing a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms.”
Based on the input of the research group, which included members from the public and private sectors, this vendor-neutral document seems to highlight the real need for effective and auditable security controls that aren't somehow linked to the next best product offering.

Zero day targeted threats - don't panic if they are targeted?

According to an IT Knowledge Exchange article, we shouldn't panic, because a zero-day threat in software that almost every enterprise has installed is not spreading rapidly and is in most cases targeted.

Aren't these exactly the threats that we should be worried about? In fact I would argue that for every 0-day threat reported there are five more unreported. And in cases where the attacks are motivated (targeted) there is likely a greater probability of loss.

In my opinion, the criteria we use to gauge the risk related to vulnerabilities shouldn't include how noisy and fast the infection rate is, but should instead look at the impacts and the probability of being targeted.

Saturday, February 14

Alberta's Audit of IT Security Halted

The Edmonton Journal is reporting that, due to budget constraints, four key investigations are being stopped. This includes investigations into the Government's IT security practices.

Although this would appear to be another disappointing effect of the economic situation, I would argue that it makes sense to direct the limited amount of funding into programs which improve the Government's security posture.

Sunday, February 8

ISACA Publication - RISK IT governance processes for managing IT Risks

ISACA recently released an exposure draft of their new governance framework "Risk IT". This framework describes in detail recommended processes for organizations to adopt to manage IT risks effectively. I'll try to follow this post up with a review of this draft and provide some commentary on related values and shortcomings of this new framework.

Wednesday, February 4

New Google Maps for Mobile - Latitude

As we continue to get more connected, Google continues to let us search, track and map things, which now includes people, as they release an update to the mobile version of their Maps program.

And look what I see in one of the images used to show it off: putting Edmonton literally on the map!

Application Security Procurement Language

After publishing the SANS Top 25 application security issues list, a small group of people in New York State have provided a set of contract language and requirements that organizations can use to make sure software development contracts include appropriate security requirements. Although the vendor community might not be thrilled by the prospect of having to train and maintain the security skills of their development staff, I would agree that this type of control goes a long way toward ensuring issues get resolved at the source.

Monday, February 2

ISC2 Releases Online Resource Guide

ISC2 has today released a resource guide, accessible online or as a download. The guide provides up-to-date pointers to things like events, online resources and related organizations that provide information regarding information security.

Another place to bookmark and use for researching security topics.