TripleCheck Consulting Blog

A new draft publication has been made available by the Center for Strategic and International Studies ( CSIS ), whose goal is: “Establishing a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms.” Based on the inputs of the research including groups from public and private sectors, this vendor neutral document seems to high-light the real need for effective and auditable security controls, that aren't somehow linked the next best product offering.

According to a IT Knowledge Exchange article , we shouldn't panic because a zero day threat in software that almost every enterprise has installed are not spreading rapidly and are in most cases targeted. Arent' these exactly the threats that we should be worried about? In fact I would argue that for every 0-day threat reported there are five more unreported. And in cases where the attacks are motivated (targeted) there is likely a greater probability of loss. In my opinion the criteria we use to gauge the risk related to vulnerabilities shouldn't include how noisy and fast the infection rate is, but instead look at the impacts and probabilities of being targeted.

The Edmonton Journal is reporting that due to budget constraints four key investigations are being stopped. This includes investigation's into the Government's IT Security practices. Although it appears that this would appear to be another disappointing effect of the economic situation, I would argue that it makes sense to direct the limited amount of funding into programs which improve the Government's security posture.

ISACA recently released an exposure draft of their new governance framework " Risk IT ". This framework describes in detail recommended processes for organizations to adopt to manage IT risks effectively. I'll try to follow this post up with a review of this draft and provide some commentary on related values and shortcomings of this new framework.

As we continue to get more connected, google continues to allow us to search, track and map things, which now includes people as they release an update to the mobile version of their maps program. And look what I see in there in one of the images used to show it off - putting Edmonton literally on the map!

After publishing the SANS Top 25 Application security issues list, a small group of people in New York state have provided a set of contract language and requirements which organizations can use to ensure software development contracts have appropriate requirements for ensuring security. Although the vendor communities might not be thrilled by the prospect of having to train and maintain the security skills of their development staff, I would agree that this type of control goes a long way to ensuring issues get resolved at the source.

ISC2 today has released an online resource guide accessible online or in download form. The guide provides up-to-date pointers to things like events, online resources and related organizations that provide information regarding information security. Another place to bookmark and use for researching security topics.