Category: Risk Assessment

  • Data security and compliance – Best practices

    Compliance is about enforcing business process – for example, PCI DSS is about getting the transaction authorized without getting the data stolen. SOX is about sufficiency of internal controls for financial reporting and HIPAA is about being able to disclose PHI to patients without leaks to unauthorized parties. So where and how does DLP fit into the compliance […]

  • Return on security investment

    The Control Policy Group is presenting a series of 6 free online workshops starting Sep 3, 2009 at 15:00 GMT. The first workshop, “Using data security metrics and a value-based approach”, will teach measurement of how well security tools reduce Value at Risk in dollars (or in euros) and how well they will do 3 years […]

  • Choosing a data loss prevention solution

    Data security is not one-size-fits-all. For example, if the threat scenario is an attack on your customer self-service Web application – obfuscating or encrypting fields in database tables is not an effective security countermeasure; you need a network DLP solution to prevent leaks of clear text data and a software security assessment that […]

  • Reducing risk of major data loss events

    Martin Hellman (of Diffie-Hellman fame) maintains the Nuclear Risk web site and has written a very insightful piece on risk analysis of nuclear war entitled “Soaring, cryptography and nuclear weapons”. Hellman proposes that we need a third state scenario (instead of current state -> nuclear war) where the risk of nuclear holocaust has been […]

  • Exploiting a wireless mesh network for utilities

    I think it’s only a matter of time before someone exploits a wireless mesh network that controls and reads home utility meters to get free water and electricity. Until then, there is a problem of range and coverage. Greentech Media reports that Trilliant (a smart meter neighborhood networking startup) has bought SkyPilot for its […]

  • Less regulation, increased data security

    Data security compliance regulation such as PCI DSS 1.2 is a double-edged sword – as a security checklist it’s an important step for the payment card industry, but too much regulation, especially for small to mid-sized businesses, is too much of a good thing. As my maternal grandmother, who spoke fluent Yiddish, would yell at […]

  • Imperfect knowledge security

    Keeping the organization robust in a highly dynamic threat environment. “Our capacity to predict will be confined to . . . general characteristics of the events to be expected and not include the capacity for predicting particular individual events. . . Yet the danger of which I want to warn is precisely the belief that in […]

  • Pharmas, Web 2.0 and regulation

    For a change – ethics-based regulation that differentiates between the medium and the message. Dr. Jean Ah Kang works at DDMAC and is in charge of Web 2.0 policy development. She speaks very well in her interview with Mark Senak, a regulatory affairs lawyer. Here is the podcast: FDA’s views and […]

  • Designing a data security system

    User-Driven Design versus User-Centered Design. Alan Cooper, in his book The Inmates Are Running the Asylum, draws a distinction between user-centered design and user-driven design. User-driven design is about collecting, prioritizing and implementing a system to the user requirements – we’ve all seen software development projects where the requirements spiraled out of control and […]

  • Data discovery and organization

    The problem is that you know where you start, you don’t know where you finish and you will always have trouble organizing the useful references you collect on the way. After a call with a client, I started investigating how to provide high value scientific data in a social network for doctors and medical representatives […]