Archives

I have heard of military operations that were clumsy but swift, but I have never seen one that was skillful and lasted a long time. Master Sun (Chapter 2 – Doing Battle, the Art of War). The GRC (governance, risk and compliance) market is driven by three factors: government regulation such as Sarbanes-Oxley, industry compliance …

A customer case study – SOX IT Compliance We performed a Sarbanes-Oxley IT top down security assessment for a NASDAQ-traded advanced technology company. The objectives for the study were to evaluate the internal and external threats that impact the company’s information assets. Using the Business threat modeling (BTM) methodology, a practical threat analysis PTA threat model was constructed and a number …

What exactly is the role of an information security auditor?  In some cases, such as compliance  by Level 1 and 2 merchants with PCI DSS 2.0,  external audit is a condition to PCI DSS 2.0 compliance.   In the case of ISO 27001, the audit process is a key to achieving ISO 27001 certification (unlike …

This is an essay I wrote in 2004.  There is nothing here that doesn’t still ring true, especially with the latest round of Wikileaks disclosures. I wrote then and I still hold that  compliance and and data security technology cannot protect an organization from a data breach. The best security countermeasures  for protecting a company’s …

I think fragmentation of knowledge is a root cause of data breaches. It’s almost a cliche to say that the  security and compliance industry has done a poor job in preventing data breaches of over 245 million personal records in the past 5 years. It is apparent that government regulation is  ineffective in preventing identity …

I’m surprised with the blood bath in the financial markets and demise of WaMu, Lehman Brothers et al – that there has not been a cry to investigate the auditors of these companies. Did any of the SOX-compliant firms like AIG and Lehman Brothers really comply? I don’t think so. What should have happened if …