Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
In my last column, I introduced the excellent booklet called "Visible Ops Security: Achieving Common Security and IT Operations Objectives in 4 Practical Steps", by Gene Kim, Paul Love and George Spafford.
Phase 1 provides a chilling reminder of how badly information assurance implementation can go wrong. A table lists many typical issues (and narrative examples, some of which are hilarious) that security experts encounter all the time in our assessments and audits; examples include (quoting directly):
* Inadequate situational awareness (I came into the information security job full of high hopes, but I started to realize that I was dropped into the desert, with no idea what I was supposed to start walking in. Worse, I didn’t know how big the desert was, but I did know that I had no food or water. / I also started to notice that everyone seemed to be avoiding me, often running in the opposite direction when they saw me.)
* Information security ineffective as an afterthought (We couldn’t believe they just deployed the application over our objections. I’m literally losing sleep at night because of the potential risk of loss of confidential information. I said, “Look, you can’t put private health information out on the public Internet.” They just don’t seem to understand, and they all say I’m being hysterical, paranoid, and an obstacle.)
* Information security disrupts IT operations and IT operations gets in information security’s way (…. And half the time, when we do get the patches in, I almost wish we hadn’t. At the end of last year, we did a database patch that broke seven of our top business applications. . . .)
Step 1 of Phase 1 is “Gain Situational Awareness.” The authors urge practitioners to know exactly (again, quoting):
1.1 What senior management and the business wants from information security.
1.2 How the business units are organized and operate.
1.3 What the IT process and technology landscapes are.
1.4 What the high-level risk indicators from the past are.
In good, clear English, the authors then expand on each of the four tasks above with practical examples and excellent suggestions that readers can use in formulating their own responses for their own organizations.
Step 2 of Phase 1 is “Integrate into Change Management.” The key tasks (again, well developed and explained in the text) are as follows:
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.