After my last blog, “A is for Asset,” I decided to stay on track with the ABCs of technology lifecycle management. My original thought for the letter “B” was Budget, but due to recent events, Breach has become the new “B” word (in more ways than one).
Continue reading "B is for Breach" »
Recently, I listened to comments from Ron Ross, a Senior Computer Scientist with NIST. In this roundtable discussion, Ross connects the dots between risk management and complexity. Ross is the chief author of Special Publication 800-53, NIST’s security controls guidance, so he ought to know a thing or two about mitigating risk.
Continue reading "Keep It Simple to Keep It Safe" »
I don’t know about you, but I want to use my own laptop, cell phone and tablet at work. Let me integrate my life so I carry only the devices I like to use. Enable me to use them both personally and professionally. Oh sure, it would be great if I didn’t have to pay for these devices, but I digress. The point is that I love my iPhone and I am crazy about my iPad. And the laptop? Not so much. But again I digress. I’d forgo the company-provided BlackBerry if I could just use my own iPhone. Our HR director would prefer to use her MacBook over the Windows laptop we provide her. Our sales directors like the idea of presenting from their iPads and using them to keep up with e-mail when they travel.
Continue reading "BYOD: Risks to Reason" »
As IT security and risk management professionals look at how best to address the complications that the impending wave of BYOD (a.k.a. consumerization) brings, they will have to sell end-users on one idea: compromise.
Continue reading "Bring Your Own Device Calls for Compromise" »
I recently came across a presentation recording by computer-security expert Bruce Schneier in which he discusses the security biases all people have and how these biases can prevent us from truly improving our security. Schneier is known for his writings on security theater: measures that make us feel more secure without necessarily making us more secure.
Continue reading "Overcoming Bias for True Risk Mitigation" »
I was recently asked to write a briefing document for use by a customer in their internal deliberations around methods for data destruction. They were debating which data security process would best ensure satisfaction of their Health Insurance Portability and Accountability Act (HIPAA) regulatory obligations, and asked that I discuss the compliance implications of physical destruction of hard drives versus overwriting.
Continue reading "Physical vs. Systematic Data Destruction: Risk Management Implications" »
With what data destruction standard does your organization comply? Too often, the answer to that question is limited to the technology by which data is overwritten or destroyed, and does not focus enough on the processes around application of that technology.
There exists today a major gap between the market’s need for comprehensive IT Asset Disposition (ITAD) operational and technical controls and the supply of such standards. Statistics consistently show that between two-thirds and three-quarters of data loss incidents result from some failure of physical asset control. However, there is no comprehensive, third-party audited ITAD standard that focuses sufficiently on both physical control processes and methods for erasing hard drives.
Continue reading "E-Stewards Standard: Enhancing Data Destruction Controls" »
I love redundancy. There’s a lot of philosophy behind redundancy: a basic understanding that perfection, while often pursued, rarely exists. While we might strive to attain it, it will always be beyond our grasp. So, why would we create a risk mitigation process that assumes perfection? Especially one as critical as data destruction?
Continue reading "Mitigating Risk with Redundancy" »
The Ponemon Institute this week released another new survey, this one concluding that 90% of U.S. organizations have sustained at least one data breach in the past year. IT security breaches most often occurred at off-site locations housing mobile workers, partners or other third parties, the survey found. Last week, another new Ponemon survey revealed that lost or stolen IT equipment is the primary cause of data loss within business organizations. While online hacks are getting a great deal of attention due to some high-profile security breaches, off-network data breaches remain a significant problem for business enterprises.
Continue reading "Data Security Breaches Continue Off-Network and On" »
I suspect that I know the real reason there have been so many off-network data security breaches during the past several years. It’s definitely part of a conspiracy perpetrated by the same extraterrestrial aliens who have been taunting us with UFO flyovers for decades.
This may sound a bit far-fetched, but most conspiracy theories are perceived that way, especially when they are first introduced. How else can one explain so many high-profile information security breaches involving stolen laptops, lost hard drives and missing flash drives, impacting so many millions of people? With all of the privacy breach incidents that have been in the news, resulting in tarnished business reputations, regulatory penalties and enormous financial liabilities to repair the damage, certainly something more than human must be behind this crisis.
Continue reading "Global Data Security Conspiracy: Are Extraterrestrial Aliens Plotting to Steal Our Laptops?" »