securitymetametrics.com

securitymetametrics.blogspot.com

Security Metametrics: Metrics to govern and manage information security

http://securitymetametrics.blogspot.com/2015/05/metrics-to-govern-and-manage.html

Measure to improve information risk and security management. Metrics to govern and manage information security. Section 9.1 of ISO/IEC 27001:2013 requires organizations to 'evaluate the information security performance and the effectiveness of the information security management system'. The standard doesn't specify precisely what is meant by 'information security performance' and '[information security? Effectiveness' but it gives some strong hints:. The organization shall determine:. Picks up the pieces.

securitymetametrics.blogspot.com

Security Metametrics: Resilience as a business continuity mindset

http://securitymetametrics.blogspot.com/2015/04/resilience-as-business-continuity.html

Measure to improve information risk and security management. Resilience as a business continuity mindset. An article written in conjunction with Dejan Kosutic has just been published at ContinuityCentral.com. Most business continuity experts from an IT background are primarily, if not exclusively, concerned with establishing the ability to. A serious incident or disaster. While disaster recovery is a necessary part of business continuity, this article promotes the strategic business value of. Dejan and I...

securitymetametrics.blogspot.com

Security Metametrics: March 2015

http://securitymetametrics.blogspot.com/2015_03_01_archive.html

Measure to improve information risk and security management. An article by Mintz Levin about the 2013 privacy breach/information security incident at US retailer Target. Stated that the company has disclosed gross costs of $252 million, with some $90m recovered from its insurer leading to a net cost of $162m, up to the end of 2014 anyway (the incident is not over yet! But before anyone runs amock with those headline numbers, let's delve a bit deeper. On top of that, there is some truth to the saying that...

securitymetametrics.blogspot.com

Security Metametrics: Infosec & risk management metrics

http://securitymetametrics.blogspot.com/2015/05/infosec-risk-management-metrics.html

Measure to improve information risk and security management. Infosec and risk management metrics. We've just republished the next in the series of management-level security awareness papers on metrics. The latest one lays out a range of metrics for information security and risk management. Leaving aside the conventional metrics that are typically used to manage any. I spent last week teaching a CISM course. Objectives that are relevant to information risk and security management, and using those to drive...

securitymetametrics.blogspot.com

Security Metametrics: August 2014

http://securitymetametrics.blogspot.com/2014_08_01_archive.html

Measure to improve information risk and security management. The universal hot crazy matrix. Is an amusing demonstration of the power of presenting numeric data in graphical form, extracting meaningful information from the data in order to lift the discussion off the page. We shall have to include it in our security metrics course. Links to this post. Subscribe to: Posts (Atom). A blog for practitioners struggling valiantly to get a handle on information security metrics. The art of security metrics.

securitymetametrics.blogspot.com

Security Metametrics: Low = 1, Medium = 2, High = 97.1

http://securitymetametrics.blogspot.com/2015/05/low-1-medium-2-high-971.html

Measure to improve information risk and security management. Low = 1, Medium = 2, High = 97.1. Naïve risk analysis methods typically involve estimating the threats, vulnerabilities and impacts, categorizing them as low, medium and high and then converting these categories into numbers such as 1, 2 and 3 before performing simple arithmetic on them e.g. risk = threat x vulnerability x impact. This approach, while commonplace, is technically invalid, muddling up quite different types of numbers. Is all that...

securitymetametrics.blogspot.com

Security Metametrics: May 2015

http://securitymetametrics.blogspot.com/2015_05_01_archive.html

Measure to improve information risk and security management. Low = 1, Medium = 2, High = 97.1. Naïve risk analysis methods typically involve estimating the threats, vulnerabilities and impacts, categorizing them as low, medium and high and then converting these categories into numbers such as 1, 2 and 3 before performing simple arithmetic on them e.g. risk = threat x vulnerability x impact. This approach, while commonplace, is technically invalid, muddling up quite different types of numbers. Is all that...

blog.noticebored.com

NBlog - the NoticeBored blog: Yet another information security awareness case study

http://blog.noticebored.com/2015/04/yet-another-information-security.html

Welcome to NBlog, the NoticeBored blog. Like the finer things in life, quality trumps quantity. Apr 15, 2015. Yet another information security awareness case study. Controversial plans to replace two Surrey/South London hospitals with a new one were prematurely and inappropriately disclosed. The disclosure involved trusted third parties possessing (and disclosing! The disclosed information was particularly sensitive. Aside from the patients and staff who are directly impacted by the proposals being d...

blog.noticebored.com

NBlog - the NoticeBored blog: Time to drop 'regular' password changes?

http://blog.noticebored.com/2015/01/time-to-drop-regular-password-changes.html

Welcome to NBlog, the NoticeBored blog. Like the finer things in life, quality trumps quantity. Jan 7, 2015. Time to drop 'regular' password changes? A mediocre bit of journalism in Forbes. Notes a security breach at NVIDIA, the video card company, that was notified to employees by an email from their Privacy Office last month. Good password or passphrase, let alone a new one every so often. If employees are to use unique passwords on each system, the additional requirement to change them 'regularly'...