Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.

Compliance Matters, written by Sam DeKay

At The Bank of New York Mellon Corporation, Dr. DeKay is responsible for the development of policies and standards related to information security. Prior to BNYM, he served as manager of information security for Empire Blue Cross/Blue Shield; before this he worked at ABN Bank, also as manager of information security. His areas of expertise include security risk assessment, policy development, information security and law, and business/corporate communications. He is certified as an Information Security Manager (CISM). Dr. DeKay has received PhD degrees from Fordham University and Columbia University.

Risk Assessment Gone Awry: The Costly, and Unpleasant, Consequences of Good Intentions

We are all well aware that information security controls should be “risk-based.” Innumerable email messages received from vendors stress this apparent truth, and conference speakers are forever reminding us that risk assessment must serve as the foundation of an effective—and…

Proposed SEC Rules Broaden Scope of InfoSec Compliance Responsibilities

On March 11, 2008, the United States Securities and Exchange Commission (SEC) published proposed rules intended to “set forth more specific requirements for safeguarding information and responding to information security breaches, and broaden the scope of the information covered by Regulation…

Does Security Awareness Work (pt. 2)? It all Depends on What You Mean by “Work”

Several weeks ago this column printed an article entitled, “Does Security Awareness Work? Some Answers from Experimental Research.” The article presented results from three published experiments concerning the effectiveness of awareness programs. In the final paragraph of that piece, readers…

Does Security Awareness Work? Some Answers from Experimental Research

Shortly before the 2004 Infosecurity Europe trade show was held in London, a small group of researchers gathered at a major rail station in that city and proceeded to approach the mass of morning commuters. The researchers offered a deal to each individual: If you tell me one of the passwords…

Our Polymorphic Fluid Field of Information Security

Several years ago, I witnessed the first meeting of a newly-minted Director of Information Security with his supervisor, the CIO of a major insurance firm. The CIO carefully drew a large circle on a whiteboard and proceeded to inscribe the word “SECURITY” in the center of the circle. Then,…