Category Archives: Compliance and Laws
PCI DSS Position on Patching May Be Unjustified
June 27, 2008 – 6:00 am
Verizon Business recently posted an excellent article on their blog about security patching. As someone who just read The New School of Information Security (an important book that all information security professionals should read), I thought it was refreshing to see someone take an…
An Analysis of the Privacy Rights Clearinghouse “Chronology of Data Breaches” and Implications for Information Security Professionals (pt. 1)
June 23, 2008 – 6:00 am
Within the next few weeks—if not earlier—you should visit the “Chronology of Data Breaches” database available at the Privacy Rights Clearinghouse website (privacyrights.org). The database provides a listing of privacy-related security breaches that have been reported in the United…
Data Classification: Begin With Your Personally Identifiable Information
June 3, 2008 – 6:00 am
Let’s face it: Data classification—despite being an information security “best practice”— is an expensive, time-consuming, labor-intensive task. For those organizations supporting thousands (or even hundreds) of applications and databases, the job of identifying all data elements and…
Risk Assessment Gone Awry: The Costly, and Unpleasant, Consequences of Good Intentions
May 21, 2008 – 6:00 am
We are all well aware that information security controls should be “risk-based.” Innumerable email messages received from vendors stress this apparent truth, and conference speakers are forever reminding us that risk assessment must serve as the foundation of an effective—and…
Fitting the CIA Triad in a Business Context: The Concept of Agile Security
May 20, 2008 – 6:00 am
Last year, Harvard Business School Press published a very interesting book entitled IT Risk: Turning Business Threats into Competitive Advantage by George Westerman and Richard Hunter. Westerman is a Research Scientist at the Center for Information Systems Research at the MIT Sloan School of…