Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.

Category Archives: Risk Analysis

Metrics Revisited – Application Security Metrics

– I have recently been giving some thought to, and doing some research into, application security metrics, and I have determined, quite simply, that there aren’t any good ones. “How ridiculous!” you say, “We have two dozen application security metrics, which we report in…

Slashdot Post On Security Ethics Demonstrates Professional Naiveness

– Over at Slashdot, an anonymous reader was quoted as follows (in entirety): “I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I…

The Misleading Nature of Schneier’s Security Mindset

– Recently Bruce Schneier wrote an essay on the Security Mindset. In it he wrote: Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They…

Reviewing a SAS 70 report (and getting it right)

– Welcome to the second “The Risk Rack” column. What I would like to talk to you about today are SAS 70 assessments. Not the actual performance of the assessment, but the proper way to review a SAS 70 assessment to ensure your service provider has the appropriate controls in place to protect…

The core truth of risk

– Welcome to the inaugural “The Risk Rack” column. Being the first column, I thought it would be a good idea to use it to start simply and slowly. First I wanted to note that this column is intended for information technology risk management professionals, information technology auditors,…