ISG: STRATEGIES AND TACTICS FOR INFORMATION SECURITY GOVERNANCE


Proudly, we announce the release of the newest issue of eForensics Magazine - ISG: Strategies and Tactics for Information Security Governance.


To achieve effectiveness and sustainability in today’s complex, interconnected world, information security must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department.

Among the articles we aim to feature in the issue, you can find:

 

IT SECURITY HISTORY AND ARCHITECTURE. HOW DID WE GET INTO THIS MESS?

By Dr Steve Belovich

Understanding the history of IT security explains why we are in this situation of seemingly never-ending vulnerability to data theft, cyber attacks and hacking. It also significantly impacts our “go-forward” options due to the inertia of installed base and existing infrastructures.

INFORMATION SECURITY GOVERNANCE AND WHY IT FAILS TO STOP APTS

By Robi Papp

While conducting research for this article over the past few months, I have asked individuals across a range of industries that are responsible for the information security in their organization about the topic of governance and it is often met with a sigh, a fairly long diatribe about misuse and ineffectiveness, then an example of how they have taken some relevant sub-parts of a larger governance framework and been able to successfully apply it. It would only be fitting to follow in that pattern with this paper.

COMMUNICATING RISK TO EXECUTIVE LEADERSHIP.

By Andrew Plato

It was 2010 and my team had just completed a large, enterprise risk assessment for a financial services company. We followed a traditional assessment methodology and delivered a robust report filled with worksheets, diagrams, charts, graphs, and detailed explanations of risk…none of which made a bit of sense to the executive leadership. The CEO threw the report down on the table and dismissed all our work.

HOW AND WHY INCLUDE DBAs IN INFORMATION SECURITY GOVERNANCE

By Rob Stewart

Information security has greatly increased in visibility over the past two decades. Over the last ten years governance around the policies and procedures that make up information security has grown, and new, more specific areas such as data governance have begun to emerge. While some industries are regulated and must comply with government legislation, most companies now understand the necessity of staying ahead of the curve when protecting access to and ensuring the integrity of their data. This article will examine why and how to actively involve your DBA group in information security from conception through to implementation and discuss how a complete strategy involves more than just controlling access to information systems.

ZEN & THE ART OF PCI COMPLIANCE. A GUIDE TO ENLIGHTENMENT.

By Richard Hollis

PCI has become a real and complex issue for businesses today as managers have painfully learned that one size does not fit all in the world of compliance, since unfortunately every business has its own unique set of card data security challenges to address.

INFORMATION SECURITY AWARENESS: FOCUS ON SOCIAL ENGINEERING.

By Dauda Sule

There is a lot of talk about cyber threats in recent times, ranging from the simplest forms to the most advanced. Technology is available to protect against threats, but they seem to be failing. One reason for the failure of such technology is that current threats circumvent signature-based anti-malware protection software and tend not to show abnormal behavior on the infected host. Another reason is that they can avoid the technology used for protection by taking advantage of the weakest link – the human factor.

QUESTIONS’ COLUMN. INTERVIEW PANEL WITH NIKK GILBERT

By Robert Vanaman

“You’re only as good as the last scan and controls being effectively tested. To say that you’ll never be compromised would be a disservice to any organization…it’s a matter of being prepared for that day and how well you respond that’ll make the difference. It’s also good to have a Cyber Insurance policy.”

INDUSTRY MUST-HAVES FOR EFFECTIVE AND SECURE ENCRYPTION KEY MANAGEMENT

By Townsend Security

Data breaches are a world-wide epidemic that will not slow down unless encryption and encryption key management become an integral part of how we protect sensitive data. Encryption should be considered a first resort as opposed to a last resort. However, encrypted data is only as secure as how well you protect your encryption keys. This article outlines the critical industry “must-haves” in a powerful, cost-effective, and easy-to-deploy encryption key manager.

FORTIFYING THE DEFENSES. IMPLEMENTING SECURE SHELL KEY MANAGEMENT THAT WORKS.

By Tatu Ylönen

In an effort to more thoroughly secure files, organizations and governments alike have instituted the use of the Secure Shell protocol. Secure Shell encrypts data as it is transmitted through the network through two encrypted keys; one of which is placed on the server and the other on the user’s machine. Not only does this protocol secure data that is being transferred within the network, but it also allows administrators to manage the systems remotely.

QUESTIONS’ COLUMN. INTERVIEW PANEL WITH ED GUNDRUM

By Robert Vanaman

“My advice would be to consider the anomalies. As the recent attack on major US retailers demonstrated, it is important to extend security policies and measures throughout your company’s entire eco-system, including outside entities like suppliers, channels and partners who may have partial access into your data systems.”

SURVIVAL OF THE FITTEST: THE EVOLUTION OF SECURING M2M CONNECTIONS AND ENCRYPTED NETWORKS.

By Jonathan Lewis

Ask a company if it has an identity and access management (IAM) strategy in place, and the response is likely, “Of course!” Ask if that IAM strategy covers the connections between machine-to-machine (M2M) automated access, and not just human “interactive” users, however, and the response might just be… silence.

SECURITY ISSUES AND SAFEGUARDS FOR 21st CENTURY DATA WAREHOUSE

By Robert Vanaman

Ironically, the same revolutionary technologies that delivered on the promise of Data Warehouse’s (DW) and Business Intelligence’s phenomenal capabilities have also conspired to create issues of personal privacy and security concerns which possess unprecedented nefarious implications. Providing cyber-security to the Information Technology community and the general public has become a moral, legal, and professional imperative.

QUESTIONS’ COLUMN. INTERVIEW WITH ACO SKOLOVSKI

By Robert Vanaman

“Train your people extremely well on why and what they are defending. Make sure they keep up with technology trends. Meet once a week and have an open discussion on how you can improve your security. Your security is as good or as bad as your people.”

CLOUD SECURITY ALLIANCE AND GOVERNMENT CLOUD.

By Mark Dunne

In order to reduce cost, Governments globally are adopting cloud technology at a very fast pace. Like everything else in the IT industry, rapid take-up of any technology brings with it concerns related to security. All organisations must protect their crown jewels in order to stay ahead of competition and maintain Confidentiality, Integrity, and Availability (CIA). In Government it’s more than just that.

HOW TO INDEX DATA WITH KS

By Nanni Bassetti

This is a keyword searching tool that works on allocated and unallocated data and the slack space, using indexer software and database storage.

WHY INFORMATION SECURITY GOVERNANCE IS CRITICALLY IMPORTANT WHEN BUYING CYBER INSURANCE?

By Christine Marciano

Data, it’s everywhere. It moves at the speed of light, heading in all different directions and through countless channels. Today’s evolving technological advances have enabled data flows to be interconnected in ways in which one could never have imagined. Managing these data flows within today’s organizational environment must be a top priority for any business or organization that collects, stores and transmits sensitive data.

QUESTIONS’ COLUMN. INTERVIEW WITH JASON BROZ

By Robert Vanaman

“Businesses need to have a robust overall security program based on continually assessing risk. Many tactical items roll up to the program level and are dependent on technology and operational constraints currently in place. Implementing tokenization or a P2PE validated solution would assist in the protection of credit card data, but those solutions alone are not the key.”

MEASURING AND MONITORING TO MANAGE AND IMPROVE INFORMATION SECURITY

By Kreg Brotby and Gary Hinson

How well does the avalanche of technical IT metrics posing as useful information serve organizations to help decide what resources to commit to security, how much security they need, or how to allocate those resources? Is the relentless drumbeat of burgeoning hacks, attacks and compromises inevitable? Is it just the price to be paid for exploiting the massive benefits provided by information systems?

WILL “DEAF LISTENING” TECHNOLOGY CHANGE WIRETAPPING LEGISLATION?

By Ed Gundrum

The evolution of cyberspace introduced Internet Protocol communications: VoIP, emails, instant messages, blogs and social networking. These new means of communication added complexity to surveillance because they may use open public networks that are less definable, accessible, and traceable for law enforcement officials than were the traditional hard-wired telco switching technologies. Blogging and social networking added yet another layer of complexity due to their use of complex website HTTP protocols.

HOW IMPORTANT IT IS TO PROTECT YOUR TREASURE (DATA) FROM THE THEFT?

By Ernst Eder

As more company information is saved electronically there is an increase in the theft of this data. Data theft is a huge problem for every company regardless of size or location. Corporations lose billions of dollars per year as a result of data theft. Companies must be diligent in guarding against this threat. The problem is that data thieves (hackers) may come from outside a company or they may be a company’s own employees.

STEP BY STEP WALKTHROUGH TO DO THREATS AND RISKS MANAGEMENTS BY ADHERING INDUSTRY STANDARDS

By Jaya Ram Kumar Pothi

Information Security Governance has become more reputed in all organizations right from the beginning of the modern era that is now known as the “Internet”. Organizations have customized their practice as a Governing Operating System for easier visual management of project progress tracking. A Governing Operating System is commonly made from a combination of existing systems like ISO27001, Lean, SOX, Six Sigma, etc. In Information Security Governance, the imperative factor is threats and risks management.

So – let’s talk about Information Security Governance!



July 30, 2021