BlackHat USA 2008 - Day 1 Review
Welcome to our first Security Insider posting from the BlackHat conference here in Las Vegas. My colleague Tadd Axon and I will be doing our best over the next few days to post some highlights of the conference. For those of you not familiar with the event, BlackHat takes a deep look at emerging threats and security research. If you want a good close look into the future, this is the place to be.
For the purpose of these posts over the next few days, we’ll post some high-level summaries of the talks we attend. This isn’t anything close to a full list of everything that’s going on here, just what we’ve personally attended. For a more complete wrap-up of both the BlackHat and Defcon events, be sure to attend this month’s TASK event, where all the various TASK members here in Vegas this week will be sharing highlights in more detail. As always, TASK is free, so check it out. You will also be able to catch some of these speakers when they come to SecTor this year.
Today is the first day of the conference, and therefore the day it’s easiest to wake up early for. Tonight many vendors host parties, which will make tomorrow a much harder day to focus. Here is what we attended.
Dan Swanson’s Security Resources: #12
Business is about change, and Peter’s change management repository is one of the very best, and certainly well worth regular visits by busy professionals.
Studying what the board is focusing on is always productive, so this week additional board studies are highlighted. Finally, regularly check out the CERT security podcast series: it has had more than 2 million visits since its launch early last year, and they continue to expand their repository of learning resources.
Enjoy.
Good luck and have another great week.
Managing Change
There is no management activity more misunderstood, abused and ignored than the act of implementing Change. Some have even suggested that the phrase “Change Management” is an oxymoron. The articles available below have a single purpose, to transform the act of Managing Change from something we dread, to something we approach with skill, insight, wisdom and an increased chance of success.
http://www.technobility.com/docs/menu-managing-change.htm
ISO 27001 CERTIFICATION GUIDES LAUNCHED
IT Governance Ltd has launched the world’s first practical guides to help company directors and IT project managers understand and achieve certification to ISO 27001, the newly published global certification standard for information security management (replaces BS7799 and complements ISO 17799). In the modern corporate governance climate, ISO 27001 certification will increasingly become a prerequisite for winning new business, thereby accelerating the transfer of IT security issues from the data room to the boardroom.
http://www.itgovernance.co.uk/news_detail.aspx?news_id=25
What the Board Needs to Know About IT (The board’s role in leveraging technology as a strategic resource)
In 2006, Deloitte Consulting LLP began a research initiative to explore how boards of directors are approaching information technology (IT). Phase I of this research represents the findings of more than 30 interviews with directors and senior executives. The findings from the Phase I interviews have been captured in the point of view: “What the Board Needs to Know About IT: The Board’s Role in Leveraging Technology as a Strategic Resource.”
You can also download “Bringing IT Into the Boardroom,” which appeared as a supplement to the Fall 2006 issue of Corporate Board Member magazine. Finally, you can learn about the upcoming Phase II research results on the topic of the board and IT by downloading a preview of the survey results, entitled: “Big Conundrum: Phase II Preliminary Findings.”
For more info on the Deloitte initiative, all the above mentioned documents, and “more”, visit: http://www.deloitte.com/dtt/article/0,1002,sid%3D26562%26cid%3D132853,00.html
CERT Launches Podcast Series
The CERT® Program is pleased to announce the launch of its first podcast series, “Security for Business Leaders,” available at http://www.cert.org/podcast. The series will provide both general principles and specific starting points for business leaders who want to launch enterprise-wide security efforts, or who want to ensure that their organizations’ existing security program is as effective as possible. New podcasts will be available every two weeks.
The newest podcast features Rich Pethia, Director of the CERT Program. Other podcast topics include “Why Leaders Should Care about Security,” “The ROI of Security,” “Proactive Remedies for Rising Threat,” and “Compliance vs. Buy-in.” Listeners can hear entire conversations, download PDF transcripts, and investigate additional references in the show notes.
“Security for Business Leaders” is the first podcast series for the SEI.
Information Security Oversight: Essential Board Practices, from the National Association of Corporate Directors (NACD).
Learn four steps each board should adopt to avoid the hazards of leaving information inadequately protected from cyber criminals. Review the questions each board should ask to determine inherent risks. Discover the potential liabilities and other woes that might befall corporate boards and management who show too little involvement in safeguarding the security and privacy of corporate-held information. Lessons include identifying vulnerabilities, mitigating damages, establishing controls, educating officers and employees, and resolving issues. Sponsored by KPMG’s Audit Committee Institute and published in collaboration with the Institute of Internal Auditors and the Critical Infrastructure Assurance Office of the U.S. Department of Commerce.
The Language of Compliance
The Language of Compliance is the biggest (3,500+ entries) resource for acronyms, terms, and extended definitions. Authored by Dorian Cougias and Marcelo Halpern it covers the terms found in HIPAA, SOX, GLB, CobiT, ISO 17799 and 27001, BCI, BSI, ISSF, and over 100 other regulatory bodies and standards agencies.
http://www.unifiedcompliance.com/index.html
Dan Swanson’s Security Resources: #11
Auditing information security helps identify key improvement opportunities. Studying leading audit guidance also gives a better understanding of what the auditors are looking for, which makes audits more productive (a true win/win).
Taking the perspective of a board director will help focus your efforts on what the board is concerned about. Board guidance also tends to be very concise and focused, i.e. these are great reports to study closely. Finally, getting your unplanned work under control will make your life better, full stop.
Enjoy.
Good luck and have another great week.
Management Planning Guide for Information Systems Security Auditing
Produced by the National State Auditors Association and the US General Accounting Office.
http://www.gao.gov/special.pubs/mgmtpln.pdf
Information Technology and the Board - “An Insightful Resource”.
http://www.deloitte.com/dtt/article/0%2C1002%2Ccid%25253D152626%2C00.html
What the Board Needs to Know About IT: Phase II Findings
Maximizing performance through IT strategy
http://www.deloitte.com/dtt/article/0,1002,sid=36692&cid=151800,00.html
Unplanned Work: The Silent Killer
Find out how unplanned work - those activities not mapped to any project, procedure or change request - is undermining the effectiveness of your IT efforts.
http://www.networkworld.com/whitepapers/nww/pdf/Tripwire_Unplanned_Work_Management_Paper.pdf
20 Questions Directors Should Ask About IT (Revised April 2004)
Information technology is a critical part of an organization’s internal control and management information system, and ensuring its integrity is an important responsibility for board members. ITAC has compiled 20 key questions about IT covering: strategic planning and technology, performance and personnel issues, internal control issues, risk and security, information privacy, e-business, availability policies, and legal issues.
http://www.cica.ca/index.cfm/ci_id/1000/la_id/1
The Federal Government of Canada (GOC) Internal Audit Guides
Audit of Information Technology Security audit guide
http://www.tbs-sct.gc.ca/Pubs_pol/dcgpubs/tb_h4/01guid01_e.asp
Audit of Security audit guide
http://www.tbs-sct.gc.ca/ia-vi/policies-politiques/gas-gvs/gas-gvs_e.asp
Various other GOC internal audit guides
http://www.tbs-sct.gc.ca/ia-vi/common/guides_e.asp