Recently in Essential Truths Category

Into the breach


Unfortunately, I have not had much time to read lately. The only time I really get to see a book is just before bed, and then I usually don't read more than a few pages. Because of this, I was a little skeptical about taking on two new titles: The New School of Information Security and Into the Breach. The latter is at the top of my current reading stack for a number of reasons. First of all, Michael handed it to me personally at Defcon. Secondly, it has far fewer pages, so the chances that I actually finish the book are somewhat greater.

Having said that, I just finished part 2 of the book and my opinion of the book is already a very positive one. Santarcangelo captures the true essence of modern information security: information exists to serve users, and users just want to get the job done. Most people are truly willing to do the right thing, but they need to be enabled and empowered to do so.

When a person is confronted with having to choose between finishing the job in a timely enough fashion for senior management to proceed, versus full and unquestioning compliance with information security controls that might prevent him from getting the job done, it is clear what that choice will be.

Just realizing that is paramount.

Information security must never get in the way of doing business.

And yes, that implies that an information security officer must actually know what the business is all about and how it is conducted.

Essential truth: Never say No.

Shrdlu writes an interesting post on how to explain to non-security people what it means to be secure. Three basic rules:

  1. Have control over your systems.
  2. Check your security frequently.
  3. Educate all your people.

This is an excellent summary.


As an information security professional, everything you do has to lead to one thing only: confidence in information.

In order to achieve this, it is of paramount importance to have excellent working relationships with the people who actually use the information in your organization (the users) and also with the owners of that information. More often than not, the primary users of information are also considered its owners.

Having a separation between information owners, information custodians, and an information security role is a good thing. It allows the owners to worry about the quality of the information (including risks that might affect that quality), the custodians to look after the data within the requirements set by the owner, and the security role to ensure that the owners know what level of protection they should require and to help the custodians do a good job (see: "Security", whose responsibility).

Scott Wright has a good post over at Security Views. The essence of the post is:

"Keep information about your systems simple, neat, documented, and secure."

Especially during an emergency, the last thing you want to have to worry about is where you filed your incident response plan, your contact list, IP plan, etc. Good stuff. Go read it and be enlightened.

This might have to become an Essential Truth!