Senior leadership in InfoSec functions needs to perform annual strategic planning covering budgets, staffing plans, project planning, etc. However, this activity should not consume a considerable amount of time; a reasonable target is roughly one hundred and fifty (150) hours of aggregate effort.
If strategic planning consistently requires more than that, the observation has been that the cause is usually organizational, and a re-org / redesign may be required. Such changes should focus on clarity with respect to roles and responsibilities, reporting structures, procurement / solution requirements, operational work streams, P&L, and vendor management. Furthermore, strategic planning should include both grassroots and top-down involvement.
Tuesday, March 21, 2017
Sunday, March 19, 2017
Digital Signatures Are Worthless Without Compensating Controls
Many orgs use cryptographic signatures to verify software / firmware / patches / updates; however, far fewer apply integrity safeguards to the versioning of those platforms. A valid signature proves that the vendor produced the artifact; it says nothing about whether this artifact is the build you intended to install. Any release the vendor ever signed, including an older build with a known defect, verifies just as cleanly as the current one.
Checksums and other compensating controls should therefore be used alongside the signature to ensure the stability of the platform in question: pin the expected checksum of the approved build, refuse to step backwards to a lower version than the one already running, and record what was actually installed. Together these negate the rogue installation of signed but unintended software / firmware.
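As an added example that is not part of the original post, the Go program below contrasts a signature-only verifier with one that layers the compensating controls described above on top of the same signature check. The vendor key, the two "firmware" payloads, the version numbers and the pinned checksum are all constructed for the demonstration; the naming (NaiveAccept, HardenedAccept, Installed) is this example's own and not any vendor's or project's API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is a constructed stand-in for an update artifact as it arrives
// from a vendor channel: a version counter, the payload, and a detached
// signature over both.
type Release struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

// signedMessage binds the version counter to the payload so the signature
// covers both; signing only the payload would let an attacker relabel versions.
func signedMessage(version uint32, payload []byte) []byte {
	return append([]byte(fmt.Sprintf("v%d:", version)), payload...)
}

// Sign plays the role of the vendor's build pipeline.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Release {
	return Release{Version: version, Payload: payload,
		Sig: ed25519.Sign(priv, signedMessage(version, payload))}
}

// NaiveAccept is the signature-only check: anything the vendor ever signed is
// accepted, including an older release with a known defect.
func NaiveAccept(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, signedMessage(r.Version, r.Payload), r.Sig)
}

// Installed is the local state the compensating controls are evaluated against:
// the version currently running and the SHA-256 of the build that was approved
// out-of-band (change ticket, vendor bulletin, etc.).
type Installed struct {
	Version        uint32
	ExpectedSHA256 string
}

// HardenedAccept keeps the signature check and adds two compensating controls:
// a monotonic version rule (never step back to an earlier signed release) and a
// pinned checksum (is this the specific build we approved?).
func HardenedAccept(pub ed25519.PublicKey, r Release, st Installed) error {
	if !ed25519.Verify(pub, signedMessage(r.Version, r.Payload), r.Sig) {
		return errors.New("bad signature")
	}
	if r.Version <= st.Version {
		return fmt.Errorf("rollback refused: offered v%d, running v%d", r.Version, st.Version)
	}
	sum := sha256.Sum256(r.Payload)
	if got := hex.EncodeToString(sum[:]); got != st.ExpectedSHA256 {
		return fmt.Errorf("checksum mismatch: got %s..., pinned %s...", got[:12], st.ExpectedSHA256[:12])
	}
	return nil
}

// Scenario signs two constructed releases with one vendor key and replays the
// older one against a host running v2 that has approved v3. It returns:
// naive verifier accepts the old build, hardened verifier rejects it,
// hardened verifier accepts the approved v3 build.
func Scenario() (naiveAcceptsOld, hardenedRejectsOld, hardenedAcceptsNew bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	old := Sign(priv, 1, []byte("firmware build 1 (constructed; has a known bug)"))
	next := Sign(priv, 3, []byte("firmware build 3 (constructed; fixed)"))
	sum := sha256.Sum256(next.Payload)
	state := Installed{Version: 2, ExpectedSHA256: hex.EncodeToString(sum[:])}
	return NaiveAccept(pub, old),
		HardenedAccept(pub, old, state) != nil,
		HardenedAccept(pub, next, state) == nil
}

func main() {
	naive, rejectsOld, acceptsNew := Scenario()
	fmt.Println("naive verifier accepts signed-but-old release:", naive)
	fmt.Println("hardened verifier rejects it:", rejectsOld)
	fmt.Println("hardened verifier accepts the pinned v3 build:", acceptsNew)
}
```

The version counter is included under the signature so that a downgrade has to be an artifact the vendor actually signed, not a relabelled one; the pinned checksum then narrows acceptance from "anything the vendor signed" to "the one build we approved".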
Monday, March 6, 2017
Ransomware Response: A Service Continuity Challenge
While many security solutions (e.g., CASB, ATP, MTD, DMARC/SPF, EDR) aim to catch malware / ransomware before it executes, isn't the response to a ransomware incident really a service continuity challenge?
With defined RPO/RTO terms, as well as tested BCP/DR procedures, ransomware response should be relatively painless, provided the backups themselves are kept out of reach of the credentials and network paths the ransomware used, and restores have actually been exercised rather than assumed. The real concern is your ecosystem, as many third parties won't have the same governance regarding BCP/DR as a large enterprise, and their outage becomes yours.