Nearly all compliance regulation and standards addressing aspects of information security (aka cyber security ;-)) contain a mandate for IT risk assessment (or analysis) and management. Most often, these requirements are fairly generic. They do not prescribe a specific methodology for risk assessments, and they do not mandate a specific depth (level of detail) for … Continue reading How Much Risk Assessment Is Enough?
I wrote a white paper on risk-based authentication. Download it as a PDF: dissecting_risk-based_authentication. At conferences and trade fairs, I have run into the term risk-based authentication a lot recently. There is really nothing new to implementing authentication measures that are commensurate in effectiveness with the value of the information to be protected. (Iris scanners … Continue reading Dissecting Risk-Based Authentication (White Paper)
Bring Your Own Device (BYOD) is a hot topic in security management circles these days. This blog post provides some guidance on implementing a framework that allows users to access corporate assets from their privately owned devices. In writing this, we assume that your organization does not already use third-party solutions for managing user-owned … Continue reading Bring Your Own Device (BYOD) – Strategy and Best Practice
A Wind Energy Farm, a piece of critical infrastructure. The National Institute of Standards and Technology (NIST) recently released an official draft of its Cybersecurity Framework for America’s critical infrastructure, i.e. the infrastructure that contributes to keeping the US and its economy running. Think power generation and distribution, transportation, communication networks, … The framework is a direct result of … Continue reading A Look at NIST’s Preliminary Cybersecurity Framework