What is an information security objective or goal? Could you state that your
organisation's information security objective / goal is to "protect the
confidentiality, integrity and availability of information"? Pause and
think for a second. Isn't this a definition of information security?
Isn't this what information security is all about: protecting
information? Is this maybe too general?
What are your security objectives?
This seven-word statement is the most commonly used information security goal
statement in information security policy documents, and if left just like this
it is itself a textbook example of a badly defined one. Why is it so?
For plenty of reasons:
• a goal defined like this is not specific enough (What does it mean to
protect information? Which information? Which system? Protecting it from
what? Information in what form?),
• it is not defined how can ... (more)
Anyone who is reading this entry of mine has doubtless asked this question
(when speaking of disaster recovery sites): what is the right distance from
the primary to the secondary company (disaster recovery) site? Is there any law,
regulation, standard, best practice or anything else that defines the
"right" distance? If so, what is it? 10 miles, 50 miles, 100 miles or
more? Or less? Is there any universally acclaimed methodology for determining
the "right" distance?
Well, … the answer is NO. There is no such document that defines the
minimum distance from the primary to the secondary site. The... (more)
I really don't have any problems with Facebook whatsoever, since I don't
really use it in any meaningful way (can it be used in such a way at all?).
But that does not mean that Facebook does not have some serious security
problems. In fact, I could write a book about them if I could find more time.
Let's consider some of them. For instance, Facebook users can use too many
different applications for which no serious (mandatory) security evaluation /
verification process exists. So hackers and other bad guys can continue to
create applications that appear not so ma... (more)
According to Wikipedia, information security means "protecting information
and information systems from unauthorized access, use, disclosure,
disruption, modification or destruction".
Another definition could be "managing the process of mitigating
(transferring, reducing, avoiding) unacceptable information security risks".
And yet another: "the implementation of programs and practices that
protect the integrity and safety of computer programs and information".
Of course, there are variations on the common theme. And this theme without
any doubt is ... (more)
Have you ever Googled "information security strategy"?
Try it yourself and see the results.
What you get is a bunch of mixed-up terminology, most of which does not (should
not) fit into what an information security strategy really is (or should be).
The major misconception is this: an information security strategy is a risk treatment
(mitigation) plan. In some way it is true, but let's consider some major
limitations of that approach.
According to Wikipedia, "strategy" is "a plan of action designed to achieve
a particular goal." So you have a business strategy, which is a plan o... (more)