The Control Policy Group

Data security the way you run your business

Archive for the 'information security management' Category

Data Security as business objective

October 15, 2009 – at our Thursday online data security workshop, we’ll be hosting OS Balaji, the Indian expert on Business process management.

OS will be talking about data security identified as a business objective.

Agenda

  • Business strategy alignment with business process
  • Information/data security identified as a business objective
  • Building processes integrated with security aspects
  • Software development, banking, service industries, etc.
  • Case studies
  • Key metrics
  • Advantages of building a security framework as part of the business process

Register now for this great online workshop with one of the top experts in the field.


Network Surveillance

There is nothing like collecting real data and validating the effectiveness of your security countermeasures.

Most companies have good perimeter security – i.e. a firewall and an IDS or IPS. While many security people view an IPS as the next generation of IDS, it’s important to understand the different roles of detection and prevention. Detection helps you understand what kind of attacks are being mounted (or potentially COULD be mounted) on the network, and prevention (an IPS) is part of your access control systems – a way of keeping the bad guys off your network.

However, in our experience the same companies with well-managed perimeter security do not know what’s happening inside their network.

Do you know what is happening inside your network?

Read the full article here: network surveillance.


What hackers really want

What do hackers really want?

No question is more important for mounting effective security countermeasures. Management, IT and security practitioners cannot expect to mitigate risk effectively without knowing the objectives and cost of potential attacks on their organization.

We all depend on transaction processing systems in order to run the business and make decisions, no matter how many employees we have. Whether you have a small business making wedding cakes or a global enterprise with 14,000 employees in 40 locations, you use information systems daily to buy, sell, pay and collect from customers.

The prevailing security model predicates defense in depth of transaction systems. The most common strategies mitigate risk with network and application security products that are reactive countermeasures: blocking network ports and services, detecting known application exploits, or blocking entry of malicious code to the network.

Are any of these security countermeasures likely to be effective in the long-term? Can attacks on a business be neutralized with defensive means only? In other words, is there a “fire and forget” security solution for the business? The answer is clearly no.

A reactive network defense tool such as a firewall cannot protect against exploitation of software defects, and an application firewall is no replacement for an in-depth understanding of company-specific source code or system configuration vulnerabilities.

Business Threat Modeling is a threat assessment process that employs a systematic risk analysis of business systems along with quantitative evaluation of how well removing defects reduces risk.

Business Threat Modeling is based on four basic tenets:

  1. Risk analysis for production software

  2. Quantitative evaluation and financial justification

  3. Explicit communications between developers and security

  4. Sustain continuous risk reduction

You can download the Business Threat Modeling methodology for free here.


Using ISO 27001 for cost-effective risk mitigation

Many small to medium-sized enterprises (SME) have risk and privacy compliance issues similar to big companies without the big budgets.

Control Policy Group’s free risk and compliance automation tool provides an SME with an extremely cost-effective way of collecting data, analyzing risk, meeting compliance requirements and providing effective internal security to the business.

The Control Policy risk and compliance automation tool provides 4 key benefits for an SME (besides being free…): Read more


Best practice security controls for IT

One of the most common problems a CIO/VP of information technology has is understanding which security products are the most effective. The cost of evaluating a new security technology can be very high, and often an IT manager will need to decide to implement a particular type of product (for example two-factor authentication) before she knows whether the products will be effective.

Read more
