<?xml version="1.0" encoding="UTF-8"?><!-- generator="WordPress/2.6.1" -->
<rss version="0.92">
<channel>
	<title>Home</title>
	<link>http://www.controlpolicy.com</link>
	<description>Independent internal security in Central Europe</description>
	<lastBuildDate>Sun, 07 Sep 2008 10:24:47 +0000</lastBuildDate>
	<docs>http://backend.userland.com/rss092</docs>
	<language>en</language>
	
	<item>
		<title>Operational Risk</title>
		<description>The two top categories of operational risk are Internal and External Fraud, but what IS "operational risk" exactly?

The best definition of operational risk comes from Basel II, which defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

Although ...</description>
		<link>http://www.controlpolicy.com/2008/09/operational-risk/</link>
			</item>
	<item>
		<title>Automate your annual risk and compliance assessment</title>
		<description>Many small to medium-sized enterprises (SME) have risk and privacy compliance issues similar to big companies without the big budgets.

Control Policy Group's free risk and compliance automation tool provides an SME with an extremely cost-effective way of collecting data, analyzing risk, meeting compliance requirements and providing effective internal security ...</description>
		<link>http://www.controlpolicy.com/2008/08/making-iso27001-risk-assessment-effective/</link>
			</item>
	<item>
		<title>Effective security and compliance without political suicide</title>
		<description>Most organizations separate the two functions: security functions typically sit inside the IT department, and compliance usually reports to corporate finance or general management, for large companies in a Chief Compliance Office.

We believe that security and compliance operations in a company are synergistic. The question is: how can you do it without ...</description>
		<link>http://www.controlpolicy.com/2008/07/organizational-politics-is-not-a-dirty-word/</link>
			</item>
	<item>
		<title>Controlling risk</title>
		<description>In a recent article published online at the JFK School of Government at Harvard, Malcolm Sparrow talked about how controlling risks is a central challenge for government regulators charged with the task of reducing societal ills and preventing bad things from happening. Professor Sparrow notes there does not seem ...</description>
		<link>http://www.controlpolicy.com/2008/06/controlling-risk/</link>
			</item>
	<item>
		<title>The biggest bugs hide in the cracks left by your system integrator</title>
		<description>The biggest bugs are hiding in the system integration interfaces your integration team glued on the day before delivery. They go home, you get fired.

Perhaps you have been in this situation before:

You're a CIO/VP IT/IT manager and you're preparing to implement a packaged business application - for example a ...</description>
		<link>http://www.controlpolicy.com/2008/06/the-biggest-bugs-are-hiding-in-the-cracks/</link>
			</item>
	<item>
		<title>Why Excel is a bad choice for a security audit</title>
		<description>Excel is easy to use, but you can lose or destroy your data pretty easily. Although risk assessment standards such as ISO 27001 or PCI DSS 1.1 have a one-dimensional hierarchical structure of controls, you can get into big trouble once you try to link controls to vulnerabilities, ...</description>
		<link>http://www.controlpolicy.com/2008/06/automating-iso-27001-security-audits-with-pta/</link>
			</item>
	<item>
		<title>Best practice controls for preventing data loss</title>
		<description>Abstract
This article reviews the main areas for concern for protecting information assets from internal threats and vulnerabilities. It starts with an anecdote from an interview with a senior manager and concludes with a recommendation for implementing an approach to protect data directly (as opposed to commonly-used methods that attempt to ...</description>
		<link>http://www.controlpolicy.com/2008/06/best-practice-controls-for-data-loss-prevention/</link>
			</item>
	<item>
		<title>Best practice security controls for IT</title>
		<description>One of the most common problems a CIO/VP of information technologies has is understanding which security products are the most effective. The cost of evaluating a new security technology can be very high, and often an IT manager will need to take a decision to implement a particular type of product ...</description>
		<link>http://www.controlpolicy.com/2008/06/getting-the-most-cost-effective-information-security-controls-in-it-operations/</link>
			</item>
	<item>
		<title>Data loss prevention technologies</title>
		<description>Abstract
Data loss prevention is a rapidly emerging network security technology area that has matured from simple regex-based Web / email content filtering products into products such as Fidelis Security Systems XPS that perform deep inspection of documents such as Microsoft Word and Adobe PDF with high levels of precision and ...</description>
		<link>http://www.controlpolicy.com/2008/05/data-leakage-prevention-technologies/</link>
			</item>
	<item>
		<title>Network security warfare - offensive security</title>
		<description>Attack the attackers

I believe many people involved with IT security have a feeling of frustration that stems from continuously reacting to external forces: spam attacks, spyware attacks, insider threats, analyst reports and new product announcements. What should you do?

Consider the three basic tenets of IT Security

Network Security is Warfare, if ...</description>
		<link>http://www.controlpolicy.com/2008/05/network-security-warfare-offensive-security/</link>
			</item>
</channel>
</rss>
