Posts Tagged “risk management”
Dear CloudTards: “Securing” The Cloud isn’t the problem…
by alex on September 14, 2010
@GeorgeResse pointed out this article http://www.infoworld.com/d/cloud-computing/five-facts-every-cloud-computing-pro-should-know-174 from @DavidLinthicum today. And from a Cloud advocate point of view I like four of the assertions. But his point about Cloud Security is off: “While many are pushing back on cloud computing due (…)
The lumbering ogre of Enterprise Governance is no replacement for real Quality Management.
by alex on September 7, 2010
Gideon Rasmussen, CISSP, CISA, CISM, CIPP, writes in his latest blog post (http://www.gideonrasmussen.com/article-22.html) about the BP Oil spill and operational risk, and the damages the spill is causing BP. Ignoring the hindsight bias of the article here… “This oil spill (…)
ISACA CRISC – A Faith-Based Initiative? Or, I Didn’t Expect The Spanish Inquisition
by alex on July 2, 2010
In comments to my “Why I Don’t Like CRISC” article, Oliver writes: CobIT allows one to segregate what is called IT into analysable parts. Different Risk models apply to those parts, e.g. Information Security, Architecture, Project management. In certain areas the (…)
CRISC -O
by alex on June 24, 2010
PREFACE: You might interpret this blog post as being negative about risk management, dear readers. Don’t. This isn’t a diatribe against IRM, only an argument for why “certification” around information risk is a really, really silly idea. Apparently, my blog about why (…)
Why I’m Skeptical of “Due Diligence” Based Security
by alex on March 17, 2010
Some time back, a friend of mine said “Alex, I like the concept of Risk Management, but it’s a little like the United Nations – Good in concept, horrible in execution”. Recently, a couple of folks have been talking about (…)
For Blog/Twitter Conversation: Can You Defend “GRC”?
by alex on December 15, 2009
Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today. I believe G & C are subservient to risk management. So let me offer you this statement to chew on: “A metric for Governance (…)
Can quantitative risk estimation serve as a guide for every-day policy decisions?
by Russell on December 5, 2009
A methodology is presented for guiding individual policy decisions from a risk management perspective, using a form of “abduction validation”. An example is presented using the case of password change policy, drawing from recent blog discussions.
For Those Not In The US (or even if you are)
by alex on November 26, 2009
I’d like to wish US readers a happy Thanksgiving. For those outside of the US, I thought this would be a nice little post for today: A pointer to an article in the Financial Times, “Baseball’s love of statistics is (…)
Rich Mogull’s Divine Assumptions
by alex on November 13, 2009
Our friend Rich Mogull has an interesting post up on his blog called “Always Assume”. In it, he offers that “assumption” is part of a normal scenario building process, something that is fairly inescapable when making business decisions. And he (…)
The Cost of a Near-Miss Data Breach
by Russell on October 6, 2009
Near misses are very valuable signals regarding future losses. If we ignore them in our cost metrics, we might make some very poor decisions. This example shows that there is a qualitative difference between “ground truth data” (in this case, historical cash flow for data breach events) and overall security metrics, which need to reflect our estimates about the future, a.k.a. risk.