Posts Tagged “risk management”

Dear CloudTards: “Securing” The Cloud isn’t the problem…

by alex on September 14, 2010

@GeorgeResse pointed out this article http://www.infoworld.com/d/cloud-computing/five-facts-every-cloud-computing-pro-should-know-174 from @DavidLinthicum today.  And from a Cloud advocate point of view I like four of the assertions.  But his point about Cloud Security is off: “While many are pushing back on cloud computing due (…)

The lumbering ogre of Enterprise Governance is no replacement for real Quality Management.

by alex on September 7, 2010

Gideon Rasmussen, CISSP, CISA, CISM, CIPP, writes in his latest blog post (http://www.gideonrasmussen.com/article-22.html) about the BP Oil spill and operational risk, and the damages the spill is causing BP.  Ignoring the hindsight bias of the article here… “This oil spill (…)

ISACA CRISC – A Faith-Based Initiative? Or, I Didn’t Expect The Spanish Inquisition

by alex on July 2, 2010

In comments to my “Why I Don’t Like CRISC” article, Oliver writes: CobIT allows to segregate what is called IT in analysable parts.  Different Risk models apply to those parts. e.g. Information Security, Architecture, Project management. In certain areas the (…)

CRISC -O

by alex on June 24, 2010

PREFACE: You might interpret this blog post as being negative about risk management here, dear readers. Don’t. This isn’t a diatribe against IRM, only why “certification” around information risk is a really, really silly idea. Apparently, my blog about why (…)

Why I’m Skeptical of “Due Diligence” Based Security

by alex on March 17, 2010

Some time back, a friend of mine said “Alex, I like the concept of Risk Management, but it’s a little like the United Nations – Good in concept, horrible in execution”. Recently, a couple of folks have been talking about (…)

For Blog/Twitter Conversation: Can You Defend “GRC”?

by alex on December 15, 2009

Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today.  I believe G & C are subservient to risk management. So let me offer you this statement to chew on: “A metric for Governance (…)

Can quantitative risk estimation serve as a guide for every-day policy decisions?

by Russell on December 5, 2009

A methodology is presented for guiding individual policy decisions from a risk management perspective, using a form of “abduction validation”. An example is presented using the case of password change policy, drawing from recent blog discussions.

For Those Not In The US (or even if you are)

by alex on November 26, 2009

I’d like to wish US readers a happy Thanksgiving. For those outside of the US, I thought this would be a nice little post for today: A pointer to an article in the Financial Times, “Baseball’s love of statistics is (…)

Rich Mogull’s Divine Assumptions

by alex on November 13, 2009

Our friend Rich Mogull has an interesting post up on his blog called “Always Assume”. In it, he offers that “assumption” is part of a normal scenario building process, something that is fairly inescapable when making business decisions. And he (…)

The Cost of a Near-Miss Data Breach

by Russell on October 6, 2009

Near misses are very valuable signals regarding future losses. If we ignore them in our cost metrics, we might make some very poor decisions. This example shows that there is a qualitative difference between “ground truth data” (in this case, historical cash flow for data breach events) and overall security metrics, which need to reflect our estimates about the future, a.k.a. risk.