Practical Issues in InfoSec » Risk http://www.dlstrom.com ... putting information security within reach of everyone! Tue, 20 Dec 2011 17:00:00 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Pets, Vets and InfoSec http://www.dlstrom.com/2009/09/04/pets-vets-and-infosec/ http://www.dlstrom.com/2009/09/04/pets-vets-and-infosec/#comments Fri, 04 Sep 2009 13:00:00 +0000 Dan Strom http://www.dlstrom.com/?p=282

We currently have two dogs and usually have multiple cats. We’ve had snakes, lizards, fish, birds, hedgehogs and other critters as pets in the past.

So it was with great interest that I listened to the advertisement on the radio encouraging pet owners to take their pet to the veterinarian and have a semi-yearly risk and health assessment performed. This radio spot was sponsored by some veterinarian organization.

The selling point was that your pets may be exposed to diseases and parasites that you are unaware of and the assessment will help to detect and give a jump-start to remediation.

Wow! That sounds like what is done in information security.

  • Pets (dogs) will wonder around and stick their nose in places where it doesn’t belong.
  • Users will visit just about any Internet site – even ones they shouldn’t.
  • Pets will pick up parasites just by running through the brush.
  • Users will get a virus, trojan or some other malware just by clicking a link in some spam email.
  • Pets will sometimes have to be put on a leash to keep them from running off.
  • Content filters are sometimes necessary for users.

I could go on. The point is that just like with pets, we need to be constantly aware of the changing risks and take steps to adequately respond to that risk.

Who would have thought we could learn information security practices just by having pets?

- Dan

]]> http://www.dlstrom.com/2009/09/04/pets-vets-and-infosec/feed/ 0 InfoSec Tip: Create A Risk Register http://www.dlstrom.com/2009/06/25/infosec-tip-create-a-risk-register/ http://www.dlstrom.com/2009/06/25/infosec-tip-create-a-risk-register/#comments Thu, 25 Jun 2009 13:00:16 +0000 Dan Strom http://www.dlstrom.com/?p=248

I don’t know if your memory is like mine, but sometimes I cannot remember what happened last week.

Do you remember each and every information security exposure that is found?

Several years ago I started keeping a Risk Register. This is very similar to the checkbook register that we all keep.

When I find a new exposure to our organization, I keep track of these things…

  1. Date Risk Found
  2. Description of Risk
  3. Business Unit Impacted
  4. Steps Taken for Remediation
  5. Date of Each Step Taken

Now, I’ll be honest. Many times I keep much more information that what is listed above. But, the above is a good start.

What are the benefits of keeping a Risk Register?

  • Helps with remembering what has been done.
  • Helps with justifying InfoSec expenses.
  • Helps in explaining what has been done to Management.
  • Helps to identify the most vulnerable business unit.

So, remove some items from the list of things you need to remember. Keep a Risk Register.

- Dan

]]> http://www.dlstrom.com/2009/06/25/infosec-tip-create-a-risk-register/feed/ 1