- Compliance and risk modeling
  You can fight compliance or embrace it, but one way or the other, you can’t escape it. Increasingly, smart organizations are not just accepting compliance as a necessary evil, but aggressively teaming with their internal compliance and audit teams to... E-Zine
- Understanding governance, risk and compliance frameworks
  Governance, risk and compliance frameworks, tools, and strategies are essential to the success of today’s corporate information security programs. This in-depth e-book explores all facets of GRC from the complexities of evaluating the right solution ... E-Book
- Top considerations for midmarket security
  This month's issue of Information Security focuses on risk management. We'll cover many important topics, such as: Cloud Computing - cost savings vs. security concerns; Web 2.0 - ways to monitor and manage Web 2.0 usage within your company; Web Applicat... E-Zine
- Keeping on top of risk management and data integrity essentials
  Risk management is vital for all enterprises, but for an oil company like ChevronTexaco and its Chief Information Protection Officer, Richard Jackson, the consequences of a risky drill site can last for decades. Also in this issue, read features on f...
- Balancing act: Security resource planning helps manage IT risk
  Effective enterprise risk management is a challenging balancing act, demanding careful attention to vulnerabilities, policies, regulations, internal and external threats, and more. Our cover story looks at technology that promises to ease the burden,... E-Zine
- Editor’s desk: A chat with Peter G. Neumann
  Peter G. Neumann shares his thoughts on the inherent complexity of trustworthiness and the evolutionary promise of clean-slate architectures. Feature
- Security Risk Assessment Process a Team Effort at Notre Dame
  The university created a committee to tackle risk assessment on an ongoing basis. Feature
- Information Security Decisions: From Dogma to Data
  The information security field needs to overcome information sharing roadblocks to improve decision making. Feature
- Risk Management
  Guide
- Eye On IT Security
  Guide
- Readers' Choice Awards 2011
  Readers vote on the best risk assessment and modeling, and policy creation, monitoring and reporting products and services, IT governance, risk and compliance products, and configuration management products. Guide
- Quiz: Building a compliance scorecard
  How much have you learned about building a compliance scorecard? Find out with this short quiz. Quiz
- The New School of Information Security
  In this chapter excerpt from "The New School of Information Security," authors Adam Shostack and Andrew Stewart explain why the use and abuse of security language calls for a fresh and innovative way of thinking. Book Chapter
- Quiz: Building a risk-based compliance program
  A five-question multiple-choice quiz to test your understanding of Richard Mackey's Compliance School lesson. Quiz
- Quiz: Developing a risk-based compliance program
  A five-question multiple-choice quiz to test your understanding of the content presented by expert Richard Mackey in this lesson of SearchSecurity.com's Compliance School. Quiz
- See more Essential Knowledge on Enterprise Risk Management: Metrics and Assessments
- Symantec 2013 Threat Report highlights rise in SMB attacks
  Big Yellow's annual report indicates a threefold rise in targeted attacks against SMBs as attackers search beyond big firms for susceptible targets. News | 18 Apr 2013
- Panel: Cyber-intelligence alone can't stop enterprise security threats
  Panelists at the SANS Cyber Threat Intelligence Summit lament the challenges of using cyber-intelligence to thwart enterprise security threats. News | 27 Mar 2013
- Kaminsky: Fostering improved security culture demands societal change
  At B-Sides San Francisco, Dan Kaminsky discussed how society inhibits its own security culture, and the need to look beyond status-quo technology. Column | 25 Feb 2013
- Converging audit and risk management programs a flawed approach, says expert
  Most risk management programs fail because they end up being another audit function, explains Alex Hutton, a faculty member at IANS. News | 10 Dec 2012
- PCI Council: Risk assessment methodology unique to company environment
  The PCI Risk Assessment Special Interest Group concludes that risk assessments are based on a company's unique risk tolerance and environment. News | 19 Nov 2012
- Expert urges security pros to speak out, educate upper management
  Security expert Jayson E. Street explains why security pros must learn to communicate effectively to gain trust from management and empower employees. News | 02 Oct 2012
- For Target, retailer's risk management program hinged on executive buy-in
  To get executive buy-in, the retailer's risk management program architect had to define success and make sure everyone could speak the same language. News | 11 Sep 2012
- Review your security contingency plan during the Games
  U.K. companies are preparing to manage their security during the Olympics. Would your security contingency plan hold up to such a disruptive event? News | 21 Jun 2012
- CISOs struggle with visibility, complexity in enterprise risk management
  McAfee says organizations must juggle visibility, system complexity challenges when balancing compliance-driven priorities with the threat landscape. News | 29 May 2012
- Geer: More redundancy, manual processes can cut IT infrastructure risk
  Luminary Dan Geer says IT infrastructure risk can be reduced by boosting Internet resiliency and by planning backup processes should the Net go down. News | 19 Apr 2012
- See more News on Enterprise Risk Management: Metrics and Assessments
- Lessons of cyberwar: A chance to boost information security budgets
  In the wake of an incident, CISOs should make the most of the opportunity to increase information security budgets. Column
- Whistleblower policy: Preventing insider information leak incidents
  NSA-level incidents are rare, but they do happen. Learn how to prevent a whistleblower scenario and limit the risk of insider information leaks. Tip
- How to reduce IT security risk with IT asset management
  IT asset management expert Barb Rembiesa explains how ITAM best practices like IT asset standardization and rationalization reduce IT security risk. Tip
- Forrester's GRC framework: Using three lines of defense
  Chris McClean of Forrester Research provides a GRC framework. It offers three lines of defense to boost participation rates and define clear roles. Tip
- How to implement an enterprise threat assessment methodology
  Learn how incorporating an assessment of external threats can increase the accuracy and comprehensiveness of risk assessments. Tip
- Building a compliance culture means learning from mistakes
  In this bonus to our "Compliance scorecard" Security School lesson, Eric Holmquist covers the importance of learning from failure by assessing how and why mistakes happen. Tip
- How to write an effective enterprise mobile device security policy
  Expert Lisa Phifer explains the process for creating a winning enterprise mobile device security policy that reduces the risk of mobile data threats. Tip
- Remediating IT vulnerabilities: Quick hits for risk prioritization
  There's no way to eradicate all IT vulnerabilities, but spotting the most critical ones is essential. Read these quick hits for risk prioritization. Tip
- Forrester: Developing an enterprise risk assessment template
  Despite skeptics, an enterprise risk assessment template is worth investing in. Forrester’s Chris McClean explains why and how to get started. Tip
- Defining enterprise security best practices for self-provisioned technology
  Is your current enterprise security policy ready for mobile and cloud computing technology? Probably not, but it can be: Forrester's Chenxi Wang explains how. Tip
- Understanding SCAP NIST guidance and using SCAP tools to automate security
  The Security Content Automation Protocol (SCAP) is intended to help automate vulnerability management, but is it really effective? Learn how NIST guidance can help you navigate an SCAP implementation. Tip
- See more Tips on Enterprise Risk Management: Metrics and Assessments
- Weighing compliance mandates vs. security vulnerability management
  Should security vulnerabilities be prioritized based on compliance needs? Mike Chapple discusses this approach to vulnerability management. Answer
- Network security metrics: Basic network security controls assessment
  Get advice on how to devise appropriate network security metrics for your enterprise from expert Mike Chapple. Answer
- How to protect intellectual property from hacker theft
  More hackers are targeting corporate IP over SSNs and card data. Expert Nick Lewis explains how to protect intellectual property in the enterprise. Answer
- Merger management: How to handle potential merger threats to security
  During a merger, management of information security becomes even more crucial in order to mitigate threats, including the many new insiders and attentive attackers that want to take advantage of holes in the companies' infosec integration. Ask the Expert
- Perform a Windows Active Directory security configuration assessment
  How secure is your configuration of Active Directory? Learn how to perform a security configuration assessment on such a directory in this expert response. Ask the Expert
- Creating a security risk management plan format
  Enterprises without a codified risk management plan are much more susceptible to threats. In this expert response from Ernie Hayden, learn how to create a risk management plan that covers all the bases. Ask the Expert
- How to determine the net value of an asset for risk impact analysis
  Asset valuation and impact analysis are two different but equally important aspects of risk analysis. Expert Ernie Hayden explains. Ask the Expert
- Gap analysis methodology for IT security and compliance
  If your enterprise is faced with multiple-standard compliance, having a set gap analysis methodology can save a lot of time and effort. Learn more in this expert response from Ernie Hayden. Ask the Expert
- Risk prioritization: DLP for data loss or laptop full disk encryption?
  With a limited IT security budget, it's often necessary to undergo risk prioritization and make difficult choices. In this expert response, Ernie Hayden discusses whether it's better to deploy a DLP tool for data loss or laptop full disk encryption. Ask the Expert
- Electronic access control system and biometrics authentication
  Biometrics authentication and an electronic access control system can be closely related, but they're not the same thing. In this IAM expert response, Randall Gamby explains the difference. Ask the Expert
- See more Expert Advice on Enterprise Risk Management: Metrics and Assessments
- OCTAVE
  OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a security framework for determining risk level and planning defenses against cyber assaults. The framework defines a methodology to help organizations minimize exposure t... Definition
- Closing the gap between IT security risk management and business risk
  Video: It's a mistake to equate IT security risk and business risk. VerSprite's Tony UcedaVelez explains why, and offers advice on bridging the chasm. Video
- Use the Mandiant Redline memory analysis tool for threat assessments
  Video: Keith Barker of CBT Nuggets shows how to use the Mandiant Redline memory analysis tool to conduct threat assessments, defeat rootkits. Video
- Martin Roesch: Increase in cybersecurity breaches demands new tactics
  Video: Sourcefire interim CEO Martin Roesch discusses the need for new tactics amid rampant cybersecurity breaches, plus APTs, big data and CISO priorities. Video
- Creating a normalized corporate compliance program
  It's essential for IT security managers to create a corporate compliance program to adhere to regulations while maintaining a productive workplace. Video
- Meeting PCI DSS compliance requirements with a data management program
  In order to meet PCI DSS requirements and compliance, it is important to organize and sort the data coming in by devising a data management plan. Video
- Security data mining techniques to weed through data overload
  These security data mining techniques will allow security professionals to find and tackle the real issues while overcoming data overload. Video
- Vulnerability researcher on layered security plan mistakes
  A layered security plan is good, but Argonne National Laboratory vulnerability researcher Roger Johnston warns against too many layers. Video
- Mobile security survey 2012 audio slideshow
  SearchSecurity.com presents the key findings of its 2012 mobile security survey with audio analysis by editors Eric B. Parizo and Robert Westervelt. Audio Slideshow
- Exploit Intelligence Project: Rethinking information security threat analysis
  Information security threat analysis is fundamentally flawed, said Dan Guido of iSEC Partners. He says the Exploit Intelligence Project hopes to change that. Video
- Gartner Security Summit attendees on IT security, government issues
  When managing IT security, government infosec pros face unique risks. Check out these Q&As from the 2011 Gartner Security & Risk Management Summit. Video
- See more Multimedia on Enterprise Risk Management: Metrics and Assessments
About Enterprise Risk Management: Metrics and Assessments
Get the help you need with your enterprise risk assessments, analysis and management framework. Learn the steps, assign roles and responsibilities, find the right tools, make use of standards and automate the process, plus decide what is and isn't acceptable risk.