- Security Industry Market Trends, Predictions and Forecasts
- Enterprise Risk Management: Metrics and Assessments
- Enterprise Compliance Tools
- Business Management: Security Support and Executive Communications
- Enterprise Compliance Management Strategy
- Disaster Recovery and Business Continuity Planning
- Information Security Policies, Procedures and Guidelines
- Information Security Laws, Investigations and Ethics
- Vendor Management: Negotiations, Budgeting, Mergers and Acquisitions
- Information Security Incident Response-Information
- Security Awareness Training and Internal Threats
- News and analysis from IT security conferences
- IT security strategy 2.0: Adjusting for a shifting infosec landscape
  Seismic shifts in the infosec landscape can no longer be ignored. Ernie Hayden explains how to update an IT security strategy to account for change. (Tip)
- Cisco spends cool $2.7 billion in Sourcefire acquisition
  In the biggest security acquisition since 2011, Cisco has announced it will buy IDS maker Sourcefire for $2.7 billion. (News | 24 Jul 2013)
- Cyberthreat landscape plagued by automated attacks, Gartner says
  Gartner VP Richard Hunter reviews the enterprise cyberthreat landscape and explains why automated attacks will only make a bad situation worse. (Podcast)
- Damballa: Security vendor partnerships of growing importance
  Damballa executives say partnerships among security point product vendors are increasingly important, and will ultimately benefit enterprises. (News | 09 Jul 2013)
- How to manage the deluge of information security threat reports
  Many vendors and analysts publish information security threat reports. See Joseph Granneman's strategy to find and use the information that matters. (Tip)
- Ponemon data breach study finds costs up, notification major driver
  The latest Ponemon study on data breaches found that the cost per lost record in an average breach incident increased modestly, from $130 to $136. (News | 05 Jun 2013)
- How will the cloud affect future network security skills requirements?
  Will the ongoing adoption of cloud technology affect the skills that network security engineers need in the future? Matt Pascucci discusses. (Answer)
- Opinion: DBIR, other computer security statistics paint tricky picture
  Verizon's annual breach report highlights a spate of new security research reports. However, overall conclusions from these are hard to come by. (News)
- Opinion: The APT1 aftermath and information sharing
  Marcus Ranum says the Mandiant APT1 report must serve as a model for better information sharing within the information security industry. (Opinion)
- View more on: Security Industry Market Trends, Predictions and Forecasts
- Whistleblower policy: Preventing insider information leak incidents
  NSA-level incidents are rare, but they do happen. Learn how to prevent a whistleblower scenario and limit the risk of insider information leaks. (Tip)
- Closing the gap between IT security risk management and business risk
  Video: It's a mistake to equate IT security risk and business risk. VerSprite's Tony UcedaVelez explains why, and offers advice on bridging the chasm. (Video)
- OCTAVE
  OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a security framework for determining risk level and planning defenses against cyber assaults. The framework defines a methodology to help organizations minimize exposure to likely threats, determine the likely consequences of an attack and deal with attacks that succeed. (Definition)
- How to reduce IT security risk with IT asset management
  IT asset management expert Barb Rembiesa explains how ITAM best practices like IT asset standardization and rationalization reduce IT security risk. (Tip)
- Compliance and risk modeling
  You can fight compliance or embrace it, but one way or the other, you can’t escape it. Increasingly, smart organizations are not just accepting compliance as a necessary evil, but aggressively teaming with their internal compliance and audit teams to structure security programs both for heightened security and clear compliance deliverables. The cover story tackles not only this shift in emphasis, but also the latest updates in key compliance frameworks, offering guidance on how to position new requirements as an opportunity rather than more paperwork. (E-Zine)
- Editor’s desk: A chat with Peter G. Neumann
  Peter G. Neumann shares his thoughts on the inherent complexity of trustworthiness and the evolutionary promise of clean-slate architectures. (Feature)
- Weighing compliance mandates vs. security vulnerability management
  Should security vulnerabilities be prioritized based on compliance needs? Mike Chapple discusses this approach to vulnerability management. (Answer)
- Symantec 2013 Threat Report highlights rise in SMB attacks
  Big Yellow's annual report indicates a threefold rise in targeted attacks against SMBs as attackers search beyond big firms for susceptible targets. (News | 18 Apr 2013)
- Panel: Cyber-intelligence alone can't stop enterprise security threats
  Panelists at the SANS Cyber Threat Intelligence Summit lament the challenges of using cyber-intelligence to thwart enterprise security threats. (News | 27 Mar 2013)
- Use the Mandiant Redline memory analysis tool for threat assessments
  Video: Keith Barker of CBT Nuggets shows how to use the Mandiant Redline memory analysis tool to conduct threat assessments and defeat rootkits. (Video)
- View more on: Enterprise Risk Management: Metrics and Assessments
- Reframing compliance with a threat model
  Too many compliance programs miss the mark. Tony UcedaVelez explains how leveraging a threat model can re-energize your strategy. (Feature)
- Creating a normalized corporate compliance program
  It's essential for IT security managers to create a corporate compliance program to adhere to regulations while maintaining a productive workplace. (Video)
- Meeting PCI DSS compliance requirements with a data management program
  In order to meet PCI DSS requirements and compliance, it is important to organize and sort the data coming in by devising a data management plan. (Video)
- Security data mining techniques to weed through data overload
  These security data mining techniques will allow security professionals to find and tackle the real issues while overcoming data overload. (Video)
- PCI QSA
  Payment Card Industry Qualified Security Assessor (PCI QSA) is a designation conferred by the PCI Security Standards Council to individuals it deems qualified to perform PCI assessments and consulting services. (Definition)
- Talking with lawyers: How to manage information security legal issues
  Dealing with lawyers is often a challenge. Ernie Hayden offers advice for CISOs dealing with enterprise information security legal issues. (Answer)
- Balancing compliance with information security threat assessment
  Compliance is often the driver for security spending rather than real risks. Learn how to incorporate current threats into a compliance program. (Tip)
- Compliance and Cloud Security
  This comprehensive guide to compliance and cloud security covers all the angles in order to help clarify security and compliance issues associated with cloud computing. (E-Book)
- The effects of PCI DSS, compliance requirements on the security industry
  Paul Judge of Barracuda Networks and Joshua Corman of the 451 Group discuss whether compliance hinders the creation of innovative security technologies. (Article | 04 Mar 2011)
- View more on: Enterprise Compliance Tools
- IT security strategy 2.0: Adjusting for a shifting infosec landscape
  Seismic shifts in the infosec landscape can no longer be ignored. Ernie Hayden explains how to update an IT security strategy to account for change. (Tip)
- Corporate compliance program: How to give a status update to the board
  Expert Mike Chapple explains how to communicate the status of a corporate compliance program to the board, including both successes and shortcomings. (Tip)
- Reframing discussions about return on security investment
  According to expert Joe Granneman, return on security investment is a misnomer. Here's a better way to view security expenditures. (Answer)
- The effects of secure application development practices
  Selling the CIO and others on secure application development requires understanding how it will impact the development process. (Answer)
- IT security risk training for executives: How to get started
  Executives don’t have time for formalized security risk training, so the onus is on the security team to become involved with core business processes. (Answer)
- Aligning business and IT security: Learning from South Carolina breach
  Ernie Hayden details how South Carolina's Department of Revenue breach proves business and IT security are often out of alignment, and how to fix it. (Tip)
- Boosting information security budgets: How to get the funds you need
  Getting executive support to boost the information security budget is no easy task. Expert Joe Granneman offers tips for getting the funds you need. (Answer)
- Information Sharing and Analysis Centers: Getting started with ISACs
  Joe Granneman explains how ISACs enable cybersecurity information sharing and the basic requirements for joining an ISAC. (Answer)
- Assumption of breach: How a new mindset can help protect critical data
  By adopting the assumption-of-breach security model, CISOs and security pros can better protect critical data. Expert Ernie Hayden explains. (Tip)
- View more on: Business Management: Security Support and Executive Communications
- Corporate compliance program: How to give a status update to the board
  Expert Mike Chapple explains how to communicate the status of a corporate compliance program to the board, including both successes and shortcomings. (Tip)
- Reframing compliance with a threat model
  Too many compliance programs miss the mark. Tony UcedaVelez explains how leveraging a threat model can re-energize your strategy. (Feature)
- Creating a normalized corporate compliance program
  It's essential for IT security managers to create a corporate compliance program to adhere to regulations while maintaining a productive workplace. (Video)
- Meeting PCI DSS compliance requirements with a data management program
  In order to meet PCI DSS requirements and compliance, it is important to organize and sort the data coming in by devising a data management plan. (Video)
- Security data mining techniques to weed through data overload
  These security data mining techniques will allow security professionals to find and tackle the real issues while overcoming data overload. (Video)
- security information and event management (SIEM)
  Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization’s information technology (IT) security. (Definition)
- PCI assessment
  A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS). (Definition)
- PCI QSA
  Payment Card Industry Qualified Security Assessor (PCI QSA) is a designation conferred by the PCI Security Standards Council to individuals it deems qualified to perform PCI assessments and consulting services. (Definition)
- Talking with lawyers: How to manage information security legal issues
  Dealing with lawyers is often a challenge. Ernie Hayden offers advice for CISOs dealing with enterprise information security legal issues. (Answer)
- Cloud security among PCI Council 2012 special interest groups
  The PCI Security Standards Council delineated a scope of special interest groups known as SIGs in order to help prioritize next year's areas of focus. (News | 16 Nov 2011)
- View more on: Enterprise Compliance Management Strategy
- Prepare for Shamoon malware with data backup and recovery plan
  Expert Nick Lewis discusses how to detect Shamoon malware and emphasizes the importance of detailed data backup and recovery plans. (Answer)
- Security and IT business intelligence
- Sandy put business continuity planning in spotlight
  Some firms struggled while others smoothly executed disaster procedures. Experts said cloud computing aided data center resiliency. (News | 05 Nov 2012)
- Time is now for pandemic flu planning
- Cybersecurity Act of 2009: Power grab, or necessary step?
- Disaster recovery and contingency planning security considerations
- Perspectives: Pandemic planning for remote access
- Avoiding a breach by a third-party data recovery services provider
  Expert Nick Lewis discusses the security requirements enterprises should establish when selecting a third-party data recovery services provider. (Answer)
- Download: Log management best practices: Six tips for success
  In this expert e-guide from SearchSecurity.com you'll discover six tips for success in log management. (Magazine)
- DoS attack responses demand better business continuity plans
  Expert Nick Lewis says effective DoS attack responses demand better business continuity plans, including pre-negotiating with providers. (Tip)
- View more on: Disaster Recovery and Business Continuity Planning
- Security incident response procedures: When to do a system shutdown
  At times, security incident response procedures require drastic measures. Expert Nick Lewis explains when and how to perform a system shutdown. (Tip)
- Is it time for cyber liability insurance?
  Cyber liability insurance can provide a new layer of security in data breach or exploit situations, study finds. (News | 13 Aug 2013)
- SANS Top 20 Critical Security Controls vs. Defence Signals Directorate
  Expert Michael Cobb compares the value of the SANS Top 20 Critical Security Controls with Australia's Defence Signals Directorate advice. (Answer)
- How to reduce IT security risk with IT asset management
  IT asset management expert Barb Rembiesa explains how ITAM best practices like IT asset standardization and rationalization reduce IT security risk. (Tip)
- Information Sharing and Analysis Centers: Getting started with ISACs
  Joe Granneman explains how ISACs enable cybersecurity information sharing and the basic requirements for joining an ISAC. (Answer)
- four eyes principle
  The four eyes principle is a requirement that two individuals review and approve some action before it can be taken. In a business context, the two individuals are often the CEO and the CFO. However, the principle can be applied to decisions at all levels and in a wide variety of environments. The four eyes principle is sometimes called the two-man rule or the two-person rule. (Definition)
- confidentiality, integrity, and availability (CIA)
  Confidentiality, integrity, and availability (CIA) is a model designed to guide policies for information security within an organization. In this context, confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of ready access to the information by authorized people. The model is sometimes known as the CIA triad. (Definition)
- PayPal CISO: Laws must foster better cybersecurity information sharing
  PayPal's Michael Barrett says many firms fear misuse of shared cybersecurity data. He also discusses the evolution of PCI DSS and mobile payment security. (Video)
- How to address password change frequency, reuse for third-party apps
  Expert Michael Cobb explains how password change frequency and reuse for third-party apps should be addressed in enterprise password policies. (Answer)
- View more on: Information Security Policies, Procedures and Guidelines
- Black Hat 2013 keynote: Alexander details NSA surveillance programs
  In his keynote at Black Hat 2013, Gen. Keith Alexander said NSA surveillance programs have strict oversight, despite many inaccurate media reports. (News | 01 Aug 2013)
- Ten years later: The legacy of SB 1386 compliance on data privacy laws
  A decade after becoming law, the ripple effects of California's SB 1386 have surfaced in a new breed of proactive, granular state data privacy laws. (Column)
- Mullen: Cybersecurity threats demand leadership from Capitol Hill
  Adm. Mike Mullen criticized U.S. politicians for a lack of leadership on vital cybersecurity issues and called the NSA PRISM leak a 'huge breach.' (News | 11 Jun 2013)
- Beyond privacy policies: Practical privacy for websites and mobile apps
  Posting a privacy policy is not enough. Here's practical advice for privacy on websites and mobile apps. (Feature)
- For CISOs, California Right to Know Act would raise privacy emphasis
  The proposed California Right to Know Act may compel CISOs to develop additional privacy policies or create new privacy officer roles. (News | 09 Apr 2013)
- Bruce Schneier: China cyberwar rhetoric risks dangerous implications
  Video: Bruce Schneier explains why ongoing China cyberwar rhetoric evokes the wrong responses and may damage personal privacy, and ultimately freedom. (Video)
- 'Internet underground' fight demands better cybersecurity intelligence
  Former U.S. national security advisor Greg Rattray believes better cybersecurity intelligence is needed to combat a growing "Internet underground." (News | 22 Mar 2013)
- DoD security panel calls for new cyber-defense, offense
  A Pentagon advisory panel suggests both beefed-up U.S. cyber-defenses and a proactive plan for offense. (News | 14 Mar 2013)
- PayPal's CISO on cybercrime prevention, Internet security issues
  Video: PayPal CISO Michael Barrett discusses hot-button issues surrounding cybercrime prevention, Internet security and nation-state attacks. (Video)
- Obama's cybersecurity executive order issued for critical infrastructure
  President Obama issued an executive order aimed at fostering public-private information sharing among critical infrastructure sectors. (News | 13 Feb 2013)
- View more on: Information Security Laws, Investigations and Ethics
- IBM acquires Trusteer, forms cybersecurity software lab in Israel
  IBM acquires Trusteer, a software company known for its expertise in enterprise endpoint defense and advanced malware protection. (News | 15 Aug 2013)
- Third-party risk management: Horror stories? You are not alone
  The majority of breaches occur as the result of third parties. MacDonnell Ulsch advises companies to safeguard third-party management agreements. (Feature)
- Aveksa acquisition expands RSA's intelligence-driven security strategy
  Aveksa acquisition should help RSA compete in burgeoning identity management market. (News | 09 Jul 2013)
- CEO: Symantec strategy to emphasize endpoint security, partnerships
  Symantec CEO Steve Bennett says future product strategy will align with the 'Symantec 4.0' blueprint, pushing core features and vendor partnerships. (News | 12 Jun 2013)
- McAfee in agreement to acquire next-gen firewall maker Stonesoft
  McAfee has announced an agreement to acquire next-gen firewall maker Stonesoft for $389 million. (News | 06 May 2013)
- How to choose the best antimalware products: Questions to ask vendors
  Mike Rothman offers 10 critical questions to ask antimalware vendors when seeking out the best antimalware products for enterprise use. (Tip)
- Incorporating compliance teams in the request for proposals process
  Procurement personnel should know when to include the compliance team in the request for proposals process. (Answer)
- McGraw: Use VBSIMM software security model when buying software
  Video: Gary McGraw explains how JPMorgan Chase and others use the VBSIMM security model to vet software purchased from third-party vendors. (Video)
- View more on: Vendor Management: Negotiations, Budgeting, Mergers and Acquisitions
- How to develop a data breach response strategy
- Don't keep quiet after a data security breach
- Key steps for security incident response planning
- Turn your computer incident response team into counter-threat operations
- security event (security incident)
  A security event is a change in the everyday operations of a network or IT service, indicating that a security policy may have been violated or a security safeguard may have failed. (Definition)
- Formulate a more effective information security incident response plan
  In this Hot Type podcast, author Neal McCarthy discusses how enterprises should create and maintain an information security incident response plan. (Hot Type)
- Understanding the insider threat
  In this video, Dawn Cappelli, a member of the Technical Staff in CERT at Carnegie Mellon University's Software Institute, outlines three different types of intentional insider threats. (Video)
- Robert Westervelt, News Director
  Robert Westervelt is News Director for the TechTarget Security Media Group. (News Director)
- SEC guidance clarifies cybersecurity disclosure requirements
  Companies need to factor security risks and incidents in their financial disclosures, agency says. (Magazine)
- Symantec tunes up DeepSight service, unveils authentication capabilities
  Move is part of an industry trend that turns threat intelligence data into actionable information. (News | 18 Oct 2011)
- View more on: Information Security Incident Response-Information
- exit interview
  An exit interview is a meeting between management representatives and someone who is leaving an organization. Businesses and other organizations such as educational institutions use exit interviews to gather useful feedback that can help guide future practices. (Definition)
- IT security strategy 2.0: Adjusting for a shifting infosec landscape
  Seismic shifts in the infosec landscape can no longer be ignored. Ernie Hayden explains how to update an IT security strategy to account for change. (Tip)
- Whistleblower policy: Preventing insider information leak incidents
  NSA-level incidents are rare, but they do happen. Learn how to prevent a whistleblower scenario and limit the risk of insider information leaks. (Tip)
- Reframing discussions about return on security investment
  According to expert Joe Granneman, return on security investment is a misnomer. Here's a better way to view security expenditures. (Answer)
- IT security risk training for executives: How to get started
  Executives don’t have time for formalized security risk training, so the onus is on the security team to become involved with core business processes. (Answer)
- Using SANS Securing the Human security awareness tools
  Learn how to use tools from the SANS Securing the Human program to boost the effectiveness of an enterprise security awareness program. (Answer)
- A HIPAA compliance checklist for corporate mergers and acquisitions
  Learn about the important HIPAA compliance best practices that can help maintain compliance before and after a corporate merger or acquisition. (Tip)
- To nullify targeted attacks, limit out-of-office message security risk
  Expert Michael Cobb details how to reduce out-of-office message security risk, and thus targeted attacks, by limiting the personal information given out. (Answer)
- Block Windows Help files to help prevent social engineering attacks
  Expert Nick Lewis explains how to prevent social engineering attacks that utilize Windows Help files by blocking attachments with the .hlp extension. (Answer)
- View more on: Security Awareness Training and Internal Threats
- Black Hat 2013: Experts urge elliptic curve cryptography adoption
  A session by a team of crypto experts at Black Hat USA 2013 argued that RSA and Diffie-Hellman should be abandoned in favor of ECC. (News | 02 Aug 2013)
- Black Hat 2013 attendance nears 7,500, tops 2012
  Brief: GM Trey Ford said Black Hat 2013 attendance was up by 8% compared with last year's event. Ninety-eight new tools were introduced. (News | 01 Aug 2013)
- 2013 Black Hat conference: Feds welcome!
  Despite DefCon founder's blog telling Feds to stay home, Black Hat says they're 'welcome' at the show. (News | 12 Jul 2013)
- Vendors showcase MAM products that ease BYOD challenges at RSA 2013
  RSA exhibitors offered a range of mobile application management solutions, intended to ease the challenges of monitoring BYOD environments. (News | 27 Feb 2013)
- RSA 2013: Charney optimistic about the future of information security
  In his RSA Conference 2013 keynote, Microsoft's Scott Charney struck an optimistic note when talking about the future of information security. (News | 27 Feb 2013)
- Big data 2.0: CISOs push need to identify attack campaigns
  CISOs at RSA Conference 2013 say identifying attack campaigns means taking security big data to the next level. The hard part? Finding data analysts. (News | 27 Feb 2013)
- Coviello pitches 'transformational' information security strategy
  In a talk critical of cyberattack finger-pointing, Art Coviello stressed the need for infosec strategy to emphasize big data and interconnectivity. (News | 26 Feb 2013)
- Security B-Sides presenter questions value of penetration testing
  At Security B-Sides San Francisco, Brett Hardin asked why organizations hire penetration testers and assessed the value of penetration testing. (News | 26 Feb 2013)
- RSA Conference 2013: Analysis, video and news from RSA
  Updated throughout RSA Conference 2013, visit here often for the latest analysis, video and news from RSAC in San Francisco. (Guide)
- offensive security
  Offensive security is a proactive and antagonistic approach to protecting computer systems, networks and individuals from attacks. (Definition)
- View more on: News and analysis from IT security conferences
Security Management Strategies for the CIO