- Security Industry Market Trends, Predictions and Forecasts
- Enterprise Risk Management: Metrics and Assessments
- Enterprise Compliance Tools
- Business Management: Security Support and Executive Communications
- Enterprise Compliance Management Strategy
- Disaster Recovery and Business Continuity Planning
- Information Security Policies, Procedures and Guidelines
- Information Security Laws, Investigations and Ethics
- Vendor Management: Negotiations, Budgeting, Mergers and Acquisitions
- Information Security Incident Response-Information
- Security Awareness Training and Internal Threats
- News and analysis from IT security conferences
- Information security roles and the cloud (News | 13 Mar 2012): How will security pros’ jobs change as cloud use grows?
- Information Security magazine editorial calendar (Editorial Calendar): Check out our Information Security magazine editorial calendar to learn what's planned for future issues.
- Security startups to unveil new security technology at RSA 2012 (News | 16 Feb 2012): One firm will leave RSA 2012 with the “Most Innovative” title, but industry experts say they all contribute to bringing the security industry up to par with sophisticated malware and hacking techniques.
- Robert Westervelt (News Director): Robert Westervelt is News Director for the TechTarget Security Media Group.
- The lack of computer security: We’re all responsible (Magazine): We all have an explanation for weak security, but everyone needs to do their part to improve it.
- McAfee DeepSAFE technology not yet a game changer, say analysts (News | 20 Oct 2011): Deep Defender examines memory processes, enabling enterprises to block or deny actions to provide rootkit protection. Analysts say there may not be great demand for the protection.
- NSA’s Sager on trends of 2011 security breaches, advanced persistent threat hype (Video): The NSA’s Tony Sager discusses macro trends of 2011 security breaches, why advanced persistent threat hype isn’t justified, and infosec lessons learned from his wife and kids.
- Winners of the 2011 Security 7 Award have their say (Magazine): Hear from the winners of this year's Information Security magazine Security 7 Award.
- Security 7 Award: Seven security standouts (Magazine): This year’s Security 7 Award winners represent a bright spot in an industry beset by bad news.
- Vulnerability management program has unexpected benefits (Magazine): Security 7 Award winner Brian Wishnousky of Rogers Communications explains how to get the best actionable data from a vulnerability management program to fill patching gaps and uncover rogue devices.
- VIEW MORE ON: Security Industry Market Trends, Predictions and Forecasts
- Geer: More redundancy, manual processes can cut IT infrastructure risk (News | 19 Apr 2012): Luminary Dan Geer says IT infrastructure risk can be reduced by boosting Internet resiliency and by planning backup processes should the Net go down.
- Industry is doomed by automation, misguided IT security strategy, experts warn (News | 04 Apr 2012): Blunt experts at InfoSec World said enterprise IT security strategy often misses the mark, but some attendees suggested the experts are out of touch.
- How to manage the compliance cycle to improve your compliance strategy (News | 06 Mar 2012): Too often, organizations jam all their compliance tasks into the quarter when the audit is due. Read advice for reducing compliance fatigue.
- More than hype: Security big data helps bank to boost security program (News | 01 Mar 2012): At RSA Conference 2012, Zions Bancorporation detailed how it harvested security big data using a Hadoop-based security data warehouse.
- Can SMBs sue their bank and recover losses from a hacked bank account? (News | 01 Mar 2012): RSA Conference 2012 panelists discussed court rulings on liability for hacked bank accounts, and gave advice to security pros for protecting financial assets.
- Longstanding network security problems plague enterprises, Trustwave finds (News | 07 Feb 2012): While organizations focus on mobile security and other emerging threats, an analysis of more than 2,000 penetration tests conducted by Trustwave found older threats often overlooked.
- How to implement an enterprise threat assessment methodology (Tip): Learn how incorporating an assessment of external threats can increase the accuracy and comprehensiveness of risk assessments.
- Building a compliance culture means learning from mistakes (Tip): In this bonus to our "Compliance scorecard" Security School lesson, Eric Holmquist covers the importance of learning from failure by assessing how and why mistakes happen.
- SEC guidance clarifies cybersecurity disclosure requirements (Magazine): Companies need to factor security risks and incidents into their financial disclosures, agency says.
- VIEW MORE ON: Enterprise Risk Management: Metrics and Assessments
- PCI QSA (Definition): Payment Card Industry Qualified Security Assessor (PCI QSA) is a designation conferred by the PCI Security Standards Council on individuals it deems qualified to perform PCI assessments and consulting services.
- Talking with lawyers: How to manage information security legal issues (Answer): Dealing with lawyers is often a challenge. Ernie Hayden offers advice for CISOs dealing with enterprise information security legal issues.
- Balancing compliance with information security threat assessment (Tip): Compliance is often the driver for security spending rather than real risks. Learn how to incorporate current threats into a compliance program.
- Compliance and Cloud Security (EBook): This comprehensive guide to compliance and cloud security covers all the angles in order to help clarify security and compliance issues associated with cloud computing.
- The effects of PCI DSS, compliance requirements on the security industry (Article | 04 Mar 2011): Paul Judge of Barracuda Networks and Joshua Corman of the 451 Group discuss whether compliance hinders the creation of innovative security technologies.
- PCI survey finds more compliance spending planned to meet guidelines (Article | 12 Jan 2011): A survey of 500 security professionals found that although compliance initiatives are burdensome, they are improving security at most organizations.
- user account provisioning (Definition): User account provisioning is a business process for creating and managing access to resources in an information technology (IT) system. To be effective, an account provisioning process should ensure that the creation of accounts and the provisioning of access to software and data is consistent and simple to administer.
- Secure Sockets Layer (SSL) (Definition): SSL (Secure Sockets Layer) is a commonly used protocol for managing the security of message transmission on the Internet; it uses a program layer located between the Internet's HTTP and TCP program layers.
- Division of CISO responsibilities may prevent burnout (News | 17 May 2012): CISO responsibilities can be overwhelming, according to a new IBM survey. One solution may be to divide the role into two jobs.
- Business and IT security alignment is off (News | 09 Apr 2012): Aligning IT security with business goals is nice, but is it always realistic? Mandates from management often clash with the industry’s ideal characterization of an IT security leader.
- Industry is doomed by automation, misguided IT security strategy, experts warn (News | 04 Apr 2012): Blunt experts at InfoSec World said enterprise IT security strategy often misses the mark, but some attendees suggested the experts are out of touch.
- Book chapter: Obtain Buy-In from Stakeholders (Feature): This is an excerpt from the book Security Metrics: A Beginner’s Guide. Author Caroline Wong discusses strategies for managing a team of stakeholders.
- Best practices: Gaining executive support for the software security lifecycle (Answer): Recent BSIMM3 study results provide guidelines for why executive support for the software security lifecycle is so important. Michael Cobb explains.
- Privileged account policy: Securely managing privileged accounts (Answer): Randall Gamby discusses how to securely implement a privileged account policy within the enterprise and collectively manage sensitive account information.
- Why businesses should care about proposed Protect IP, SOPA pirating laws (News | 20 Dec 2011): Legislation is aimed at stopping piracy, but security professionals and industry groups say it could weaken security, hamper innovation and limit competition among small businesses and startups.
- Modern security management strategy requires security separation of duties (Tip): Contributor Matthew Pascucci argues that enterprises need security separation of duties to ensure an effective, modern security management strategy.
- Security innovation must hurdle academic, regulatory roadblocks (News | 05 Oct 2011): Regulators, lawmakers and academia share equal blame in putting the brakes on innovation in security, experts say.
- MGH security director on making the security business case (Video): Bonnie Michelman, security chief for Massachusetts General Hospital, discusses making the security business case to executives.
- VIEW MORE ON: Business Management: Security Support and Executive Communications
- PCI assessment (Definition): A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS).
- PCI QSA (Definition): Payment Card Industry Qualified Security Assessor (PCI QSA) is a designation conferred by the PCI Security Standards Council on individuals it deems qualified to perform PCI assessments and consulting services.
- Talking with lawyers: How to manage information security legal issues (Answer): Dealing with lawyers is often a challenge. Ernie Hayden offers advice for CISOs dealing with enterprise information security legal issues.
- Cloud security among PCI Council 2012 special interest groups (News | 16 Nov 2011): The PCI Security Standards Council delineated a scope of special interest groups, known as SIGs, in order to help prioritize next year's areas of focus.
- Best policy and risk management products 2011 (Magazine): Readers choose the best policy and risk management products of 2011.
- Balancing compliance with information security threat assessment (Tip): Compliance is often the driver for security spending rather than real risks. Learn how to incorporate current threats into a compliance program.
- Gartner: Dodd-Frank regulations demand compliance bureau (News | 21 Jun 2011): All companies, not just financials, must comply with the Dodd-Frank Act; Gartner recommends having a compliance bureau monitor the implications.
- Robust information security program key to PCI compliance requirements (Magazine): A strong information security program that goes beyond minimum standards will ease compliance.
- McAfee survey confirms compliance as key driver for IT security (Article | 24 Feb 2011): A survey of more than 300 IT professionals found that 25% of IT projects begin as part of compliance initiatives.
- Cost of non-compliance outweighs cost of maintaining compliance, report finds (Article | 31 Jan 2011): A study by the Ponemon Institute found that the average total cost of compliance is more than $3.5 million.
- VIEW MORE ON: Enterprise Compliance Management Strategy
- DoS attack responses demand better business continuity plans (Tip): Expert Nick Lewis says effective DoS attack responses demand better business continuity plans, including pre-negotiating with providers.
- Getting started with a DNSSEC implementation (Answer): The many well-publicized flaws in DNS make implementing DNSSEC even more vital. In this expert response, Mike Chapple explains the enterprise basics for a DNSSEC implementation.
- Information security roles growing in influence (Feature): Information security managers are getting more of a say in enterprise cloud initiatives and mobile device projects.
- Disaster recovery and contingency planning security considerations (Feature): Security must be included in disaster recovery planning to ensure sensitive data is protected.
- Study finds overconfidence in disaster recovery, continuity plans (Article | 30 Sep 2010): Businesses that experienced a network outage suffered more than $1.7 billion in profit loss, despite having business continuity and disaster recovery plans in place.
- For Google, DNS log analysis essential in Aurora attack investigation (Article | 15 Jun 2010): A malicious link in an instant message set the stage for a well-coordinated network infiltration of Google's systems. Subtle clues helped investigators trace the attacker's steps.
- Disaster recovery security considerations for financial services (Tip): Financial firms need to include security in their disaster recovery planning. In this tip, Randall Gamby discusses how enterprises can ensure information remains secure during a business disruption.
- Feds must take action on Cyber Storm exercise lessons, expert says (Article | 21 Apr 2010): Legislators, DHS and other federal agencies must use the Cyber Storm outcomes to take action rather than conducting more studies, said former federal cybersecurity czar Andy Purdy.
- Updated Cybersecurity Act reshapes federal compliance, education (News | 24 Mar 2010): The proposed law now lacks an Internet kill-switch provision, clarifies certification and expands public-private cooperation on federal cybersecurity compliance.
- How to update a disaster recovery, contingency planning strategy (Ask the Expert): Have your disaster recovery plans fallen woefully behind the current state of your business? In this expert response, Ernie Hayden discusses how to conduct tabletop exercises to get your plans back on track.
- VIEW MORE ON: Disaster Recovery and Business Continuity Planning
- How acceptable use agreements can combat BYOD security issues (Answer): Is your organization facing BYOD security issues? Learn how the implementation of acceptable use agreements can help contain these issues.
- information-centric security (Definition): Information-centric security is an information security paradigm that emphasizes the security of the information itself rather than the security of networks, applications, or even simply data.
- PCI Security Standards Council (Definition): The PCI Security Standards Council is an organization created by the major credit card companies in an effort to better protect credit card holder data.
- PA-DSS (Payment Application Data Security Standard) (Definition): Payment Application Data Security Standard (PA-DSS) is a set of requirements that are intended to help software vendors develop secure payment applications that support PCI DSS compliance.
- PCI policy (Definition): A PCI policy is a type of security policy that covers how an organization addresses the 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS).
- Can SMBs sue their bank and recover losses from a hacked bank account? (News | 01 Mar 2012): RSA Conference 2012 panelists discussed court rulings on liability for hacked bank accounts, and gave advice to security pros for protecting financial assets.
- RSA Conference 2012 keynote prescribes intelligence-driven security (News | 28 Feb 2012): RSA’s Arthur Coviello urged security pros to break down silos and adopt intelligence-driven security programs, or face a tough year.
- SEC disclosure rules: Public company reporting requirements explained (Tip): Learn the public company reporting requirements necessary to comply with CF Disclosure Guidance Topic No. 2, the SEC's cybersecurity reporting rules.
- Best practices: Gaining executive support for the software security lifecycle (Answer): Recent BSIMM3 study results provide guidelines for why executive support for the software security lifecycle is so important. Michael Cobb explains.
- Talking with lawyers: How to manage information security legal issues (Answer): Dealing with lawyers is often a challenge. Ernie Hayden offers advice for CISOs dealing with enterprise information security legal issues.
- VIEW MORE ON: Information Security Policies, Procedures and Guidelines
- Praise, criticism for retiring cybersecurity coordinator Howard Schmidt (News | 17 May 2012): Security experts say some issues haven’t been adequately addressed by the White House security chief.
- CISPA threat intelligence bill passes House (News | 27 Apr 2012): The Cyber Intelligence Sharing and Protection Act (CISPA) clears security vendors of any liability for sharing customer attack data with federal officials.
- ISP’s anti-botnet code of conduct accomplishes little (News | 26 Mar 2012): Leading ISPs sign the U.S. Anti-Bot Code of Conduct, which stops short of demanding ISPs provide a clean pipe to customers.
- For U.S. companies, EU cookie compliance calls for website changes (Tip): With recent changes to European data privacy laws, U.S. enterprises must make website changes to meet EU cookie compliance deadlines.
- SEC disclosure rules: Public company reporting requirements explained (Tip): Learn the public company reporting requirements necessary to comply with CF Disclosure Guidance Topic No. 2, the SEC's cybersecurity reporting rules.
- Can a computer security researcher go too far? (Magazine): An examination of three cases illustrates that it’s not always a clear case of good vs. evil.
- Security leaders help squash SOPA, PIPA pirating laws (Magazine): Prominent security and Internet thinkers and leaders have become an effective lobby on Capitol Hill and played a big role in squashing SOPA.
- SOPA and PIPA pirating laws lose support in face of opposition (Magazine): Security experts say there are better alternatives to copyright protection.
- Information Security Magazine: FEBRUARY 2012 (Magazine): Learn about the latest malware threats targeting enterprises and what you can do to reduce the risk of infection.
- Explaining how trusted SSL certificates and forged SSL certificates work (Answer): Web security relies on valid, trusted SSL certificates, but as Michael Cobb explains, forged SSL certificates undermine the model for trusted Web connections.
- VIEW MORE ON: Information Security Laws, Investigations and Ethics
- BeyondTrust acquires eEye Digital Security for vulnerability management (News | 10 May 2012): Analysts say eEye’s vulnerability and configuration management capabilities are a good fit with BeyondTrust’s privilege management and AD integration.
- TIBCO to acquire SIEM vendor LogLogic (News | 04 Apr 2012): TIBCO, an integration software company with little security experience, will purchase one of the few remaining viable standalone SIEM vendors. Terms were not disclosed.
- Thoma Bravo sells next-gen firewall, UTM vendor SonicWall to Dell (News | 13 Mar 2012): Dell’s security portfolio expands with purchase of unified threat management and next generation firewall vendor SonicWall from private equity firm.
- Trustwave acquires M86 Security for SaaS, managed security services (News | 06 Mar 2012): The company, which has made many acquisitions in the last five years, faces integration challenges as it moves more broadly into SaaS, managed security services, analyst says.
- Twitter acquires Dasient in security buying spree, Android platform focus (News | 24 Jan 2012): Web-based antimalware vendor Dasient is the second security firm acquired by Twitter in recent months. In November, Twitter acquired Android security vendor Whisper Systems.
- Advice for developing a vendor compliance checklist for a vendor review process (Answer): Charles Denyer offers advice for developing a vendor compliance checklist to support a vendor review process or a third-party vendor audit.
- Readers' Choice Awards 2011
- Best Antimalware Products 2011
- Will independent endpoint protection review improve products? (Answer): ICSA Labs recently announced a new endpoint security certification. Could it help improve endpoint security products?
- Information Security magazine online July-August 2011 (Magazine): This issue of Information Security looks at how organizations can build counter threat operations.
- VIEW MORE ON: Vendor Management: Negotiations, Budgeting, Mergers and Acquisitions
- SEC guidance clarifies cybersecurity disclosure requirements (Magazine): Companies need to factor security risks and incidents into their financial disclosures, agency says.
- Symantec tunes up DeepSight service, unveils authentication capabilities (News | 18 Oct 2011): Move is part of an industry trend that turns threat intelligence data into actionable information.
- Information Security magazine online July-August 2011 (Magazine): This issue of Information Security looks at how organizations can build counter threat operations.
- Turn your computer incident response team into counter-threat operations (Magazine): Fending off modern computer attacks requires actively hunting down intruders.
- Key steps for security incident response planning (Feature): Security incidents are going to happen. Don't get caught flat-footed.
- Hoglund: Malware protection and defense needs fresh approach (Article | 09 Nov 2010): Traditional malware analysis cannot keep up with new malware, said noted malware expert Greg Hoglund, founder of HBGary Inc. Hoglund is pushing for new defense techniques.
- How to develop a data breach response strategy (Feature): Targeted attacks on corporations and their crown jewels have become routine. Companies need to be prepared.
- Perimeter defenses deemed ineffective against modern security threats (Article | 30 Jun 2010): Targeted attacks like Operation Aurora require organizations to change up their security strategy, experts say.
- For Google, DNS log analysis essential in Aurora attack investigation (Article | 15 Jun 2010): A malicious link in an instant message set the stage for a well-coordinated network infiltration of Google's systems. Subtle clues helped investigators trace the attacker's steps.
- VIEW MORE ON: Information Security Incident Response
- Using social engineering testing to foster anti-social engineering training (Answer): Worried your users could easily be pwned? Learn about improving social engineering testing to foster anti-social engineering training.
- Book chapter: Insider theft of intellectual property (Feature): This is an excerpt from the book The CERT Guide to Insider Threats describing entitlement-based attack models and how to implement controls.
- Employee risk assessment: Helping security spot high-risk employees (Tip): Expert Ernie Hayden offers a brief primer on employee risk assessment using CERT guidelines to help security teams spot high-risk employees.
- Security policy and international employment laws for hiring overseas (Tip): Before opening an office abroad and hiring employees in other countries, learn how to adapt your security policy to international employment laws.
- Anti-social engineering training: The first line of defense against human error (Tip): Security team member Jeffrey Catalfamo details the key elements of a successful anti-social engineering training program.
- Firms struggle to address social networking security risks, survey finds (News | 03 Oct 2011): Many firms rely on antivirus and antimalware technologies to address social networking risks, according to a survey by the Ponemon Institute.
- 5 Common Missteps with Trusted Insider Privileges (Podcast): Insiders with elevated privileges are trusted with the keys to the kingdom; they're also prime targets for abuse from outsiders. In this podcast, you’ll learn five quick fixes to lessen the risk posed by trusted insiders.
- Spear phishing examples: How to stop phishing from compromising users (Tip): Spear phishing targets the weakest link in most security programs: users. These spear phishing examples can help your enterprise thwart attacks.
- URL shortening security best practices (Answer): Expert Michael Cobb weighs in on risks you may not know about with shortened URLs from TinyURL or Bit.ly.
- Former CIA official cites rise in government cybersecurity awareness (News | 03 Aug 2011): Former CIA ops director Cofer Black urges the security community to educate decision makers and validate how cyberattacks endanger national defense.
- VIEW MORE ON: Security Awareness Training and Internal Threats
- HP releases new SIRM platform for risk management (News | 14 Mar 2012): HP released a new security intelligence and risk management platform, integrating security technologies from its portfolio of security products.
- Jim Reavis on cloud transparency, cloud security trends (Video): In this video from RSA Conference 2012, CSA Executive Director Jim Reavis talks about the group’s projects and building cloud security trust.
- Tim Rains on cloud computing security standards, provider transparency (Video): In this video from RSA Conference 2012, Microsoft’s Tim Rains talks about emerging cloud security standards efforts and customers’ need for visibility into cloud provider security.
- How to manage the compliance cycle to improve your compliance strategy (News | 06 Mar 2012): Too often, organizations jam all their compliance tasks into the quarter when the audit is due. Read advice for reducing compliance fatigue.
- Experts say Android malware research can help Android app security (News | 02 Mar 2012): Android malware research experts at RSA Conference 2012 say using free tools to spot Android malware trends can help foster greater Android app security.
- OpenDNS hires Websense CTO, readies enterprise strategy (News | 02 Mar 2012): DNS provider said it plans a big move into the enterprise security market.
- FBI Director Mueller: For U.S., cybersecurity threats will surpass terrorism (News | 01 Mar 2012): At RSA Conference 2012, FBI Director Robert Mueller said the bureau is ramping up to fight cybersecurity threats and boost information-sharing efforts.
- More than hype: Security big data helps bank to boost security program (News | 01 Mar 2012): At RSA Conference 2012, Zions Bancorporation detailed how it harvested security big data using a Hadoop-based security data warehouse.
- Hacking back puts security on the offensive (News | 01 Mar 2012): Two penetration testers at RSA Conference 2012 explain how enterprises can hack back against attackers and stay within legal and ethical boundaries.
- To get help with secure software development issues, find your own flaws (News | 01 Mar 2012): RSA Conference 2012 experts say finding and sharing real internal secure software development issues is the best motivator for change.
- VIEW MORE ON: News and analysis from IT security conferences