Monday, January 26, 2015

Risk & Reward

I think we have all heard the phrase, "no risk, no reward".  I think it applies not only to life in a general sense...asking out that special someone or taking on new challenges...but to the IT world as well, specifically the infosec arena. 

While risk might generally imply death and destruction (ok, maybe not that bad), it isn't always doom and gloom. A lot can be learned from things like risk identification inside an organization. 

We (I am assuming here) have all heard of something called risk management. Essentially, managing the risks to the company or organization. This is a critical component in managing IT in all its glory and splendor. 

But why is it a good thing, what does it have to offer? One thing that comes to mind is knowledge. Learning the company (the self) and learning your enemy (the hackers or the threats that come from the outside). Much like General Sun Tzu's words of "know the enemy and know yourself". 

Risk identification is the self-examination process that identifies the organization's assets and classifies them by importance. Giving value to everything, every moving part....then allows that threat identification to come to fruition.

Oh my! I know admitting it is the first step, right...probably hard for an organization to actually admit their threats or weaknesses. But it is necessary in order to protect their assets: detecting their vulnerabilities and planning from there, the possibility of consequences, the percentage of risks mitigated, etc. 

And again we go back to knowing the enemy and knowing the self: how much more useful things like risk analysis become in order to protect the self from the enemy. Hence, without taking that risk of knowing the self (faults and all), the reward of protecting the self from the enemy can't happen. And possible bad things could happen on a much broader scale than if an organization had put in the time to actually analyze their assets and weaknesses (knowing the self). 

Because there really is a lot of information on risk management, risk identification, etc., here are a few links to have a look at for more information. 

Risk Management: https://www.theirm.org/about/risk-management/
Risk Identification: http://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-identification

Stay safe out there (and if you feel like it, try something new..remember risk & reward, unless it's illegal...don't do that)


Monday, January 19, 2015

ISO 27000

While ISO 27000 may sound like a new piece of technology or electronic device...it's not.  It's actually pretty neat, I shall explain why. 

When organizations hire employees they tend to like certifications for certain types of positions. Right? I mean my old A+ from CompTIA is still golden (and it never expires, unlike these new ones..hehe) 

An ISO certification is a certification for the organization that says, "Hey, we have IT standards set in place and we are on top of this." Much like an employee's certification in something valuable, this is something for the organization to have, making it extremely valuable. 

Why? Well because you asked so nicely, I shall continue. 

In our modern world technology is advancing...rapidly. And security and competence are always a question of, "are they secure, do they know what they are doing?" While many times we can assume they are or they might be, one surefire way to tell is to look for organizational certifications, such as ISO 27000. 

While it doesn't guarantee that a company/organization is perfect or that they won't have a security mishap, etc., it does show that the organization has met the standard for information technology and management information systems. With this, the organization can be a trusted source of IT services and inspire confidence in the reliability of their internal operations. 

Granted, this doesn't guarantee that security will never be an issue, but it's at least something to consider when going into business with an organization that has an ISO 27000 certification. It's like having an alarm system: it doesn't guarantee your safety or that someone won't try to break in. BUT it's one heck of a deterrent AND an established process in place. It makes you FEEL better...that's important.

If you would like to know more about ISO 27000, please have a look at: http://www.27000.org

It does look like a lot to go through and may be a bit dry, but I believe on an organizational level it's a diamond to have in your pocket...especially if you're in the IT business. I may even have to make a recommendation at my place...hmm.

Stay safe out there!


Monday, January 12, 2015

The Curious Mind

While I am naturally curious, I tend to think most IT professionals are. 

What does this do, how does that work, is there a better way...etc. And while Youtube.com has been the answer to many of those questions and searches, there might be a new contender on the block. 

Curious.com might have the answer to all those questions and more. According to Cnet, "The Menlo Park, Calif.-based e-learning site offers more than 10,000 curated short-form, interactive videos taught by 1,000 teachers on a variety of esoteric topics, ranging from macrame to triathlon training to calculus to the martial arts (Karr, Cnet.com, 2015)." 

And while even I am wondering why not use Youtube.com...the idea of Curious.com is to bring together the formality of training (much like Lynda.com and its extensive courses) and the randomness of Youtube.com in a new way. 

Cnet also goes on to explain that Curious.com will offer courses ranging from technology, to food, to fitness, to language, and business. 

This is good news for us technology junkies. Anyone wanna learn how to code Android applications?  Well, it's a free preview and then it'll cost ya $79.99 for the course. Not bad. While it's still a new organization, I am sure more courses will arrive for free or purchase. I am hoping for some security based courses at some point, maybe more in the business realm. 

And while Youtube.com may always be a viable option for learning new things, Curious.com seems a bit less "grab your camera and film something." There seems to be a better structure and more of a sense of real-ness to its training/learning structure. They vet each video and give their "instructors" a guideline for course development. 

In the meantime, good old-fashioned books might be your best bet for information security subject matter....but one day I think we might find much of this in an online training course. Heck, I take online classes! Is it really that much different? Not anymore: Curious.com also allows for questions/feedback, much like an online course...not like Youtube.com. Wow. I might have to go find a free course now! (Starving student and all...ok, not really, but free is free)

Sources: 
www.youtube.com
www.curious.com
http://www.cnet.com/news/curious-much-this-e-learning-site-may-have-the-answer/

Monday, January 5, 2015

Security policies, standards, and guidelines...Oh My!

Well Happy 2015!

Maybe we should talk about security policies, standards, and guidelines.

While this is a broad topic, I do find the need for it urgent. Especially considering our environment that seems to be overrun with security breaches, among other things...again, poor Sony, how many times were they hacked in 2014?

Either way, any organization should have a security policy in place for day to day workplace instructions on how to properly behave regarding information systems and assets. When a security policy is in place, that policy should drive the standards for the organization, and in turn the standards should help develop the procedural guidelines an organization needs.

Ironically, these ideas in practice go back up the model: practices and guidelines need to meet the standards, which carry the weight of the policy. Kind of an up, down, and up approach. They are all critical and valuable to the organization.

Without these in place, besides the obvious sight of IT professionals running around looking like chickens with their heads cut off (no chickens were harmed in the making of this blog), we see the value in these three (3) musketeers (policy, standards, and guidelines).

Things to consider:

  • Policy cannot conflict with the law. Enron anyone? 
  • Policy/standards/guidelines should define for the organization how technology-based systems, information and data are used and stored.
  • Policies like these could address liability issues (if necessary).
  • The who, what, when, and where is defined in these policies and standards.

While even the company I work for (a small software company) has these in place, not every organization lays their foundation for these three (3) musketeers. And since they definitely help keep the organization in line and on top of their game, perhaps with it being the new year...a new resolution is in order for those companies out there: create your security policies, standards, and guidelines. If there is one in place, make sure updates and new revisions are made if they haven't been done in a while to keep up with our hectic online environment. 

Stay safe out there!