Defense-in-depth, Part 2

Last post, I discussed the concept of defense-in-depth (DiD) where overlapping controls provide increased security, particularly if one of the controls should happen to fail. Now, I will give a specific example—host-based firewalls. Both the Windows and Linux operating systems have firewalling capabilities built into the OS. Frequently, I will…

Defense in Depth

Security is hard because it requires attention to detail and getting the “blocking & tackling” right. There are lots of cool and shiny security products on the market today. Remember a “product” is not a “solution” until it is tailor-fit to meet the needs of the organization and properly maintained…

Security Policy Exceptions

Not long ago, I was reading a debate on a Linkedin.com forum discussing all kinds of edge cases that some participants were arguing needed to be considered in a security policy regarding some particular aspect of security. In fact, I forget what the issue was, but it was clear that…

Why Have Security Policy?

I have found that not everyone has considered the role of security policy in an organization’s information security management program. Therefore, I will share some of my insights with the hope that it will help others articulate it to their organizations. A Security Policy is a written document that states…

Lessons Learned from the JFK Jet Skier Incident

Earlier this week media outlets had a field day with the news story about Daniel Casillo, the guy who swam up to the JFK runway, climbed 8 feet of barbed wire, walked across two runways and then entered Delta’s terminal 3. (See the ABC News Story.) Apparently this all went undetected until…

Zero Factor Authentication

There is an important difference between “identification” and “authentication.” Identification is how a particular object (such as a person, a device, or a program) is referenced. The name badge worn by doctors and nurses in a hospital is a good example. Because of the way that identities are used to…

What does trust have to do with it?

NOTE: This is cross-posted from the HIMSS Blog at http://blog.himss.org/2012/06/07/psst-what-does-trust-have-to-do-with-it/ Here is the latest installment from the HIMSS Privacy and Security Committee…called PSST!. Keep reading to learn more about the column and this month’s topic – Patient Trust by Kenneth G. Hartman, CISSP, CPHIMS, GSEC The HIMSS Privacy and Security Committee…

Are We More Secure Today?

Yesterday I was asked a question in passing. The question was this: Are we more secure today? My reflexive answer was “yes, we get more secure every day.” After all, how else could I justify my employment? This question challenged me on many levels. The first thoughts were how can…

My Security Philosophy

A brand is a promise that is made to the company’s customers. Over time, customers trust the brand based on the trustworthiness of the company. Security plays an important role in protecting that trust by managing risks to confidentiality, availability, and integrity. Customers expect that the information systems that they…