14 Mar 2008

More from Securosis...

While Rich was away he brought in David Mortman who wrote this gem.

I think he hits the nail on the head and together with the article I linked to in my previous post, this is the future of Information Security.

I believe the take-away quote is this:

"However, compliance is not a technology problem — it’s a business problem which needs a business solution. By instituting sustainable business processes that effectively leverage people and technology, enterprises will become not just more secure but also compliant with current and emerging regulations."

I think that everyone involved in Information Security should read that, understand it and learn it off by heart. And then practice it.

Once we can define a process and what information is used in it, who does it and when it happens - bingo - we can secure the process from start to finish. Most companies I have worked in (and I have worked in plenty) have no formal process design and so would not be able to properly enforce Information Security.