Friday, July 1, 2011

NIST - Patch Management Program

Special Publication SP800-40 version 2 is 75 pages on creating a very robust Patch and Vulnerability Management program.

Not to fear, the last 25 pages of it are appendices.  Glossary, Index, and...
Appendix D - A great list of resources with websites!

Thursday, June 30, 2011

PCI Compliance

I've been going through PCI Compliance training for the last few weeks.  Interesting stuff - kind of.
All of it is just basic "good information security" practices.  Antivirus on your workstations, periodic scanning of your environment, and don't transmit people's card information over the internet unencrypted.  While these are just a few items looked at in an assessment, they sound pretty straightforward to me.

Talking to a QSA (Qualified Security Assessor) for PCI, there are so many merchants out there that are a literal train wreck.  Kind of scary.

The latest PCI Security Standards can be found HERE.

Depending upon how many transactions the merchant performs in a 12 month period, a QSA might not be needed.  This would then require a self assessment to determine if the merchant is in compliance.  I am assuming that the merchant provider would be helping their customers through all of this.

Another standard to make sure people are doing the right thing...

Saturday, April 2, 2011

Twitter and Facebook

I attended a seminar a few weeks ago in order to get some CPE for my CISSP and CISM certificates.

The presenter displayed his contact information with references to Facebook, Twitter, and LinkedIn.  He asked how many people were on Twitter, and only about ten out of about 200 people raised their hand.

After talking with an information security practitioner that I really respect, she said that she doesn't do Facebook or Twitter.  They are just not secure for so many reasons.

I started to think - are the majority of information security professionals out there NOT using social media?
Is LinkedIn really that evil?

I've been using various social media outlets for a number of years now and have been careful what I put out there and who I associate with.  Maybe that is the key.

The only thing I really worry about is Twitter, to see who is following ME!  That could be a daunting task if my follower list grows into the thousands.  Somehow, I don't think I will ever have that problem though.

Sunday, March 27, 2011
A dear friend of mine practices surgery, handling cases where people need surgical reconstruction because of traumatic injury - an automotive accident - or a cancer diagnosis - commonly breast cancer.  Always interested in the medical field, I enjoy hearing stories of cases he is currently working on.

One day he said something very profound in response to a question I had about a basic case he was working on:  "They need to see me more than I need to see them."

This definitely could be correlated to leadership and management.

I've noticed over the years that some managers are reluctant to give their people the face time that they need.   I'm sure they don't even know they are doing it!

Let's face it - most of the time when your employee wants to talk, there is a problem.  Who wants to hear about a problem??  That's human nature at work!

I've found that having regular conversations with your people will allow them to get things off of their chest as they come up.  These conversations are a lot easier to manage and talk through than a conversation prompted by them - wrapped in built-up tension over the past few weeks.

Next time you realize that you haven't had a casual conversation with an employee of yours, go have one!  I'm certain that you will dig up some issues that you don't really feel like dealing with, but look at it this way - they will be delivered to you a lot smoother than if they have to approach you - dripping in emotion!

Think you don't have time to be this proactive?  Well, I'm sure you won't when an employee calls with: "um... do you have a minute...?"

Try to be as visible as possible to your people.  You will be more approachable and will probably get a sense of things that are about to come up anyway.

Wednesday, March 9, 2011

Leader or Manager

I love interview questions that cause the applicant to really dig deep for an answer.  I don't think the question "Are you a Leader or a Manager" is one of those questions.  Any applicant would more than likely say "Leader" whether they are or aren't really a leader.

This caused me to think - from an employer standpoint: Are we necessarily looking for a leader in this position?

As far as I am concerned, if you are hiring for some kind of management or supervisory position, you always want a leader in that position.  Now, the real question is: Do you hire a manager and groom them to be a leader? or just hire the leader?