J Wolfgang Goerlich's thoughts on Information Security
Insurance

By wolfgang. 29 June 2010 07:31

In InfoSec risk management, one area that does not get much press is risk transference. That is, using insurance (or agreements) to transfer the risk to a third party. Brian Krebs makes the case, anecdotally, on his blog.

After an incident in which the attackers raided a company’s bank for $750K, “The company managed to recover three of the fraudulent transactions, and its total loss now stands at just shy of $100,000. Golden State Bridge is confident that after paying its $10,000 deductible, the insurance company will cover the rest…” 

http://krebsonsecurity.com/2010/06/the-case-for-cybersecurity-insurance-part-i/

Tags:

Risk Management | Security

How to gracefully lose control over computing assets

By wolfgang. 12 May 2009 06:34

Cloud transition is about how to gracefully lose control over computing assets.
http://securityblog.verizonbusiness.com/2009/05/06/on-clouds-and-the-evolving-role-of-the-ciso/

This is a good article. It traces the history of security from the military-minded security pros of yesterday, to the risk management security pros of today, to the great unknown of tomorrow. Given information security is about guarding information assets, InfoSec may shift toward vendor management and away from technological prowess. "For example, even in the case of stuff covered by compliance (you know, that critical Confidentiality stuff we’d never move to the Cloud), vendors will be quick to sell certified solutions (we’re already seeing this, actually)."

"Now in addition to worrying about measuring things like control effectiveness, A/V coverage, and risk, we’re going to have to understand things like: what level of Governance information are we going to require from which vendors? Once we have that Governance information, what are we going to actually do with it in order to make decisions?"

Tags:

Risk Management | Security

Security Journal: Finding Security in Tough Times

By wolfgang. 14 April 2009 13:04

This is an optimistic article, perhaps even a search for a silver lining. The recent economic news has been troubling. Companies have let go scores of workers, frozen projects, and delayed infrastructure updates. This puts Information Technology (IT) and Security departments in a difficult position. After being project-driven for so long, what does the department do when projects are delayed? And for the Information Security (InfoSec) professional, how can the security posture be improved without a budget?

Read more in this quarter's edition of the Security Journal.

Tags:

Security | Risk Management

Modulo automates risk management

By wolfgang. 2 February 2009 13:05

"Leading investment firm announces gains in productivity by deploying Modulo's IT Governance, Risk and Compliance software."
http://www.modulo.com/press-release/press-release.jsp?p=20090202

"Effective risk management and control imply the development and maintenance of a process that enables the identification, analysis, evaluation and treatment of risks that may impact an organization. 'The only time you know a system is secured is when you check. Modulo Risk Manager automates auditing, which enables us to check more systems more regularly. The software's risk console also gives us a score and reporting mechanism. These reports focus our efforts and prioritize our remediation,' said Goerlich."

Tags:

Risk Management

Out and About: Practical Risk Management

By wolfgang. 12 August 2008 18:42

Contact: Cynthia Meinke
Ph: 248-373-8494
Date(s): 9/18/08
Time: 6:00 PM
Location: Cisco Systems, 2000 Town Center, Suite 450, Southfield, MI 48075

Event Description:

The Motor City Chapter of the Information Systems Security Association (ISSA) will be hosting their September meeting with a presentation on Practical Risk Management. Their speaker, J. Wolfgang Goerlich, CISSP, CISA, is an information security professional with over a decade of experience in IT. Currently Mr. Goerlich is the Network Operations and Security Manager for a large financial institution in Michigan. In this presentation, Mr. Goerlich will describe some of the challenges he faced while developing an enterprise risk management program and explain how he ultimately solved them with a leading governance risk and compliance (GRC) technology. This presentation will discuss the practical implementation of GRC technology, discuss its uses, and review lessons learned.

This event is open to non-members. Please RSVP to secretary@issa-motorcity.org. For further information, please contact Cynthia Meinke at 248-373-8494 ext. 405.

Tags:

Out and About | Risk Management

Risk Management

By wolfgang. 22 July 2008 20:01

Executives run businesses based on risk versus reward, right? To get action, we need to convey the dollars at stake and the likelihood there will be a loss. You’ll often see this as Single Loss Expectancy (SLE) and Annualized Rate of Occurrence (ARO).

The difficulty I run into is that there is not much hard data on the likelihood of an attack or on the typical cost of one. We can guess, but then the figure ends up being skewed and the rationale does not stand up to scrutiny by senior management. I am hopeful that the recent disclosure laws will change this by providing solid statistical information.
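As an added illustration of the SLE and ARO figures above (and of the risk transference point from the insurance post further up this page), the following Python is example code written for this page, not the author's own method or any GRC product's. It multiplies SLE by ARO to get an Annualized Loss Expectancy (ALE), then addresses the "we can guess" problem directly: instead of a single guessed figure, each input is given as a low / most-likely / high range and sampled, so what goes in front of management is a spread of outcomes rather than one number. The control cost-benefit test and the deductible/coverage model are additional assumptions of this example; the dollar values in the usage section are constructed sample inputs, not figures from the page.

```python
"""Quantitative risk estimates with ranges instead of point guesses.

Example code added to illustrate SLE x ARO and risk transference via
insurance. All functions and sample figures are assumptions of this
example, not the blog author's or any vendor's method.
"""
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """A loss scenario with three-point estimates for SLE and ARO.

    sle_*: Single Loss Expectancy, dollars lost per incident.
    aro_*: Annualized Rate of Occurrence, incidents per year.
    """
    name: str
    sle_low: float
    sle_mode: float
    sle_high: float
    aro_low: float
    aro_mode: float
    aro_high: float


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy: expected dollars lost per year."""
    return sle * aro


def point_estimate(s: Scenario) -> float:
    """The classic single-figure ALE using the most-likely values only."""
    return ale(s.sle_mode, s.aro_mode)


def simulate_ale(s: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Sample SLE and ARO from triangular distributions and return
    the 10th / 50th / 90th percentile ALE, so the audience sees a range
    rather than a single guessed number."""
    rng = random.Random(seed)  # fixed seed keeps results reproducible
    samples = sorted(
        ale(rng.triangular(s.sle_low, s.sle_high, s.sle_mode),
            rng.triangular(s.aro_low, s.aro_high, s.aro_mode))
        for _ in range(trials)
    )
    return {
        "p10": samples[trials // 10],
        "p50": samples[trials // 2],
        "p90": samples[9 * trials // 10],
    }


def control_is_worth_it(ale_before: float, ale_after: float,
                        annual_control_cost: float) -> bool:
    """Mitigation pays off when the ALE it removes exceeds what it costs."""
    return (ale_before - ale_after) > annual_control_cost


def residual_loss_with_insurance(loss: float, deductible: float,
                                 coverage_limit: float) -> float:
    """Risk transference: the organization keeps the deductible plus any
    amount above the policy limit; the insurer covers the rest."""
    covered = min(max(loss - deductible, 0.0), coverage_limit)
    return loss - covered


if __name__ == "__main__":
    # Constructed sample scenario (not figures from the page).
    wire_fraud = Scenario("business account takeover",
                          sle_low=50_000, sle_mode=100_000, sle_high=750_000,
                          aro_low=0.02, aro_mode=0.1, aro_high=0.3)
    print("point ALE:", point_estimate(wire_fraud))
    print("ALE range:", simulate_ale(wire_fraud))
    # Assumed control: $5,000/yr that cuts ALE to $2,000.
    print("control worth it:",
          control_is_worth_it(point_estimate(wire_fraud), 2_000, 5_000))
    # Assumed policy: $10,000 deductible, $1,000,000 limit, $100,000 loss.
    print("residual after insurance:",
          residual_loss_with_insurance(100_000, 10_000, 1_000_000))
```

The percentile output is the piece that survives scrutiny: "somewhere between $X and $Y a year, most likely $Z" is an honest statement of the uncertainty the post describes, and it can be tightened as disclosure data becomes available. The same ranges feed the control decision and the insurance decision, so mitigation and transference are compared on one footing.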

Tags:

Risk Management
