Practical Information Security

So where I last left off - 2000 a time of transition for a number of things, the "red hot" internet properties of the '90's started the downward slide that became the recession of the early 2000's and many "internet millionaires" became bankrupt or lost much of their projected net worth. During this time many companies had been focused on growth and establishing an "internet" presence without really having a business plan or an approach to sustain or support the number of systems that were being deployed to the networks. Corporate malfeasance leads to regulation - Enron, WorldCom, Tyco and other companies caused public outrage due to accounting fraud of various magnitudes and the attempted cover-up and complacency of Sr. Management. The result is the Sarbanes-Oxley Act of 2002. While mostly corporate accountability legislation, this triggers a number of compliance initiatives that impact Information Security and compliance. Continued ema

Hello folks,it's been a while but I wanted to start sharing some thoughts on again on a more regular basis, so I will try and post every couple weeks, or more often as I can. Today I wanted to highlight a couple issues that I as a consultant often see with my customers.  When I perform an assessment of their environment, I'm often asked a couple reoccurring questions. ""How do you think we would do in an incident?" "Do you think we need to buy XYZ tool or technology?" Often the Information Security teams I am working with are new and are in the process of building/rebuilding due to some type of change (merger/acquisition, change in staff, divestiture, or program/leadership change). In almost every case my answer to the first question is going to be, everyone needs to continue to prepare and be vigilant, even organizations where they believe they are ready for an incident will struggle a bit when the event finally happens (or more accurately onc