Controls are logical mechanisms applied in an effort to reduce risk. This may feel vague because the term is primarily an abstract, logical entity that has specific implementations and humans like more concrete, implementable things. Architecturally these entities sit at the logical layer but have concrete instances that are implemented by contextualizing the qualities of… Continue reading What Are Controls (Safeguards)?
Category: Risk Management
Humans are STILL a Weak Link in Risk Mgmt
Checking out today’s current events from Feedly I ran across Bruce Schneier’s comments around a social engineering attack that resulted in ~ $300,000 loss to Apple in products. If you don’t care to follow the links, Mr Parrish attempted to purchase equipment using debit cards that were declined and then offered to call his bank… Continue reading Humans are STILL a Weak Link in Risk Mgmt
What is Compliance?
I read and hear the term “compliance” used liberally in infosec, often without a clear context. The graphic above is intended to illustrate some business drivers such as statutory laws, regulatory agencies (e.g. GAO’s HIPAA), industry-imposed requirements (e.g. PCI DSS), customers’ and shareholders’ expectations (some of which are legally and contractually required). These plus other… Continue reading What is Compliance?