Blog Elements

Half Sized Blog Element (Single Author Style)

Half Sized Blog Element (Multi Author Style)

Taxonomy of Computer Security

2010-06-28/0 Comments/in General Security/by admin

Computer security is frequently associated with three core areas, which can be conveniently summarized by the acronym “CIA” standing for Confidentiality — Ensuring that information is not accessed by unauthorized persons; Integrity — Ensuring that information is not altered by unauthorized persons in a way that is not detectable by authorized users; Authentication — Ensuring that users are the persons they claim to be.

IT Security Audits: A Necessary Evil…

2010-06-28/0 Comments/in General Security/by admin

As I prepare to conduct my next IT security audit at a client’s site, I realize some things have not changed in the past few years. The client’s reaction towards the security audit is always amazing the day before the on-site visit as they exhibit a sense of fear. For the most part, it has […]

Taxonomy of Computer Security

2010-06-28/0 Comments/in General Security/by admin

IT Security Audits: A Necessary Evil…

2010-06-28/0 Comments/in General Security/by admin

Full Sized Blog Element (Big Preview Pic)

Taxonomy of Computer Security

2010-06-28/0 Comments/in General Security/by admin

Additional areas that are often considered part of the taxonomy of computer security include:

Access control — Ensuring that users access only those resources and services that they are entitled to access and that qualified users are not denied access to services that they legitimately expect to receive

Nonrepudiation — Ensuring that the originators of messages cannot deny that they in fact sent the messages

Availability — Ensuring that a system is operational and functional at a given moment, usually provided through redundancy; loss of availability is often referred to as “denial-of-service”

Privacy — Ensuring that individuals maintain the right to control what information is collected about them, how it is used, who has used it, who maintains it, and what purpose it is used for

IT Security Audits: A Necessary Evil…

2010-06-28/0 Comments/in General Security/by admin

From my experiences, the client will start applying required security patches that should have been applied months ago the weekend before the audit. Sometimes, it works out fine, and as you may know, sometimes it does not and causes additional issues for the system administrators. Many times, the Security Point-of-Contact (SPOC) will use a security scanning tool such as Nessus to conduct their own network scan to get a view of how they fair up. Conducting your own security scans are fine, being proactive is a good thing, but the day before an audit may not the best time to do so. Then the disclaimers start rolling in from the client. “Well… We know of this issue and that issue.”

I guess I cannot blame their anxiety. It’s not a good feeling to have strangers (IT Security Auditors) come into your organization to review the controls and practices you put in place and possible tell you that you are doing it wrong.

However, IT Security Audits are a necessary process that needs to occur to ensure compliance to organizational and/or federal regulations. Some of the more notable regulatory compliances are FISMA, HIPAA and the Sarbanes-Oxley Act that specifies how organizations must deal with information.

Unfortunately, many organizations treat security and audit as an after thought rather then a process … Preparation is the key to successfully passing a security audit.

For a full detail review on security assessments and IT security audits, check out www.securityorb.com.