The Expert’s Number for Security Risk Assessments

You know I just love this article, and often refer to it when I’m speaking. However I couldn’t remember who had written it, the title, or when. Well mystery is over, whilst cleaning out my hard-disk, I found it. It was published in 2008, have fun reading 🙂
The Experts Number for Security Risk Assessments

What is Requirement for ISO 27001 Accreditation?

Did you know that ISO 27001 was updated to ISO 27001:2013 last year? The new standard has only 119 controls, as apposed to over 130 before. Added are controls on mobility and agility. The control framework though is being expanded beyond by combined work with the Cloud Security Alliance I think its being mapped out as 270018, still uncompleted when I last checked. This is a good description of what is ISO 27001:2013, the high level process.

When I Say Privacy, You Say…

Well I didn’t know that privacy was the word of the year for did you?

I’ve been digging around in my archives and found something that has sort of been lost. There is the traditional security triad, of Confidentiality, Integrity, Aviability (CIA). Which has also been revised to the following, at least 8 years ago. I found this on Bruce Schneier’s blog anyhow.

Authentication (who are you)
Authorization (what are you allowed to do)
Availability (is the data accessible)
Authenticity (is the data intact)

Also was added Admissibility because it was deemed that “this model is no longer sufficient because it does not include asserting the trustworthiness of the endpoint device from which a (remote) user will authenticate and subsequently access data. Network admission and endpoint control are needed to determine that the device is free of malware (esp. key loggers) before you even accept a keystroke from a user”.

I have been thinking a little. This keeping to 5 ‘A’s makes understanding this not straightforward. If we were to look at these again… the first 2 are to do with the identifying party, the next 2 are to do with the data, and the final one is to do with the endpoint. The first 3 ‘A’s I feel comfortable with, the last 2 feel like a workaround to keep 5 ‘A’s… hey the marketing guys would be happy with this 😉

I’ve changed Authenticity to what it was originally in the CIA triad, Integrity, and the last one to Trust, as this is basically what it is all about, do you trust the endpoint device.

Authentication (who are you)
Authorization (what are you allowed to do)
Availability (is the data accessible)
Integrity (is the data intact)
Trust (is the endpoint trusted)

So that gives us AAAIT if we go from the identity to the endpoint, or TIAAA from the endpoint to the identity.. well marketing wouldn’t like this at all, but I like it and I think it’s easy to remember 😀