Duepexpetry
1
Hi, all participants discussed , very cool forum.
Security Design: Be an enabler not a blocker
- 31 July, 2012 16:11
- Comments (1)
- Bookmark
Matthew has over ten years experience operating solely in the area of information security, holds a Bachelors degree in security management from ECU and is also a CISSP. He is a former Account Director in Deloitte’s Security & Privacy Services practice. Matthew has led security testing teams on assessments of large core systems replacement projects for banking institutions. He operates more in the area of information security governance these days, despite his urges still stay a bit technical. Hence he plays with backtrack linux, metasploit and new web application security assessment tools in his rare free time. Currently he runs his own consultancy called Ronin Security Consulting and holds the title of General Manager of Security Testing at Enex TestLab. He is an active member of the Australian Information Security Association, and held the office of Melbourne Branch Executive for a number of years.
Matt’s security blog is called Infamous Agenda and he is an active twitter user with the handle @mhackling
When liaising on projects, as a security architect it’s important to not spring surprises on your project manager. Most project managers tend to react with an involuntary facial twitch to "new requirements", these are often are associated with project delays and cost overruns.
So to avoid surprises and make your engagements with a project smoother, consider the following:
- Engage early
- Draw out compliance requirements early in the business case phase
- Develop detailed security requirements that are specific and technology agnostic. Also, detail the importance and difficulty/cost of the controls at a high level. (Eg. not so much: “the system must be secure”, but more like: “the system must support TLS for protecting transit of classified information”.
- Give the project options even when they are limited. For example: "You need this control for compliance purposes but it’s difficult to implement in the project timeframe, can I help you apply for a temporary security policy exemption?”
- Choose standardisation over specialisation. A standard security control inherited from an environment is more likely to be maintained than a custom one deployed only for a single project.
CSO Corporate Partners
Get exclusive access to CSO, invitation only events, reports & analysis. Most Read
- 1
Dell targets ANZ security opportunities as SecureWorks debuts locally
- 2
AusCERT 2013: Cloud-based scanner identifies new malware by its ancestry
- 3
AusCERT 2013: Users, cats more likely hack culprits than cyber-espionage: Trustwave
- 4
ACMA database keeps finger on Australia’s malware pulse
- 5
Lethal medical device hack taken to next level
CSO Directory
Media Releases
Latest Jobs
Solution Centres
Security Awareness Tip
Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).
- Have an incident response plan.
- Pre-define your incident response team
- Define your approach: watch and learn or contain and recover.
- Pre-distribute call cards.
- Forensic and incident response data capture.
- Get your users on-side.
- Know how to report crimes and engage law enforcement.
- Practice makes perfect.
Security ABC Guides
Warning: Tips for secure mobile holiday shopping
I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.
