Risk

Information security governance should not be treated like corporate governance, IT security steering committees must have the right stakeholders and the board can remain largely unaware of security issues. Those are key strategies for effective security governance, says IT security and assurance manager at Sydney Water, Stephen Frede.

Amit Yoran was the Department of Homeland Security's first director of the National Cyber Security Division of the Information Analysis and Infrastructure Protection office. But by September 2004 he was frustrated by what he saw as a lack of concern and commitment to Internet security. So he quit his post.

Social networking and cloud computing threats abound, our annual Global Information Security Survey finds, making information security important once again to business leaders.

Security researchers are warning that Web-based applications are increasing the risk of identity theft or losing personal data more than ever before.

It seems like a question ripped from the back of a cheap sci-fi novel: What happens when the robots are turned against us?

We keep hearing about Denial of Service attacks, and how they can bring large organisations to a standstill, yet do we really understand the full range of events that the term encompasses? What does make up a DoS (or distributed DoS) attack, how it is done, and what can you do to prevent it happening to you?

Looking through the holidays into 2010 there are four clear priorities for risk management that cut across all tiers with financial institutions. Over the last year the pendulum has swung from the exotic to the pragmatic, from chaos to order within financial services. The four priorities for risk in 2010 can be derived from the word D.A.T.A.(data, analysis, transparency, accuracy).

Consultant and author Mike Ackerman's 10 counterterrorism principles for business.

Two experts break down critical considerations in merger and acquisition activity.

The management of information risk has become a significant topic for all organizations, small and large alike. But for the large, multi-divisional organization, it poses the additional challenge of determining how to deploy an information security governance program among what are often disparate business units. Should the policies, procedures, and processes that define the program be developed and managed within a central, corporate body? Or perhaps responsibility would be better placed at the individual unit level? Is there a workable middle-ground?

In the first column of this year, I discussed computer security outlook and hopes for 2008. I forecast more of the same that we saw in 2007: more spam, more malware, more bad guys basically owning the Internet and our connected computers. I don't see any trends or new leaders with significant power to change the status quo.