- I know this is an old one and has also been covered here in the Forums, but gees it’s worth another look and laugh; “Queensland Police plans wardriving mission“. ROFL at; “Detective Superintendent Brian Hay of the Queensland Police, who today was honoured by security vendor McAfee with an “International Cybercrime Fighter Award”. I need to get one of those. How do I apply McAfee? Gees, what can you say? ICFA for short? :)

- Thanks to Matthew Hackling for highlighting this link to APRA’s site and discussion paper on “Management of IT Security Risk“. Now this is interesting. Firstly, it seems to be pretty closely based on the Monetary Authority of Singapore (MAS) “Internet Banking and Technology Risk Management Guidelines“. Not a bad thing! Just 8 or 9 years behind the game in terms of Asia Pacific regulators APRA. (But hey, we already knew that). Wondering how they plan to enforce any of this or is it just a project to make them look like they’re on top of their game? Did I mention 8 or 9 years behind other regulators in Asia? Ah yes, I did. Who needs regulation in the Banking sector anyway?

- I’ve got an article posted at Tek-Tips; “Overcomplicating Information Security and Risk Management“. Keen on your thoughts and thanks to the guys on Twitter who’ve already sent through their comments.

- I’ll be reviewing the CFP responses for the Lightning Presentation session for the upcoming AISA National Annual Seminar Day on the 3rd of December, 2009. If you’ve done some really cool stuff or want to share some really interesting information about something in our industry (but don’t want to talk for 40 minutes), please send through your presentation overview.



  1. With the Rick Mercer Report online, you’ll never be farther than a mouse click away from a good Mercer rant. Banking Details

  2. Must be getting a bit forgetful in my old age:
    http://beastorbuddha.com/2009/05/11/apra-releases-discussion-paper-on-it-security-risk-management/

    Wondered why I hadn’t seen that before supposedly. :)

  3. I think I suffer from the overcomplication of info risk syndrome. I blame immaturity :)

  4. SG42 says:

    I suppose if it’s so easily forgotten, it can’t have been that exciting or worth the attention to begin with but you would expect that it should be.

  5. DaneWarren says:

    Good article. IMHO the value in any process is the way that it is used.

    I use an enterprise risk management framework to assess risks across all parts of the enterprise; security being one of them. At times the risk can justify the capital investment, other times a number of risks can be shared across a single capital investment (value maximisation through increased asset utilisation). A risk management framework can help support these decisions and identify these opportunities.

    I don’t think that investments in anything should be made without a level of rigor and appropriate due diligence. Any risk management framework should provide a foundation for better decision support and not be substituted for the next new security widget.

  6. SG42 says:

    @Dane, how do you cover off that “holistic oversight” to a strong level of knowledge to provide for the basic success of your framework? Do you have strong backing by the business to give you a holistic view?

  7. DaneWarren says:

    @SG42:
    It all comes down to relationship management; that is, with the business and technical stakeholders.

    I used the ERM framework to get a seat at the business table and I use education and awareness as a tool to maintain it. Now all levels of the organisation contribute.

    If you are up against the proverbial wall as far as the organisation is concerned – re: lack of interest – then you may need to look at an organisational change approach (e.g. the Kotter 8-step change process). The caveat is, you need to identify where the blocks are and where the change process needs to be focused. Sell it, sell it and sell it again.

  8. SG42 says:

    Dane, that is where I was leading. Sounds like in your case you are in a position to be working with the business and seeing the “business”. That is rare and well done to have gotten it to that. I trust they appreciate and understand how important that is to them?

  9. DaneWarren says:

    They do now; but the journey was far from clear blue ocean. I had to latch on to the organisational metaphor and change the organisational culture from one that was risk ignorant to one that was risk aware (I used the Kotter approach and a bunch of other tools).

    Now the program has an inertia of its own and everyone feels responsible for risk and security management.

    I just take ‘em out to coffee. :)

  10. Drazen Drazic says:

    Dane, you are the man! CSO gun for hire.

    All inquiries here for CSO services. :) I’ll take the usual “management fee” mate.