Security Officers Management and Analysis Project. A Swiss non-profit organization.
Author: Andreas
-
Value at Risk (VAR)
The Value at Risk (VAR) framework knows four stages:
- Identify threats
- Estimate likelihood
- Estimate VAR
- Mitigate risk
-
P.U.S.H.
The four phases of PUSH are:
- Preparation: defining the audience and purpose of the risk assessment.
- Universe definition: identifying and characterizing the most critical assets, risks and controls.
- Scoring: choosing consistent scales to rate the importance of assets, the impact of risks and the effectiveness of controls.
- Hitting the mark: ensuring the risk assessment fulfils the purpose set out in the preparation phase.
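The VAR stages and the PUSH scoring phase fit together as a small risk register: one ordinal likelihood scale for every threat, one impact scale, one control-effectiveness scale, and a VAR computed per asset and threat so that results are comparable and can be ranked for mitigation. The following is an added illustration, not code from the page or the organisation; the 1 to 5 likelihood scale, its mapping to annual probabilities, the formula value x impact x probability x (1 - control effectiveness), the currency unit and the sample assets are all assumptions chosen for the example.

```python
"""Risk register: VAR stages (identify, estimate likelihood, estimate VAR,
mitigate) on top of PUSH-style consistent scoring scales.
Added illustration; scales, formula, numbers and assets are assumptions."""
from dataclasses import dataclass, field

# Scoring phase: one ordinal 1..5 likelihood scale for every threat, mapped to
# an assumed annual probability so VAR figures are comparable across assets.
LIKELIHOOD_SCALE = {1: 0.05, 2: 0.20, 3: 0.50, 4: 0.80, 5: 0.95}


@dataclass
class Control:
    name: str
    effectiveness: float  # 0..1, fraction of the loss the control prevents

    def __post_init__(self):
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be in [0, 1]")


@dataclass
class Threat:
    name: str
    likelihood: int           # ordinal score on LIKELIHOOD_SCALE
    impact: float             # 0..1, fraction of the asset value lost per occurrence
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Reject scores outside the agreed scale instead of silently mis-rating.
        if self.likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"{self.name}: likelihood must be one of {sorted(LIKELIHOOD_SCALE)}")
        if not 0.0 <= self.impact <= 1.0:
            raise ValueError(f"{self.name}: impact must be in [0, 1]")


@dataclass
class Asset:
    name: str
    value: float              # importance expressed in currency units (assumed CHF)
    threats: list = field(default_factory=list)


def residual_factor(controls):
    """Fraction of the loss that survives all controls (independent controls assumed)."""
    factor = 1.0
    for control in controls:
        factor *= 1.0 - control.effectiveness
    return factor


def value_at_risk(asset, threat):
    """Stage 3: expected annual loss = value x impact x probability, reduced by controls."""
    probability = LIKELIHOOD_SCALE[threat.likelihood]
    return asset.value * threat.impact * probability * residual_factor(threat.controls)


def rank_risks(assets):
    """VAR per (asset, threat) pair, highest first."""
    rows = [(a.name, t.name, value_at_risk(a, t)) for a in assets for t in a.threats]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def mitigation_candidates(assets, tolerance):
    """Stage 4: every pair whose VAR exceeds the risk tolerance needs treatment."""
    return [row for row in rank_risks(assets) if row[2] > tolerance]


# Constructed sample universe (PUSH "Universe definition"), not real data.
SAMPLE_ASSETS = [
    Asset("Customer database", 500_000, [
        Threat("Ransomware", likelihood=4, impact=0.6,
               controls=[Control("Offline backups", 0.7)]),
        Threat("Insider data theft", likelihood=2, impact=1.0),
    ]),
    Asset("Public website", 50_000, [
        Threat("Defacement", likelihood=5, impact=0.2,
               controls=[Control("WAF", 0.5)]),
    ]),
]

if __name__ == "__main__":
    for asset, threat, var in rank_risks(SAMPLE_ASSETS):
        print(f"{asset:20} {threat:20} VAR {var:>10,.0f}")
    print("treat:", [t for _, t, _ in mitigation_candidates(SAMPLE_ASSETS, tolerance=50_000)])
```

The point of the validation in the dataclasses is the "consistent scales" requirement: a likelihood of 6 or an impact of 120 percent is rejected at entry rather than producing a VAR that cannot be compared with the rest of the register. The insider threat with no controls outranks the better-covered ransomware scenario even though ransomware scores higher on likelihood, which is exactly the effect that control effectiveness is supposed to surface.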
-
Risk Assessment Methodologies
- OCTAVE has a self-directed, interdisciplinary team perform the risk analysis, focusing on operational risk and security practices.
- FRAP is a qualitative risk analysis approach that uses pre-screening to identify critical risk areas.
- NIST is a qualitative risk assessment methodology, established with healthcare in mind.
- Failure modes and effects analysis (FMEA) assesses risk by examining the effects of failures on three levels.
- CRAMM is an IT risk analysis method used by the British Government.
-
Methodological Frameworks
- ISO 27000 is a series of standards for managing information security
- ITIL comprises a series of books aiming to improve IT service management and IT processes
- COSO is a framework for financial reporting and disclosure
- COBIT is a four domain model for IT governance and has 214 control objectives
-
Baselines, Procedures, Guidelines & Policies
- Baselines define a minimum technical standard that should be maintained across the organization
- Procedures are step-by-step instructions on how to comply with security requirements.
- Guidelines give discretionary guidance on how to comply with security requirements best.
- Policies define security requirements broadly.
-
email ain't work.
email is one of my favorite topics when it comes to modern ways of working. There have been a few articles on this blog about major organizations abolishing email in favour of social media (which won't solve the underlying problem…)
Communication is essential to most jobs, but so is productivity. Claire Diaz Ortiz wrote a nice comment on why email is work and why it isn't at the same time.
email ain’t work.
This is the opinion that I tend to prefer, coming from an engineering education. email will distract anybody trying to focus on a real problem and will create an obligation to do something non-productive. email can be considered something additional that should not become the majority of the actual work: it is for sending designs, architecture, plans or status updates, but it is certainly outside the scope of engineering-centric job descriptions.
unless you’re paid for it.
The situation is much different should you work in customer support, service, sales or even product marketing or management. These roles live off the conversation with customers, clients, partners and peers, sometimes even competitors. These roles need to know what others, the market, want to see as a product or a service, and this is not something you can get off a drawing board.
So it depends (a bit)
After all, email has a very different meaning depending on the role someone is in. Still, the medium itself is very difficult to handle and too time consuming, even for roles that depend on communication. Just imagine all the (obvious) spam, newsletters, notifications and so on. Not to mention the increasing practice of CCing everybody and his brother. This is what makes email the ultimate productivity killer for everybody.
In response to: Why Email Isn’t Work. (And Why It Is.).
-
Lessons Learned – Flight Projects Directorate Code 400
Space and lunar missions are famous for outstanding project management, and so NASA also has some fine documents on the subject. Particularly enjoyable to read are the 128 lessons learned written down by Jerry Madden, Retired Associate Director (400). On the topic of meetings he has a whole series of pieces of advice. One of them caught my particular attention.
115. Reviews, meetings, and reality have little in common.