The Digital Security Poverty Line

James Tarala | Assurance, Governance, Metrics

Like many information security practitioners, I spent this week returning to the office and reflecting after attending the annual RSA Conference in San Francisco. Every year there are interesting speakers, some better than others, crazy parties, and a vendor show the size of a small city. And every year I admit I get a little contemplative at the end of …

Steps to Creating a New Metrics Program

James Tarala | Assurance, Governance, Metrics

Metrics definitely seem to be a buzzword in information security circles these days. It seems that I can hardly give a presentation or meet with clients without the topic coming up at some point in our discussion. But to be fair, I think these discussions are healthy, and I’m glad to see so many people beginning to ask the …

Basic Steps for Executive Engagement

James Tarala | Assurance, Governance

Recently I met with an organization who mentioned to us that they had identified executive engagement in information security (or the lack thereof) as the biggest risk to their organization. That is not to say that the organization’s executives didn’t care. The issue was that this organization had its hands in a number of other important activities, and securing the organization’s assets simply …

Elements of an Information Security Charter

James Tarala | Assurance, Governance, Project Management

Part of any solid project / program management effort is a program charter that defines the program in order to ensure its success. Too many times projects begin without a clear definition of success, and as a result it becomes very difficult to measure success, or often even to make progress on the project in any way. Information security programs …

New SANS Audit Course (407) Live

James Tarala | Assurance

The rumors are true: there is a new SANS audit class on the SANS courseware bookshelf. The course is Audit 407 – Foundations of Information Systems Audit. It’s a prequel to the SANS Audit 507 course and is meant to prepare auditors with the baseline of knowledge necessary to take them from being just a security professional to being an …

Script for Network Adapter Configuration Baselines

James Tarala | Assurance

So far in this series of blog articles we have identified a number of different baseline scripts written in PowerShell. We hope that auditors and others will be able to take these scripts, modify them for their own purposes, and use them for baselining the systems that they are evaluating. This week we found ourselves in the position of …

Script for Network Share Baselines

James Tarala | Assurance

Today we’re going to continue blogging about scripts that we can use to create system baselines. (For a primer on why you might want to consider performing a system baseline or for a process for performing system baselines, check out our previous blog entries here.) As we discussed earlier as well, we are going to rely primarily on PowerShell to …

Script for Locally Installed Software Baselines

James Tarala | Assurance

Today we’re going to continue blogging about scripts that we can use to create system baselines. (For a primer on why you might want to consider performing a system baseline or for a process for performing system baselines, check out our previous blog entries here.) As we discussed earlier as well, we are going to rely primarily on PowerShell to …

Script for Local User and Group Baselines

James Tarala | Assurance

In keeping with my New Year’s resolutions, I want to continue posting information on how an auditor might take advantage of baselines when performing an Information System (IS) audit. Certainly I hope system administrators will be able to take advantage of this information as well when performing their own Control Self Assessments (CSAs). For a primer on why you might …

Examples of System Baselines

James Tarala | Assurance

Ok, it sounds like we should have one more point of clarification. In our last blog post we wrote about a process to follow for creating and maintaining system baselines. But after thinking about it, one more thing auditors, or administrators performing Control Self Assessments (CSAs), might want to consider is what types of baselines could be gathered to comprehensively assess …