http://www.itbusinessedge.com/cm/index.jspa?view=discussions Most recent forum messages en Sat, 21 Nov 2009 00:55:25 GMT Clearspace 2.5.5 (http://jivesoftware.com/products/clearspace/) 2009-11-21T00:55:25Z en http://www.itbusinessedge.com/cm/message/2019?tstart=0#2019 I think Royce makes a great point when he says that these controls will not always prevent disaster from striking but will protect the company from any ensuing fines or lawsuits.  When I used to work for a credit card processing company, certain Sat, 21 Nov 2009 00:55:25 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/2019?tstart=0#2019 2009-11-21T00:55:25Z 9 hours, 32 minutes ago http://www.itbusinessedge.com/cm/message/2018?tstart=0#2018 It matters where you get your controls to an extent.  Warrick was right, enough time and effort has been spent on creating proven controls so as long as your controls come from a solid source such as ISO17799 and CobiT the company should be fine.  When Sat, 21 Nov 2009 00:44:47 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/2018?tstart=0#2018 2009-11-21T00:44:47Z 9 hours, 43 minutes ago http://www.itbusinessedge.com/cm/message/2017?tstart=0#2017 Mille, I do agree that companies should acknowledge threats and focus on the best interest of the organizational system and technical, operational, and management security controls should be considered. However, I also think that depending on the type Fri, 20 Nov 2009 04:57:25 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/2017?tstart=0#2017 2009-11-20T04:57:25Z 1 day, 5 hours ago http://www.itbusinessedge.com/cm/message/2016?tstart=0#2016 Yes, it does matter where controls are obtained. When choosing which controls to implement, organizations should focus on the greatest risks and work to mitigate them at the lowest cost with minimal impact on the company mission. In implementing Fri, 20 Nov 2009 04:50:22 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/2016?tstart=0#2016 2009-11-20T04:50:22Z 1 day, 5 hours ago http://www.itbusinessedge.com/cm/message/2015?tstart=0#2015 Great point to acknowledge the standardized controls which should be used should depend on what system you are trying to assess. It makes since to use whatever controls that are most suited for your business.  I like the fact that there are so many Fri, 20 Nov 2009 04:48:54 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/2015?tstart=0#2015 2009-11-20T04:48:54Z 1 day, 5 hours ago http://www.itbusinessedge.com/cm/message/2014?tstart=0#2014 It do not matter where you get your controls as long as you acknowledge your threats and your focus is on the best interest of the organizational system.  As it was mentioned Cobit (Control Objectives for Information and related Technology) uses a set Fri, 20 Nov 2009 04:35:01 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/2014?tstart=0#2014 2009-11-20T04:35:01Z 1 day, 5 hours ago 1 http://www.itbusinessedge.com/cm/message/2012?tstart=0#2012 /* Style Definitions */table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin-top:0in; Fri, 20 Nov 2009 04:00:58 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/2012?tstart=0#2012 2009-11-20T04:00:58Z 1 day, 6 hours ago 1 http://www.itbusinessedge.com/cm/message/2013?tstart=0#2013 Dawit, I agree with your geographic assesment. I found the comparison chart rather informative. The ISO 17799 standard is very useful since it appears to have wide acceptance. I agree with your assesment of a  standardization of controls for comparison Fri, 20 Nov 2009 04:13:28 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/2013?tstart=0#2013 2009-11-20T04:13:28Z 1 day, 6 hours ago http://www.itbusinessedge.com/cm/message/2011?tstart=0#2011 Jeff,   You make a good point.  Maybe my criticism of the regulatory industrywas a little harsh.  Their intended purpose is a good one, and for the most part they serve to protect consumers and clientele just as much as the company's that invest in Fri, 20 Nov 2009 03:17:28 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/2011?tstart=0#2011 2009-11-20T03:17:28Z 1 day, 7 hours ago http://www.itbusinessedge.com/cm/message/2010?tstart=0#2010 i. Region(s) of operation i.e. City, State, Country, Continent,   International ii. Industry i.e. Medical, Manufacturing, Government etc. iii. Size of organization iv. Command and Control topology i.e. Centralized, Autonomous etc. you made nice point Thu, 19 Nov 2009 23:32:26 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/2010?tstart=0#2010 2009-11-19T23:32:26Z 1 day, 10 hours ago http://www.itbusinessedge.com/cm/message/2009?tstart=0#2009 Yes it really matters where we get our controls form my whole perspective is focus on regional matters for instance if we doing our risk assessment for a company lets located in japans we have to take in consideration of the compliance that is Thu, 19 Nov 2009 23:24:30 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/2009?tstart=0#2009 2009-11-19T23:24:30Z 1 day, 11 hours ago 1 http://www.itbusinessedge.com/cm/message/2008?tstart=0#2008 Royce,   Keep in mind all of the "standards" are based onproven strategies and are to be used as a guide that is documented and has been thoroughly put into practice and been tested. When adding a safeguard, all anyone can go on is what has been Thu, 19 Nov 2009 23:06:41 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/2008?tstart=0#2008 2009-11-19T23:06:41Z 1 day, 11 hours ago 1 http://www.itbusinessedge.com/cm/message/2007?tstart=0#2007 Peace of mind is a huge factor.   The sources and types of controls used obviously have a tremendous impact on the likelihood of the occurrence of a particular risks/threats.   However, nothing is full proof.   The controls are meant to mitigate Thu, 19 Nov 2009 21:29:13 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/2007?tstart=0#2007 2009-11-19T21:29:13Z 1 day, 12 hours ago 2 http://www.itbusinessedge.com/cm/message/2006?tstart=0#2006 "How do I sell executive management on developing a Architecture program?" Thu, 19 Nov 2009 21:26:18 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/2006?tstart=0#2006 2009-11-19T21:26:18Z 1 day, 13 hours ago http://www.itbusinessedge.com/cm/message/2005?tstart=0#2005 As stated in previous posts.   A company may obtain controls from a variety of sources.   Risk analysis/assessment/management has been in use for quite some time now.   Such techniques are used as a means to perpetuate the positive flow of business Thu, 19 Nov 2009 21:08:33 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/2005?tstart=0#2005 2009-11-19T21:08:33Z 1 day, 13 hours ago 1 http://www.itbusinessedge.com/cm/message/1998?tstart=0#1998 Jeff,      I agree, regulatory compliance is a major driver for the adoption of many controls. Most compliance reglations have been mandated based on the consensus that general implementation of these standards will create transparency for business, Tue, 17 Nov 2009 03:24:54 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/1998?tstart=0#1998 2009-11-17T03:24:54Z 4 days, 7 hours ago http://www.itbusinessedge.com/cm/message/1997?tstart=0#1997 Great points Warrick. When selecting controls there is "no need to recreate the wheel". Usually the time constraints on meeting these requirements wouldn't allow for that much piloting and testing anyway.   The factors you mentioned along with the Tue, 17 Nov 2009 02:10:57 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/1997?tstart=0#1997 2009-11-17T02:10:57Z 4 days, 8 hours ago http://www.itbusinessedge.com/cm/message/1996?tstart=0#1996      As an information security professional I believe that the source of a companies IT controls is of extreme importance. As with any structure that is purpose built and meant to stand the test of time, serious consideration must be put into it's Tue, 17 Nov 2009 01:57:06 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/1996?tstart=0#1996 2009-11-17T01:57:06Z 4 days, 8 hours ago 2 http://www.itbusinessedge.com/cm/message/1995?tstart=0#1995 Yes. Today the main driver of security practices are usually led by some regulatory compliance requirement. This is not to say that companies are not concerned with overall general security like ensuring their environment is meeting an internally driven Mon, 16 Nov 2009 13:39:08 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/1995?tstart=0#1995 2009-11-16T13:39:08Z 4 days, 20 hours ago 4 http://www.itbusinessedge.com/cm/message/1994?tstart=0#1994 I agree that an infinite amount of time can be spent identifying every possible threat and creating boundaries is a nice way to manage time when brainstorming these threats.  I understand that some threats that people may think of have a very unlikely Sat, 14 Nov 2009 15:27:17 GMT webadmin@itbusinessedge.com http://www.itbusinessedge.com/cm/message/1994?tstart=0#1994 2009-11-14T15:27:17Z 6 days, 19 hours ago