1. No, I haven't abandoned the blog.
2. Yes, I am going to finish the FMEA stuff.
3. Ubuntu is quite nice.
Oh Snap
24 September, 2008
28 June, 2008
Mortgage - Doddgate = more homeless
Look, if we remove the risk and impact on mortgage companies of defaulted loans, the result will be more defaults and therefore more foreclosures. The result of Congress bailing out the mortgage companies will be more foreclosures, not fewer, because they will have less incentive to negotiate with borrowers who are on the line.
This holds especially true in variable rate loans where the borrower is able to make the initial payments but the increased payments are out of reach. In these cases neither the borrower nor the lender should have made the agreement in the first place, but if you remove the downside of the default from the vendor, why would they ever entertain the idea of negotiating with someone who was making payments earlier?
This article misses the point in the end, but I agree with the bailout point. Government involvement is exacerbating the problem and it isn't a solution.
This makes Doddgate even worse. Dodd's FOA status might lead directly to more people getting kicked out of their houses.
We need to make it clear to Congress and the Senate that they need to be very careful about how they walk when it comes to solutions that take away one side of the bargaining position. In this case, our side.
18 June, 2008
FMEA Step 1
Develop the Ratings table/index
The ratings table consists of three columns:
Severity Rating
Occurrence Rating
Detectability Rating
You typically have a scale from 1 to 5, 7 or 10, depending on the level of granularity that is needed in your organization.
Anyone who has done a real BIA would get the Severity section almost immediately.
In short, the trick here is to tie each escalating level of severity to a specific series of business impacts.
Brand/Reputation - TJX, Hannaford ... what else needs to be said
Direct Financial Loss - Fraud, Equipment Damage, Theft, Embezzlement, Lost Sales ...
Indirect Financial Loss - Cost of Data Recreation, Lost FTO time, Lost future sales, Project Delays
Legal Liability - often part of direct and indirect, but also includes Legal costs, Fines, Cost of increased regulatory oversight ...
Compliance - The costs associated with failed compliance
Many more ... when you develop the ranking table, do it with the business leads and let them define their concerns.
Occurrence and Detection: continued later.
I will stress this one more time: this is not a risk assessment, it is a risk priority ranking. The risk gurus will definitely get the distinction right away, but if you don't get it and you are doing this, you will eventually run into the all-powerful cost justification argument. It is powerful when dealing with audit and those pesky internal budget decisions.
Because it focuses primarily on priority it is faster, easier and more agile. Think 10 meetings vice 100, with 20 people instead of 200. (Obviously adjust those for company size.)
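An added example, not from the original post, of what the three-column ratings table turns into once the rows are filled in: each failure mode gets a Severity, Occurrence and Detectability rating on an assumed 1..10 scale, the product is the Risk Priority Number, and the list is ordered by it. The severity anchors and the sample failure modes are constructed for illustration and are not the author's table; the tie-break on severity is a common FMEA convention assumed here.

```python
from dataclasses import dataclass

SCALE_MAX = 10  # the post allows 1..5, 1..7 or 1..10; 10 is assumed here

# Severity anchors tied to the business-impact categories listed in the post.
# Constructed illustration of the idea, not the author's own ratings table.
SEVERITY_ANCHORS = {
    1: "no measurable business impact",
    3: "indirect financial loss (data recreation, project delays)",
    5: "direct financial loss (fraud, theft, lost sales)",
    7: "legal liability or failed compliance (fines, regulatory oversight)",
    10: "brand/reputation damage on the scale of a public breach",
}

@dataclass(frozen=True)
class FailureMode:
    name: str
    severity: int       # business impact if the failure effect occurs
    occurrence: int     # how often the failure mode is expected to happen
    detectability: int  # 1 = caught before impact, SCALE_MAX = never noticed

def _check(value: int, label: str) -> int:
    if not 1 <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be within 1..{SCALE_MAX}, got {value}")
    return value

def rpn(mode: FailureMode) -> int:
    """Risk Priority Number: product of the three ratings. It orders failure
    modes relative to each other; it is not a loss estimate (not an ALE)."""
    return (_check(mode.severity, "severity")
            * _check(mode.occurrence, "occurrence")
            * _check(mode.detectability, "detectability"))

def rank(modes: list) -> list:
    """Highest RPN first; ties go to the higher severity (assumed convention),
    so a rare but catastrophic effect is not buried under a frequent nuisance."""
    ordered = sorted(modes, key=lambda m: (rpn(m), m.severity), reverse=True)
    return [(m.name, rpn(m)) for m in ordered]

# Constructed sample rows for a payments application.
SAMPLE = [
    FailureMode("Card data exposed by unpatched web server", 10, 4, 6),
    FailureMode("Nightly settlement batch job fails silently", 5, 7, 8),
    FailureMode("Report email sent to wrong internal group", 3, 8, 2),
    FailureMode("Backup restore never tested, restore fails", 7, 3, 10),
]

if __name__ == "__main__":
    for name, score in rank(SAMPLE):
        print(f"{score:4d}  {name}")
```

Note that the silently failing batch job outranks the breach scenario purely on detectability, which is the kind of re-ordering that gets business leads arguing about the table rather than the result.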
17 June, 2008
FMEA
Failure Mode Effects Analysis
I mentioned it a few weeks ago.
In a nutshell, it is a relatively fast and dirty way of weighting and assessing the relative priority of risks. It is not a risk assessment and certainly not an ALE, but if you combine it with a good series of BIAs linked empirically to the Failure Effects that are assessed against, it can close a lot of gaps with not much work. If I were a consultant looking for a quick way to add risk prioritization value to a client, I would certainly look into it. If the ratings table is properly developed, it also significantly reduces the controversy of the rankings.
More later
11 June, 2008
Musical Religious Jux
I might be a bit schizo
Though if you listen, one is the promise, the other the fear.
Another one that has no video is here: http://music.yahoo.com/track/16308352
15 May, 2008
Sometimes a soul is perfect before birth and God decides it is time
Nathan Green Cupps
Born May 14 2008
Died May 14 2008
Tough Week
16 April, 2008
03 March, 2008
SCADA Topic - Source
Looks like an interesting conference.
http://www.sourceboston.com/
Write to me if you are interested in going.
And for all of you other bloggers that I haven't been engaging with as well as I should, please forgive me and link to either this post or the conference for me.
18 February, 2008
Evolution
In the next few generations our peripheral vision is going to improve several fold.
Call it the BlackBerry selection factor.
14 February, 2008
Year of SoD
From a security perspective
If '00 and '01 were the years of the worm;
'02 through '04 the years of SOX, compliance, and executive oversight;
'05 through '07 the years of organized crime and identity theft;
then
in the security realm these will be the years of Segregation of Duty.
Why?
7 Billion Dollars
Wall Street Journal
http://online.wsj.com/article/SB120168827173528415.html?mod=googlenews_wsj
CNN
http://www.cnn.com/2008/WORLD/europe/01/30/french.bank.ap/
Reuters
http://www.reuters.com/article/businessNews/idUSWEB304120080124
Bloomberg
http://www.bloomberg.com/apps/news?pid=20601085&sid=aSy8ZDtkdcow&refer=europe
On the Sub-Prime Side
Guardian
http://www.guardian.co.uk/business/2008/jan/30/subprimecrisis.creditcrunch?gusrc=rss&feed=networkfront
Financial News
http://www.financialnews-us.com/?page=ushome&contentid=2449684760
Information Security has a unique role that it can play in protecting a company from these issues. That role is due to the convergence of information: the information security team is the only place where all of the data exists that can be used to properly control for these types of complex issues.
Addressing them requires the proper combination of ID management, role-based controls, and analytic business intelligence. (The latter is the primary reason I championed the Analytic Environment standards over a year ago.)
This is an area where Info Security can not only serve as a minimum barrier to prevent downtime or confidentiality loss, but can also add legitimate value to the business in the form of information, reports and preventative controls that enable increased trust in the actual people performing the real day-to-day work, without the risk of a massive failure.
On the opposite end, SoD control failures are massive and systemic. Not only do they result in dramatic items like the ones mentioned above, but also in ubiquitous, often unintentional losses. From system downtime to improperly placed orders or paid claims, the incremental small losses exist in every organization.
The real question now is can we position ourselves so that we are ready as these waves break?
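An added example, not from the original post, of the "ID management plus role-based controls plus analytics" combination in its simplest form: a toxic-combination check that resolves each user's roles to entitlements and flags anyone who holds both halves of a conflicting pair (place and approve an order, submit and pay a claim). The entitlement names, roles and users are constructed; the conflict pairs are assumed examples, not a standard matrix.

```python
from collections import defaultdict

# Pairs of duties one person should never hold together (assumed examples).
TOXIC_PAIRS = {
    ("vendor.create", "payment.approve"): "create a vendor and pay it",
    ("order.place", "order.approve"): "place and approve the same order",
    ("claim.submit", "claim.pay"): "submit and pay a claim",
    ("user.provision", "audit.log.purge"): "create accounts and erase the trail",
}

# Role definitions as an identity-management system would export them (constructed).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve", "invoice.enter"},
    "buyer": {"order.place"},
    "purchasing_lead": {"order.approve"},
    "claims_adjuster": {"claim.submit", "claim.pay"},  # the role itself is toxic
    "it_admin": {"user.provision"},
}

# Role assignments per user (constructed); alice kept her old role after a transfer.
USER_ROLES = {
    "alice": {"ap_clerk", "ap_manager"},
    "bob": {"buyer"},
    "carol": {"claims_adjuster"},
    "dave": {"it_admin"},
}

def effective_entitlements(roles, role_map=ROLE_ENTITLEMENTS):
    """Union of everything the user's roles grant."""
    ents = set()
    for role in roles:
        ents |= role_map.get(role, set())
    return ents

def find_conflicts(user_roles=USER_ROLES, role_map=ROLE_ENTITLEMENTS, pairs=TOXIC_PAIRS):
    """Return {user: [conflict description, ...]} for every toxic pair a user holds."""
    findings = defaultdict(list)
    for user, roles in user_roles.items():
        ents = effective_entitlements(roles, role_map)
        for (a, b), why in pairs.items():
            if a in ents and b in ents:
                findings[user].append(why)
    return dict(findings)

def toxic_roles(role_map=ROLE_ENTITLEMENTS, pairs=TOXIC_PAIRS):
    """Roles that conflict on their own: a role-design defect, not an assignment one."""
    return sorted(r for r, ents in role_map.items()
                  if any(a in ents and b in ents for a, b in pairs))
```

Run as a recurring report rather than a one-off, this is the "analytic" half: role accumulation like alice's is what an access review is meant to catch, and carol's case shows the role catalogue itself needs review before any assignment does.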
11 February, 2008
GLB
Anyone want to chime in on what their take is on this quote from GLB?
"was, or is reasonably believed to have been, acquired by an unauthorized person"
What is reasonable?
Any case law people can link to?
How about other State Laws.
Oh yeah, a good table to have if you are a CISO, Director of Security or a Compliance lead. Not sure how up to date it is, but the current one was from November of '07.
29 January, 2008
Fatal Memes
“There is a thought that stops thought. That is the only thought that ought to be stopped.” - Chesterton
24 January, 2008