24 September, 2008

Ubuntu Rules

1. No I haven't abandoned the blog.
2. Yes I am going to finish the FMEA stuff.
3. Ubuntu is quite nice.

Oh Snap

28 June, 2008

Mortgage - Doddgate = more homeless

Look, if we remove the risk and impact of defaulted loans from mortgage companies, the result will be more defaults and therefore more foreclosures. The result of Congress bailing out the mortgage companies will be more foreclosures, not fewer, because they will have less incentive to negotiate with borrowers who are on the line.

This holds especially true for variable rate loans where the borrower is able to make the initial payments but the increased payments are out of reach. In these cases neither the borrower nor the lender should have made the agreement in the first place, but if you remove the downside of the default from the vendor, why would they ever entertain the idea of negotiating with someone who was making payments earlier?

This article misses the point in the end, but I agree with the bailout point. Government involvement is exacerbating the problem and it isn't a solution.

This makes Doddgate even worse. Dodd's FOA status might lead directly to more people getting kicked out of their houses.

We need to make it clear to Congress and the Senate that they need to be very careful about how they walk when it comes to solutions that take away one side of the bargaining position. In this case, our side.

18 June, 2008

FMEA Step 1

Develop the Ratings table/index

The ratings table consists of 3 columns:

1. Severity Rating
2. Occurrence Rating
3. Detectability Rating

You typically have a scale from 1 to 5, 7 or 10, depending on the level of granularity that is needed in your organization.

Anyone who has done a real BIA would get the Severity section almost immediately.

In short, the trick here is to tie each escalating level of severity to a specific set of business impacts.

Brand/Reputation - TJX, Hannaford ... what else needs to be said
Direct Financial Loss - Fraud, Equipment Damage, Theft, Embezzlement, Lost Sales ...
Indirect Financial Loss - Cost of Data Recreation, Lost FTO time, Lost future sales, Project Delays
Legal Liability - often part of direct and indirect loss, but also includes legal costs, fines, the cost of increased regulatory oversight ...
Compliance - the costs associated with failed compliance

Many more ... when you develop the ranking table, do it with the business leads and let them define their concerns.

Occurrence and Detection continued later.

I will stress this one more time: this is not a risk assessment, it is a risk priority ranking. The risk gurus will get the distinction right away, but if you don't get it and you present this as an assessment, you will eventually run into the all-powerful cost justification argument. That argument carries weight when dealing with audit and those pesky internal budget decisions, and a priority ranking by itself cannot answer it.

Because it focuses primarily on priority it is faster, easier and more agile. Think 10 meetings rather than 100, with 20 people instead of 200 (obviously adjust those for company size).
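To make the ratings table concrete, here is an added example (not code from the original post) of a small FMEA-style ranking in Python. The three ratings use a 1-10 scale, one of the options named above. Ordering failure modes by the product Severity x Occurrence x Detectability is the standard FMEA Risk Priority Number (RPN); the post only says "priority ranking", so that formula is an assumption here. The severity anchors reuse the impact categories listed above, while the dollar thresholds and the sample failure modes are constructed.

```python
"""FMEA-style risk priority ranking.

Added example, not code from the original post. The three ratings use a
1-10 scale, one of the options the post names. Ranking by the product
Severity x Occurrence x Detectability (the standard FMEA Risk Priority
Number, RPN) is an assumption: the post only says "priority ranking".
The severity anchors reuse the post's impact categories; the dollar
thresholds and the sample failure modes are constructed.
"""
from dataclasses import dataclass

# Each severity level is tied to a specific business impact so that the
# business leads, not the security team, own the definition.
SEVERITY = {
    1: "No measurable business impact",
    3: "Indirect financial loss: data recreation, lost staff time, minor delay",
    5: "Direct financial loss below a constructed $100k threshold",
    7: "Direct loss above $100k, or a compliance failure with fines",
    10: "Brand/reputation damage: public breach notification, legal liability",
}
OCCURRENCE = {1: "Once in ten or more years", 3: "Once every few years",
              5: "About yearly", 7: "Monthly", 10: "Weekly or more often"}
# Detectability: a high number means hard to detect (standard FMEA direction).
DETECTABILITY = {1: "Prevented, or caught automatically before impact",
                 3: "Caught by monitoring within hours",
                 5: "Caught in a periodic review (weeks)",
                 7: "Caught only by audit or customer complaint",
                 10: "Would not be detected"}


@dataclass(frozen=True)
class FailureMode:
    name: str
    severity: int
    occurrence: int
    detectability: int

    def validate(self) -> None:
        # A rating that is not a defined row of the table is rejected:
        # the table, not the meeting, decides what a "7" means.
        for label, value, table in (("severity", self.severity, SEVERITY),
                                    ("occurrence", self.occurrence, OCCURRENCE),
                                    ("detectability", self.detectability, DETECTABILITY)):
            if value not in table:
                raise ValueError(f"{self.name}: {label} {value} is not on the ratings table")

    def rpn(self) -> int:
        """Risk Priority Number: a dimensionless ordering key, not an ALE."""
        self.validate()
        return self.severity * self.occurrence * self.detectability


def rank(modes):
    """Return [(name, rpn), ...] highest priority first.

    Ties are broken by severity, then occurrence, so two modes with the
    same product do not land in arbitrary order.
    """
    ordered = sorted(modes, key=lambda m: (m.rpn(), m.severity, m.occurrence), reverse=True)
    return [(m.name, m.rpn()) for m in ordered]


# Constructed sample failure modes for a small IT shop.
SAMPLE_MODES = [
    FailureMode("Unencrypted laptop stolen", severity=10, occurrence=5, detectability=10),
    FailureMode("Backup tape lost in transit", severity=10, occurrence=3, detectability=7),
    FailureMode("Terminated employee keeps VPN access", severity=7, occurrence=5, detectability=7),
    FailureMode("Internet-facing server unpatched", severity=7, occurrence=7, detectability=3),
    FailureMode("Firewall rule change misconfigured", severity=5, occurrence=7, detectability=3),
]

if __name__ == "__main__":
    for name, rpn in rank(SAMPLE_MODES):
        print(f"{rpn:4d}  {name}")
```

The validation step is where the controversy reduction happens: a rating that is not a defined row of the table is rejected outright, so the argument in the room is about which row an impact belongs to, not about what a number means. The RPN is only an ordering key; it has no units and is not an expected loss figure.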

17 June, 2008


Failure Mode Effects Analysis

I mentioned it a few weeks ago.

In a nutshell it is a relatively quick and dirty way of weighting and assessing the relative priority of risks. It is not a risk assessment and certainly not an ALE, but if you combine it with a good series of BIAs, linked empirically to the failure effects being assessed, it can close a lot of gaps with not much work. If I were a consultant looking for a quick way to add risk prioritization value to a client I would certainly look into it. If the ratings table is properly developed it also significantly reduces the controversy around the rankings.

More later

11 June, 2008

Musical Religious Jux

I might be a bit schizo

Though if you listen one is the promise the other the fear.

Another one that has no video is here: http://music.yahoo.com/track/16308352

15 May, 2008

16 April, 2008

03 March, 2008

SCADA Topic - Source

Looks like an interesting conference.


Write to me if you are interested in going.

And for all of you other bloggers that I haven't been engaging with as well as I should, please forgive me and link to either this post or the conference for me.

18 February, 2008


In the next few generations our peripheral vision is going to improve several fold.

Call it the blackberry selection factor.

14 February, 2008

Year of SoD

From a security perspective

If '00 and '01 were the years of the worm,

'02 through '04 the years of SoX, compliance, and executive oversight,

and '05 through '07 the years of organized crime and identity theft,


then in the security realm these will be the years of Segregation of Duty.


7 Billion Dollars
Wall Street Journal

On the Sub-Prime Side
Financial News

Information Security has a unique role that it can play in protecting a company from these issues. That role is due to the convergence of information: the information security team is the only place where all of the data needed to properly control for these types of complex issues comes together.

Addressing them requires the proper combination of ID management, Role-Based Controls, and Analytic Business Intelligence (the latter is the primary reason I championed the Analytic Environment standards over a year ago).

This is an area where Info Security can not only serve as a minimum barrier against downtime or confidentiality loss, but can also add legitimate value to the business in the form of information, reports and preventative controls that allow increased trust in the actual people performing the real day-to-day work without the risk of a massive failure.

On the opposite end, SoD control failures are massive and systemic. Not only do they result in dramatic items like the ones mentioned above, but also in ubiquitous, often unintentional losses. From system downtime to improperly placed orders or paid claims, the incremental small losses exist in every organization.

The real question now is can we position ourselves so that we are ready as these waves break?
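As an added example (not code from the original post), the following Python shows the three pieces named above working together: an identity management export supplies who holds which roles, the role-based control is a conflict matrix of role pairs one identity must never hold together, and a simple analytic pass over transaction records catches the violations a static role check misses. All role names, users, and log records are constructed.

```python
"""Segregation-of-duty (SoD) conflict checks.

Added example, not code from the original post. It shows the three pieces
the post names working together: identity management supplies who holds
which roles, role-based controls supply the conflict matrix, and a simple
analytic pass over transaction records catches what the role check misses.
All role names, users, and log records are constructed.
"""
from collections import defaultdict

# Conflict matrix: pairs of roles one identity must never hold together.
# In a real deployment the business owners define these pairs.
CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"purchase_order_create", "purchase_order_approve"}),
    frozenset({"claim_submit", "claim_pay"}),
    frozenset({"trade_execute", "trade_settle"}),
}


def grant_would_conflict(current_roles, new_role):
    """Preventive control: roles already held that conflict with new_role.

    Called from the provisioning workflow before a grant is committed;
    an empty result means the grant is clean.
    """
    return {r for r in current_roles if frozenset({r, new_role}) in CONFLICTS}


def role_conflicts(assignments):
    """Review control over {user: set(roles)}: users holding a toxic pair."""
    findings = []
    for user, roles in assignments.items():
        for pair in CONFLICTS:
            if pair <= roles:
                first, second = sorted(pair)
                findings.append((user, first, second))
    return sorted(findings)


def transaction_conflicts(log):
    """Detective control over (txn_id, action, actor) records.

    Flags transactions where the same actor performed both sides of a
    conflicting pair. This catches what the static role check cannot:
    an actor who accumulated roles over time, a shared account, or an
    emergency grant that was never revoked.
    """
    by_txn = defaultdict(dict)  # txn_id -> {action: actor}
    for txn_id, action, actor in log:
        by_txn[txn_id][action] = actor
    findings = []
    for txn_id, actions in by_txn.items():
        for pair in CONFLICTS:
            first, second = sorted(pair)
            if first in actions and second in actions and actions[first] == actions[second]:
                findings.append((txn_id, actions[first], first, second))
    return sorted(findings)


# Constructed role assignments as an IdM export would provide them.
ASSIGNMENTS = {
    "alice": {"purchase_order_create", "vendor_create"},
    "bob": {"purchase_order_create", "purchase_order_approve", "reporting"},
    "carol": {"payment_approve", "purchase_order_approve"},
    "dave": {"trade_execute"},
}

# Constructed transaction records. dave settles a trade he executed even
# though the IdM export does not show him holding trade_settle.
LOG = [
    ("PO-1001", "purchase_order_create", "alice"),
    ("PO-1001", "purchase_order_approve", "carol"),
    ("PO-1002", "purchase_order_create", "bob"),
    ("PO-1002", "purchase_order_approve", "bob"),
    ("TR-0077", "trade_execute", "dave"),
    ("TR-0077", "trade_settle", "dave"),
    ("CL-0005", "claim_submit", "erin"),
    ("CL-0005", "claim_pay", "frank"),
]

if __name__ == "__main__":
    print("role conflicts:", role_conflicts(ASSIGNMENTS))
    print("transaction conflicts:", transaction_conflicts(LOG))
    print("alice + payment_approve:",
          grant_would_conflict(ASSIGNMENTS["alice"], "payment_approve"))
```

The role review finds bob, who holds both purchase order roles. The transaction pass also finds dave on TR-0077: the role export never showed him with trade_settle, so only the analytic side catches it. That gap between what the role data says and what the transaction data shows is exactly why the post argues the controls need all three pieces rather than ID management alone.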

11 February, 2008


Anyone want to chime in on what their take is on this quote from GLB?

"was, or is reasonably believed to have been, acquired by an unauthorized person"

What is reasonable?

Any case law people can link to?

How about other State Laws.

Oh yea a good table to have if you are a CISO, Director of Security or a Compliance lead. Not sure how up to date it is. But the current was November of '07.

29 January, 2008

Fatal Memes

“There is a thought that stops thought. That is the only thought that ought to be stopped.” - Chesterton

24 January, 2008

Buckaroo Banzai

They are coming to take me away

Ha ha

He he

ho ho

10 Reasons