I have had a series of conversations recently where the concepts of alignment, compliance and certification of ISO 27001 were very confused. Certification was seen as horribly costly and alignment was held out as a good enough goal that was entirely achievable. In this particular environment they were already ‘aligned’ and had…
Author: Phil
Making sense of pen testing, part two
This is the second in a series of posts looking at the current state of pen testing as I see it and presenting some ideas for the future. Part one is available here. In this post I will explore some of the issues I see in pen testing, it’s something…
Making sense of pen testing, part one
This is the first in a series of posts looking at the current state of pen testing as I see it and presenting some ideas for the future. In this post I will apply a framework to understanding the process of pen testing. In the next post here I discuss…
ORGCon 2012
I attended the Open Rights Group Conference (ORGCon) this year. We are at a weird moment where the Internet and the associated digital technologies it has spawned and supported are wreaking changes to the social, cultural and economic environment that don’t easily fit the current models of law and governance.…
Documenting an As-Is Security Architecture, part two
This is a continuation from part one.
Documenting current environments
This activity is focused on identifying the physical and logical environments in scope for the business architecture. A logical and physical model will be created to hold entities describing physical facilities, wide area networks and systems that store, process or…