
January 2007 Archives


January 18, 2007

How are your security procedures working in case of an emergency?

It's been a while — if I said it's been a very busy end of the year, would you possibly believe that? Anyway, I'm here again, so stay tuned!

Imagine a fire alarm. How much would it take to trigger one in your building? Press an alarm button? Trick three smoke sensors at the same time? Maybe make a small campfire of your own?

Of course, in case of fire, all occupants need to leave the building, and they need to do it immediately. They will obviously crowd into tight staircases, halls and doorways. There are going to be a great many of them: far too many to notice whether everyone has their ID card on them. Not to mention that, in a hurry, it’s so easy to lose one.

To let people safely leave the building, all the doors need to get unlocked. No-one gets in, but everyone has to get out.

Doesn’t it sound ridiculously easy for a cleaning person to leave the building with the CEO’s laptop full of confidential data and simply vanish once they’re out?

So, maybe it’s worth having a closer look at emergency situations that lower the physical security level? They are worth no less attention than the information that may be stolen when such a situation is abused.

January 23, 2007

One SOX to rule them all

Why is SOX your friend during an assessment? For the same reason as every established set of rules or requirements — it leaves as little room for interpretation as possible and gives an assessor a foundation on which they can rely. Of course, such a strict set of guidelines cuts both ways, just like every checklist. But what it can do for you is turn your trouble gathering information into the business owner’s trouble providing it.

It simply serves as an excellent excuse for insisting on being provided with evidence that appropriate security controls are in place. And evidence in this case really means evidence: an admin going “It’s there man. For real. Got my word for that” is not enough, no matter how much you happen to like him and believe his words. It’s official, everybody knows that, and there is no room for discussion — either the evidence is provided or the SOX gap is reported.

And it is obviously in the best interest of a Business Owner to have as few SOX gaps as possible.

© 2006-2007 Michał Sobiegraj. All rights reserved. The views expressed here are my own, and not necessarily endorsed by any former or current employer.

About January 2007

This page contains all entries posted to Michal Sobiegraj | Security Consultant and Evangelist in January 2007. They are listed from oldest to newest.

