Sunday, April 19, 2015

Reasonable Assurance Does Not Make Me Sleep Better

That was the title of a presentation I gave a few days ago at the Lansing Chapter of the Institute of Internal Auditors.  The idea for the theme came to me because I continue to hear the phrase "reasonable assurance" applied in several ways to audit work.  It just struck me that any audit of information technology security performed to a level of reasonable assurance does not make me feel any better about the actual security of the system.

Our adversaries are not "reasonable" in the lengths to which they will go to abuse the systems that we as IT professionals have worked so hard to build. Business customers and citizens interacting with government just want functionality to be able to get a product, a service or communicate with the organization.  But, because that's where the money is, criminals prefer to see these systems and applications as opportunities to steal money or proprietary information, embarrass the organization or bring them down.

If auditors are only trying to ensure that management has done a reasonably good job of implementing reasonable controls that are reasonably effective, we're sunk.  Of course, it's not the job of Audit to identify every vulnerability.  Audit is considered the third line of defense.  Stakeholders might believe Audit has their backs covered, but that's a different problem.  Audit is responsible for ensuring that stakeholders understand the true risk, so that the risk can be accepted, mitigated or transferred.  I believe this effort too often fails, and I hope this presentation is useful in providing a perspective that makes it easier to achieve that limited goal.

The presentation can be downloaded from the share here:
If you go to my Downloads page, you'll be able to compare the sha1 checksum.
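The checksum comparison the post asks readers to make, written out as an added example that is not from the post itself: a small POSIX shell function that hashes a downloaded file with sha1sum (falling back to shasum on systems such as macOS that lack it) and compares the result, case-insensitively, with the digest published on the Downloads page. The file name and the expected digest are arguments the reader supplies; the demo input at the bottom is a constructed file containing the string "abc", not the presentation.

```shell
# Added example (not from the post): verify a downloaded file against a published SHA-1.
# Usage: verify_sha1 <file> <expected-hex-digest>
# Returns 0 when the digests match, 1 on mismatch, 2 when the file cannot be read.
verify_sha1() {
  file="$1"
  expected="$2"

  if [ ! -r "$file" ]; then
    echo "ERROR: cannot read $file" >&2
    return 2
  fi

  # GNU coreutils ships sha1sum; BSD and macOS ship shasum instead.
  if command -v sha1sum >/dev/null 2>&1; then
    actual=$(sha1sum "$file" | awk '{print $1}')
  else
    actual=$(shasum -a 1 "$file" | awk '{print $1}')
  fi

  # Published digests are sometimes upper-case; normalise before comparing.
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')

  if [ "$actual" = "$expected" ]; then
    echo "OK: $file  sha1=$actual"
    return 0
  fi
  echo "MISMATCH: $file  sha1=$actual  expected=$expected" >&2
  return 1
}

# Constructed demo input: the string "abc", whose SHA-1 is the standard test vector below.
demo_file=$(mktemp)
printf 'abc' > "$demo_file"
verify_sha1 "$demo_file" a9993e364706816aba3e25717850c26c9cd0d89d
rm -f "$demo_file"
```

A matching SHA-1 still catches a truncated or corrupted download, but SHA-1 is no longer collision-resistant, and a digest published on the same site as the file only shows that the two agree: anyone who can tamper with the download can usually edit the published hash as well. Treat the check as an integrity check on the transfer, not as proof of who produced the file.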

Slide 1 illustration courtesy of artist George Grie, from

Tuesday, January 27, 2015

Big updates to ISC2 CISSP Exam coming soon

The recently announced changes to the ISC2 CISSP exam are the most significant I've seen in years. They're moving to re-align test coverage to the newest issues in information security and current job practice areas. Some of the previous security domains have been expanded, while others have changed completely or been eliminated.  The new domains are:

  • Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)

  • Asset Security (Protecting Security of Assets)

  • Security Engineering (Engineering and Management of Security)

  • Communications and Network Security (Designing and Protecting Network Security)

  • Identity and Access Management (Controlling Access and Managing Identity)

  • Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)

  • Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)

  • Software Development Security (Understanding, Applying, and Enforcing Software Security)

Dr. Eric Cole, author of SANS MGT414, is presenting the new curriculum through the vLive format in early March, and other presenters will be field-testing it between now and September 9th, when I launch the Mentor sessions in East Lansing, Michigan.

If you saw my earlier post about the Mentor session I'm presenting for the CISSP exam prep, I've updated it to link to the new flyer and registration page.

original post:

Wednesday, January 14, 2015

SANS Mentor Information Security Training in Mid-Michigan

If you are planning information security training for yourself or employees this year, I hope you'll consider the CISSP® exam preparation course I'm presenting in East Lansing, Michigan, beginning Thursday, March 19.

UPDATE: SANS Institute is in the process of updating the curriculum for this course to align with the changes being announced by ISC2 for test candidates beginning April 15, 2015. You want the newest course content that will get you through the new test.  Since we need to move the Lansing Mentor session for this test prep course, the best opening to do it looks like September, starting on Wednesday the 9th.  Hopefully, this means a few more people who were considering the course will be able to register.

If you aren't familiar with the SANS Mentor course format, rather than five consecutive days of lectures, you attend shorter presentations one evening per week.  Bring your questions to class and be prepared for discussion with your peers.  In between sessions you have time to study and digest the materials.  You still get all the curriculum you would get at a large SANS conference costing thousands of dollars more, but without the need to take time away from the office.

Details are at  Be sure to get the discount and registration codes from the flyer on my downloads page, or directly via: