Ed’s latest E-Commerce piece:

The human brain is able to compensate for the natural blind spots in our eyeballs by filling in the missing pieces of data and interpreting what’s already there to get to a more complete picture. With the appropriate organization, the same can be done in IT, and the results can mean better use of data you already have.

For the rest of the article, please click here.

Tech-heavy regulatory audits are nobody’s definition of a good time. But they happen, and taking the time to prepare for them is time well-spent. It’s certainly not advisable to have your IT department spend inordinate amounts of time and effort just to get ready on the off chance that an auditor should show up, but a few relatively easy exercises and policies can save you worlds of headache later on.

here’s no shame in admitting that audits are hard. For those of us in IT, hearing the word “audit” probably brings up a groundswell of negative connotations and the corresponding aggravation and headache: We know from having lived through it that tech-heavy regulatory audits — annual PCI assessments, HIPAA audits, ISO, etc. — cut directly into our staff’s ability to get their already-busy jobs done.

For the rest of Ed’s recommendations on how to make your audit process more efficient, please click over to Technology News.

Ed’s latest column for ECT/TechNews World takes a look at the benefits of challenging your technology assumptions:

One of the many pitfalls of information security is the illusion of permanence that surrounds many longstanding tools, policies and ways of doing business. Too often, the fact that “it’s always been done that way” clouds our judgment and blinds us to a system’s holes. To avoid that mistake, it’s time to learn how to second-guess yourself.

Read the rest of the article here.

I came across a Computer World article this morning about “new standards” for doing security vendor assessment. I got all excited for a few minutes until I got to the part about how it’s a BITS initiative, but I decided to keep an open mind and do some research on it anyway. After all, I’ve said all along that I think the goal of having a common vendor score-card would be good for the industry (not to mention that it’s a good way to make money for those of us in the scoring business). Needless to say, I was disappointed by what I found.

Overall, I found the FISAP documents on the BITS site to be lacking in specificity (the FAQ, the program overview, etc.) The real “coup de grace” came, though, when I found out that the FISAP program is really (more or less) the BITS outsourcing workgroup with a new name; they’ve taken the long, vague, and toothless outsourcing documents we’ve all grown to love and “presto chango” made them into the core of the FISAP program. Seriously, this is from the program overview:

The Financial Institution Shared Assessments Program was conceived by the BITS IT Service Providers Working Group and leverages two groundbreaking outsourcing guides: the BITS IT Service Provider Expectations Matrix, a risk management tool for financial institutions, and the BITS Framework for Managing
Risk for IT Service Provider Relationships.

Bummer. I know a lot of people worked hard on these documents, so I really hate downplaying their achievements – but sometimes you just have to say what needs to be said. These documents are painful (I can say this without worry of hurting anybody’s feelings since these documents are all written by commitee anyway.) They’re skillfully worded not to prescribe anything, they state the obvious in the “eat your vegetables” kind of way, and they’re incredibly long – they’re like the “muzak” of security guidance.

Is that too harsh? Look, time is valuable. A 125 page document that doesn’t tell me anything wastes my time. This kind of long valuless document (nicely worded though it may be) is worse than useless to me. Useless would be if it required a small investment in time to read and provided a correspondingly small value – in that case, the energy spent reading it would roughly equal the value I got from it (“net zero”.) “Worse than useless” is when a large investment in time is required (like the time it takes ot read 125 pages) and provides minimal value – that’s a “net negative” – meaning I would have been better off if I had not read it. If you still think it’s too harsh, take a look for yourself – I don’t find it valuable, but that’s just me…

So how seriously do I think the industry will take FISAP? Maybe about as seriously as they take the BITS certification initiative. As per the BITS site, there are three products certified by BITS in their decade-long history (that’s an average of one every 3 years 4 months). Ouch.