Category Archive for 'Security Architecture'

PSD, Payment Service Directive, is a very interesting directive from the EU regarding opening up payment flows all over the EU. Read more here: http://register.consilium.europa.eu/pdf/en/07/st03/st03613-re02.en07.pdf This of course will create changes in the current systems for how money is transferred within the EU today. From my point of view the possible need for changes in the security […]

Even if I really appreciate WSSRA and have had quite a lot of use for it, sometimes I run into issues where it is not as clear as one could hope. The description and relationship of the following words: Threat, Threat Agent, Vulnerability, Exploit and Risk are, in the big picture, correct and you understand […]

During my years within the IT industry working with security I have taken pride in never just saying no, but saying no and giving an explanation. By doing that my no later on could be a yes because the customer could explain what they wanted and I could help them create a secure solution. Sadly […]

Security professionals shudder and CSOs turn their heads away when Shadow IT is mentioned. This is a part of IT that is not regulated and therefore is dangerous… or is it? I agree that Shadow IT indeed could pose a threat if for example some employees or managers open up corporate information for the whole […]

I had a rather long discussion with a good friend and former colleague today regarding simplicity in security. It is a well-known fact that when your solution is too complex you probably have done it wrong. But the issue he had was that if you do not implement a security solution so it is […]

Now and then I get engaged in discussions regarding whether security should be driven by business or by risk. Meaning that either security issues should be raised when business wants a new function or changes in an existing function, or security should only be raised as an effect of risk analysis. This is not a simple […]

You now have the value of every asset. Let's start with the hard stuff: deciding what assets to protect first. Even if it sounds simple to just make a list from certain criteria, the dependencies between resources have made this a lot harder. Virtualization will not make it easier. WSSRA SA states that factors you […]

The process for determining the assets to protect is named Asset Assessment and Valuation. The first thing is to identify the assets you have. In my last post I defined the criteria for identifying assets. Let's take a closer look at the assets and determine what parts of an asset really need to be protected. […]

IT-Architecture is all about having a common language to describe an IT-environment. WSSRA SA defines a few words that are commonly used throughout the document: Assets, People, Process. Assets are divided into two groups: Data asset and Tier Asset. Data assets are the information stored within your databases, your spreadsheets and your Word documents. That is […]

In the last few weeks I have found quite a lot of companies hiring consultants with knowledge about WSSRA, Windows Server System Reference Architecture. Even if I like the concept of architecture it could be quite hard to grasp sometimes for an inexperienced person. During the following weeks I will write short notes about key concepts regarding […]
