According to Higgins (2010) “Risk appetite is the amount of risk an organization is willing to take on or is prepared to accept in pursuing its strategic objectives”, (p.16). This willingness is influenced factors such as financial resources, objectives, risk capacity, existing risk profile, risk tolerance and risk attitude (Wendell, 2012) and (COSO, 2012). Conducting it is important as it provides a vital piece of information; it can provide bounds (upper and lower) on the strategies and decisions that are utilized to pursue the organization's objectives. According to COSO (2012), risk tolerance is The acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective. In setting risk tolerance, management considers the relative importance of the related objective and aligns risk tolerances with risk appetite. Operating within risk tolerances helps ensure that the entity ...

On another note, with respect to incident response management, the purpose is to provide a plan for a clear path of resolving a security breach. According to the Special Publication NIST 800-61 Rev. 2, the first thing that an organization should do is establish a clear organizational meaning of the word “incident”. It provides a guide to incident handling and recommends establishing response capabilities, incident response policies, an IR plan, procedures, information sharing mechanisms, team structure and even collaboration with external groups. The team’s structure, the services they provide along with the policies and procedures are established. This team consists of: internet service providers, incident reporters, law enforcement agencies, software and support vendors, customers and media as well as other teams. The recommended incident handling procedure consists of: preparation, detection and analysis, containment, eradication and recovery. During the preparation phase, the s...

Although there may be numerous methodologies available today for developing software whether it is based on a sequential, prototyping or even iterative model, the absence of security at each phase will render applications being vulnerable and easily exploitable when deployed. NIST 800-64 Rev. 2 provides a guide that incorporates security into a sequential model of a SDLC. Currently, at my organization this type of model is preferred since there are small development teams. One of the first recommendations made by is NIST 800-64 Rev. 2 is based on policy and guidelines. It states that there should be a written SDLC policy tailored to suit whether the business develops its own software or outsources software development and even maintenance. At my organization, there is a mesh of both. Large complex enterprise systems are usually outsourced while smaller manageable applications are developed in-house where there may not be an alternative available at a low cost. For example, human re...

According to the University of Sheffield, University Wire magazine, "Often in an organization, the weakest link is not the software on the systems or the hardware that makes it up; the weakest link is the individual." This thought seems to be the trend proliferating throughout modern organizations. Security awareness is measured as the degree at which the employee understands and acknowledges the necessity and importance of information security according to (Kruger & Kearney, 2006).   The purpose of security awareness is to ensure that an organizations information security policy is adhered to. It enables employees to appreciate and consciously follow outlined adopted best practices and procedures of the organization. Security awareness should stem from C-level decision makers who should know how important and vital security awareness is for return on investment and longevity of an organization. This thinking should trickle down to entry level of the organization and in ...

Businesses function to provide a service, product or even experience to their customers. The services and production of these products are supported by the implementation of information management systems. This relationship can be seemingly simple and straightforward. However, in a world where there is increasing competitiveness and criminal elements working to endanger an organizations reputation (espionage) and business viability companies need to embed controls, practices, procedures policies to protect the core functions. Security of information systems needs to be embedded as part of the policies, procedures and practices of an organization so that it is seamless and integrated. Organizations today would attribute to the effects of implementing a control in terms of numbers (financial cost). (Wilson, 2008) For example, the cost of not implementing encrypting a database in an organization that stores personally identifiable information should outweigh the encryption costs...

Description of the technology (Urias, Stout, & Loverro, 2015) Software defined networks (SDNs) is an emerging technology that is changing the defense and networking paradigm. (Hande, Jadhav, Patil, & Zagade, n.d.) Traditionally, network devices like switches and routers, using protocols (on the control plane) such as Open Shortest Path First(OSPF), Border Gateway Protocol(BGP) and Spanning Tree Protocol(STP) determine the best port or interface to forward packets (on the data plane). These routing protocols use static information such as hop count to determine the best path through the network. Moreover, (Ali, Sivaraman, Radford, & Jha, 2015) this decentralized method of network management is the leading cause of network faults and bugs due to errors during configuration. Not to mention, a proliferation of ’internet ossification phenomenon’ which is basically the stagnated network innovation. Additionally, there was no segregation of control and data plane which is har...

This is a summary of book entitled 'Tallinn Manual on the International Law Applicable to Cyber Warfare'.   In 2008, the NATO CCD COE brought together a group of independent International Group of Experts to produce a manual to clarify the ambiguities surrounding cyber operations, particularly focusing on applications of jus ad bellum and just in bello. The book identified the international law and its applicability to cyber warfare and produces 95 rules to govern cyber conflicts. Each rule is supported with commentary provided by the experts and observers.  Its scope is in relation to cyber-to-cyber operations only. The book can be viewed here for free:  Tallinn Manual

Report: Available Here Review: Being someone new to information and cyber security I was expecting a juicy technical account of what happen during the USA elections. I quickly hurried by moccachino and sandwich to sprint back upstairs to my office to read the JAR (Joint Analysis Report) prepared by the Department of Homeland Security and the FBI. The report mainly highlights a lot of boilerplate recommendations that organizations should be aware of in protecting their networks. It contains mainly cyber security best practices and top mitigation practices. In addition, it lists a names aliases that were detected in executing the hacks. This report maybe a political ploy? But it does contain some useful information.