risk

Help Shape the CGRC Exam – Formerly Known As CAP

As practitioners know all too well, it is paramount to remain up to date with the changing landscape of cybersecurity. We regularly conduct Job Task Analysis (JTA) studies to review exam content and outlines to ensure the accuracy, relevance and excellence of all (ISC)² exams. The Certified in Governance, Risk and Compliance (CGRC), formerly known as the Certified Authorization Professional (CAP) exam, was last refreshed in 2021. The certification is undergoing a name change to more accurately reflect the knowledge, skills and abilities required to earn and maintain this certification. As part of our regular updates to exams, it is…

January 9, 2023
0 comment
Read More >>

Latest Cyberthreats and Advisories – January 6, 2023

The LockBit ransomware gang apologizes, Google settles privacy lawsuits and cybercriminals impersonate brands and the U.K. government. Here are the latest threats and advisories for the week of January 6, 2023. Threat Advisories and Alerts Cybercriminals Impersonate Brands with Search Ads And Fake Sites The U.S. Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are directing internet browsers to malicious sites via search ads. How does the scam work? Bad actors build a fake website that impersonates a legitimate brand and then advertises it to appear at the top of search results. Once browsers click the ad,…

January 6, 2023
0 comment
Read More >>

Risk is …

 … when threat exploits vulnerability causing impact… tough to measure, express and control… the product of probability and impact… the gap between theory and practice… the root of pessimism and optimism … the once-in-a-hundred-years e…

August 8, 2022
0 comment
Read More >>

CISO workshop slides

A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title ‘CISO Workshop: Security Program and Strategy’ with ‘Your Name Here’ suggests it might be a template for use in a workshop/cou…

August 6, 2022
0 comment
Read More >>

Risk management trumps checklist security

While arguably better than
nothing at all, an unstructured approach to the management of information security results in organisations adopting a jumble, a
mixed bag of controls with no clear focus or priorities and – often –
glaring holes in the ar…

July 24, 2022
0 comment
Read More >>

Security in software development

Prompted by some valuable customer feedback earlier this week, I’ve been thinking about how best to update the SecAware policy template on software/systems development. The customer is apparently seeking guidance on integrating infosec into the develop…

July 22, 2022
0 comment
Read More >>

Skyscraper of cards

Having put it off for far too long, I’m belatedly trying to catch up with some standards work in the area of Root of Trust, which for me meant starting with the basics, studying simple introductory articles about RoT.As far as I can tell so far, RoT i…

July 18, 2022
0 comment
Read More >>

Complexity, simplified

Following its exit from the EU, the UK is having to pick up on various important matters that were previously covered by EU laws and regulations. One such issue is to be addressed through a new law on online safety.”Online safety: what’s that?” I hear …

July 10, 2022
0 comment
Read More >>

The discomfort zone

Compliance is a concern that pops up repeatedly on the ISO27k Forum, just this  morning for instance. Intrigued by ISO 27001 Annex A control A.18.1.1 “Identification of applicable legislation and contractual requirements”, members generally ask wh…

July 5, 2022
0 comment
Read More >>