Security Response

Showing posts tagged with IT Risk Management
khaley | 09 Nov 2009 22:08:08 GMT

One thing I see again and again in this job is that people usually don’t think about security until after they are hit with an incident. Companies create disaster recovery plans after the disaster. They come up with incident response teams after the incident. And consumers get antivirus software after they’ve had a virus infect their system.

People, here is a chance to turn that all around. We’ve seen several incidents of mobile phones being hacked. So far it’s been by old school hackers, those that are doing it just to prove that it can be done. But history shows us that the cyber criminals follow closely behind the old school hackers, and they will not be doing it for kicks—they’ll be doing it to rip you off.

Security professionals approach any situation like this with a risk assessment; in other words, they try to figure out what bad things could happen. Then they can hope for the best, but prepare for the worst. If...

Ben Nahorney | 17 Jul 2009 15:00:44 GMT

In Security Response, our primary objective is to provide virus definitions and firewall signatures to protect our customers from threats in the wild. On the flip side of the coin is Symantec’s Support organization, where we help customers install and configure their security software and, in cases where the worst has happened, help remove threats from a computer or network.

Symantec’s Support organization often receives requests to provide threat outbreak information. In some cases the request is for content aimed at a management level, detailing what their security teams have to do in these cases, which they could use to explain the situation at, say, the next board meeting. In other cases the requests come from small business folks who are not necessarily IT or Security managers, but may be the office “computer guy/girl” put in charge of cleaning up an outbreak.

It can be difficult to comprehend what’s happening when a computer is...

Alessandro Deidda | 16 Jul 2009 12:20:28 GMT

Organizations of all types are concerned with threats that could compromise information security. Managing this aspect is usually a primary concern for information technology (IT) departments. In this context, Information Security Risk Management should be an integral part of all information security management activities and should be applied both to the implementation and the ongoing operation of an Information Security Management System (ISMS). In fact, a systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective ISMS.

The ISO/IEC 27005:2008, a new standard from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), describes the Risk Management Process and its activities for information security and provides guidelines for Information Security Risk Management and supports the...

Grant Geyer | 16 Apr 2009 16:31:54 GMT | 0 comments

Editor's Note: This is the final installment of a four-part series.

In the three blog articles I have posted so far, we reported on findings from a recent survey to understand security professionals' perception of the threat environment, the loss associated with cyber attacks, and the challenges organizations are facing in handling cyber security. In this final installment, we’ll look at the use of outsourcing to help solve security challenges.

When you...

Grant Geyer | 01 Apr 2009 15:06:51 GMT | 0 comments

Editor’s Note: Part three in a four-part series

In the first two blog posts in our series on the Managed Security in the Enterprise report, we established that cyber security is still a problem and respondents have experienced real loss (see It’s Tough Out There and Threats Equate to Actual Loss). Exacerbating the problems of frequent cyber attacks and mounting losses is the fact that 49 percent of American organizations reported that it is getting somewhat/significantly more difficult to provide security. Our survey respondents attributed their challenges to four...

Grant Geyer | 31 Mar 2009 15:09:41 GMT | 0 comments

Editor’s Note: Part two in a four-part series

In part one of our blog series based on Symantec’s new research report, Managed Security in the Enterprise, I provided an overview of the challenges organizations are facing from cyber attacks. While we aren’t surprised that almost all U.S. respondents (88 percent) stated that their organizations have experienced cyber attacks over the past two years, the cyber loss they’ve experienced is staggering.

Incredibly, 97 percent of respondents reported real, tangible loss as a direct result of cyber attacks. When asked about the kind of cyber loss experienced, 46 percent of respondents in the United States claimed that they experienced downtime of their...

Grant Geyer | 27 Mar 2009 15:33:08 GMT | 0 comments

Editor’s Note: Part one in a four-part series.

Most security practitioners won’t be surprised to hear this: security is tough, and getting tougher. In fact, at times, I’m sure it seems like a perfect storm of problems; the threats are getting worse, losses are mounting, and—in the midst of the global downturn—there are very real concerns around staffing and budgets.

Earlier this week, we announced the findings of a new study, Managed Security in the Enterprise, based on surveys of 1,000 IT managers in U.S. and European enterprises in January 2009. We used this to complement the Symantec Internet Security Threat Report, vol. XIII in order to obtain qualitative data through feedback from security practitioners about changes in the...

Samir Kapuria | 19 Mar 2008 07:00:00 GMT | 0 comments

This is an issue I explored in a blog post several months ago, IT Risk and the Millennials, which really seemed to resonate with customers and industry peers. Feedback ranged from "great article," to "how are others addressing this choice vs. control dilemma?" to skepticism about this theory and the desire to see more quantifiable research validating my previous thoughts.

So, with all of this in mind, we did just that. We went out and commissioned a study with Applied Research-West to measure IT risk issues surrounding the emerging millennial workforce within companies. The study was conducted with 600 people, including three groups of 200 respondents each: IT decision makers, millennial workers (born after 1980), and older workforce (born before 1980). Our goal was to measure millennial workers' perceptions and...

Jeremy Ward | 12 Feb 2008 08:00:00 GMT | 0 comments

So you think IT risk management is a science? Or maybe you’ve never thought about it—you've just assumed that some clever expert has worked out all the angles. Unfortunately that’s not the case. The latest Symantec IT Risk Management Report gives some figures about how organizations manage (or fail to manage) their IT risk. It makes for interesting reading and includes some data about real incidents, analyzed jointly by Symantec and MIT’s Center for Information Research. However, what is clear is that IT risk management, although not a science, is evolving as a business discipline.

Correlation analysis of the data in the report shows that organizations are beginning to follow a natural progression in the way that they treat the management of their IT risk. They tend to start by looking at the security risk, then move on to consider availability and delivery risk, and finally address performance and compliance risk by implementing the more strategic controls. Experience...

Jeremy Ward | 06 Feb 2008 08:00:00 GMT | 0 comments

So, you think that there’s a magic bullet to deal with IT risk? In fact you probably wish there was, but since you don’t believe in Santa Claus, you know there isn’t! Of course that doesn’t stop people from looking for a quick technology fix. However, the latest Symantec IT Risk Management Report reveals that technology is not necessarily the issue. The report cites a study conducted jointly by Symantec and MIT’s Center for Information Research, showing that the majority (53 percent) of IT incidents have a process-based cause. Interestingly, the report also shows that organizations believe their technological effectiveness is declining. Last year’s number one effective control set was network, protocol, and host security. It’s still up there at the top, but there’s been a reduction of 16 percent in those who think they’re more than 90 percent effective (down from 47 percent to 31 percent).

Experience shows that it’s a balance of technology, process, and people that is...