Presented at DeepSec 2014 „Do you want to know more?“
Risk assessment should reflect the overall security knowledge and experience accumulated over the years in the company. This knowledge is company-specific, and applying it should not depend on, or be bound to, any proprietary methodology, vendor or product. The never-ending quest for the "best" tool or methodology is a futile exercise.
Existing commercial or free tools are (often) built by programmers, process/audit/compliance "gurus" and other people who have never managed security in a real company.
The consequence is that you spend 80% of your time on things which solve only 20% of your real security needs.
In the end it is you, the security specialist, who adds the most value to the risk assessment / threat modelling process for your company. A practical risk management process, supported by a custom-made tool, is the vehicle through which you can actually demonstrate how to link security to business goals.
The presentation will demonstrate that it is quite easy to capture your overall security knowledge in a home-made, free-of-charge tool. The examples will be done using a specific variant of an open-source wiki.
Presenters:
- Vlado Luknar, Orange Slovensko a.s. (France Telecom Orange Group)
  For the last fifteen years Chief Security Officer for Orange Slovakia, specializing in ISMS and risk assessment.
  Before 1999 at Digital Equipment; MBA in information systems; CISSP, CISM, CISA, ISO 27001 Lead Implementer, CSSLP.