Search results for: risk management

Yet another reminder that Real risk management may not be too different from management. In that, as said before (here), one would need to start at the start to make progress, like changing the ones responsible, through making them responsible. Which cannot be done other than through job descriptions. Like this one, the reminder. So, … Continue reading “Start at the start, first in line is on the job”

Yes you, my dear reader [can just as well put that in single not plural…] who are in the information security arena. Per this piece. Where “It is time to acknowledge the wisdom of the “bean counters.” is of course a fat joke. But in continuation, there’s much to agree with and then worry about … Continue reading “You are unimportant”

Reken maar, op de bijeenkomst. Post gescheduled voordat het programma bekend werd dus eens zien hoeveel punten we scoren…: ] Niet De bijeenkomst. Wegens: En ook de posts van de afgelopen tijd, waaronder (deze, als u goed leest,) deze, deze en deze plus deze toch vrij helder moge wezen. En voor degenen die nog verder … Continue reading “De heat maps vliegen in het rond”

Recent kwam het idee in het nieuws (nou ja) om ‘compliance’ als een broccoli aan te pakken: of liever – omdat het idee is dat het principe aan de basis staat, en wordt vertaald (‘stapsgewijs verfijnd’ én wordt omgezet in de taal van die droevige gebruikertjes die geen benul hebben van de taal van de … Continue reading “Compliance is Broccoli – of nie? Voer voor risi’ci”

Gisteren stond er de post over wat er niet mis is aan risk heat maps. Voorwaar een (kennelijk) helder stukje, het kreeg vele hits en Likes. Echter, het bleek dat sommige mensen de post ook daadwerkelijk opende en er zelfs wat in snuffelden. Gezien de reacties was de post klaarblijkelijk nog niet helemaal helder. De … Continue reading “Heat maps lezen: Zo doe je dat”

Lately, there has been a slight resurge of the Leaders vs. Managers ‘debate’ [since I’m unsure it’s a debate as much as it is manager-bashing and oh the ideal is to be a Leader; later on that below], including some detail issues like language. Contra this, first this, and then this. Plus this, and this. … Continue reading “Even leaders manage”

Hey yeah you know, it’s still a quite (too) popular thing to talk about People – Process – Technology when it comes to control(s) types in the IS risk management / audit corner of the universe. If you think about it … keep in mind that these factors are almost always presented as nearly disjunct … Continue reading “Venn for People – Process – Technology”

‘Because’ that’s not a word yet. But one might miss this presentation here, at one’s loss – if only for the return of this little gem: It is difficult to get a man to understand something when his salary is dependent on his not understanding it. [Upton Sinclair Jr] If only, not only, semantics [i.e., … Continue reading “Note: In-fosec-centives”

Since you don’t have the real chapters in place. Not even on paper. Since those initial chapters of just any standard you can dream of (Alptraum, you know) have the essence, the principle-based stuff. Whereas the latter ‘chapters’ of any standard regard guidelines or even-mere examples for the lazy, of what needs to be done … Continue reading “You’re so non-compliant …!”

Further to yesterday’s post, here’s some sidelines on ‘control’s. Where typical ‘ORM’ would take risks one by one, and treat them all in the same fashion. Take one risk, see what you can do qua preventative controls, and then .. a long time of bickering and arguing until some arm twisting leads to hap-hazard (sic) … Continue reading “The uncontrollable dynamics of controls”