Author Archives: Russell Doty

The last post concluded with the cry “there has to be a better way!”. So far we have established: Security Guides are a good idea and exist in almost all organizations. Security audits are good and widely used. Security guides … Continue reading →

The last post laid out guidelines for a security guide. We’re now at the point where we can discuss a system audit. We have defined what an audit is, what security requirements are, and what a security guide is. At … Continue reading →

The previous post explored the kinds of information that might be in a security guide. Let’s lay out some basic requirements for a security guide: The security guide must exist. It must be available, updated, and maintained. The security guide … Continue reading →

The last article introduced the concept of a security guide – but what is it? In many cases a security guide is a binder full of often vague, occasionally overly specific and sometimes conflicting requirements. It has usually grown and … Continue reading →

The previous article introduced security audits, which are actually audits of security specifications. There are many potential sources for security specifications. Some of them are government standards. For example, in the United States, HIPAA, the Health Insurance Portability and Accountability … Continue reading →

In conversations with large companies and small companies, literature review and looking at best practices for security, one of the most common tools that essentially everyone uses is a security audit. In most cases the security audit is performed regularly … Continue reading →

The password managers we discussed in the last post are a good start. If you only use one system a local password database is all you need. Most people have multiple “devices” – a PC, a laptop, a smartphone, a … Continue reading →