Archive for the ‘CISA’ Category

January is a time of reflection and renewal, thinking about the past year and the present one.  We use this time to measure ourselves and set or renew goals, pointing our inner compass needles towards our own True North.

Looking back, 2010 was a successful year for me.  I didn’t get to do some things or attend all the conferences I wanted, but other items were handily accomplished and some good work got done!

Foremost, I partnered with IOActive, Consciere, and Insyndia to do consulting work.  This led to interesting security audit, risk assessment and vulnerability assessment work and I was fortunate to meet and work with some great people.  Shouts-out to Erin Jacobs, Glenn Kaleta, David Baker, Tab Pierce, and Joel Scambray in particular!

I also earned my CISA which gives me a stronger understanding of formally auditing information security environments.  Now, I’m thinking of how to use this new-found knowledge and where I’ll go next.

What will 2011 bring?  As I chart this year’s course, I intend to visit new shores, make new acquaintances, and continue to grow as a person and infosec professional.  I welcome the journey and its challenges!

Be well friends…

by Bill Wildprett, Suspicious Minds blog, Copyright 2011


No, I’m not thinking about porn or any other nasty stuff, just reflecting that like during Fall when we clean our house gutters, it’s appropriate to think about how we think and remove clogs and other impediments.

For me, that means diversifying my security readings and practices and thinking about where I might have blinders on.  This was brought home recently from someone I respect, Pete Herzog the Founder of ISECOM and the OSSTMM.  I had asked Pete via email if any of the Smarter, Safer, Better seminars would be on the West Coast (none yet); he kindly responded with information about who I could contact who might sponsor them and also gave me a backhanded compliment about passing the CISA exam, saying ‘now we’ll have to teach you the right way’ in essence.

I wasn’t offended but my curiosity was piqued.  My mind had been wrapped around earning a CISA for continued competence and professional respect; was my thinking so constrained by my learnings?  So, I’m resolved to read the OSSTMM Version 3 and work to use it.  I’d read through (read, skimmed) Version 2.2 a while back but hadn’t immersed myself.  From other authors, now I understand it as possibly a paradigm shift in how to think about security assessments, at least for me.

Another mental dustbuster for me has come from reading The Black Swan by Nassim Nicholas Taleb.  I’m not finished with the book, a testament to how well-written and insightful it is.  I find myself lingering over it and re-reading sections prior to moving on.  This is partially because ‘NNT’, as he refers to himself, is one deep thinker!  This tome takes some time to absorb and digest.  Taleb discusses extreme outliers, huge events that are completely unforeseen and that subsequently shake our foundations, institutions and psyches.  9/11 is one such event.  The salient idea is not to focus on prediction of such events but to build sufficient robustness against negative Black Swan Events and to take advantage of positive ones.

My challenge and task is to apply this modality of critical thinking to the domains of information security, along with that of the OSSTMM.

Like more physical exercise will clean the arterial plaque from your personal system, it’s important to floss your brain or defrag your mind, however you want to put it and at least recognize that you might need to.

Peace friends!

by Bill Wildprett, Suspicious Minds blog, Copyright 2010


After waiting two months to the day following the Certified Information Systems Auditor exam (CISA), I just learned that I PASSED!

Now I need to submit my Application for Certification to ISACA and wait another two months (so they say) for it to be approved before I can use my new certification title.

Reviewing my test scores by subject area told me that I didn’t do as well in some areas and better in others.  So, more studying is in order…

Oh Happy Day!  🙂

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

Image courtesy of Pentax Salon


The calendar says it’s Summer although here in the Pacific Northwest, we’re not sure ~ it’s a cool Summer, which makes it fine for reading security books in the hammock or doing laptop stuff from the deck.

So what’s cooking?  I re-encountered a tool I first learned about from Russ McRee’s Toolsmith column in the September 2008 ISSA Journal ~ Practical Threat Analysis.  I’d looked at it before, but not in enough detail so have embarked on using it for a deeper understanding.

The 2010 Verizon Data Breach Investigations Report is out and it’s chock-full of good statistics and commentary.  I especially like the partnership with the U.S. Secret Service and the shared incident data.  Another nice tool from Verizon Business is VerIS, the Verizon Incident Sharing Framework, which presents how metrics are captured and used in preparation of the DBIR.

I took the Certified Information Systems Auditor (CISA) exam on June 12, 2010 and am patiently waiting to learn my fortune or fate!  The process stimulated a new appreciation of ISACA Auditing Standards, Procedures and Guidelines and CobiT 4.1, prompting me to send the former to FedEx for printing and to order the latter in book form from the ISACA Bookstore.  My wife picks it up and says “Can’t you find a good novel to read?  It’s Summer!”

I guess you had to be there to appreciate it…

Cheers mates!

by Bill Wildprett, Suspicious Minds blog, Copyright 2010


It’s a cool, rainy Spring here in the Pacific Northwest, a fine time to stay indoors and read instead of cleaning gutters, gardening, mowing the verdant expanse out back, etc.

Reading and study efforts have been and are focused on preparing for the June 12th CISA exam first and foremost.

Following that, here’s what’s top-of-mind for me:

OSSTMM 3 updates

Security Tools Screencast Demos from SearchSecurity.com

Never Eat Alone – Keith Ferrazzi: Building personal networks isn’t about how many connections you have in LinkedIn, it’s about maintaining and growing relationships in meaningful ways.

As the old saw goes, ‘All Work and No Play…’ so breaks in the ‘Blue Room’ are taken with Daisy:

One Happy Golden!


It’s a great time to be a security professional, always so much to keep learning and to do!  I’ve been working on personal and professional growth, looking for ways to define myself as a consultant and differentiate myself from the ‘Big Guys’.

I’m all about providing excellent customer service and really becoming a partner with my clients.  Part of the process is identifying who your target market(s) are and what they really need.  To this end, my friend and career mentor Mike Murray turned me on to an outstanding book ~ ‘Book Yourself Solid’ by Michael Port.  I haven’t finished reading all of it yet because it is a process-oriented work, with lots of exercises and a workbook.  I simply cannot say enough about how helpful this book (and the companion website) is; it’s all about what it truly means to be a service professional and strategies for romancing your potential clients into ongoing fruitful relationships.

It all just resonates so much with me ~ do what you said you’d do, listen first, ask lots of questions, act with integrity and purpose, provide stellar service, be helpful without any expectations.  Whether you’re in business for yourself, or an employee, the principles and guidance are the same.

Read this book!

Other than that, I’m studying CISA materials for the exam next June and am re-reading NIST SP-800-53 and SP-800-53A.

Be well people!

Bill


As I’ve said before, one of the main things I love about information security is the need to keep learning ~ the field keeps expanding, Big Bang-like and it behooves one to stretch themselves, out of their comfort zones and in new directions.

Friends of mine had been recommending I learn more about IT auditing, to gain a better perspective on how controls are applied, and why.  To that end, I took a three-day Certified Information Systems Auditor (CISA) training course from CertTest in early November.

Wow, that was pretty cool!  I learned a lot of new stuff and reviewed things like NIST SP-800-53 and ISO 27002 that I knew something about, but not in the same depth.  So, I’m now embarked on a study cruise towards the June 2010 CISA exam from ISACA.  Maybe I’ll work as an IT auditor, maybe not, but either way, I’ll know a lot more about the business side of the proverbial ‘house’ and its GRC drivers.

All this dovetails with my ongoing study of CobiT 4.1, NIST SP-800-53, and the ISO 27K series ~ I’m focused on becoming the best Governance, Risk Management & Compliance professional I can be!

If you have any helpful hints, suggestions, study advice, please ping me.

Shouts-out and props to Dave Cannon at CertTest for being an awesome and inspiring instructor!

And, I ate some Serious ‘Que at the Hard Eight in Irving TX with my CertTest classmates…

Later friends!
