Information Security News
Weekends are usually a good time to catch up on the dreaded "D" word of IT professionals everywhere…. Documentation. Security is a process, and as such requires good documentation to drive those processes. All organizations have (or should have) documentation to support their efforts and guide their work, typically in the form of a Site Security Plan, Change Control processes, Roles and Responsibilities, etc., etc. These processes are in place to support constantly changing systems. Updating the documentation is often a painful process that is set aside in favor of less mundane, more intriguing tasks, and thus it is relegated to weekend work.
The landscape of technology, requirements, threats, and vulnerabilities is changing every day, so the processes we use to support these need to adapt as well. One key to managing the documents is establishing an annual review process of the document library. These reviews can be broken up over the calendar year, to spread out the work; the larger documents can be sectioned out to team members for draft input and review over a period of time. The review process, if possible, should include an objective review from a peer or colleague to assist in providing objective feedback and analysis.
Any process works best when it is known, documented, and implemented, and Security processes require the same care and feeding as the systems they serve.
tony d0t carothers --gmail
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
After the OpenSSL Heartbleed vulnerability that sent lots of products scrambling to issue a patch to prevent data leakage, the Linux Foundation formed a new initiative with some of the major technology leaders to support critical open source projects like OpenSSL by providing funding and ensuring greater reliability.
"The first project under consideration to receive funds from the Initiative will be OpenSSL, which could receive fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests."
Do you think this kind of initiative will improve open source projects?
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu