With the massive flooding in Houston from Hurricane Harvey, we're re-publishing this very relevant post from 2016 by Steve Poppe about how local governments can apply FAIR modeling to plan for megastorms.
Aug 29, 2017 9:40:00 AM / by Steve Poppe posted in FAIR, Risk Management
Jul 5, 2017 3:19:58 PM / by Steve Poppe posted in FAIR
The idea of the “criticality” of an asset or resource appears in many cyber security standards, including NIST, ISO 27001, and the AICPA’s SSAE 16 criteria.
Of the standards that define criticality, the best is in NIST SP800-53r4: “A measure of the degree to which an organization depends on the information or information system for the success of a mission or business function.”
Mar 6, 2017 8:30:00 AM / by Steve Poppe posted in FAIR, Risk Management
“When will you be home?”
I have finally learned how to respond to text messages like this – and more pointedly how not to.
Jan 23, 2017 8:30:00 AM / by Steve Poppe posted in FAIR, Risk Management
If you are confused by what standards and reputable sources mean by “vulnerability,” or “a vulnerability,” take heart. You have company. Our profession has done a great job in confusing itself. Let’s sort it out.
Aug 22, 2016 4:30:00 PM / by Steve Poppe posted in FAIR, Risk Management
Some people think that administrative controls are weak compared to technical controls because people are relatively unreliable in following policies and procedures.
Apr 13, 2016 4:00:00 PM / by Steve Poppe posted in FAIR, Risk Management
What is risk?
"Risk is the likelihood of loss times the amount of loss if the event occurs."
Apr 8, 2016 1:00:00 PM / by Steve Poppe posted in FAIR, Risk Management
In this note, I’ll dissect and expose exactly what is meant by making a decision among risky alternatives, and what we should expect the management of an organization to be able to do in making these decisions.
Mar 31, 2016 4:30:00 PM / by Steve Poppe posted in FAIR, Risk Management
All the traditional risk management frameworks use “heat maps” or some variant – a color-coded matrix of “likelihood” against “impact.”
Mar 22, 2016 10:04:56 AM / by Steve Poppe posted in Risk Management
Estimating unknowns
We often run into the problem of estimating a number about which we seemingly have no idea. For example, how many severe defects probably remain undiscovered in software that is now being deployed to production?
Mar 17, 2016 10:07:51 AM / by Steve Poppe posted in FAIR, Risk Management
The FAIR taxonomy uses the term “vulnerability” in a special way that differs significantly from how it is used by CERT and many network and software scanners.