Commentary - Audit & Risk: Seeing the Forest from the Trees. The Carnegie Mellon CyLab survey on "Governance of Enterprise Security" released in December, 2008 raised a very interesting issue. The survey measured the Board of Directors' involvement in and understanding of the security...

"Simplify, simplify..." The Information Security Handbook is founded on the principle that information security (IS) needs to be simplified down to its essential elements. Currently there is far too much "stuff" out there for any IS practitioner to assimilate. Consider the CISSP certification, the most widely used credential in the IS community. The better CISSP exam preparation books run to more than 600 pages, yet all they do is introduce the areas of competency. Worse, the CISSP mostly focuses on the "what" of information security, leaving it to the practitioner to figure out the "how".

Services - Certichron, Inc. provides information security training and risk management consulting services.


Why can't anyone make this simple? Actually, the answer is right in front of us; we just choose to ignore it and give in to the tendency in IS to obsess about individual trees instead of stepping back and looking at the forest. We quibble endlessly about the details and ignore the fundamental principles. All the elements of a commonly accepted IS methodology are already there; we just have to step back and view them as a logical whole.
Risk Model

Towards the goal of simplifying IS, I have developed two methodologies:

  • The Simple Risk Model - A distillation of several techniques for measuring information security and operational risk that yields a simple, concise and intuitive model for assessing risk in your business.
  • A Framework for Information Security - Another distillation of existing thinking that provides a manageable structure for an information security program.

IS Framework

©2009 ISRMC, LLC