Results ordered by term relevance.

March 27, 2017 | Certifications and Training
By David Kolb, IANS Faculty

 Get What You Need: Hints and Tips for Negotiation

Information security professionals are involved in negotiations every day, whether it's working with software developers to adopt safe coding practices or selling employees on mobile device management. In this report, IANS Faculty David Kolb and Chief Research Officer Stan Dolberg detail the process of negotiation and persuasion within an organization and offer specific examples to help infosec professionals understand the dynamics at play and get to a result that's beneficial to all parties. 

Read More »


January 27, 2017 | Team Structure and Management
By Stan Dolberg, IANS Faculty

 Where CISOs Report: A Snapshot

While most CISOs report to IT leadership today, this is not the ideal reporting relationship for managing information-security risk. In this Ask-an-Expert written response, IANS Chief Research Officer Stan Dolberg reviews data from IANS CISO Impact research, which demonstrates that an experienced CISO is positioned for maximum influence when reporting into an organization's senior management. 

Read More »


November 21, 2016 | Application Development and Testing
By Jason Gillam, IANS Faculty

 Secure Development Practices for Mobile Applications

Best practices around the secure development of mobile applications are still evolving because of the rapid evolution of the mobile platforms themselves. In this Ask-an-Expert written response, IANS Faculty Jason Gillam outlines the key differences between the secure development of mobile and web applications, and details standard accepted practices around encryption and authentication.

Read More »


January 18, 2017 | Directory Services
By Jason Gillam, IANS Faculty

 Selecting an Access Management Solution

Access management within an organization can often be non-standardized, decentralized, mismanaged and unreliable. In this Ask-an-Expert written response, IANS Faculty Jason Gillam describes three potential solutions to this problem of access management and offers recommendations for when organizations should consider leveraging vendor solutions. 

Read More »


February 28, 2017 | Privacy
By Aaron Turner, IANS Faculty

 Protecting Data Transferred From Canada

While Canadian regulators in the past typically followed U.S. precedent on data protection standards, the country has moved closer toward the EU model over the past few years. In this Ask-an-Expert written response, IANS Faculty Aaron Turner recommends companies handling Canadian citizen data follow the EU General Data Protection and offers some technical guidance for implementing the necessary controls. 

Read More »


March 16, 2017 | Embedded Systems and Internet of Things
By Aaron Turner, IANS Faculty

 Balancing Business Benefits with IoT Dangers

Some say IoT stands for Internet of Threats, but businesses and consumers are rushing headlong into the adoption of everything from wearables to smart buildings. In this report, IANS Faculty Aaron Turner examines the enterprise risks of IoT and explores defensive tactics to help build a short- and long-term strategy to effectively and securely employ IoT technology. 

Read More »


December 9, 2016 | Risk Management
By Rich Guida, IANS Faculty

 Understanding the Relationship Between Physical and Logical Information Security

The relationship between physical security and cybersecurity can be more closely linked than some organizations might think. In this Ask-an-Expert written response, IANS Faculty Rich Guida details specific instances (i.e., insider threats) where the two types of security come together and offers insight into the practice of "incrementalism."

Read More »


November 18, 2016 | Team Structure and Management
By Dave Shackleford, IANS Faculty

 Security Operations Maturity Chart

For security organizations, understanding where you stand from a maturity perspective can offer valuable insight into which processes and procedures need to be improved. In this Ask-an-Expert written response, IANS Faculty Dave Shackleford charts benchmarks for certain aspects within information security, from event detection and incident management to metrics and data visualization

Read More »


November 10, 2016 | Converged Infrastructure
By Aaron Turner, IANS Faculty

 Bluetooth Security Risks: An Overview

When it comes to evaluating Bluetooth security risks, it's important to divide up the technology into different sections and examine the potential risks of each. In this Ask-an-Expert written response, IANS Faculty Aaron Turner evaluates Bluetooth security from the perspectives of physical-layer, protocol implementation and application-layer vulnerabilities.

Read More »


November 7, 2016 | Vendor and Partner Management
By Marty Gomberg, IANS Faculty

 Identifying Vendor Risk Red Flags

When it comes to evaluating vendors, there are a number of factors organizations need to keep in mind, from integration costs to uptime guarantees. In this Ask-an-Expert written response, IANS Faculty Martin Gomberg lays out some of the major red flags organizations should look out for when evaluating vendors, from the due diligence phase to the questionnaire process.

Read More »


October 31, 2016 | Application Development and Testing
By Jason Gillam, IANS Faculty

 Application-Level DoS: Are You Ready?

Application-level DoS attacks can be difficult to detect, challenging to diagnose, and when effectively exploited, they can render your application completely inaccessible. In this report, IANS Faculty Jason Gillam explains how application-level DoS works and offers some key mitigation strategies. 

Read More »


October 27, 2016 | Insider Threats
By John Strand, IANS Faculty

 Going from Reactive to Proactive with Insider Threats

Honing your response to an insider threat is difficult enough, but building on the program to proactively identify and thwart potential malicious insiders is fraught with risk. In this Ask-an-Expert live interaction, IANS Faculty John Strand outlines the importance of partnering with HR, choosing the right tool set and funding the program adequately.

Read More »


October 20, 2016 | Encryption, Digital Signatures, Certificates, Tokenization
By Dave Shackleford, IANS Faculty

 Assessing Key Management Services Within AWS

There are a number of key management tools and services that organizations can use within the AWS cloud. In this Ask-an-Expert written response, IANS Faculty Dave Shackleford breaks down some of the major players in the space, including Amazon's own key management service, HyTrust DataControl and Vault.

Read More »


October 18, 2016 | Mainframe and Legacy Systems
By Philip Young, IANS Faculty

 Mainframes, APIs and the False Sense of Security

Mainframes usually hold companies’ most sensitive, mission-critical data. As more organizations decide to open up their mainframe “crown jewels” to participate in today’s mobile/cloud world, however, is mainframe security keeping up? In this report, IANS Faculty Philip Young details the riskiest areas of the mainframe and explains how best to secure them against today’s threats.

Read More »


October 6, 2016 | Security Policies and Strategy
By Michael Pinch, IANS Faculty

 5 Ways to Improve Security While Cutting Costs

Attacks and malware continually evolve, forcing organizations to react by implementing an ever-expanding tool set. Unfortunately, few budgets expand in kind. In this report, IANS Faculty Michael Pinch details five key ways to immediately improve your organization’s security posture, without breaking the budget.

Read More »


October 6, 2016 | Regulations & Legislation
By Randy Sabett, IANS Faculty

 International Security, Privacy and Compliance Laws: Q3 2016 Update

Each quarter, IANS provides an update on the emerging international compliance laws and regulations that impact the information security community. For Q3 2016, we provide a short summary for each jurisdiction in which there was a change, followed by a more detailed description. An updated table of jurisdictions and changes can be accessed here.

Read More »


October 4, 2016 | Data Breaches
By Mike Saurbaugh, IANS Faculty

 IANS Vulnerability and Breach Update: Q3 2016

A new vulnerability or breach seems to be discovered daily, but which should be taken more seriously and which are overhyped? In this report, IANS Faculty Mike Saurbaugh looks back over the major breaches and vulnerabilities of the past three months, explains them and provides real-world context and perspective.

Read More »


October 3, 2016 | Cloud Network and Host Controls
By Dave Shackleford, IANS Faculty

 IANS Cloud Security Update: Q3 2016

As more organizations move services and computing assets into cloud service provider environments, the need for adequate security controls grows as well. In this quarterly research report, IANS Faculty Dave Shackleford updates IANS’ clients on the new developments occurring in the cloud security arena.

Read More »


October 1, 2016 | Risk Management
By Rich Guida, IANS Faculty

 Best Practices for Risk Registers

When it comes to building a risk register, there are a number of important steps organizations must take. In this Ask-an-Expert written response, IANS Faculty Rich Guida details the process of constructing a risk register and offers specific criteria for determining how accurate and successful it is.

Read More »


September 29, 2016 | Threat Intelligence and Modeling
By Aaron Turner, IANS Faculty

 Breaking Down Cyber Threat Trends in Mexico

For organizations that operate in Mexico and Latin America, it's important to keep tabs on the current cyberthreat trends taking hold in these countries. In this live Ask-an-Expert response, IANS Faculty Aaron Turner details the current threat landscape in Mexico and Latin America, from ATM attacks to state-sponsored cybercrime.

Read More »


September 12, 2016 | Risk Management
By Adam Ely, IANS Faculty

 IT Governance Everyone Can Live With

Building a quality, efficient, multi-entity governance, risk and compliance (GRC) structure that doesn’t slow business units and allows for consistent and effective risk mitigation is hard but achievable. In this report, IANS Faculty Adam Ely explains how to determine costs, handle staffing and empower stakeholders to create a GRC program that efficiently mitigates risk and garners support from line-of-business leaders.

Read More »


September 1, 2016 | Software Development Lifecycle (SDLC)
By Jason Gillam, IANS Faculty

 Ensuring a PCI-Compliant SDLC Review Process

Establishing a review process for PCI DSS compliance is something organizations should do in a strategic, ongoing fashion, rather than as a once-per-year activity. In this Ask-an-Expert written response, IANS Faculty Jason Gillam details the Building Security in Maturity Model (BSIMM) and demonstrates how organizations can consult this framework to build a continuous compliance review process within the software development lifecycle.

Read More »


August 26, 2016 | Cloud Application and Data Controls
By George Gerchow, IANS Faculty

 Securing Microsoft Office 365 and OneDrive for Mobile Access

Moving to Office 365 and other cloud applications presents both security and compliance challenges. In this Ask-an-Expert live interaction, IANS Faculty George Gerchow recommends using a CASB, together with Microsoft's own DLP and SharePoint data classification schemes to keep corporate data safe while easing access for mobile and cloud users.

Read More »


August 23, 2016 | Intrusion Prevention/Detection (IPS/IDS)
By Dave Kennedy, IANS Faculty

 Detailing the Benefits of Network- and Host-Based IDS/IPS Solutions

Both network- and host-based IDS solutions are critical for organizations when it comes to quickly identifying threats. In this Ask-an-Expert written response, IANS Faculty Dave Kennedy breaks down the advantages and limitations of each and offers recommendations for organizations to get the most out of their IDS/IPS solutions.

Read More »


August 15, 2016 | Incident Response Planning
By Bill Dean, IANS Faculty

 Creating Effective Tabletop Exercises

Designed correctly, tabletop exercises can help you determine how well your people, processes and technologies are prepared for an incident – and improve that preparation over time. In this report, IANS Faculty Bill Dean steps you through the process of designing, planning and executing effective tabletop exercises. 

Read More »


August 9, 2016 | Security Analytics and Visualization
By Dave Shackleford, IANS Faculty

 User Behavior Analytics: A Tools Overview

Over the past few years, a number of organizations have begun to implement a user behavior analytics program in an effort to combat things like insider threats. In this live Ask-an-Expert interaction with the security team at a large financial services organization, IANS Faculty Dave Shackleford assesses the current landscape of user behavior analytics tools and offers tips and pitfalls to consider when implementing such a program.

Read More »


August 9, 2016 | Team Structure and Management
By Rich Guida, IANS Faculty

 Prioritizing Risk to Manage the Security Team’s Workload

When it comes to managing the workload of the security team (particularly if it only has a few members), prioritizing organizational risks is an important first step. In this Ask-an-Expert written response, IANS Faculty Rich Guida offers tips for developing a true risk register, compiling critical metrics and getting the various business units to own risks.

Read More »