Trust is Not Really a Control, Neither is Luck

August 9, 2009 by ADMIN · Leave a Comment

By Gene Kim, CTO of Tripwire and co-founder of the IT Process Institute

This risk is often hidden in plain sight, poses a genuine clear and present danger to business and information security objectives, and is one that is often overlooked. This issue is change control.

Application Virtualization and IT Security

July 4, 2009 by ADMIN · Leave a Comment

By Derek Crawford, Director of Sales Engineering at Tripwire

From an IT Operations perspective, it would seem there is a pretty powerful argument to virtualize and distribute applications like this rather than have to install and maintain them on every user's PC or laptop.

Audits and the Change Management Process

June 29, 2009 by ADMIN · Leave a Comment

By Gene Kim, CTO of Tripwire and co-founder of the IT Process Institute

If the auditor observes that no one is showing up to the change management meetings, that authorizations are rubber-stamped without any real evaluation, and that unauthorized changes and unplanned outages are occurring regularly, then she will likely flag this as a potential high-risk area.

(Never) Always Set Up QA Before Production

June 23, 2009 by ADMIN · Leave a Comment

By Gene Kim, CTO of Tripwire and co-founder of the IT Process Institute

And then the code is deployed into production, where it fails spectacularly. Now the problem isn’t that the QA schedule is slipping. Now the problem is that a potentially mission-critical service is down, and we have a potential Sev 1 outage, requiring the best Ops, QA and Development people to figure out how to restore service.

Gene Kim on Meaningful Security Metrics

June 2, 2009 by ADMIN · 1 Comment

By Gene Kim, CTO of Tripwire and co-founder of the IT Process Institute

There are many efforts to create meaningful security metrics, which is a worthy goal. After benchmarking over 1000 IT operations and security organizations in the past four years, I’ve formed some very strong conclusions and opinions, some of which go against security common wisdom.

Infosecurity Europe Update: What Recession?

May 26, 2009 by ADMIN · 2 Comments

By Gene Kim, CTO of Tripwire and co-founder of the IT Process Institute

If you think that all these hard-earned dollars are being spent on truly creating continuous compliance, this is money well spent. Yay. If you think that these capital dollars are being thrown at a huge Band-Aid, that information security breaches will continue to occur, and that equal dollars will need to be spent passing next year’s audit, then not so much. Boo.

Have You Ever Had This Happen to You?

May 12, 2009 by ADMIN · 1 Comment

By Gene Kim, CTO of Tripwire and co-founder of the IT Process Institute

I look blearily at the clock that says it’s 3am, and I regret the decision I made twelve hours ago not to cancel this whole damned release and initiate a rollback. Now, it’s too late. We’re in so deep that we’ll be lucky if we have everything running by the time the East Coast customers start trying to access the systems in three hours. I just knew something really bad was going to happen when the deployment team kept saying, “I just need another hour”, and I had already given them five hours. At some point, we should just put down the shovel and step away from the hole.