Risk Topics

Risk Topics Blog

scranos weaponized malware
So, this Scranos is a mutable piece of malware with a great deal of capability and it's still just getting warm.
CIA no more
Whoopsie, I seem to have forgotten to renew my Certified Internal Auditor designation.
two day retreat
For the past two days, I joined a client's executive team and board on a strategic retreat that started with "What do we do as a company?" (which led to a substantial revelation) and followed that all the way to which executives would own what crucial initiatives this year, and which would follow on through the next two years.
let's encrypt for free certificates
I've now put SSL encryption on all four of my websites.
on execution
Today I read an excellent post on getting things done, by a City of Toronto executive.
oracle cloud is unavailable
I'm job-searching, and came across this odd warning when following a lead. As my friend and former colleague Adrian put it, "Nice, a dinosaur caught in a tar pit".
CIA for five years
It's been five years since I wrapped up a year—and five hundred hours of study—toward the Certified Internal Auditor designation.
website transition is complete
At long last, I've implemented the flattening tool on risktopics.
a new look for risktopics
I've redesigned risktopics.
a new website
I've put together a new website for my consulting business.
keeping desktop applications up to date
I've installed something called Glary Utilities to mind my PC's stability and security.
five years of risktopics.com
I've had this site on the go for five years, now.
fracking the human being
Discretionary energy is a term used to describe optional effort that an employee might put into their job.
privacy at Facebook
The recent flap about the Cambridge Analytica breach at Facebook has people talking about privacy issues pertaining to that website.
the planning fallacy
Today, while pursuing one of my hobbies, I discovered something called the planning fallacy.
Valentine's day vm backup plan
I'm working on a project in which the data set is so sensitive that backups to long-term media – or outside the production network segment – aren't permitted.
Facebook is troubling
The other day, I realized that my regular use of Facebook as part of my advocating for safe cycling infrastructure in Toronto was having some negative effects.
the unsafe workplace and the body's response
Simon Sinek gives some interesting insights into how unsafe environments (such as a workplace with infighting) have a deleterious effect on our health through changing the chemical balance of our bodies.
ISACA article is live
I've had permission from ISACA to re-publish my article, which appeared in ISACA's Journal earlier this year (volume 5, 2017).
ISACA has sent me some copies of the issue of their Journal that includes my article.
the Equifax breach
I've gotten questions from a variety of people about the Equifax breach, and what it means to them in terms of potential ID theft.
Tracking Vulnerability Fixes to Production
As an IT auditor at a software company, I discovered that security vulnerabilities in our bespoke product had not been getting released to clients on a timely basis.
evaluating third party cyber risk
The Investment Industry Association of Canada has issued new guidance on evaluating cyber security readiness in third parties.
getting it wrong with R
I'm taking a "MOOC" on Coursera in data science.
de-identifying health information
I currently have a contract with a firm that "de-identifies" health information prior to it being shared with third parties such as marketers, drug manufacturers, and researchers.
that's a lot of tracking!
I have this browser plugin that blocks third-party tracker systems from the websites I visit.
gaming Google news
Two of four articles are spam? Kudos to whoever figured out how to game Google's aggregator this badly.
privacy in this day and age
Sometimes people get emails that make it clear their personal network is known to various websites or agencies.
another record breach
A data analytics company leaked personal information on 200 million voters.
writing an industry standard
The Investment Industry Association of Canada is producing a two-document guide on evaluating cyber risk in their third party (vendor) arrangements.
ISACA article accepted
The ISACA article has been accepted.
Covey time-management quadrants
Where oh where has the four-quadrant Franklin Covey time management system been, all my life? It puts many of my thoughts into a concise guide! (Franklin Covey time matrix)
safe harbor de-identification of health data
The health industry works with a standard called the "Safe Harbor" for de-identifying personal information.
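The two entries above on de-identifying health information and the Safe Harbor standard name the technique without showing it. The following is an added example, not code from this blog or from the author's client engagement: a minimal Safe Harbor-style pass over a patient record. It assumes a flat dict record with the field names used below, a constructed (hypothetical, not census-derived) set of sparsely populated three-digit ZIP prefixes, and an "as of" date for computing age. The two Safe Harbor edge cases it handles are the ones practitioners most often get wrong: ages of 90 and over must be aggregated to "90+" with the birth year removed too, and the first three ZIP digits may only be kept when that area has more than 20,000 residents.

```python
"""Added example: Safe Harbor-style de-identification of a patient record.

Assumptions (not from the original page): the record is a flat dict with the
field names below; SPARSE_ZIP3 is a constructed stand-in for a real
population lookup; `as_of` is the reference date for age computation.
"""
from datetime import date
import re

# Direct identifiers that Safe Harbor requires be removed outright.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "phone", "email", "mrn", "street", "ip", "url",
    "device_id", "license", "account", "biometric", "photo",
}

# Date fields tied to the individual: reduce to year only.
INDIVIDUAL_DATE_FIELDS = ("admit_date", "discharge_date", "death_date")

# Hypothetical set of 3-digit ZIP prefixes with 20,000 or fewer residents.
# A real implementation must consult current census data here.
SPARSE_ZIP3 = {"036", "059", "102"}

# Crude SSN pattern used to flag free text that still carries an identifier.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the area is sparsely populated."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in SPARSE_ZIP3 else prefix


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of, correcting for an unreached birthday."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor-style de-identified copy of `record`.

    Raises ValueError if a free-text field still contains an SSN-like token,
    because Safe Harbor also covers identifiers buried in narrative text.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

    dob = record.get("dob")
    if dob is not None:
        age = age_on(dob, as_of)
        if age >= 90:
            # Ages over 89 collapse into one category and the birth year goes
            # too, since year alone would reveal the 90+ status.
            out["age"] = "90+"
            out.pop("dob", None)
        else:
            out["age"] = str(age)
            out["dob"] = dob.year  # year is the only date element retained

    if "zip" in record:
        out["zip"] = generalize_zip(record["zip"])

    for field in INDIVIDUAL_DATE_FIELDS:
        if field in record and record[field] is not None:
            out[field] = record[field].year

    notes = record.get("notes")
    if isinstance(notes, str) and SSN_RE.search(notes):
        raise ValueError("free-text field still contains an SSN-like token")

    return out


if __name__ == "__main__":
    # Constructed sample records, not real patient data.
    sample = {
        "name": "A. Person", "ssn": "123-45-6789", "mrn": "M-0001",
        "dob": date(1925, 3, 4), "zip": "03601",
        "admit_date": date(2017, 5, 2), "diagnosis": "I10",
        "notes": "routine follow-up",
    }
    print(deidentify(sample, as_of=date(2017, 7, 1)))
```

The ValueError on SSN-like text is deliberate: stripping structured fields while leaving narrative notes intact is the most common way a "de-identified" extract still leaks identifiers, and a pipeline should fail closed rather than silently pass such a record on.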
an ISACA article
Tomorrow's the deadline for the next issue of ISACA's "Journal".
my guide on managing third party risk
I've written a guide on managing third party risk, that is, the risk that comes with sharing your data with third parties such as service organizations.
PMP for five years
Today is the five year anniversary of my long slog through the PMP exam.
metrics that matter
The article I placed on LinkedIn about losing my job has now been read well over 1,000 times.
720 reads in 48 hours
My previous post (which was cross posted to LinkedIn) regenerated over 700 reads in under two days.
I lost my job
Last Tuesday, I lost my job during a restructuring at PortfolioAid, a compliance solutions firm.
farewell, SIRA board
My first term as a non-profit board member ends on March 31.
the message and the medium
A former colleague on the SIRA board published this article to LinkedIn.
an interesting take on consulting
I've started reading Peter Block's "Flawless Consulting".
the ever-expanding sh*tlist
These are the 64 IP addresses that I currently block on my websites.
claiming professional expenses in Canada
In Canada, anyone on the treadmill of maintaining professional designations gets a couple of tax incentives.
get cyber safe
The government of Canada has produced some guidance for small-medium enterprises which is a) quite good and b) surprisingly readable.
the flight of the wealthy
It looks like the wealthy are planning on pulling the plug on the US.
virtual kidnapping
In addition to CEO fraud emails, now there's virtual kidnapping.
financial industry vendor management
Today I attended a wealth management industry committee meeting in which we're looking at an industry-wide approach to managing third party risk.
securing your life
The New York Times recently ran a piece with practical information about protecting your online life.
yet another reason to patch
Today I had an illuminating call with our insurance broker and carrier about an exclusion in our errors & omissions insurance pertaining to unlicensed data and software.
DNS subdomain discovery
This weekend, I found this interesting little tool called DNS Dumpster.
fintech and information risk
An article appeared in "The Investment Executive" this weekend that highlights information risk in so-called fintech.
on failed persons
The Basel definition of operational risk is this: "Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events."
how to sabotage innovative projects
One of my favorite books on internal control; sorry, the only good book I've ever encountered on internal control is "Intelligent Internal Control and Risk Management" by Matthew Leitch.
no fix for cyber security in our lifetime
An article landed in my inbox today in which an expert from Marsh was quoted as saying, "Cyber as a pervasive risk will likely not be solved in our lifetime."
gane's law on the passage of data and meaning
Gane's Law: "Any information that must be passed through two levels of management shall be mooted by the voyage, for it shall be diluted and misconstrued."
is risk management a profession
A risk practitioner vastly senior to me posited the question on LinkedIn whether risk management is even a profession.
the problem of entitlements
Virtually every organization has the problem of managing IT asset entitlements.
failed your PMP exam?
That sucks.
people really do plug in the USB devices they find
In case there was any question: people really do plug in the USB devices they find.
evaluating a vendor's SOC-2 report
Someone asked me how to evaluate a service organization's SOC-2 report.
head of state, athlete, billionaire, or drug lord
A headhunter once put it as simply as he could: "What's your career trajectory, CEO, COO, or CFO?" I recoiled at the thought at the time, though I now know the answer and I'd have to put "missed" or "failed" in there somewhere.
SOC-2 versus SIG
My team has been spending some time reviewing the forthcoming SOC-2 control standards.
governance and board positions
I've joined the board of Cycle Toronto, an advocacy association of city cyclists who are pushing for a safer city in which to ride.
case study on advanced persistent threats
In the middle of 2015, I produced an analysis of my employer's readiness regarding risk due to "advanced persistent threats" in the cybersecurity space.
management consulting vs internal audit
I've just completed a three day intensive course on management consulting, which covered the twin streams of a) diagnosis and b) change management.
concentrated volunteerism
In the past few months, I've dropped three of the professional associations I'd belonged to.
at least five problems with security metrics
Last year, I participated in a panel on "metrics that matter" at RSA.
the risk of false brand identity
A colleague from the CMC posted some thoughts on brand based on one of Seth Godin's periodic utterances.
studying contractual and financial risk management
It's true that you get like the people you live with; I've spent a lot of time in the financial industry, and it seems I've picked up a thing or two.
on paneling
Tonight I moderated a panel of experts on the role of the board in setting strategy.
Vtech data breach
I sent a friend a note about the latest data breach that's in the news: Vtech.
the straitjacket
I'm constantly amazed at how difficult it is to break free of the straitjacket of the immediate.
hiring for many talents
I've repeatedly been faced with the difficult task of hiring for ambiguous roles where a range of different skills are required.
why ERM versus traditional risk management
I'm studying for a course on risk financing, and have a quibble with an answer "in the book".
agility and risk
Dave Thomas, one of the originators of the "Agile Manifesto", gave a talk in January that explains where the Agile movement has gotten off the rails (no pun intended).
using a cache server to secure WordPress
Securing a website that runs on WordPress can be a challenge.
On the Ashley Madison list? Blame it on Target
It's occurred to me that if someone's name turns up on the user list at Ashley Madison, they can just blame Target.
In an audit of my employer's cybersecurity stance, I found things to be generally quite good.
the common law of business practice
Someone* once said this of choosing a vendor's solution based on price alone: "There is hardly anything in the world that someone cannot make a little worse and sell a little cheaper, and the people who consider price alone are that person's lawful prey."
risk assessment in a nutshell
A pithy quote on risk assessment.
hiring on LinkedIn
I recently posted two job openings to LinkedIn.
my pilgrimage is complete
Someone at RSA called it a pilgrimage that is mandatory but that you only have to do once.
I skipped another afternoon of "keynotes" to meet with a succession of people.
RSA Conference panel
1,200 people showed up for our panel at RSA.
using malware to persecute whistle-blower
A colleague passed this along.
on "How to avoid a breach"
I recently saw a LinkedIn post to an article titled, "Data breaches – how to effectively avoid them and manage them if they happen".
speaking at this year's RSA Conference
I've been asked to join a panel at this year's RSA Conference in San Francisco.
cutting off your nose
This article suggests that we should no longer use email, because it's not safe.
beyond risk-listing and the ISO31k diagram
Matthew Leitch is a risk management researcher in the UK I've leaned on more than once when I needed guidance.
what the SEC thinks about information risk
As a "knowledge worker", it's important to understand how one's output is used.
It looks like "cybersecurity" is here to stay
I'm not wild about the word "cybersecurity".
Cybersecurity as a systemic risk in the financial industry
Outsourced technology service arrangements carry considerable risk to both parties.
the risk of time sheets incomplete
I work in an industry where records of time spent on distinct projects are required of knowledge workers.
SIFMA makes the first move
Over the past couple of years, I've been watching for a "guidance note" from one of the regulators on cyber security.
An experiment in risk culture programming
A large part of my duty as a risk manager is to guide the organization’s approach to risk.
a risk practitioners' uprising
I took a couple of vacation days to go to Minneapolis and join the third annual conference of the Society of Information Risk Analysts, an interesting group of risk practitioners that is putting together what seems to be not exactly a people's uprising but a practitioners' uprising in the information risk management field.
Are audit reports all about marketing
I am writing a dissertation on the impacts of implementing an enterprise risk function at service organizations.
Are risk registers obsolete
I founded the risk management function at PortfolioAid—a provider of technical solutions to the financial industry—just as the firm was entering a period of aggressive growth.
Risk, opportunity, and the service organization
Specialist information technology services organizations play a substantial role in regulated industries such as finance.
how to avoid being C-3PO
I recently came across a bullet list of the three principal jobs of the risk manager.
solving the BYOD riddle
This article presents a policy that allows employees to bring their own mobile devices to work, while at the same time avoiding the security and support issues raised.
© 2013 - 2019 werneburg information risk management inc.