Audit (監査) Category

‘Cloud’ Consultants

Posted on 11 Aug 2010 In: Internet, Java, Tech, WWW, Web, WorkPapers, programming, Audit (監査)

What is so different about J-World and a private cloud? What is so different about any web service out there and a public cloud?
Answer: A lame consultant that doesn’t have the technical skill to sell any other service.

Hi All!! Still alive and kicking. Been a couple weeks since the last posting but have been hard at work putting together another platform iteration of WorkPapers software. So far, I have created the audit working papers management software solution in Cocoa and RealBasic, so this time around thought I would try one more iteration [...]

Over the past couple of days I have concluded that enough (bad) breath has been spent ranting about how system and security auditors really are missing the mark. However, one cannot reasonably just point a finger in one direction – it takes two to tango, so it is now time to point out what CIOs and administrators of secure environments should start considering in order to prevent incidents. And along the way I will add a rant or two about how the average CIO is also an administrative, paper-pushing policy guru who does not have real systems administration experience – most come from a consulting background and have never had to own a system for more than a year.

Actually, SANS has been in the dialog, but they put out an article that reinforces the issue of how IT and Infosec auditors – and many consultants alike – are not delivering the proper value to the market. I wrote this article last year that ranted on the issue, and many responded through email and comments to show support of the view. This was an issue that I noticed about five years ago as ISC2, ISACA, and other organizations really focused on increasing membership

I’ve tackled this subject a couple of times in recent posts in a cursory manner, but feel that it is probably time to elaborate on the subject. An IT auditor’s challenge out in the field is not getting any less complex. Systems are evolving to become seamless, integrated cloud services to the end-user, while the internals of such systems are integrated in a complex computing architecture. The risks associated with this complexity are amplified when the professionals that are checking the integrity of these systems do not understand the technology, have no practical administration or configuration experience, and do not have the necessary knowledge to understand how these systems interact.

Forewarning – this is yet another rant. The views expressed herein are personal and do not reflect any viewpoint of my current employer. But I do feel bad because we have an advertisement right on the facing page of the article that I point out in this posting…. In my seven years as a member of the IIA and a Certified Internal Auditor, the II

This title is a bit misleading since I stopped development of this software back in late 2006. Due to an overwhelming number of requests from potential users for me to hurry up, set up a Sourceforge site and pull the registration encryption, we are now offering the software for download (both Mac and Windows) with a free version registration key.

A couple of weeks ago I wrote this post because I had just found out that a group of security ‘professionals’ and ‘consultants’ (not from our company) who were assigned to one of my projects did not have the technical ability to download user records, or any other records, from Active Directory (AD) and perform the appropriate ID management analysis. While I am senior management, I do take pride in being able to do about anything required, including the technical work that is necessary to figure out via Google, MS Support sites, or any other resource – a skill that my Japanese counterparts don’t seem to possess. Donald Trump’s “You’re fired!” expression crosses my mind every time I look at one of these so-called professionals who says, “I don’t know how….”
In this blog posting I will briefly outline what this involves, include the necessary reference links, and provide any insights.

When reporting security metrics, it is desirable to express them in concrete units such as percentages or ordinal numbers. This differs from the “assessment” activities done so far, which were processes in which a number of people each answered risk-assessment questions with a score of 1 to 5. The chart below points out several metrics from the COBIT framework. Reporting these metrics is important for reporting the state of the security program, but it also provides useful information on the state of IT management based on COBIT.

One of the other tasks on my preparation checklist involves formatting a Japanese newsletter for two purposes – to announce my new career move, and to send out a monthly digest of seminars in the Tokyo/Osaka area, and a digest of interesting blog items that I archive during a month. I have a couple of [...]
