Our agile journey towards a fancy ISMS – Part 1

We, Avisi, have started an agile journey. A journey with one destination: a fancy ISMS for Avisi. I gladly take you along on our trip, by blogging about the adventures we’ve been through. So fasten your seatbelt securely, we will travel through a roadmap to remember.

What is an ISMS?

ISMS stands for Information Security Management System. Its purpose is to offer a solid foundation consisting of an organization’s main policies (which I prefer to call principles rather than policies) when it comes to securing information.

Announcement: data breach!

Last week I went to a fair about Information Security. I signed up for two presentations about an amendment to the law ‘Wet bescherming persoonsgegevens (Wbp)’ called ‘meldplicht datalekken’. From January 1st 2016, this law obliges organizations to report data breaches affecting personal data to the ‘College Bescherming Persoonsgegevens (CBP)’ and to the persons affected. The presentations were very interesting, so why not share what I learned with you.

Security: Easy to Preach, Pretty Hard to Practice

Recently I registered for an IT Security event hosting trade shows and seminars on IT security. After registering and logging in on their website with the credentials that were sent to me (by e-mail, in plaintext), something occurred to me: the ‘green lock’ was missing from my browser’s address bar. It turns out that the website happily lets you fill in your personal information and credentials over an unencrypted HTTP connection. Worse: it doesn’t support HTTPS at all. How can an organisation dedicated to IT security justify such a potential information leak?

Once more it became clear to me that security is easy to preach, but pretty hard to put into practice.

Data destruction done right

In the fall of 2013 we decided it was time to rebuild our infrastructure from the ground up. New hardware, a new server rack and a brand new infrastructure. As you can read here, it was quite the project. When we finished rebuilding the new infrastructure at the end of last year, we obviously had a few beers to celebrate. And then… we noticed a pile of around 80 old hard drives (which had been replaced by new HDDs with more capacity).


W3Conf 2013 – Day 2

Thursday, February 22nd, San Francisco, CA

W3Conf is W3C’s annual conference for web professionals who want to hear the latest news on HTML5, CSS, the open web platform and their place in it…

See the day 1 summary here

Yesterday was a very interesting day… so expectations are high for today! Here we go!


HTTP Strict Transport Security

For reasons of convenience, most secure websites are accessible through both HTTP and HTTPS: on request, the HTTP site simply redirects the user to the HTTPS site. This method, however convenient, poses a considerable security risk. An attacker can easily mount a ‘man in the middle attack’ on that initial plaintext HTTP request, before the redirect to HTTPS ever takes place.


Security is Important, but how Important is It?

Is security important? Of course it is, but it seems like a lot of people don’t really concern themselves with it much. I understand that, of course, because security can definitely be a hassle. I guess the most important thing regarding security, though, is that people are consistent in their actions.

So let’s do a bit of self reflection on the issue:


Hard Tokens – A Brief Update

For almost a year now I’ve been testing a YubiKey hard token. Basically, it’s a USB key that adds strong two-factor authentication to the process of logging in to my computer. You can check out my previous blog post on exploring hard tokens and the need for better identity management.

Now it’s time to update you on my experiences thus far…