Position yourself on Security Maturity Grid

I wrote up the Security Maturity Grid the way quality management is usually presented. The grid is a simple 5 x 6 matrix that shows different stages of maturity of the company’s security management against six different security management categories (management understanding of security, problem handling, cost of security, etc). The lowest stage of maturity is called ‘Uncertainty’ – the organisation is inexperienced, security management is a low priority and reactive, etc – then as security management matures it goes through the stages of ‘Awakening’, ‘Enlightenment’, ‘Wisdom’, then the highest level, ‘Certainty’. Each point – maturity versus category – on the grid has a brief description of how that combination appears in the company.

I keep the grid on a separate page, Security Maturity Grid, so have a look and try to position yourself or your company on the grid. Then wait for the software security goons to show up :)

dilbert-software-improvement-goons-dt050912

TrueCrypt

truecryptSince the anonymous team behind TrueCrypt has left the building, security aware people were left wondering what’s next. I personally keep using TrueCrypt and as long as it works I will keep recommending it.

Recently, Bruce Schneier has raised a few red flags by his strange advice that seems to indicate that he is being paid now for his “services to the community” by parties not so interested in keeping the community secure. One more thing is his advice to switch from TrueCrypt to BitLocker.

The guys that “disappeared” from behind TrueCrypt recommended to switch to BitLocker and that makes BitLocker suspect right away. Moreover, anyone working in security would be right suspecting that BitLocker, coming from Microsoft, would be backdoor-ed. And now Bruce Schneier is coming out and saying that he recommends BitLocker now instead of TrueCrypt? Great. I am not going to trust either.

TrueCrypt for the moment remains the only trustworthy application for disk encryption. There is an effort to make TrueCrypt survive and support newer features of the file systems. I hope it works and we still have some tool to trust in five years from now.

I have also stored the recent versions of TrueCrypt.