Archive for 'Controls' Category
An article review. Taking a turn at the breach steering wheel In May 2014, CareFirst BlueCross BlueShield learned that one of their information systems had been infected with malware, so they got rid of it. Or so they thought. The malware was never fully eradicated, leading to a substantial hacking incident a few weeks later. […]
Dan’s reminding us that the manifesto, Sometimes Say Never, has the word “sometimes” in it.
An article review. Beware of buzzwords Our friend and associate Joe Cychosz sent us this article a few days ago, and we thought it was worth sharing. This brief article highlights an alarming trend within the InfoSec world, where security vendors are hyping and spinning their offerings to the point of untruth! Now this may […]
But “test” is an action verb! And your approach could “Turn Awareness Inward.” Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . “With all we have going on, our auditors are not letting us abandon the Awareness Training Thing. They aren’t treating it as a “one-off.” We […]
Should we see Information Security as a normal technology adoption and, if so, do we want to be laggards if we’re in an unregulated industry?
Here’s an awareness poster directed at your CUSTOMERS, rather than your users!
Hopefully you weren’t caught in the recent Microsoft Update Fiasco! Those of us who wait a while before installing Windows Updates, and who have Windows 8, are breathing a sigh of relief that the control, once considered critical, protected us. And if you are like the many who have waived the control in the name […]
Risk Based Auditing! I am often asked, especially at the end of a year, what should we be focusing our next audit plan upon? My answer: Focus your auditing on testing YOUR controls that mitigate the most risk in YOUR environment. Don’t bother testing controls which do not mitigate risk. Other than compliance risk*, […]
For those of you who are wanting to come into lightning-speed compliance with Section 164.308(b)(1) of the HIPAA Security Rule, start telling your vendors that they need to revise their agreements to include the following.
The art of “out-of-wallet” questions! When somebody calls wanting information that is sensitive (such as social security numbers, account numbers, account balances, the names of applications on our network, names of personnel, etc.), we must “authenticate” them prior to giving out information. “Pretext calling” is a rising attack vector used in both orchestrated attacks by professionals […]