DISC InfoSec blog

Security risk assessment services are crucial in the cybersecurity industry as they help organizations identify, analyze, and mitigate potential security risks to their systems, networks, and data. Here are some opportunities for providing security risk assessment services within the industry: Conducting Vulnerability Assessments: As a security risk assessment service provider, DISC can conduct vulnerability assessments […]

Version 2 Updated for Release – February 2023.  From Jack Jones, Chairman of the FAIR Institute and creator of the FAIR model for cyber risk quantification (CRQ) — the definitive guide to understanding CRQ: What it is (and isn’t), its value proposition and limitations, and facts regarding the misperceptions that are commonplace.  If you’re considering […]

A Cybersecurity Framework Profile Infosec books | InfoSec tools | InfoSec services

The associated risk management programs are also constantly evolving, and that’s likely due to outside influences such as client contract requirements, board requests and/or specific security incidents that require security teams to rethink and strengthen their strategy. Not surprisingly, CISO’s today face several dilemmas: How do I define the business impact of a cyber event? How much […]

“By implementing sound #management of our #risks and the threats and opportunities that flow from them we will be in a stronger position to deliver our organisational objectives, provide improved services to the community, achieve better value for money and demonstrate compliance with the Local Audit and Accounts Regulations. #Riskmanagement will therefore be at the heart of our good management practice […]

Third-party risk assessments are often described as time-consuming, repetitive, overwhelming, and outdated. Think about it: organizations, on average, have over 5,000 third parties, meaning they may feel the need to conduct over 5,000 risk assessments. In the old school method, that’s 5,000 redundant questionnaires. 5,000 long-winded Excel sheets. No wonder they feel this way. The reason why […]

Risk Assessment and Risk Treatment Methodology The purpose of this document is to define the methodology for assessment and treatment of information risks, and to define the acceptable level of risk. The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you. There […]

The following conversation about reviewing a SOC 2 report is one to avoid.  Potential Customer: “Hi Vendor Co., do you have a SOC 2?” Vendor Co. Sales Rep: “Yes!” Potential Customer: “Great! We can’t wait to start using your service.”  The output of a SOC 2 audit isn’t just a stamp of approval (or disapproval). Even companies that […]

Source: https:// doi.org /10.6028/NIST.IR.8286-draft2 ISO 31000: 2018 Enterprise Risk Management (CERM Academy Series on Enterprise Risk Management)

As if disruption to the global supply chain post-pandemic isn’t bad enough, cybercriminals are selling access, sometimes in the form of credentials, to shipping and logistics companies in underground markets. That’s a worrisome, if not unexpected, development; a cybersecurity incident at a company that operates air, ground and maritime cargo transport on multiple continents and […]

Jack draws on years of experience introducing quantified risk analysis to organizations like yours, to write An Adoption Guide For FAIR. In this free eBook, he’ll show you how to: Lay the foundation for a change in thinking about risk Plan an adoption program that suits your organization’s style. Identify stakeholders and key allies for socialization of FAIR Select and achieve […]

The US CISA has released a new tool that allows to assess the level of exposure of organizations to insider threats and devise their own defense plans against such risks. The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Insider Risk Mitigation Self-Assessment Tool, a new tool that allows organizations to assess their level […]

In the first part of my blog post I focused on calculating the impact of a cybersecurity breach in relation to a company’s size and industry. In part two, I present an approach to better understand how often a company will experience security breaches. The probability is usually the big unknown. Not particularly helpful is that our […]

The lingering question of application code security follows, as stories of security breaches continue to pour, and remote teams across the world adopt low code for faster application delivery. Even as Gartner predicts that 65% of applications will be built using the low-code paradigm by 2024, it is important to understand the security implications that come with […]

Risk-based vulnerability management Risk-based vulnerability management doesn’t ask “How do we fix everything?” It merely asks, “What do we actually need to fix?” A series of research reports from the Cyentia Institute have answered that question in a number of ways, finding for example, that attackers are more likely to develop exploits for some vulnerabilities […]

Steps to reduce security risk in 2021 A summary of the tactical and strategic moves CISOs can make to reduce security risk: Look to reduce your “haystack” of threat avenues through smart policy enforcement. Consider DNS as a vector – for both attack and detection Ensure that your cloud adoption strategy is coupled with sound […]

Cyber Risk Quantification (CRQ) is now viewed as a core pillar of any effective Integrated Risk Management program. This short explainer video walks you through and gives you a glimpse into your future as a top tier cyber risk management organization.  A FAIR Approach

In its 10th annual Risk Barometer, Allianz found that cyber incidents ranked third in a list of the most important global business risks for the upcoming year, coming in second behind risks stemming from the pandemic itself. We can expect cyber incidents to increase in frequency and sophistication as cyber criminals continue to leverage the […]

Prioritizing and communicating risk Last year, the number of active phishing websites increased 350% from January to March alone. Now that employees are connecting to the office from their own remote networks and not through their office’s secure network, the chance of a security breach is higher than ever. While risk managers know this already, securing […]

With the growing interest in Factor Analysis of Information Risk (FAIR™), we hear a lot from people who have read about FAIR or even taken FAIR training and are really excited about the potential power of cyber risk quantification for risk management –  but have come away with the impression that to actually bring a quantitative risk management program to life […]