Mar 31 2022

How to read a SOC 2 Report

Category: Risk Assessment,Security Risk Assessment,Vendor AssessmentDISC @ 8:43 am
how to read a SOC 2 report
https://fractionalciso.com/how-to-read-a-soc-2-report/

The following conversation about reviewing a SOC 2 report is one to avoid. 

Potential Customer: â€śHi Vendor Co., do you have a SOC 2?”

Vendor Co. Sales Rep: â€śYes!”

Potential Customer: â€śGreat! We can’t wait to start using your service.” 

The output of a SOC 2 audit isn’t just a stamp of approval (or disapproval). Even companies that have amazing cybersecurity and compliance programs have a full SOC 2 report written about them by their auditor that details their cybersecurity program. SOC 2 reports facilitate vendor management by creating one deliverable that can be given to customers (and potential customers) to review and incorporate into their own vendor management programs.

Vendor security management is an important part of a company’s cybersecurity program. Most mature organizations’ process of vendor selection includes a vendor security review – a key part of which includes the review of a SOC 2 report.

SOC 2 reports can vary greatly in length but even the most basic SOC 2 report is dense with information that can be difficult to digest, especially if you aren’t used to reading them. This article will teach you how to read a SOC 2 report by providing a breakdown of the report’s content, with emphasis on how to pull out the important parts to look at from a vendor security review perspective.

Please note that you should not use this as a guide to hunt and peck your way through a SOC 2 report. It is important to read through the entire report to gain a full understanding of the system itself. However, this should help draw attention to the particular points of interest you should be looking out for when reading a report. 

Many different auditing firms perform SOC 2 audits, some reports may look a little different from the others but the overall content is generally the same.

How to read a SOC 2 report: the Cover Page

Even the cover page of a SOC 2 report has a lot of useful information. It will have the type of SOC 2 report, date(s) covered, the relevant trust services criteria (TSC) categories, and the auditing firm that conducted the audit. 

What Type of SOC 2 Report?

There are two types of SOC 2 reports that can be issued: A SOC 2 Type I and a SOC 2 Type II. The type of report will be denoted on the cover page. The key difference is the timeframe of the report:

A SOC 2 Type I is an attestation that the company complied with the SOC 2 criteria at a specific point in time. 

A SOC 2 Type II is an attestation that the company complied with the SOC 2 criteria over a period of time, most commonly a 6 or 12 month period. 

SOC 2 Type II reports are more valuable because they demonstrate a long-term commitment to a security program – and any issues over the time frame will be revealed. It’s possible for a company to get a SOC 2 Type I report then fail to adhere to their controls. 

Key takeaway: If a company only has a SOC 2 Type I, ask if and when they are working on achieving a SOC 2 Type II. If they say they are not getting a Type II, this is indicative of a lower commitment to security. 

Trust Services Criteria

Cybersecurity for Executives in the Age of Cloud 

Tags: SOC 2 report, SOC2

Mar 12 2022

Integrating Cybersecurity and Enterprise Risk Management (ERM)

Category: Information Security,Risk Assessment,Security Risk AssessmentDISC @ 12:19 pm

Integrating-Cybersecurity-Enterprise-Risk-Management-ERM-1Download

Source: https://

doi.org
/10.6028/NIST.IR.8286-draft2

ISO 31000: 2018 Enterprise Risk Management (CERM Academy Series on Enterprise Risk Management)

Tags: ERM, ISO 31000

Nov 04 2021

Supply Chain at Risk: Brokers Sell Access to Shipping, Logistics Companies

Category: Risk Assessment,Vendor AssessmentDISC @ 8:54 am
Supply Chain at Risk: Brokers Sell Access to Shipping, Logistics Companies

As if disruption to the global supply chain post-pandemic isn’t bad enough, cybercriminals are selling access, sometimes in the form of credentials, to shipping and logistics companies in underground markets.

That’s a worrisome, if not unexpected, development; a cybersecurity incident at a company that operates air, ground and maritime cargo transport on multiple continents and moves billions of dollars worth of goods could prove devastating to the global economy.

“At the moment, the global supply chain is extremely fragile. This makes the industry a top target from cybercriminals who will look to take advantage of today’s current situation,” said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify. “The global chip shortage is resulting in major delays, with some stock unavailable or backlogged for more than six months, making it a prime attraction for cybercriminals to attempt to expose and monetize this via various scams. This includes redirecting shipments by changing logistic details or causing disruptions via ransomware.”

The actors, ranging from newcomers to prolific network access brokers, are selling credentials they obtained by leveraging known vulnerabilities in remote desktop protocol (RDP), VPN, Citrix and SonicWall and other remote access solutions, according to the Intel 471 researchers tracking them.

“No business or IT security team would willingly allow bad actors to exploit known vulnerabilities in remote access technologies, but this is exactly what is happening,” said Yaniv Bar-Dayan, CEO and co-founder of Vulcan Cyber, who believes much of the problem is a result of poor cybersecurity hygiene.

In one instance last August, an actor that has worked with groups deploying Conti ransomware said they had accessed “corporate networks belonging to a U.S.-based transportation management and trucking software supplier and a U.S.-based commodity transportation services company,” the researchers wrote in a blog post. “The actor gave the group access to an undisclosed botnet powered by malware that included a virtual network computing (VNC) function.” The group then used the botnet “to download and execute a Cobalt Strike beacon on infected machines, so group members in charge of breaching computer networks received access directly via a Cobalt Strike beacon session,” they said.

supply chain IoT edge trucking

Supply Chain Risk Management

Supply Chain Risk Management

Tags: Supply Chain at Risk

Oct 11 2021

An Adoption Guide for FAIR

Category: Risk Assessment,Security Risk AssessmentDISC @ 12:09 pm

Jack draws on years of experience introducing quantified risk analysis to organizations like yours, to write An Adoption Guide For FAIR. In this free eBook, he’ll show you how to:

Lay the foundation for a change in thinking about risk

Plan an adoption program that suits your organization’s style.

Identify stakeholders and key allies for socialization of FAIR

Select and achieve an initial objective, then integrate business-aligned, risk-based practices across your organization.

Tags: A FAIR Approach, Cost-Benefit Analysis, Factor Analysis, FAIR in a Nutshell, Pure Risk Reduction, Quantitative Tactical Analyses, What is FAIR?

Oct 01 2021

CISA releases Insider Risk Mitigation Self-Assessment Tool

Category: Risk Assessment,Security Risk AssessmentDISC @ 9:39 am
CISA releases Insider Risk Mitigation Self-Assessment Tool

The US CISA has released a new tool that allows to assess the level of exposure of organizations to insider threats and devise their own defense plans against such risks.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Insider Risk Mitigation Self-Assessment Tool, a new tool that allows organizations to assess their level of exposure to insider threats.

Insider threats pose a severe risk to organizations, the attacks are carried out by current or former employees, contractors, or others with inside knowledge, for this reason they are not easy to detect.

An attack from insiders could compromise sensitive information, cause economic losses, damages the reputation of the organization, theft of intellectual property, reduction of market share, and even physical harm to people. 

The tool elaborates the answers of the organizations to a survey about their implementations of a risk program management for insider threats.

“The Cybersecurity and Infrastructure Security Agency (CISA) released an Insider Risk Mitigation Self-Assessment Tool today, which assists public and private sector organizations in assessing their vulnerability to an insider threat.  By answering a series of questions, users receive feedback they can use to gauge their risk posture.  The tool will also help users further understand the nature of insider threats and take steps to create their own prevention and mitigation programs.” reads the announcement published by CISA.

Cybersecurity Awareness Month 2021 Toolkit: Key messaging, articles, social media, and more to promote Cybersecurity Awareness Month 2021

Held every October, Cybersecurity Awareness Month is a collaborative effort between government and industry to ensure every American has the resources they need to stay safe and secure online while increasing the resilience of the Nation against cyber threats.
The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA) co-lead Cybersecurity Awareness Month.

Cybersecurity Awareness Month 2021 Toolkit: Key messaging, articles, social media, and more to promote Cybersecurity Awareness Month 2021 by [Cybersecurity and Infrastructure Security Agency]

Tags: CISA, Cybersecurity Awareness Month 2021, Risk Mitigation Self-Assessment Tool

Jun 17 2021

Calculating Your Company’s Total Cybersecurity Risk Exposure

Category: Risk Assessment,Security Risk AssessmentDISC @ 12:20 pm
Skyscrapers - Total Cyber Risk of an Organization copy

In the first part of my blog post I focused on calculating the impact of a cybersecurity breach in relation to a company’s size and industry. In part two, I present an approach to better understand how often a company will experience security breaches.

The probability is usually the big unknown. Not particularly helpful is that our abilities to estimate a probability are inferior to our abilities to estimate damage. In addition, we must consider a range of limitations to our abilities to estimate. We don’t estimate well in magnitudes very small or large. Once in 1,000 years and once in 10,000 years is harder to differentiate than once per year and once in 10 years. Also, we tend to overestimate the probability of recently occurred incidents.

The great uncertainty drives risk practitioners to reduce their risk assessments to pure impact assessments (“Estimations of probability can only be wrong!”). However, we can use what is out there on data and make comparisons.

Source: Calculating Your Company’s Total Cybersecurity Risk Exposure

Tags: FAIR

May 25 2021

A leadership guide for mitigating security risks with low code platforms

Category: Risk Assessment,Security Risk AssessmentDISC @ 8:32 am
A leadership guide for mitigating security risks with low code platforms

The lingering question of application code security follows, as stories of security breaches continue to pour, and remote teams across the world adopt low code for faster application delivery. Even as Gartner predicts that 65% of applications will be built using the low-code paradigm by 2024, it is important to understand the security implications that come with it and discuss how we can mitigate possible risks.

Most low code platforms enable non-technical users to build applications quickly and offer in-built security for various aspects of the application, such as APIs, data access, web front-ends, deployment, etc. Some go deeper with functionalities purpose-built for professional developers, with abilities to customize at a platform level. That said, no platform can claim to be the silver bullet when it comes to abstracting all security risks.

Business leaders should assess both internal and external risks that arise, and make sure there are certain guard rails enforced to secure low code-built applications. Let’s discuss some of these in detail.

The Enterprise Risk Management Program (ERMP) Guide provides program-level risk management guidance that directly supports your organization’s policies and standardizes the management of cybersecurity risk and also provides access to an editable Microsoft Word document template that can be utilized for baselining your organizations risk management practices. Unfortunately, most companies lack a coherent approach to managing risks across the enterprise:When you look at getting audit ready, your policies and standards only cover the “why?” and “what?” questions of an audit. This product addresses the “how” questions for how your company manages risk.

The ERMP provides clear, concise documentation that provides a “paint by numbers” approach to how your organization manages risk.The ERMP addresses fundamental needs when it comes to what is expected in cybersecurity risk management, how risk is defined, who can accept risk, how risk is calculated by defining potential impact and likelihood, necessary steps to reduce risk.Just as Human Resources publishes an “employee handbook” to let employees know what is expected for employees from an HR perspective, the ERMP does this from a cybersecurity risk management perspective.Regardless if your cybersecurity program aligns with NIST, ISO, or another framework, the Enterprise Risk Management Program (ERMP) is designed to address the strategic, operational and tactical components of IT security risk management for any organization.

Policies & standards are absolutely necessary to an organization, but they fail to describe HOW risk is actually managed. The ERMP provides this middle ground between high-level policies and the actual procedures of how risk is managed on a day-to-day basis by those individual contributors who execute risk-based controls.

May 03 2021

Risk-based vulnerability management has produced demonstrable results

Category: Risk Assessment,Security Risk AssessmentDISC @ 7:44 am
Risk-based vulnerability management has produced demonstrable results

Risk-based vulnerability management

Risk-based vulnerability management doesn’t ask “How do we fix everything?” It merely asks, “What do we actually need to fix?” A series of research reports from the Cyentia Institute have answered that question in a number of ways, finding for example, that attackers are more likely to develop exploits for some vulnerabilities than others.

Research has shown that, on average, about 5 percent of vulnerabilities actually pose a serious security risk. Common triage strategies, like patching every vulnerability with a CVSS score above 7 were, in fact, no better than chance at reducing risk.

But now we can say that companies using RBVM programs are patching a higher percentage of their high-risk vulnerabilities. That means they are doing more, and there’s less wasted effort. (Which is especially good because patch management is resource constrained.)

The time it took companies to patch half of their high-risk vulnerabilities was 158 days in 2019. This year, it was 27 days.

And then there is another measure of success. Companies start vulnerability management programs with massive backlogs of vulnerabilities, and the number of vulnerabilities only grows each year. Last year, about two-thirds of companies using a risk-based system reduced their vulnerability debt or were at least treading water. This year, that number rose to 71 percent.

When a company discloses that their networks have been breached and that their data has been stolen or encrypted for ransom, there is a steady drumbeat of critics. The company, these critics contend, is somehow at fault. Its security team didn’t do EVERYTHING it could have to prevent the breach. The proof of this doesn’t lie in knowledge of what preventative steps the security team did, but in the fact that it got breached. Victim blaming was alive and well in cybersecurity.

Thankfully, this mindset is fading away. But when cybersecurity companies with risk-based approaches began entering the market, they faced headwinds from the security nihilism crowd who thought if you can’t fix everything, then “why bother?”

We can now say that, when it comes to vulnerability management – a complex, yet fundamental cybersecurity discipline – the risk-based approach has produced clear results. The proof is in the data.

Enterprises that use risk-based approaches to vulnerability management are getting faster and smarter at this foundational cybersecurity discipline. They are doing less work and seeing more impactful security improvements. It’s encouraging to see these year-over-year improvements and we believe this trend is likely to continue.

Risk Based Vulnerability Management 

Risk Based Vulnerability Management A Complete Guide - 2019 Edition by [Gerardus Blokdyk]

Tags: Risk-based vulnerability management

Mar 30 2021

Risky business: 3 timeless approaches to reduce security risk in 2021

Category: Risk AssessmentDISC @ 9:57 pm
Risky business: 3 timeless approaches to reduce security risk in 2021

Steps to reduce security risk in 2021

A summary of the tactical and strategic moves CISOs can make to reduce security risk:

  • Look to reduce your “haystack” of threat avenues through smart policy enforcement. Consider DNS as a vector – for both attack and detection
  • Ensure that your cloud adoption strategy is coupled with sound cloud security policy and design
  • Educate your leadership team. “We aren’t a target” is equivalent to sticking your head in the sand.

Are you doing enough? Do you understand your risks? What if the brightest aren’t always the best choice for your company?

The Smartest Person in the room
The Smartest Person in the Room: The Root Cause and New Solution for Cybersecurity by [Christian Espinosa]

Tags: reduce security risk

Mar 29 2021

Understanding Cyber Risk Quantification – A Four Minute Journey Into Your Future

Category: Risk Assessment,Security Risk AssessmentDISC @ 10:56 pm

Cyber Risk Quantification (CRQ) is now viewed as a core pillar of any effective Integrated Risk Management program. This short explainer video walks you through and gives you a glimpse into your future as a top tier cyber risk management organization. 

A FAIR Approach

Tags: A FAIR Approach, cyber risk quantification

Mar 17 2021

Why is financial cyber risk quantification important?

Category: Risk Assessment,Security Risk Assessment,Vendor AssessmentDISC @ 10:13 am
Why is financial cyber risk quantification important?

In its 10th annual Risk Barometer, Allianz found that cyber incidents ranked third in a list of the most important global business risks for the upcoming year, coming in second behind risks stemming from the pandemic itself. We can expect cyber incidents to increase in frequency and sophistication as cyber criminals continue to leverage the various security lapses that accompany remote workforces.

However, something that has changed recently is how business leaders and boards of directors are viewing cyber risk. While previously seen as an issue solely for security and technology leaders to manage, executives are now pressuring security departments to financially quantify cyber risks facing their organizations.

In fact, a recent survey of 100 senior security professionals found that 70% of respondents have received pressure to produce cyber risk quantification for their business. Further, half of the respondents reported they have a lack of confidence in their ability to communicate and report the financial impacts of cyber risks, with a quarter saying they do not have a cyber risk quantification technology deployed at their company.

Why are executives pressuring CISOs to start financially quantifying cyber risk for their business? This process allows CISOs to identify and rank risk scenarios that are most critical to their enterprise, based on factors such as which attacks would have the biggest financial impact, and how equipped the company is to defend itself against any given attack.

Automated risk quantification makes this process even easier, removing the guesswork out of these decisions and streamlining the process of getting to actionable information. The potential for human error and subjectivity are removed completely from the equation.

Previously, security leaders have relied on theoretical models of risk like the Common Vulnerability Scoring System (CVSS). Even with this system, it can be difficult to prioritize the vulnerabilities that rank highest in terms of severity. This is even more challenging for leaders across the enterprise who may be unfamiliar with this system. Cyber risk quantification provides security leaders with a way to communicate the most pressing cyber threats facing a company that do not rely on a scoring system that is incomprehensible to anyone outside of the security department.

By assigning a dollar value to potential cyber incidents, business leaders have better visibility into the most pressing – and costly – threats facing the enterprise. With this information, the business and security teams can align their efforts and prioritize the largest risks, rather than dedicating resources to lower priority risks.

Teams can focus their efforts on ensuring the business has adequate controls and processes in place to defend against the costlier risks and make additional investments accordingly. It can also make it easier for leaders and boards to justify spending more time or money to proactively defend against certain risks.

For CISOs, cyber risk quantification also provides an easier way to communicate the value of their work to leadership. Security leaders can calculate the return on investment of their tools and teams in the context of risk reduction for the enterprise. This gives leaders better visibility into the risks facing their organizations in terms that are understandable and actionable. Conversely, cyber risk quantification can help to identify any issues with an organization’s existing cybersecurity program and measure improvement over time.

Overall, shifting to this type of risk-led approach for cybersecurity will result in data-driven and actionable insights that will allow leaders across all business departments to understand and act on the most critical cyber risks facing their enterprise.

We know that attacks are going to continue, whether they’re state-sponsored or cyber criminals, and it is critical for an enterprise to have a comprehensive view into your risk landscape. Now is the time for security leaders to adopt cyber risk quantification and more easily demonstrate how cybersecurity organizations are protecting their business operations from disruption and catastrophic harm.

Why is financial cyber risk quantification important?

Cyber Risk Quantification A Complete Guide

Tags: cyber risk quantification

Mar 16 2021

Risk management in the digital world: How different is it?

Category: Risk Assessment,Security Risk AssessmentDISC @ 3:33 pm
Risk management in the digital world: How different is it?

Prioritizing and communicating risk

Last year, the number of active phishing websites increased 350% from January to March alone. Now that employees are connecting to the office from their own remote networks and not through their office’s secure network, the chance of a security breach is higher than ever. While risk managers know this already, securing company data is essential to customer trust and longevity. To prioritize risk during remote work, risk managers need to involve executives and keep them updated and educated on potential problems and solutions. Prioritizing risk now will pay dividends in the long run.

Executive teams need to buy in — simply relegating all risk-related work to risk managers isn’t enough in the end. Investing time and money to form a risk-aware culture will better educate all employees on how to avoid common scams and prepare for larger-scale problems. Without prioritization and investment in risk, companies may not make it through the next major disruption and risk major security breaches.

A risk-aware culture can’t be created overnight. Risk managers and executives must first identify the risks and find out where the company stands, aligning risk culture with the existing company culture. Then, they can implement new risk management strategies that may require drastic changes, such as new software, revised policies and educational tutorials on risk. IT teams need to be on top of their game for virtual risks, educating employees and preparing them to ask the right questions. With phishing on the rise and data at a very vulnerable point, employees must be able to assess risk on their own.

Risk management in the digital world: How different is it?

Build a Security Culture

Tags: Risk management in the digital world

Feb 25 2021

Proven Use Cases to Start Quantitative Cyber Risk Management

Category: Risk Assessment,Security Risk AssessmentDISC @ 11:05 am
Proven Use Cases to Start Quantitative Cyber Risk Management

With the growing interest in Factor Analysis of Information Risk (FAIR™), we hear a lot from people who have read about FAIR or even taken FAIR training and are really excited about the potential power of cyber risk quantification for risk management –  but have come away with the impression that to actually bring a quantitative risk management program to life in their organization would be…

…a slow, evolutionary process.

Well, it is a process of upward evolution from qualitative, opinion-driven, red-yellow-green risk analysis to critical thinking about risk in financial terms.  And yes, bringing your entire organization to a common way of thinking about risk as loss events instead of vague worries like “the cloud” is a great step forward.

Proven Use Cases to Start Quantitative Cyber Risk Management

Tags: Quantitative Cyber Risk Management

Feb 24 2021

Nmap Cheat Sheet

Category: Cheat Sheet,Network security,Risk AssessmentDISC @ 9:52 am

Nmap Cheat Sheet – Infographic by SANS Institute

Tags: Nmap, Nmap network scanning

Aug 18 2020

Advice for senior management on their responsibilities towards information risk

Category: Risk Assessment,Security Risk AssessmentDISC @ 5:55 pm

IAAC Directors’ Guides

Source:Succinct advice for senior management on their responsibilities towards information risk, courtesy of the IAAC.




Oct 14 2019

The best practice guide for an effective infoSec function

Category: cyber security,Information Security,ISO 27k,NIST CSF,Risk AssessmentDISC @ 10:48 am

Building ISMS

The best practice guide for an effective infoSec function: iTnews has put together a bit of advice from various controls including ISO 27k and NIST CSF to guide you through what’s needed to build an effective information security management system (ISMS) within your organization.

This comprehensive report is a must-have reference for executives, senior managers and folks interested in the information security management area.

 

Practice Guide

Open a PDF file The best practice guide for an effective infoSec function.

How to Build a Cybersecurity Program based on the NIST Cybersecurity Framework
httpv://www.youtube.com/watch?v=pDra0cy5WZI

Beginners ultimate guide to ISO 27001 Information Security Management Systems
httpv://www.youtube.com/watch?v=LytISQyhQVE

Conducting a cybersecurity risk assessment


Subscribe to DISC InfoSec blog by Email




Tags: isms

Oct 06 2019

A CISO’s Guide to Bolstering Cybersecurity Posture

Category: Information Privacy,Risk Assessment,Security Risk AssessmentDISC @ 8:24 pm

iso27032

When It Come Down To It, Cybersecurity Is All About Understanding Risk

Risk Management Framework for Information Systems

How to choose the right cybersecurity framework

Improve Cybersecurity posture by using ISO/IEC 27032
httpv://www.youtube.com/watch?v=NX5RMGOcyBM

Cybersecurity Summit 2018: David Petraeus and Lisa Monaco on America’s cybersecurity posture
httpv://www.youtube.com/watch?v=C8WGPZwlfj8

CSET Cyber Security Evaluation Tool – ICS/OT
httpv://www.youtube.com/watch?v=KzuraQXDqMY


Subscribe to DISC InfoSec blog by Email




Tags: cybersecurity posture, security risk management

Jul 21 2019

When It Come Down To It, Cybersecurity Is All About Understanding Risk

Category: Risk Assessment,Security Risk AssessmentDISC @ 12:11 am

Get two risk management experts in a room, one financial and the other IT, and they will NOT be able to discuss risk.

Source: When It Come Down To It, Cybersecurity Is All About Understanding Risk

An Overview of Risk Assessment According to
ISO 27001 and ISO 27005





Enter your email address:

Delivered by FeedBurner




Mar 17 2019

Risk Management Framework for Information Systems

Category: Risk Assessment,Security Compliance,Security Risk AssessmentDISC @ 9:32 pm

Risk Management Framework for Information Systems and Organizations:
A System Life Cycle Approach for Security and Privacy
NIST 800-37r2












Subscribe to DISC InfoSec blog by Email




Tags: Risk Management Framework

Mar 07 2019

How to choose the right cybersecurity framework

Category: Policies & Controls,Risk Assessment,Security Compliance,Security Risk AssessmentDISC @ 10:05 am

Does your organization need NIST, CSC, ISO, or FAIR frameworks? Here’s how to start making sense of security frameworks.

Source: How to choose the right cybersecurity framework





« Previous PageNext Page »