Jun 01 2024

6 Expert Tips for Your 2024 Security and Compliance Management Planning

Category: Security Compliancedisc7 @ 2:22 pm

Follow these six expert tips to achieve successful security and compliance management planning.

1. Identify the assets you want to protect

Maintaining a list of assets, their business criticality, and who/where they are is the first step to establishing control over your environment. To do this, start with these steps:

  • Identify the systems, data, and people assets that you need to protect.
  • Identify the threats to those assets, and prioritize them.
  • Identify what you want to do to protect your priority assets from their most significant threats. 

2. Identify the activities you need to complete 

It is important to establish a list of security activities and the cadence on which they will need to happen in order to meet your compliance requirements. Some activities only need to be done once a year, while others might need done quarterly or even monthly. For example, you may only need to do an annual penetration test, but how often do you need to perform pen testing, internal vulnerability scans? Establishing the list of compliance management activities you need to complete and when they need to be completed will be a great starting point for your 2024 compliance program.

DISC llc provides you with a full list of Information Security activities (GRC) required to achieve a successful data security program. This list includes activities such as:

  • Review policies and procedures (including Acceptable Use Policy)
  • Complete a risk assessment – this should be done annually
  • Review security training – to ensure new employees, as well as current employees, are up to date on all their training
  • Test and update your Business Continuity Plan – this should be done on an annual basis to account for any new situations that may occur
  • Review regulatory and legal compliance requirements – especially important for organizations that need to consider regulations such as ISO 27001:2022, SOC2, GDPR, CPRA, etc.
  • Conduct an inventory of your data assets – data assets change over the year so it is important this document is updated regularly.

3. Assign the right people and resources (RACI Matrix)

It is important to ensure you have the right team members in place. This means not only people qualified to be a part of the team but also team members from all departments. You will also need to select the compliance management tools that you will use to support your planning. Selecting a tool that includes risk management as well as data security will help protect your company as you grow.

4. Schedule all your meetings and tasks for the year (Audit/ Assessment planning)

It might seem a little early to schedule a meeting in July but by planning ahead of time all your key team members will have the time blocked on their calendars and available for your meetings. It will also allow you to run different assessments at different times of the year to avoid inconvenient times for other departments, such as the accounting department.

5. Document, document, (Document Management System)

If it is not documented then it didn’t happen. Make sure you have policies and procedures in place to document all your business actions. If you are not sure how to write appropriate policies and procedures, seek expert advice. Make sure all the required policies are approved and reviewed on regular basis.    

6. Plan ahead to future-proof your security program

Identify the frameworks you may want to tackle down the road and use a helpful platform that will crosswalk to get it done. This will save you time in the future when you wish to consider multiple frameworks for your organization. If you are unsure where to start, speak to a security expert for advice on the frameworks that best suit your industry and your needs. DISC llc performs Security Risk Assessments based on diverse standards and regulations, aligning them with the standard of your preference.

To learn more about compliance management you should seek expert advice from serious security professionals like the DISC Professional Services team. 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Compliance Program

Aug 29 2023

Is the cybersecurity community’s obsession with compliance counter-productive?

Category: Security Compliancedisc7 @ 9:31 am

Does anyone think the chances of surviving a plane crash increase if our tray tables are locked and our carry-on bags are completely stowed under our seats? That we’ll be OK if the plane hits a mountain if we have our seat belts buckled securely across our waists? Not even the flight attendants, who will be responsible for throwing us off the plane if we don’t comply, really believe those rituals make us safer. And yet, we check the box every flight because a government agency said we can’t fly unless we do so...

I’m starting to wonder if the obsession with checking boxes in cybersecurity might be akin to securing our tray tables before take-off. We do as we’re told, check all the boxes, pat ourselves on the back, and in the process, distract ourselves from our ultimate goal: stopping the bad actors and protecting our data.

I started to think about this somewhat disconcerting cybersecurity community reality when scanning the titles of some of the attendees at a recent regional cybersecurity conference. I was surprised by the frequency of titles that combined security with compliance. To wit: Manager Information Security and Compliance, Manager, Security and Compliance Advisory, Senior Manager Internal Controls and Compliance, Sr. Manager – IT Security & Compliance (among others). To add to this: countless “auditor” titles – roles designed specifically to assure fealty to various standards requirements.

Nearly all enterprise breaches originate in one of three ways, and all cybersecurity professionals know this:

  • An unpatched vulnerability
  • Credential theft
  • Installation of malicious software (typically via phishing)

So, let’s try an experiment. Ask a CISO or experienced cybersecurity expert how they would defend their organization against these three breach types if:

1. They could completely ignore standards and compliance, and they’d be given no credit for any level of compliance (and there would be no ramifications for non-compliance)

2. They could re-deploy every dollar of budget allotted to standards compliance and auditing any way they liked

3. Their single objective was to win the game (stop the bad actors, and minimize their organization’s risk of a compromise)

How many would determine that the best use of their resources would be to attain or retain compliance with a cybersecurity standard? And how many would deploy those compliance and auditing resources to patch more vulnerabilities, invest in additional cybersecurity expertise, tools to identify and reduce their external threat footprint, and myriad other effective measures to genuinely reduce their organization’s cyber risk?

It’s not as if dedication to compliance is any more of a guarantee against a breach than any other technology, strategy or prayer. Here are a few examples of compliant companies that have suffered high profile breaches (thanks to ChatGPT for saving me the hours of research otherwise required to build this list):

  • Equifax (PCI and NIST CSF)
  • Target (PCI)
  • Marriott (PCI)
  • Anthem (HIPAA)
  • Premera Blue Cross (HIPAA)
  • CareFirst BCBS (HIPAA)
  • SolarWinds (NIST CSF)

This is, of course, not an exhaustive list. Show me a large enterprise that was breached and I’ll show you a large enterprise adhering to multiple compliance standards.

Indeed, just this month, several US government agencies were victims of an attack exploiting a vulnerability in file transfer software (albeit a zero-day). It’s fair to assume there are several regulations strictly adhered to by the agencies just breached.

So, why do we continue to be obsessed with cybersecurity compliance, standards, frameworks, etc.? The obvious reason is that organizations can be fined for non-compliance.

And yet, there’s been little effort among cybersecurity experts to challenge regulatory agencies. Indeed, many enthusiastically embrace compliance and congratulate themselves and their teams for achieving it. And, of course, no one loves compliance standards more than vendors, just like every barber in the world would celebrate a new law requiring everyone to get a haircut weekly.

The less obvious reason for our community’s love for compliance is that it covers behinds. “Yes, we were breached, but we did everything we were supposed to do, so don’t blame us.” Coaches in every sport will identify that as a loser’s attitude. Champions know there’s no checkbox formula for winning, and there’s no excuse for losing, especially “we did everything we were supposed to and still lost.” It’s cliche’, but the best teams and athletes “just know how to win.”

Am I suggesting we abandon frameworks and compliance? Not immediately, and not without serious debate and analysis. But there is a case to be made that the compliance-centric philosophy governing cybersecurity decision-making today simply isn’t working, and we in cybersecurity are the living embodiment of (not) Einstein’s definition of insanity: doing the same thing over and over and expecting a different result.

Cybersecurity spending continues to increase and yet breach incidents are increasing as well. It shouldn’t be sacrilegious to propose that we consider changing our foundational philosophy from checking boxes on a compliance audit form to doing whatever makes sense to defend our organizations, and win.

CISO Desk Reference Guide Executive Primer: The Executive’s Guide to Security Program

Security Awareness: Applying Practical Cybersecurity in Your World

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: compliance, Security Awareness

Jun 24 2022

How companies are prioritizing infosec and compliance

Category: Information Security,Security ComplianceDISC @ 8:35 am

Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit

DISC InfoSec

#InfoSecTools and #InfoSectraining



Tags: infosec and compliance

Feb 22 2021

Chief Legal Officers face mounting compliance, privacy and cybersecurity obligations

Category: Security ComplianceDISC @ 11:39 pm
How are companies’ legal departments changing to meet the needs of their organization and the needs arising from worldwide changes?

Organizations face much more regulatory compliance and privacy scrutiny than ever before, and everyone is under a constant threat of cyber breach or attack. Legal plays a critical role in ensuring that all compliance obligations are met, and overall risk to the organization is mitigated.

I firmly believe a new strategy is required to deal with these new converging market forces, one that is rooted in data management. What we’ve observed over the past couple of years is how you treat data is key to addressing so many of the concerns facing your organization. How an organization collects, stores, uses and secures its data ultimately determines the extent to which that data poses risks, incurs costs and provides value. All of these greater trends have combined to create new business challenges that no longer can be addressed by a single organizational department.

Let me give you an example:

Let’s say your company receives a California Consumer Privacy Act data access request.

First, you must securely validate the requestor’s identity. Then, you must route the request appropriately and act on it promptly. The person or group responsible for the data must locate it, collect it, review it, possibly redact information and then securely deliver this information to the requestor.

You can see how this request quickly crosses conventional divisions and responsibilities—it’s not just someone in your Privacy department’s responsibility – she will need to work with someone with expertise in e-discovery. And, if that user submits a request for data deletion, things get even more complex, because before deleting anything, you must first confirm that the information can legally be deleted (as it can be subject to retention requirements imposed by regulatory compliance obligations or a legal hold).

In this demanding environment, traditional approaches to enterprise data inventory and management are inadequate.

To help put this process into perspective, we like to ask six simple questions:

1. Do you know where your data is?
2. Do you know who owns your data?
3. Do you know what regulations govern your data?
4. Do you know what third parties have access to your data?
5. Can you forensically prove data integrity throughout all the processes that use your data?
6. Can you easily and quickly respond to requests for your data?

Chief Legal Officers face mounting compliance, privacy and cybersecurity obligations

Jan 19 2021

CPRA Compliance

Category: Information Security,Security ComplianceDISC @ 12:24 am

This tool enables you to identify your organization’s CPRA (California Privacy Rights Act) compliance gaps, and helps you plan the steps necessary to achieve ongoing compliance.

Oct 04 2019

5 Updates from PCI SSC That You Need to Know

Category: Security ComplianceDISC @ 9:39 pm

As payment technologies evolve, so do the requirements for securing cardholder data.

Source: Slideshows – Dark Reading

PCI DSS: Looking Ahead to Version 4.0

3 Primary Goals for PCI DSS Version 4.0

What is PCI DSS? | A Brief Summary of the Standard

How to Achieve PCI DSS Compliance on AWS

Subscribe to DISC InfoSec blog by Email

Tags: pci dss, PCI SSC

Oct 01 2019

CCPA – The California Consumer Privacy Act

Category: Security ComplianceDISC @ 4:51 pm

More detail on site: Steps to CCPA Compliance roadmap

Everything You Need To Know About CCPA 2018

Subscribe to DISC InfoSec blog by Email

Tags: CCPA

Sep 21 2019

How to get started with the NIST Cybersecurity Framework (CSF) – Expel

Category: NIST CSF,Security ComplianceDISC @ 11:02 am

We give you a quick tour of the NIST Cybersecurity framework and describe how you can baseline your efforts in a couple of hours. So check it out.

Source: How to get started with the NIST Cybersecurity Framework (CSF) – Expel

The CyberSecurity Framework Ver 1.1 Preso
[pdf-embedder url=”https://blog.deurainfosec.com/wp-content/uploads/2019/09/NIST-CSF-1.1-preso.pdf” title=”NIST CSF 1.1 preso”]

Virtual Session: NIST Cybersecurity Framework Explained

CSS2017 Session 14 SANS Training – NIST Cyber Security Framework

Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certification | Edureka

Free PDF download: NIST Cybersecurity Framework and ISO 27001 | IT Governance USA

Subscribe to DISC InfoSec blog by Email


Mar 17 2019

Risk Management Framework for Information Systems

Risk Management Framework for Information Systems and Organizations:
A System Life Cycle Approach for Security and Privacy
NIST 800-37r2

Subscribe to DISC InfoSec blog by Email

Tags: Risk Management Framework

Mar 07 2019

How to choose the right cybersecurity framework

Does your organization need NIST, CSC, ISO, or FAIR frameworks? Here’s how to start making sense of security frameworks.

Source: How to choose the right cybersecurity framework

Sep 27 2017

Data flow mapping under the EU GDPR

Category: data security,GDPR,Security ComplianceDISC @ 8:56 am

As part of an EU General Data Protection Regulation (GDPR) compliance project, organisations will need to map their data and information flows in order to assess their privacy risks. This is also an essential first step for completing a data protection impact assessment (DPIA), which is mandatory for certain types of processing.

The key elements of data mapping

To effectively map your data, you need to understand the information flow, describe it and identify its key elements.

1. Understand the information flow

An information flow is a transfer of information from one location to another, for example:

  • From inside to outside the European Union; or
  • From suppliers and sub-suppliers through to customers.

2. Describe the information flow

  • Walk through the information lifecycle to identify unforeseen or unintended uses of data. This also helps to minimise what data is collected.
  • Make sure the people who will be using the information are consulted on the practical implications.
  • Consider the potential future uses of the information collected, even if it is not immediately necessary.

3. Identify its key elements

Data items

  • What kind of data is being processed (name, email, address, etc.) and what category does it fall into (health data, criminal records, location data, etc.)?


  • In what format do you store data (hardcopy, digital, database, bring your own device, mobile phones, etc.)?

Transfer method

  • How do you collect data (post, telephone, social media) and how do you share it internally (within your organisation) and externally (with third parties)?


  • What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?


  • Who is accountable for the personal data? Often this changes as the data moves throughout the organisation.


  • Who has access to the data in question?


The key challenges of data mapping

  • Identifying personal data Personal data can reside in a number of locations and be stored in a number of formats, such as paper, electronic and audio. Your first challenge is deciding what information you need to record and in what format.
  • Identifying appropriate technical and organizational safeguards The second challenge is likely to be identifying the appropriate technology – and the policy and procedures for its use – to protect information while also determining who controls access to it.
  • Understanding legal and regulatory obligations Your final challenge is determining what your organisation’s legal and regulatory obligations are. As well as the GDPR, this can include other compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001.Once you’ve completed these three challenges, you’ll be in a position to move forward, gaining the trust and confidence of your key stakeholders.


Data flow mapping

To help you gather the above information and consolidate it into one area, Vigilant Software, a subsidiary of IT Governance, has developed a data flow mapping tool with a specific focus on the GDPR.


Order Today


Tags: data flow mapping, data privacy, data security, gdpr

Aug 11 2017

GDPR Documentation Toolkit and gap assessment tool

Category: GDPR,IT Governance,Security ComplianceDISC @ 10:46 am

Data Protection / EU GDPR Toolkits


Use this gap assessment tool to:

  • Quickly identify your GDPR compliance gaps
  • Plan and prioritize your GDPR project

EU GDPR Compliance Gap Assessment Tool


Accelerate your GDPR compliance implementation project with the market-leading EU GDPR Documentation Toolkit used by hundreds of organizations worldwide, now with significant improvements and new content for summer 2017:

  • A complete set of easy-to-use and customizable documentation templates, which will save you time and money, and ensure compliance with the GDPR.
  • Easy-to-use dashboards and project tools to ensure complete coverage of the GDPR.
  • Direction and guidance from expert GDPR practitioners.
  • Includes two licenses for the GDPR Staff Awareness E-learning Course.

EU General Data Protection Regulation (GDPR) Documentation Toolkit

Aug 09 2017

EU GDPR: Does my organization need to comply?

Category: GDPR,Security ComplianceDISC @ 9:36 am

By Chloe Biscoe

The General Data Protection Regulation (GDPR) is a new law that will harmonize data protection in the European Union (EU) and will be enforced from May 25, 2018. It aims to protect EU residents from data and privacy breaches, and has been introduced to keep up with the modern digital landscape.

Who needs to comply with the GDPR?

The GDPR will apply to all organizations outside of the EU that process the personal data of EU residents.

Non-compliance can result in hefty fines of up to 4% of annual global turnover or €20 million $23.5 million) – whichever is greater.

Organizations that are compliant with the new Regulation will also find that their processes and contractual relationships are more robust and reliable.

What do US organizations need to do to comply with the GDPR?

The transition period for compliance with the GDPR ends in May 2018. This means that organizations now have less than ten months to make sure they are compliant.

For US organizations, the most significant change concerns the territorial reach of the GDPR.

The GDPR will supersede the current EU Data Protection Directive. Under the current Regulation, organizations without a physical presence or employees in the EU have one main compliance issue to deal with: How to legally transfer data out of the EU. The EU–US Privacy Shield provides such a mechanism for compliance.

Almost all US organizations that collect or process EU residents’ data will need to comply fully with the requirements of the GDPR. US organizations without a physical EU presence must also appoint a GDPR representative based in a Member State.

Save 10% on your essential guide to the GDPR and the EU–US Privacy Shield

EU GDPR & EU-US Privacy Shield – A Pocket GuideAugust’s book of the month is the ideal resource for anyone wanting a clear primer on the principles of data protection and their new obligations under the GDPR and the EU–US Privacy Shield.

Alan Calder’s EU GDPR & EU-US Privacy Shield – A Pocket Guide explains in simple terms:

  • The terms and definitions used within the GDPR and the EU-US Privacy Shield
  • The key requirements
  • How to comply with the Regulation


Data Protection / EU GDPR Toolkits


Jul 14 2011

The TickITplus Kick Start Guide has Been Launched

Category: Security ComplianceDISC @ 12:32 pm

Following the release late last month of the Base Process Library, the Kick Start Guide – the essential guide for all organisations pursuing TickITplus certification – has been launched

/EIN Presswire/ — Following the release late last month of the Base Process Library (http://www.itgovernance.co.uk/products/3460), the Kick Start Guide – the essential guide for all organisations pursuing TickITplus certification – has been launched. The guide can be purchased here www.itgovernance.co.uk/products/3469 in a PDF format or hard copy.

The guide will provide organisations that need to achieve compliance with the TickITplus scheme with information about identifying and selecting the scope of certification and developing in-house resources. It contains guidance on identifying processes, mapping them to TickITplus processes and establishing the assessment strategy. The TickITplus Kick Start Guide also offers advice on preparing for, participating in and following up an assessment.

TickITplus (www.tickitplus.org) is the successor of TickIT and provides improved process modelling to facilitate more efficient business and quality systems planning and improvement. TickITplus gives entry level access to capability grading for small IT organisations and offers significant cost savings for those already pursuing both ISO9001 and Capability Maturity Measurements.

As an introductory guide, the TickITplus Kick Start Guide concentrates specifically on achieving the Foundation level of the scheme, either through initial entry or transition from the existing TickIT scheme.

The Kick Start Guide can be purchased today from www.itgovernance.co.uk/products/3469

Tags: TickITplus

May 09 2011

The Business Case for Information Security Management System

Category: Information Security,ISO 27k,Security ComplianceDISC @ 2:10 pm

Today’s economy is about protecting the information assets which is essential to existence of an organization. After a major incident or a security breach it is unthinkable to say it is not going to affect your bottom line. Most of the organization has to comply with various standards and regulations and a breach in a state of non compliance will be business limiting factor, and the organization may be liable to contractual penalties and loss of potential business from current and future customers.

So Information Security Management System defined as a protection of information from various threats and risks on daily basis. Therefore mitigating information security risks are becoming a critical corporate discipline alongside with other business functions such as HR, IT or accounting.

Mitigating business risks not only improve the business efficiency but also maximize the return on investment and business opportunities.

It is a mistake to assume that information security is solely a technical problem left for IT to solve. These titles below are a non-technical discussion of security information management. It offers a framework that will help business leaders better understand and mitigate risks, prioritize resources and spending, and realize the benefits of security information management.

Mar 07 2011

Manager’s Guide to Compliance

Category: Security ComplianceDISC @ 1:45 pm

Manager’s Guide to Compliance: Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB’s A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices, and Case Studies (Manager’s Guide Series)

A Wall Street Journal/Harris poll revealed that two thirds of investors express doubts in the ability of corporate boards of directors to provide effective oversight. In the shadow of recent global scandals involving businesses such as Parmalat and WorldCom- Manager’s Guide to Compliance: Best Practices and Case Studies is essential reading for you- whether your organization is a major corporation or a small business.

This timely handbook places U.S. and global regulatory information- as well as critical compliance guidance- in an easy-to-access format and helps you make sense of all the complex issues connected with fraud and compliance.

‘Wide perspectives and best practices combined deliver a punch that will knock your “SOX” off! The author has blended together a critical mix necessary for effectively handling the requirements of SOX.’
Rob Nance- Publisher- AccountingWEB- Inc.

‘Robust compliance and corporate governance is an absolute necessity in today’s business environment. This new book by Anthony Tarantino is an authoritative guide to understanding and implementing compliance and regulatory requirements in the United States and around the world. From SOX to COSO to ERM- this book covers them all.’
Martin T. Biegelman- Certified Fraud Examiner- Fellow and Regent Emeritus of the Association of Certified Fraud Examiners- and coauthor of Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance

‘If compliance wasn’t difficult enough- now companies are faced with a barrage of technology vendors claiming to automate compliance as if it were a project. In his new book- Dr. Tarantino paints the reality of the situation: companies need to embrace the broader tenets of governance and use technology to embed governance policies and controls into their daily business processes. Only then can they gain business value from their compliance investments.’
Chris Capdevila- CEO and cofounder- LogicalApps

Here is a link to this book: Manager’s Guide to Compliance: Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB’s A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices, and Case Studies (Manager’s Guide Series)

Tags: ASX 10, BASEL II, Best Practices, COBIT, COSO, ERM, IFRS, OECD Principles, OMB's A-123, Sarbanes-Oxley, Turnbull Guidance

Sep 21 2010

ArcSight offers $49.00 entry-level audit logging package

Category: Security ComplianceDISC @ 9:25 am
Image representing ArcSight as depicted in Cru...
Image via CrunchBase

Security Log Management: Identifying Patterns in the Chaos

Arcsight offer $49 entry level logging solution – a monumental change from the SIEM vendors, since they were trouncing their clients at price of 200K and up.

Data security and compliance specialist ArcSight has taken the wraps off a slew of product updates – Enterprise Security Manager 5.0, Identityview 2.0 and Logger 5.0 – with the offer of a $49.00 version of Logger, its universal log management software.

For more detail on the article: ArcSight offers $49.00 entry-level audit logging package

Tags: ArcSight, Consultants, General and Freelance, Identityview 2.0, Logger 5.0, Security, Security event manager

Dec 03 2009

2010 Compliance Laws

Category: pci dss,Security ComplianceDISC @ 2:13 am

Information Security Wordle: PCI Data Security...
Image by purpleslog via Flickr
In 2010 there will be two important compliance laws introduced which will affect the majority of North American organizations and many global organization too.

45 US States followed California when they introduced “SB1386“, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.

  • From the 1st January 2010, ALL businesses that collect or transmit payment card information, will be legally obliged, by Navada Law, to comply with PCI DSS.

  • Every organization who collect, owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 (The Massachusetts Data Protection Law) on or before March 1, 2010.

  • Similarly to the SB1386 Law, California, Massachusetts & Texas are already looking at making PCI DSS Law and history tells us that when California moves, everyone else follows!
    To help you comply with these impending laws ITG have developed a range of solutions which are aim to make the process as cost effective and simple as possible:

    The Nevada PCI DSS Law:

    The PCI DSS requires you to:

  • apply a number of specific controls, or safeguards.

  • These include documented policies and procedures; as well as

  • a number of technical IT and network configurations.

  • You will also have to provide staff with appropriate training; and

  • You will have to have quarterly scans.

  • PCI DSS v1.2 Documentation Compliance Toolkit

    This PCI DSS v1.2 compliance toolkit is specifically designed to help payment card-accepting organizations quickly create all the documentation required to affirmatively answer the requirements of the PCI DSS as set out in the Self Assessment Questionnaire (v1.2).

    201 CMR 17.00 – The Massachusetts Data Protection Law:

    201 CMR 17.00 & ISO 27001 Toolkit

    will save you months of work, help you avoid costly trial-and-error dead-ends, and ensure everything is covered to current 201 CMR 17.00 / ISO 27001 standard.

    This version of the ISMS Documentation Toolkit is ideal for those who owns or licenses personal information about a resident of the Commonwealth.

    Reblog this post [with Zemanta]

    Tags: 201 CMR 17.00, california, iso 27001, ISO/IEC 27001, Law, Massachusetts, Massachusetts Data Protection Law, Nevada, Nevada PCI DSS Law, Payment Card Industry Data Security Standard, PCI Express, privacy, sb 1386

    Sep 01 2009

    Audit of security control and scoping

    Category: Risk Assessment,Security ComplianceDISC @ 3:53 pm


    Information Technology Control and Audit

    The audit is utilized as a tool to check compliance control based on standards such as ISO 27002 or NIST 800-53 etc. Some other terms which are not sometime rigorous audit have been used to asses controls are gap analysis, benchmarking and control review.

    Scoping sets the boundaries of the audit, where dependencies are marked and exclusions are sorted out.

    The consultant/team lead that has a thorough understanding of security risk management ought to carry out these reviews. The quality of the work depends on correct scoping, fieldwork assignment, and appropriately reporting the findings to management.

    Team lead should have a clear understanding of audit scope before the initial briefing to client. Basically what exactly the client wants and who are the target audiences in the final report and presentation. Clear understanding of the scope includes making sure that the whole organization is included in the audit or just part of it. Before starting an audit, the auditor should have a complete list of assets included in the scope. Sort the assets list into different group of infrastructure which could be handed over to technical consultant for validation of the controls. At this point team lead should point out to technical consultant, the minimum number of assets which are required to be validated to satisfy sampling requirement.

    Scope of final report/presentation should be clear regarding the list of non-compliance, prioritized recommendation or action plans which needs to be included in the report. During presentation of the findings, and to keep C level folks interested in the presentation, presenter needs to relate the findings to business risk and avoid using security acronym.

    Scoping will take into account the length of the time available for field work, analysis, reporting and size and competence of the team to perform a successful audit. Especially if limited time is available for field work, the competence of the team matter to cover various infrastructure, to validate and document the controls effectively.

    Tags: assessment profile, assessment scope, iso 27002, NIST 800-53, security audit, security control, security review, Security Risk Assessment

    Aug 24 2009

    Vulnerability management and regulatory compliance

    Category: Security ComplianceDISC @ 8:09 pm

    Threat and Vulnerability Management in the Ent...
    Image by Michele Mondora via Flickr

    Information security requirements are growing for financial, healthcare and government sectors. Especially a new ARRA and HITECH provision for HIPAA mandates compliance for business providers/vendors.
    The business owners have seen growing number of government and industry specific regulations for protecting the confidentiality, integrity and availability of data from ever growing threat landscape. Now most of the regulatory compliance has some teeth, organizations who may not fully comply shall face serious penalties which include but not limited with fines, civil and criminal penalties.

    Those days are gone when manual vulnerability management use to be sufficed to satisfy the auditors. Vulnerability management can assist management in operational compliance. Most of vulnerability management organizes vulnerabilities by severity level. Severity level is determined by business impact and how easily the attacker can exploit the vulnerability. Remediation can be prioritized based on the asset categorization. Asset categorization is based on company scale (L,M,H) which is associated with overall business impact of an asset to the company.
    The best way to automate vulnerability management is to use software as a service (SAAS). SAAS vendor run their application on a secure server (web, database), which user operate with a web browser on a secure SSL connection. SAAS provider handles all the maintenance of SAAS infrastructure. Organization security staff can spend most of their time on remediation rather than running manual vulnerability management. Automated vulnerability management shows ongoing compliance with standards and regulations and provides documentation for audits.

    Reblog this post [with Zemanta]

    Tags: Security, Security Scanners, vulnerability

    Next Page »