IT Compliance and Controls

Converging Business, Information, and Controls


Entries Tagged as 'Uncategorized'

All Businesses will be digital businesses .. the hyperbole

March 20th, 2014 · No Comments

I love technology and feel there is immense opportunity to shape the world with it. Some businesses serve only digital markets, and others are transforming how they do business with digital technology. Now that this disclaimer is in the universe … The immense cacophony of noise that “All businesses will be digital businesses” needs […]


Does competency matter as a CIO / CISO? Inspired by Target breach

March 14th, 2014 · No Comments

As the news cycle continues regarding the Target breach of 40ish million credit cards and 70ish million customer data records, a point came up that seemed relevant. Perhaps it was that I was just working with a global organization implementing a more integrated and responsive security program, and the concept of RACI and competency was […]


A different approach and RSA Tuesday update

March 5th, 2014 · No Comments

A fresh post in a long while .. So, after writing for clients and my research being all-consuming this past year, I am re-focusing time in my day to share observations and thoughts. Why? Quite simply, I learn more when I write, share, and get feedback than when living in an echo chamber. How will […]


Update and final GSA Rule provides value related to Vendor 3rd party audits

January 18th, 2012 · No Comments

The GSA Final Rule got a lot of attention in the government services sector as it solidified the requirements related to security and third parties. The Final Rule makes it clear that upon winning a contract, and in order to continue it, ongoing performance and attestation of the security program are required. Specifically, the language states […]


Does competition breed better Security? Enterprise Architecture leading IT Transformation

January 17th, 2012 · No Comments

An article published on the Open Group’s site has a nice Q&A with Jeanne Ross, a scientist at the MIT Center for Information Systems Research and an author of 3 books. She is a speaker on how adoption of enterprise architecture (EA) leads to greater efficiencies and better business agility. Reading the interview, I had a few […]


Challenge base assumptions, such as pre-boot passwords, disk encryption, and their necessity

August 8th, 2011 · No Comments

When pre-boot authentication is not a safeguard … how does that change the risk landscape, the assumptions on other controls, and user behaviors? DEFCON 16 had a presentation on “Bypassing pre-boot authentication passwords by instrumenting the BIOS keyboard buffer (practical low level attacks against x86 pre-boot authentication software)”. This is available for free consumption on […]


Upcoming changes to ISO 27001:2005 and the ISMS Gold standard

January 28th, 2011 · No Comments

Many organizations around the world rely upon the ISO 27001 standard as the premier method of structuring and governing their information security operations. As the world changes, so too must the standards. The latest draft (the standard is currently in its 4th working stage) highlighted a few interesting improvements. More can be read here by […]


Clarity on Security and Privacy, HIPAA & HITECH for Medical Providers

July 13th, 2010 · No Comments

HITECH and HIPAA Security and Privacy safeguards have been evolving over the past 14 years. Today a large amount of information has been provided outlining guidance for medical providers. Specifically, 2 rules outlining how to qualify for the federal incentive program for electronic health records were released today (July 13, 2010) (though not in effect […]


What do coordinated phishing attacks mean to your organization?

May 28th, 2010 · No Comments

A report released this month has identified one single group that is responsible for 2/3 of ALL global phishing attacks. This is a tremendous task and requires an exceedingly large amount of sophistication. A telling quote from the report (available here) gives a bit of background: Central to Avalanche’s success is its use of fast-flux […]


Federal Government centralizing Cloud certifications

April 19th, 2010 · No Comments

A great amount of efficiency exists in the Cloud solution model, but the savings can be wasted through management waste, lax business support services, and insufficient information technology controls. Vivek Kundra (United States Government Federal CIO) gave a presentation to the Brookings Institution on how Clouds will be a central focus of all government information […]
