Mapping Shared Assessments to HIPAA Security
We often use the Shared Assessments Program’s Agreed Upon Procedures (AUP) to help Health Care clients provide information security assurance to their clients. The Shared Assessments Program was...

RX for the Flu? A Business Continuity Plan
How would your organization operate if it lost 5% of its employees due to flu quarantine? 10%? Could you survive it being 20% for two weeks? What if it was centered in your IT organization or your...

Open Source Intelligence: What It Is And Why You Should Care
A topic that’s gathering buzz in information security circles these days is open source intelligence, or OSINT. OSINT basically involves gleaning “intelligence” (aka data) from publicly accessible...

Pineapples & Information Security Management Systems
The other day my co-workers and I were having lunch and I was eating fruit. One of them noted that he really doesn’t enjoy fruit very much. When I replied that I only really like fruit that is “not a...

Don’t Wait For “Next Time” – Prepare Now For Your Next Breach
Pivot Point Security recently conducted an investigation on behalf of a large retail client whose website was compromised. As soon as we got the call about the breach we started reviewing all available...

Omnibus: HIPAA Now Applies to Many More Companies — Is Yours One of Them?
The new HIPAA/HITECH “Omnibus Rule” went into effect on March 26, 2013, and organizations have 180 days to come into compliance — which is not a lot of time. This new regulation modifies HIPAA in line...

Omnibus Breach Assessment Rules: 4 Steps To Compliance
The new HIPAA Omnibus Rule went into effect on March 26, 2013 — and compliance will be enforced beginning on September 23, 2013. Are you familiar yet with the new rules and how they might impact your...

How OWASP Can Prevent Your Business From Getting Stung By Hackers
In a recent blog post, one of my colleagues at Pivot Point Security wrote about a client firm that was hacked due to a vulnerability in one of its web applications. While they regularly ran network...

Hey, Is This Application Secure?
Lately a lot of clients have been asking me to provide what I refer to as “security on demand.” The client basically asks: “My users want me to give them this (commercial off the shelf software)...

Disruptive Technology: Coming Soon to Your IT Environment
Everywhere you look, technology is changing the game in terms of how businesses have traditionally operated. Lately I’ve been doing a lot of work with organizations in the taxicab industry, which is...

What Remote Employees, Happiness At Work And Hacking Your Servers Have In Common
Like many people, I find it easiest to write about my direct experience. Currently I work from home, and I spend my working time doing application penetration testing on behalf of Pivot Point Security...

How the New OWASP Top 10 2013 Can Benefit Your Business
Non-secure applications are a problem for nearly every business with an online presence. And the more complex and interconnected your IT infrastructure gets, the harder it can be to secure your...

Making Your Security Metrics Work for You
Recently, I came upon a blog post on TechRepublic titled, “Why security metrics aren’t helping prevent data loss,” which explores why data losses continue to increase despite the introduction of...

Mapping the New HIPAA Omnibus Rule to ISO 27001
Recently one of our ISO 27001 certified clients called me because their clients had been asking them lately about whether they were compliant with the new HIPAA Omnibus Rule. This rule institutes...

Don’t Be Denied: Why SMBs Should Consider Denial-of-Service Vulnerability...
The potential for Denial-of-Service (DoS) and the more high-powered Distributed Denial-of-Service (DDoS) attacks against networks, websites or applications is a reality for many organizations that do...

When Troubleshooting A Performance Incident Suddenly Becomes A Security Incident
I recently participated in an investigation that serves as a cautionary tale for organizations that (knowingly or unknowingly) fail to keep log data. The incident involved a major media company that...

Understanding the Nature of Cyber Threats
I conduct a lot of risk assessments to prepare clients for ISO 27001 certification. In this context I often see a misunderstanding of the scope of cyber threats for organizations and their IT systems....

3 Reasons Why White Box Testing Trumps Black Box Testing
I’m surprised how often our clients want us to perform black box penetration testing on their web-facing systems, instead of white box testing. What’s the difference? In black box testing, the client...

What Qualifies an Information Security Professional as ISO 27001 ‘Competent’?
As an ISO 27001 consulting firm, knowing what qualifies an information security professional as ‘competent’ according to the standard is important. A unique approach that combines education and...