Author Archives: Chris Cronin


Author: Chris Cronin, ISO 27001 Auditor The Court of Justice of the European Union has determined that E.U. Safe Harbor is not sufficient protection of European Union residents whose personal information is sent to the United States. This is a big deal for U.S. and E.U.-based businesses who have relied on the Safe Harbor framework as a […]


Author: Chris Cronin, ISO 27001 Auditor The Third Circuit Court of Appeals announced on Monday, August 24, 2015 that the Federal Trade Commission is acting within its authority when it takes action against companies for poor data security practices. Take heed. You may be doing exactly what the FTC is complaining about.


PREPARING FOR YOUR DATA BREACH. Author: Chris Cronin, ISO 27001 Auditor Most InfoSec professionals don’t want to think about becoming the next victim of a major data breach to make the headlines. And yet when faced with another major data breach it is a time when Executive Management and security teams reflect on their own insecurities. […]

Lessons in Risk Management: What We Should Learn from the FAA Fire

Author: Chris Cronin, ISO 27001 Auditor Too often in information security we focus on the confidentiality of personal information, ignoring the damage that can result from failures in integrity and availability. In fact, this is the main driver of much of our information security spending in the U.S. But the proper function of information and communications […]

Darrell Issa Just Learned the Difference Between Compliance and Security. Let’s Hope for a Payoff.

Darrell Issa’s House Committee on Oversight and Government Reform has been busy looking into the security of the website and its connected systems.

California’s New “Do Not Track” Privacy Law is Weak … As Expected

If you operate a web site that accepts personal information from California residents, you may be aware that California’s amended CalOPPA law has added a “do not track” requirement this month. California’s legislators have added to the already-weak law a new, value-less clause that gives the appearance that the law does something that it does […]

Common Hazards in Risk Management: The Selfish Risk Assessment

Information security laws and regulations are telling us to conduct cyber security risk assessments before we develop our security and compliance programs. They insist on this so our security goals are meaningful to each of us, rather than aspiring to a generic list of controls that were written by experts who never met us and […]

Your Policies Can Hurt You, Part 2: Overzealous Policies Can Create Breach-Prone Environments

Early on in my information security career I was auditing a firm that conducted complex economic analyses for their clients. They processed a lot of personal information and they wanted to be sure they were applying appropriate controls to safeguard that information. Part of their business model was to charge their clients per hour for […]