Category Archives: Duty of Care Risk Assessment (DoCRA)
CIS Controls 7 CIS RAM
CIS RAM (Center for Internet Security® Risk Assessment Method) was developed by HALOCK Security Labs in partnership with CIS. HALOCK had been providing the methods behind CIS RAM for several years, with a positive response from legal authorities, regulators, attorneys, business executives, and technical leaders.
We Just Gave Away Our Cyber Security Intellectual Property. It was the right thing to do.
Why a Chicago-Based Cyber Security Firm Just Released its Prized IP.
By Chris Cronin, ISO 27001 Auditor, Partner
Are Your Security Devices HIPAA Compliant?
By Chris Cronin, ISO 27001 Auditor, Partner
Would you be surprised to learn that there is no HIPAA requirement that tells organizations to use a firewall? How about an intrusion detection system (IDS)? Nope. And no requirements for a data loss prevention tool (DLP) either, or a proxy server, or even a security information and event management system (SIEM).
Risk Acceptance Levels: Managing the Lower Limits of Security Costs
Last week I presented a topic here on HALOCK's blog about the Hand Rule, also known as the "Calculus of Negligence." The basic message of that post was that we can use information risk assessments to keep our security costs at a reasonable level, but only if we can describe how we arrive at the upper limit of a reasonable security cost. Be sure to read The Hand Rule: Managing the Upper Limits of Risk Management in order to understand the full point of this posting, which addresses the lower limit: the level of risk an organization is willing to accept.
If HIPAA Compliance Seems Too Hard … Then You’re Doing it Wrong. Here are the Basics of Doing it Right.
In April of 2013 the Office for Civil Rights (OCR), the branch of the Department of Health and Human Services that oversees compliance with the HIPAA Security Rule, started releasing analysis from its pilot audit of Security Rule compliance. In 2012, OCR and its audit partner KPMG set out to assess 115 organizations: hospitals, insurance companies, clearinghouses and business associates. Their essential goals were to develop and test a new HIPAA audit program, and to see what the current state of HIPAA compliance was. What they found was that, in terms of HIPAA Security Rule compliance, you're probably doing it wrong.
HIPAA Security Rule and Fines
HIPAA compliance did not use to have much teeth behind it. Times have changed, however, as the Alaska Department of Health and Social Services (DHSS) is all too well aware.
Reasonable and Appropriate Data Security
An interesting case that the FTC filed recently (June 26, 2012) against a well-known hotel chain illustrates what "reasonable and appropriate" data security means in practice. (Names omitted for the purposes of this blog.) Notice the similarities to the PCI DSS requirements.
PCI Level 2 Non-Compliance, Mastercard’s New Rules
I have had many questions on the topic of compliance for Level 2 PCI merchants that are transitioning from a self-assessment questionnaire (SAQ) to an on-site assessment with a Report on Compliance (ROC). Many are concerned with the prospect that they are non-compliant with many of the controls and want to know what they should do and what risks they face.