Reference Materials

Industry Insights for Reasonable Security and Appropriate Risk
Articles
Real-world examples and articles written by leading cyber security experts.
Cyber Security Summit Threat Forecasting: Using Open Source Data to Foresee Your Next Breach
We forecast cybersecurity events not to predict the future, but to change it. Regulators and litigators all hold us accountable for knowing foreseeable threats so we can avoid them. But what is foreseeable? And how do we evaluate risks knowing what is foreseeable? This session will demonstrate how open source information can help you prioritize your cybersecurity efforts, and demonstrate that you were being reasonable even if a breach does occur.
Cyber Security Summit Presentation: CMMC and CCPA. Using Duty of Care Risk to Comply With New Challenges
CMMC and CCPA are very different requirements that push security organizations in new directions. CMMC is specific and for the DoD supply chain. CCPA is generic and for any organization with certain personal information. But both specific and generic security requirements are difficult to comply with. During this session we will show you how Duty of Care Risk Analysis can help you move from either generic or specific requirements to “reasonable” security controls that regulators will understand.
Is There Such a Thing as Reasonable Privacy?
"A Privacy Guide: Is There Such a Thing as Reasonable Privacy?" on how to implement privacy reasonably.
(ISC)2 Security Congress | The Questions a Judge Will Ask You When You are Sued for a Data Breach | Getting to Reasonable Security
What is reasonable security? This presentation references case law, regulatory oversight and the Center for Internet Security Risk Assessment Method (CIS RAM). CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.
Reasonable Security The Questions a Judge Will Ask You After a Data Breach
This presentation helps establish reasonable security by reviewing judicial balancing tests, how they relate to regulatory definitions of “reasonable” risk, and how to conduct risk assessments that prepare you to answer the tough questions before you need to be asked.
California Consumer Privacy Act CCPA Applicability, Requirements Security Compliance
Midwest Cyber Security Alliance (MCSA) reviews the California Consumer Privacy Act CCPA to understand the potential penalties and risks of noncompliance.
How is PCI Enforced?
Unlike most regulations you may be familiar with, the PCI DSS is enforced by contract - here is a quick look at the process; learn more about how you can be PCI compliant.
Health Care Compliance Association (HCCA) Webinar: Duty of Care Risk Analysis
Duty of Care Risk Analysis: How to define “reasonable” security controls that make sense to business, judges, and regulators. Design and run a risk assessment that is meaningful to technicians, business, and authorities. Learn from case studies involving regulatory oversight, lawsuits that happened, and lawsuits that never happened.
Adopting Duty of Care Risk Analysis to Drive Governance, Risk, and Compliance (GRC)
The Questions A Judge Asks You After A Data Breach
Compliance Week Webinar: The Questions A Judge Asks You After A Data Breach
SANS Security Leadership Poster 5 Keys for Building a Cybersecurity Program & CIS Controls
Multi-Factor Balancing Test: 8 Questions a Judge Will Ask You after a Data Breach

The 8 Questions a Judge Will Ask You after a Data Breach. Define your acceptable level of risk with a duty of care risk assessment.

HALOCK Article If HIPAA Seems Too Hard

In 2012, OCR and their audit partner KPMG set out to assess 115 organizations, test a new HIPAA audit program, and see what the current state of HIPAA compliance was.

HALOCK Cyber Security Ransomware Article

Staying ahead of security threats is no easy task. One threat that should definitely be on your radar is ransomware.

HALOCK Article A Judge Approved a Lawsuit Against Target

Business and legal journalists have been expressing disappointment at Judge Paul Magnuson’s decision to allow third party banks to sue Target Corp after their cardholder data breach.

Case Studies
Case studies and best practices of cyber security engagements. Insights learned throughout the scope, inventory, assessment, validation, remediation process.
Cyber Security Case Study: When Ransomware Attacks and You Don’t Have Documented Data Inventory
HALOCK partnered with a Manufacturing company to recover data exfiltrated from a ransomware attack and implemented controls to help inventory, backup, and protect assets from future security incidents.
University PCI Compliance Case Study
HALOCK partners with a research university to conduct a comprehensive PCI DSS project to ensure compliance.
Ransomware Case Study: Exfiltrating Remote User Accounts to Inject Ransomware
How a manufacturing company contained and eradicated a ransomware cyber attack.
PCI DSS Retail Case Study Security Policy & Practices
During a PCI Assessment for a global retailer, HALOCK discovered and helped resolve significant breakdowns in security policies and practices implemented at the stores.
Penetration Testing Case Study
Retail Penetration Testing Case Study
Cyber Security Summit Chicago Presentation - CIS RAM: This Math will Save You
Access the presentation file from the Cyber Security Summit Chicago session - CIS RAM: This Math Will Save You
HALOCK CASE STUDY Not All Vendors Are Created Equal A Case Study In Penetration Testing

A major university located in the Midwest was interested in comparing HALOCK’s penetration testing services to those of a competitor to see if there were any material differences.

HALOCK CASE STUDY ISO 27001 Is Good Security and Good Business

When a multi-state law firm decided that securing their highly sensitive information and information systems was critical to their success, they turned to ISO 27001.

Checklists
Step-by-step checklists, assessments and guidance on compliance, security engineering, pen testing, privacy (CCPA), third party vendors, and incident response concerns.
CCPA Privacy Cyber Security Checklist
Review your security readiness with the CCPA Privacy Checklist.
HALOCK Third Party Risk Management (TPRM) Workbook
Third Party Risk Management (TPRM)/Vendor Risk Management Workbook
Duty of Care Risk (DoCRA) Checklist

Determine if your risk assessment meets Duty of Care and is DoCRA compatible.

HIPAA Compliance Risk Assessment Checklist

Whether you're implementing a new HIPAA security program or managing an existing program over time, it can be helpful to use a checklist to make sure you're covering all of the necessary steps.

HALOCK Incident Response Plan Security Checklist

Have an incident response plan in place before you experience an incident. Be sure that your IR plan includes the following 10 items to ensure the incident response progresses as smoothly as possible.

FastStart Vendor Risk Management Checklist

HALOCK’s FastStart Vendor Risk Management (VRM) Checklist allows organizations to initiate a formal VRM Program and get started immediately!

HALOCK 10 Must-Have Capabilities of Best-In-Class Pen Testing Providers (Pen Test Checklist)

Keeping Security Awareness top-of-mind in your organization is crucial. Use this pen testing checklist as a reference to ensure that the proper practices in your organization are being met.

Guides/Workbooks
Purely educational, these tools, guides, and workbooks walk you through key cyber security topics you need to know, including PCI compliance, HIPAA security rule, penetration testing, third party vendor risk and more.
(ISC)2 Security Congress | The Questions a Judge Will Ask You When You are Sued for a Data Breach | Getting to Reasonable Security
What is reasonable security? This presentation references case law, regulatory oversight and the Center for Internet Security Risk Assessment Method (CIS RAM). CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.
California Consumer Privacy Act CCPA Applicability, Requirements Security Compliance
Midwest Cyber Security Alliance (MCSA) reviews the California Consumer Privacy Act CCPA to understand the potential penalties and risks of noncompliance.
How is PCI Enforced?
Unlike most regulations you may be familiar with, the PCI DSS is enforced by contract - here is a quick look at the process; learn more about how you can be PCI compliant.
Health Care Compliance Association (HCCA) Webinar: Duty of Care Risk Analysis
Duty of Care Risk Analysis: How to define “reasonable” security controls that make sense to business, judges, and regulators. Design and run a risk assessment that is meaningful to technicians, business, and authorities. Learn from case studies involving regulatory oversight, lawsuits that happened, and lawsuits that never happened.
CCPA Quick Reference Card Reasonable Security
Your quick look at the California Consumer Privacy Act (CCPA) for reasonable security.
HALOCK TPRM Interactive Workbook
Adopting Duty of Care Risk Analysis to Drive Governance, Risk, and Compliance (GRC)
The Industry Risk Assessment Disconnect and the Solution
HALOCK Information Technology Risk Assessment
Is Your Organization Exercising “Due Care”?
The Guide to PCI DSS 3.1

PCI DSS 3.1 further clarifies the changes made in PCI DSS 3.0 by addressing 30 clarifications to existing requirements and four guidance points that serve to improve understanding of the requirements.

The Guide to PCI DSS 3.0

The changes in PCI Data Security Standard (PCI DSS) 3.0 focus on some of the most frequently seen threats and risks that have led to cardholder data breaches.

The Guide to PCI DSS 3.2

The PCI Security Standards Council (PCI SSC) in PCI DSS v3.2 is requiring that all versions of SSL and TLS version 1.0 must be disabled. In order to be PCI DSS compliant you must be utilizing TLS 1.1 at a minimum (although TLS 1.2 is highly recommended). This mandate was originally slated for implementation by 2016, but due to the burdensome impact on organizations, the PCI SSC extended the timeline to June 30, 2018. The PCI DSS applies to all organizations receiving credit card payments for goods and/or services (merchants) and any third party service providers for PCI DSS merchants. This guide helps users through the new requirements.

Vulnerability Assessment Services Frequently Asked Questions

There is a great deal of information and misinformation in the marketplace with regard to exactly what penetration testing is and what you should expect from a penetration testing company.

The Best Guide to the HIPAA Security Rule You'll Ever Read

If you have some responsibility in your organization for complying with the HIPAA Security Rule, then this guide is for you.

Infographics
A visual overview of cyber security trends, news, industry in infographics.
Not so fast . . .
8 Questions a Judge Asks you after a Data Breach Infographic
Your Employees are Targets: Social Engineering Infographic
Your employees are targets of social engineering; teach them to be secure with this cyber security awareness poster.
Healthcare & Data Breaches Infographic
Data breaches in the healthcare industry
Data Breaches & Marketplace Reputation Infographic
Do data breaches impact marketplace reputation?
SOCIAL ENGINEERING: The Human Element Infographic
Secure your team from social engineering with this cyber security awareness poster.
Solutions
Our cyber security solutions to evaluate, build, or enhance your safeguards and controls to define reasonable security and strengthen risk management.
Incident Response Readiness (IRR) Essentials
The IRR Essentials Package provides you with all of the elements to develop your company’s incident response readiness program quickly plus a consulting team to help you navigate your specific technical questions throughout the process. You receive Incident Response Program components with directions, templates, cyber security training, and advisory services that guide you along the development process.
HALOCK Information Security Cyber Security Reasonable Risk
Privacy Compliance CCPA and Reasonable Security Risk Analysis
Establishing reasonable security controls for privacy compliance defined by regulatory requirements such as CCPA and The SHIELD Act. Practice Duty of Care (DoCRA) as defined by your mission, objectives, and social responsibility.
Incident Response & Forensic Services
Third-Party Risk Management (TPRM) & Vendor Assessment Services Overview
Third-Party Risk Management (TPRM) & Vendor Assessment Services
Security Maintenance Program
Maintain Your High Standards. Expand the expertise, support, operations, and analysis to a dedicated Security Maintenance Team.
Cyber Security Awareness Training
Security awareness delivers a high return but often receives the least investment in a security management program.
Threat-Based Security Architecture Review & Analysis
Are you prepared against common attacks in your industry? Simplify the complex. Consolidate the process. HALOCK streamlines your security architecture review workflow with Threat-Based Security Architecture Review & Analysis.
PCI DSS Compliance Information Security
The Payment Card Industry Data Security Standard (PCI DSS) specifies technical and operational requirements for all organizations that store, process or transmit credit card data. If you handle credit card data, then PCI DSS applies to you - achieve PCI Compliance with HALOCK.
COMPLIANCE Solutions
Regulations such as the HIPAA Security Rule, CCPA, GDPR, PCI DSS, Gramm-Leach-Bliley Safeguards Rule, Massachusetts 201 CMR 17.00, 23 NYCRR Part 500 (NYDFS), and many other regulations require reasonable security safeguards to achieve compliance.
Web Application Penetration Test Cyber Security
Custom web applications are designed to provide access to services and information. Validating if that access is used as intended requires a very specific and specialized method of testing.
Social Engineering Penetration Test Cyber Security
Remote social engineering penetration tests validate the effectiveness of user security awareness, incident response, and network security controls such as malware defenses, local permissions, and egress protections.
Onsite Social Engineering Penetration Test
Onsite social engineering penetration tests are performed to assess the effectiveness of physical security controls, employee response to suspicious behavior, perimeter defenses, and validate that network security controls prevent an attacker from gaining network access.
Wireless Penetration Test
Wireless penetration tests assess the adequacy of the multiple security controls designed to protect wireless services from unauthorized access.
Internal Network Penetration Test
Internal penetration tests are more thorough than automated vulnerability scans in that comprehensive testing efforts focus on exploiting weaknesses with the intent of gaining access to assets positioned within the private network.
External Penetration Test
External Penetration Tests are more thorough than automated vulnerability scans in that comprehensive testing efforts focus on exploiting weaknesses with the intent of gaining access to the environment.
Penetration Testing Methodology
Industry pen test methodology
Penetration Testing Report & Deliverables
Report, Summary, Detailed findings, Walk-throughs, Supplementary information, Post-testing activities, Remediation
Penetration Testing Project Plan
Penetration Testing Methodology & Project Plan
Penetration Test
Penetration Test Services
White Papers
In-depth reports on various cybersecurity topics written by recognized authorities.
CRAIN'S Cybersecurity Roundtable