Reference Materials

Industry Insights for Reasonable Security and Appropriate Risk

Case Studies

Case studies and best practices of cyber security engagements. Insights learned throughout the scope, inventory, assessment, validation, remediation process.
  • Cyber Security Case Study: When Ransomware Attacks and You Don’t Have Documented Data Inventory

    HALOCK partnered with a Manufacturing company to recover data exfiltrated from a ransomware attack and implemented controls to help inventory, backup, and protect assets from future security incidents.

  • University PCI Compliance Case Study

    HALOCK partners with a research university to conduct a comprehensive PCI DSS project to ensure compliance.

  • Ransomware Case Study: Exfiltrating Remote User Accounts to Inject Ransomware

    How a manufacturing company contained and eradicated a ransomware cyber attack and further mitigated their risk.

    Ransomware Risk Case Study
  • PCI DSS Retail Case Study Security Policy & Practices

    During a PCI Assessment for a global retailer, HALOCK discovered and helped resolve significant breakdowns in security policies and practices implemented at the stores and mitigate risks.

    PCI DSS Retail Risk
  • Penetration Testing Case Study

    Retail Penetration Testing Case Study

    pen test case study and risks
  • Cyber Security Summit Chicago Presentation - CIS RAM: This Math will Save You

    Access the presentation file from the Cyber Security Summit Chicago session - CIS RAM (Risk Assessment Method): This Math Will Save You

    CIS RAM Duty of Care Risk Analysis
  • HALOCK CASE STUDY Not All Vendors Are Created Equal A Case Study In Penetration Testing

    A major university located in the Midwest was interested in comparing HALOCK’s penetration testing services to those of a competitor to see if there were any material differences.

  • HALOCK CASE STUDY ISO 27001 Is Good Security and Good Business

    When a multi-state law firm decided that securing their highly sensitive information and information systems was critical to their success, they turned to ISO 27001.


Checklists

Step-by-step checklists, assessments and guidance on HIPAA, compliance, security engineering, pen testing, privacy (CCPA), third party vendors, and incident response concerns.
  • CCPA Privacy Cyber Security Checklist

    Review your security readiness with the California Consumer Privacy Act (CCPA) Privacy Checklist.

    HALOCK Cyber Security CCPA Privacy Checklist
  • HALOCK Third Party Risk Management (TPRM) Workbook

    Third Party Risk Management (TPRM)/Vendor Risk Management Workbook

  • Duty of Care Risk (DoCRA) Checklist for Reasonable Security

    Define reasonable security for your organization. Determine if your risk assessment meets Duty of Care and is DoCRA compatible.

    Cyber Security Checklist Duty of Care Risk
  • HIPAA Compliance Risk Assessment Checklist

    Whether you're implementing a new HIPAA security program or managing an existing program over time, it can be helpful to use a checklist to make sure you're covering all of the necessary steps.

  • HALOCK Incident Response Plan Security Checklist

    Have an incident response plan in place before you experience an incident. Be sure that your IR plan includes the following 10 items to ensure the incident response progresses as smoothly as possible.

  • FastStart Vendor Risk Management Checklist

    HALOCK’s FastStart Vendor Risk Management (VRM) Checklist allows organizations to initiate a formal VRM Program and get started immediately!

  • HALOCK 10 Must-Have Capabilities of Best-In-Class Pen Testing Providers (Pen Test Checklist)

    Keeping Security Awareness top-of-mind in your organization is crucial. Use this pen testing checklist as a reference to ensure that the proper practices in your organization are being met.


Guides/Workbooks

Purely educational, these tools, guides, and workbooks walk you through key cyber security topics you need to know, including PCI compliance, HIPAA security rule, penetration testing, third party vendor risk and more.
  • 2024 HALOCK Annual 10-K Survey

    The 2024 HALOCK Annual 10-K Survey is a publication by HALOCK Security Labs and Reasonable Risk that tracks how well public companies describe their cybersecurity programs in Item 1C of their 10-K disclosures.

    2024 HALOCK Annual 10-K Survey
  • (ISC)2 Security Congress | The Questions a Judge Will Ask You When You are Sued for a Data Breach | Getting to Reasonable Security

    What is reasonable security? This presentation references case law, regulatory oversight and the Center for Internet Security Risk Assessment Method (CIS RAM). CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.

    (ISC)2 Cyber Security Data Breach Risk
  • CCPA Applicability, Requirements Security Compliance

    Midwest Cyber Security Alliance (MCSA) reviews the California Consumer Privacy Act CCPA to understand the potential penalties and risks of noncompliance.

    California Consumer Privacy Act CCPA Compliance Risk
  • How is PCI Enforced?

    Unlike most regulations you may be familiar with, the PCI DSS is enforced by contract - here is a quick look at the process; learn more about how you can be PCI compliant and manage risk.

    PCI DSS Requirements Risk
  • HCCA Webinar: Duty of Care Risk Analysis

    Duty of Care Risk Analysis: how to define “reasonable” security controls that make sense to business, judges, and regulators. Design and run a risk assessment that is meaningful to technicians, business, and authorities. Learn from case studies involving regulatory oversight, lawsuits that happened, and lawsuits that never happened.

  • CCPA Quick Reference Card Reasonable Security

    Your quick look at the California Consumer Privacy Act (CCPA) for reasonable security.

  • HALOCK TPRM Interactive Workbook

  • Adopting Duty of Care Risk Analysis to Drive Governance, Risk, and Compliance (GRC)

    Business decision-makers juggle countless variables and make risk decisions using “due care” and “reasonableness.” Learn best practices on how to apply duty of care to your specific organization.

  • The Industry Risk Assessment Disconnect and the Solution

    industry risk assessment
  • HALOCK Information Technology Risk Assessment

    Is Your Organization Exercising “Due Care”?

    Information Security Risk Assessment
  • The Guide to PCI DSS 3.1

    PCI DSS 3.1 further clarifies the changes made in PCI DSS 3.0 by addressing 30 clarifications to existing requirements and four guidance points that serve to improve understanding of the requirements.

    PCI DSS Compliance Guide Cyber Security
  • The Guide to PCI DSS 3.0

    The changes in PCI Data Security Standard (PCI DSS) 3.0 focus on some of the most frequently seen threats and risks that have led to cardholder data breaches.

  • The Guide to PCI DSS 3.2

    The PCI Security Standards Council (PCI SSC) in PCI DSS v3.2 requires that all versions of SSL and TLS version 1.0 be disabled. To be PCI DSS compliant you must use TLS 1.1 at a minimum (although TLS 1.2 is highly recommended). This mandate was originally slated for implementation by 2016, but due to the burdensome impact on organizations, the PCI SSC extended the timeline to June 30, 2018. The PCI DSS applies to all organizations receiving credit card payments for goods and/or services (merchants) and any third party service providers for PCI DSS merchants. This guide helps users through the new requirements.

    PCI DSS v.3.2 Cyber Security Guide
  • Vulnerability Assessment Services Frequently Asked Questions

    There is a great deal of information and misinformation in the marketplace with regard to exactly what penetration testing is and what you should expect from a penetration testing company.

  • The Best Guide to the HIPAA Security Rule You'll Ever Read

    If you have some responsibility in your organization for complying with the HIPAA Security Rule, then this guide is for you.

    guide to the HIPAA security rule

Industry Insights

Real-world examples and articles written by leading cyber security experts. Conference and event presentations on hot topics of our industry.
  • Techniques to Evolve Risk Governance - How Executives Make Informed Cyber Decisions

    Informed Cyber Decisions
  • Understanding the Impact of the SEC Cybersecurity Rules

    SEC Cyber
  • PCI Webinar Series 3: PCI DSS 4.0 Requirements Due by March 25

    PCI Webinar
  • A Deep Dive into the New 4.0 DSS Requirements that are Applicable Immediately

    From the PCI Webinar Series - A review of the 14 new requirements that are effective immediately for any PCI DSS 4.0 validation.

    PCI
  • Preparing for Your Transition to PCI DSS v4.0

    Learn about the general changes to PCI DSS 4.0, new requirements, best practices, and how an increased focus on risk evaluations in this new version will be a driving force for security and compliance.

    PCI Compliance
  • Cybersecurity Regulatory Law Dates HALOCK Calendar 2023

    Reasonable Security
  • InfraGard SuperCon: Getting to Reasonable - What regulators and judges want to see from every organization

    Are you prepared to show your security program was reasonable and appropriate? Until recently the definition of “Reasonable Controls” and “Acceptable Risk” has been vague and left up to the security and risk practitioners in each organization. The regulator, judge, or other interested party wants to understand why you did not have that particular control or configuration in place. Having the calculus to demonstrate your understanding of the foreseeable harm that could come to you and others, and how you were planning to reduce its impact or probability, is what the interested parties want to see.

    InfraGard Reasonable Security
  • Cyber Security Summit Threat Forecasting: Using Open Source Data to Foresee Your Next Breach

    We forecast cybersecurity events not to predict the future, but to change it. Regulators and litigators all hold us accountable for knowing foreseeable threats so we can avoid them. But what is foreseeable? And how do we evaluate risks knowing what is foreseeable? This session will demonstrate how open source information can help you prioritize your cybersecurity efforts, and demonstrate that you were being reasonable even if a breach does occur.

    Cyber Security Threat Forecasting Risk
  • Cyber Security Summit Presentation: CMMC and CCPA. Using Duty of Care Risk to Comply With New Challenges

    CMMC and CCPA are very different requirements that push security organizations in new directions. CMMC is specific and for the DoD supply chain. CCPA is generic and for any organization with certain personal information. But both specific and generic security requirements are difficult to comply with. During this session we will show you how Duty of Care Risk Analysis can help you move from either generic or specific requirements to “reasonable” security controls that regulators will understand.

    CMMC CCPA Security Risk
  • Is There Such a Thing as Reasonable Privacy?

    "A Privacy Guide: Is There Such a Thing as Reasonable Privacy?" on how to implement privacy reasonably and mitigate risk.

    CCPA Data Privacy Security Risk
  • The Questions A Judge Asks You After A Data Breach

    Compliance Week Webinar: The Questions A Judge Asks You After A Data Breach and your security risks.

    judge data breach risk
  • SANS Security Leadership Poster 5 Keys for Building a Cybersecurity Program & CIS Controls and CIS Risk Assessment Method (RAM)

    SANS Security Leadership Poster 5 Keys for Building a Cybersecurity Program & CIS Controls and CIS Risk Assessment Method (RAM)

    Cyber Security SANS CIS RAM
  • Multi-Factor Balancing Test: 8 Questions a Judge Will Ask You after a Data Breach

    The 8 Questions a Judge Will Ask You after a Data Breach. Define your acceptable level of risk with a duty of care risk assessment.

  • HALOCK Article If HIPAA Seems Too Hard

    In 2012, OCR and their audit partner KPMG set out to assess 115 organizations and test a new HIPAA audit program, and to see what the current state of HIPAA compliance was.

    HIPAA Cyber Security Article
  • HALOCK Cyber Security Ransomware Article

    Staying ahead of security threats is no easy task. One threat that should definitely be on your radar is ransomware.

  • HALOCK Article A Judge Approved a Lawsuit Against Target

    Business and legal journalists have been expressing disappointment at Judge Paul Magnuson’s decision to allow third party banks to sue Target Corp after their cardholder data breach.

    Cyber Security Lawsuit Article on Target

Infographics

A visual overview of cyber security trends, news, industry in infographics.

  • Security Awareness Not so fast . . .

    Cyber Security Risk Fast Pace Remote
  • 8 Questions a Judge Asks you after a Data Breach Infographic

    Judge Data Breach
  • Your Employees are Targets: Social Engineering Infographic

    Your employees are targets of social engineering; teach them to be secure with this cyber security awareness poster.

  • Healthcare & Data Breaches Infographic

    Data breaches in the healthcare industry

    Infographic on Data Breaches in Health care
  • Data Breaches & Marketplace Reputation Infographic

    Do data breaches impact marketplace reputation?

    Infographic Data Breaches Reputation
  • SOCIAL ENGINEERING: The Human Element Infographic

    Secure your team from social engineering with this cyber security awareness poster.


Solutions

Our cyber security solutions to evaluate, build, or enhance your safeguards and controls to define reasonable security and strengthen risk management.
  • Security Maintenance Program

    Maintain Your High Standards. Expand the expertise, support, operations, and analysis to a dedicated Security Maintenance Team.

    Cyber Security Maintenance
  • Cyber Security Awareness Training

    Security awareness training is an integral part of your security program; it is your company’s first line of defense in protecting its valuable corporate assets and helps manage risk.

    HALOCK Cyber Security Awareness Reasonable Risk
  • Threat-Based Security Architecture Review & Analysis

    Are you prepared against common attacks in your industry? Streamline your security architecture review workflow with Threat-Based Security Architecture Review & Analysis and manage your risks.

    threat based security architecture risk
  • PCI DSS Compliance Information Security

    The Payment Card Industry Data Security Standard (PCI DSS) specifies technical and operational requirements for all organizations that store, process or transmit credit card data. If you handle credit card data, then PCI DSS applies to you - achieve PCI Compliance with HALOCK and mitigate your risks.

    PCI Compliance Security Risk
  • COMPLIANCE Solutions

    Regulations such as the HIPAA Security Rule, CCPA, GDPR, PCI DSS, the Gramm-Leach-Bliley Safeguards Rule, Massachusetts 201 CMR 17.00, 23 NYCRR Part 500 (NYDFS), and many others require reasonable security safeguards to achieve compliance.

  • Web Application Penetration Test Cyber Security

    Protect one of the leading sources for data breaches. Are Your Critical Web Applications Protected? Conduct Web Application Pen Testing to ensure your safeguards are effective and mitigate your risk.

    Web App Pen Test Security Risk
  • Social Engineering Penetration Test Cyber Security Risk

    Remote social engineering penetration testing validates the effectiveness of user security awareness, incident response, and network security controls. Ensuring your teams understand your processes helps manage your risk. Conduct a social engineering pen test regularly.

  • HALOCK Information Security Cyber Security Reasonable Risk

    An overview of HALOCK's information security services: Security and Risk Management, Compliance (HIPAA, PCI DSS, Privacy, CMMC-readiness), Penetration Testing, Incident Response & Forensic Services, Workforce, Security Engineering and Products. HALOCK offers recurring and ongoing security programs as well as standalone services.

    Cyber Security Risk Management Compliance
  • Wireless Penetration Test Security Risk

    Are Your Wireless Networks Secured? Wireless penetration tests assess the adequacy of multiple security controls designed to protect against unauthorized access to wireless services. Test your wifi and wireless networks to mitigate risk.

  • Internal Network Penetration Test

    Internal network penetration tests are more thorough than automated vulnerability scans in that comprehensive testing efforts focus on exploiting weaknesses with the intent of gaining access to assets positioned within the private network.

    network penetration testing risk
  • External Penetration Test

    External Penetration Tests are more thorough than automated vulnerability scans in that comprehensive testing efforts focus on exploiting weaknesses with the intent of gaining access to the environment.

    external network pen test
  • Third-Party Risk Management (TPRM) & Vendor Assessment Services Overview

    Third-Party Risk Management (TPRM) & Vendor Assessment Services to help mitigate your risk.

    TPRM Vendor Risk Management
  • Incident Response Readiness (IRR) Essentials

    The Incident Response Readiness (IRR) Essentials Package provides you with all of the elements to develop your company’s incident response readiness program quickly plus a consulting team to help you navigate your specific technical questions throughout the process. You receive Incident Response Program components with directions, templates, cyber security training, and advisory services that guide you along the development process.

    HALOCK Reasonable Security Incident Response Readiness (IRR) Essentials
  • Penetration Testing Methodology

    Industry pen test methodology

    Pen Test Methodology
  • Penetration Testing Report & Deliverables

    Report, Summary, Detailed findings, Walk-throughs, Supplementary information, Post-testing activities, Remediation.

    Penetration Test Report
  • Penetration Testing Project Plan

    Penetration Testing Methodology & Project Plan

    Penetration Testing Project Plan
  • Penetration Test HALOCK Reasonable Security

    Internal and External Network, Web Application, Internal Wireless, Social Engineering, Remediation Verification, and Recurring Penetration Testing to verify if your security controls are effective.

    Penetration Test
  • Risk Management Program Brochure

    Learn how HALOCK’s Risk Management Program can help you reach and maintain acceptable risk and reasonable security.

    Risk Management
  • CIS RAM v2.1 Brochure

    CIS RAM Reasonable Security
  • Privacy Compliance CCPA and Reasonable Security Risk Analysis

    Establishing reasonable security controls for privacy compliance defined by regulatory requirements such as CCPA and The SHIELD Act. Practice Duty of Care (DoCRA) as defined by your mission, objectives, and social responsibility.

    Data Privacy Compliance CCPA, Reasonable Security Risk Analysis
  • Incident Response & Forensic Services

    Incident Response Readiness services include development of the Incident Response Plan (IRP), Incident Response Team Training, First Responder Training, an Incident Response (IR) Technology Review, a Threat Hunting service, and a Service Level Agreement for Live Incident Response to help mitigate your risk.

    Incident Response Forensic Risk

White Papers

In-depth reports on various cybersecurity topics written by recognized authorities.
  • CRAIN'S Cybersecurity Roundtable

    cybersecurity