Some companies test once a year. Some test several times a year. So what frequency is correct for your organization? Well that all depends on how frequently your environment changes and other unique factors affecting your organization. When determining how often to conduct network penetration tests, consider the following:
Yes, it’s another information security predictions article – security hiring trends. No, I won’t be discussing APT, China, or anything involving our favorite prefix, “cyber.” Instead, here’s a brief glimpse at what we infosec recruiters are seeing in terms of enterprise demands for security roles. While all infosec positions, from firewall jockey to CISO, remain […]
Managers often think about compliance in terms of policies. There is something concrete, achievable and finite about them. And they are required by laws and regulations for protecting information and systems. But too often managers think of policies as a finish line for compliance. Need to be compliant? Then write a bunch of new policies […]
Most of my information security focus these past few years has concentrated on management and governance, but this was not always the case. I came into this profession as a technologist and manager who focused on team building, turn-arounds and doing a lot with few resources. But as my career moved from technology operations to security […]
I hear this question very often. It is similar to the question, “Is email HIPAA compliant?” or “Are texts HIPAA compliant?” And while my gut often kicks in and I want to easily say, “No!” that is often a bad answer. Here is why. We don’t know whether something is compliant or not if we […]
In April of 2013 the Office of Civil Rights, the branch of the Department of Health and Human Services that oversees compliance with the HIPAA Security Rule, started releasing analysis from their pilot audit of Security Rule compliance. In 2012, OCR and their audit partner KPMG set out to assess 115 organizations: hospitals, insurance companies, […]
Perfect security is not possible, feasible nor required by law. In fact, information security laws and regulations require that we provide “reasonable and appropriate” security through a well-defined risk management process. Without a risk-based approach, organizations attempt to address information security requirements by either attempting to comply with a long list of security controls, or […]
The United States is an exceptional country in many ways, not least of which is that we don’t like doing what governments tell us to do. It’s in our moral fiber to rebel. One telling example of this was expressed in a historical article comparing US railroads to European railroads in the nineteenth century. What […]
I’m going to refer to another something in a previous blog, the one about Verizon’s 2012 Data Breach Report.
Maintaining HIPAA compliance use to not have much teeth behind it. Times have changed, however, as the Alaska Department of Health and Social Services (DHSS) is too well aware.