Tag Archives: reasonable and appropriate

NIST Cyber Security Risk Management Conference – Reasonable Risk

NIST Cyber Security Risk Management Conference – Reasonable Risk. Our partner Chris Cronin will be speaking with Phyllis Lee of the Center for Internet Security (CIS).

THE FTC IS TELLING US THAT PCI DSS CERTIFICATION IS NOT ENOUGH. NOW WHAT?

As part of its enduring interest in LifeLock, Inc., the Federal Trade Commission issued the following statement on December 17, 2015, “PCI DSS certification is insufficient in and of itself to establish the existence of reasonable security protections … the existence of a PCI DSS certification is an important consideration in, but by no means […]

WHAT IS HIPAA?

HALOCK works deep in the regulatory compliance and security field, so we sometimes take for granted that terms common to us, like “HIPAA,” are still not clearly understood by everyone. So let’s take a moment to lay out the basics of HIPAA.

Risk Acceptance Levels: Managing the Lower Limits of Security Costs

Last week I posted here on HALOCK’s blog about the Hand Rule, also known as the “Calculus of Negligence.” The basic message of the post was that we can use information risk assessments to help keep our security costs at a reasonable level, but only by describing how we would arrive […]

The Hand Rule: Managing the Upper Limits of Security Costs

While presenting a talk at CAMP IT last week I got into a number of conversations with attendees about the Hand Rule and security costs. At HALOCK Security Labs we talk about the Hand Rule a lot. Also known as the Calculus of Negligence, it is a way that an organization can mathematically estimate what […]

Are iPads HIPAA Compliant?

I hear this question very often. It is similar to the question, “Is email HIPAA compliant?” or “Are texts HIPAA compliant?” And while my gut often kicks in and I want to easily say, “No!” that is often a bad answer. Here is why. We don’t know whether something is compliant or not if we […]

UNLIMITED SECURITY BUDGETS AND PERFECT SECURITY

Perfect security is neither possible nor feasible, and it is not required by law. In fact, information security laws and regulations require that we provide “reasonable and appropriate” security through a well-defined risk management process. Without a risk-based approach, organizations try to address information security requirements either by complying with a long list of security controls, or […]