Security Program Management  This article is the first in a series of articles organized by the concepts framed out in the National Institute for Standards and Technology (NIST) Special Publication 800-53, the Security and Privacy Control Catalog that is used as part of NIST’s Risk Management Framework (RMF) to specify the granular areas of Security and Privacy to be addressed in Enterprise Risk Management strategiesRead more about Security Program Management[…]

How do I become a HIPAA Security Specialist  Learn the Source Material  The VERY FIRST step to becoming a HIPAA Security Specialist – read the law. The HIPAA Security Rule is very vague (I think, purposefully), but learning each part (including the Administrative, Physical, and Technical as well as the Information Sharing/Business Associate aspects). I pulledRead more about How do I become a HIPAA Security Specialist[…]

What should I learn to provide a strong foundation for my Cyber Security career?  While “Cyber Security” is often considered a specific focus within IT, the connotations underlying this term are very broad and not always technology focused. Information is the key – and securing that information takes strong practices in Confidentiality, Integrity, and Availability.  An individualRead more about What should I learn to provide a strong foundation for my Cyber Security career?[…]

Risk Assessments vs. Security Assessments  We’ve already established the importance of assessments in a previous article: (Audits vs Assessments and Why They Aren’t The Same Thing).  A recap of which is – assessments are used to help an entity mature.    We’ve also established that the role of a CISO is to focus on Risk to Information resources: (What isRead more about Risk Assessments vs. Security Assessments[…]

Audits vs. Assessments & why they’re not the same thing  It’s much easier to mitigate a risk when you know the risk exists.  Using the analogy of a snake in the grass, people don’t go running off into the woods by a creek without surveying the ground at their feet.  Likewise, maintaining a blindness to risk is aRead more about Audits VS Assessments And Why They Are Not The Same Thing[…]

Yes, Zoom can be hacked. But not because it’s “Zoom.” And not that the other remote collaboration providers CAN’T be hacked – they all can. The problem is vulnerabilities and the likelihood and impact of their exploitation. Vulnerabilities can exist at all levels within a system or application: within the app itself and within theRead more about Can Zoom Be Hacked?[…]

Vulnerability Management Programs  Vulnerabilities exist in all systems, and these vulnerabilities are what attackers take advantage of to steal credentials, perform Denial of Service attacks, exfiltrate sensitive data, and more.  A major component of a successful Security Program is a Vulnerability Management Program that can respond rapidly to known vulnerabilities, closing these gaps as quickly and asRead more about Vulnerability Management Programs[…]

Security Awareness Training Program Awareness of Security concepts at all levels of the organization is imperative in today’s world.  Because of that, a Security Awareness & Training Program is one of the most impactful components of an operating Security Program.  Whether the individual is an end user, a system administrator, or the C-Level Security Representative,Read more about Security Awareness Training[…]

The title “Chief Information Security Officer” (CISO) is viewed in various ways by different people and different organizations.  In some organizations, the CISO carries a purely policy-focused role.  Others, the CISO role can overlap or even envelop IT and business operations.   The role answers to different levels in different organizations, often being strictly associated with IT. Read more about What is a Chief Information Security Officer?[…]