The completion of an information security risk assessment is a key requirement in all information security frameworks, including ISO 27002, NIST 800:53, HIPAA and PCI-DSS. A recent analysis of regulatory enforcement under HIPAA identifies risk assessment as a key area of weakness. While risk assessments are required, the specifics for how to perform a risk […]
Author Archives: David Lineman
To be effective, information security policies need to be read and understood by every member of the organization. This seemingly simple requirement is now becoming a standard practice to reduce risk, comply with regulations and demonstrate due-diligence. Why is this control so important and how can it be done in practice? Regulatory Requirements Every regulatory […]
In February 2014, NIST released version 1.0 of the Framework for Improving Critical Infrastructure Cyber-security. The frameworks is intended to be a "voluntary" set of standards that can help small and medium sized businesses develop an information security program. (Part of the problem, of course, is that we don't need another framework - but a [...]
Often it is difficult to justify security policy development to management. In many cases, this is due to a lack of understanding on just how detailed and complex policy writing can be. "Just go find a template on the internet." For those of you who have tried this approach, you quickly discover that there is [...]
The piercing lens of information security changes focus quite often. In recent weeks the security vulnerability lens is focused on point-of-sale (POS) devices. And there seems to be good reason. The Target breach, perhaps the largest reporting breach in history, seems to be the result of malicious software inserted into these devices via a network hole […]
We talk to customers every day about security policies. One of the most common questions we receive is this: How should we structure our information security policies? When we dig deeper, we usually find that this is a really a two-part question regarding policy structure. First, how should we name and organize our documents. Second, […]
01
Jan
Jan
Lorem ipsum dolor sit amet, consectetur adipiscing elit. In sed vulputate massa. Fusce ante magna, iaculis ut purus ut, facilisis ultrices nibh. Quisque commodo nunc eget tortor dapibus, et tristique magna convallis. Phasellus egestas nunc eu venenatis vehicula. Phasellus et magna nulla. Proin ante nunc, mollis a lectus ac, volutpat placerat ante. Vestibulum sit amet […]
The PCI Security Standards Council just released Version 3.0 of the Payment Card Industry Data Security Standard (PCI-DSS), the set of requirements for protecting credit card data. The update had some significant changes, including a greater focus on third-party information security. There are many articles describing the new changes to PCI-DSS V3, including a nice […]
The British Standards Institute (BSI) recently released an updated version of ISO/IEC 27002 – Code of Practice for Information Security Controls. This was the first major update since the 2005 release. Many organizations are interested in how the changes will impact their information security program. What Really Changed? In our review, very little in the […]
New PolicyShield Update Addresses Operations and Change Management New information security policy updates address key elements of operational security HOUSTON, Texas – Janurary 31, 2012 - Information Shield (www.informationshield.com) today announced the latest update of the PolicyShield Information Security Policy Subscription service. The latest release includes includes over thirty new pre-written security policy statements, three addition pre-written [...]