DIY GRC – Using Archer to Build Your Organization

Posted by Lia Konieczny on Aug 9, 2016 3:46:38 PM

Wouldn’t it be great if there were an “easy” button for developing your organization’s governance, risk, and compliance departments? There are several aspects to consider when building out each sector: What kind of control assessments should we have, and how often? What kind of approval chain should our policy documents follow? How should we conduct our business impact analyses? Where should we house our asset inventory? How do we tie all of these aspects together? Why is GRC even important?

Topics: eGRC, RSA Archer, policy

Law Firms Continue to be Targeted by Cyber Criminals

Posted by Jeff Schroeder on May 6, 2016 4:33:00 PM

A list recently compiled by the cyber threat intelligence company Flashpoint (via Crain’s Chicago Business) reveals that law firms are not immune to cyber threats and are indeed active targets for today’s cyber criminals. Since January 2016, 48 elite law firms have been targeted by the criminal “Oleras” and his (or her) gang members attempting to access confidential client information for use in insider trading plots. While there has yet to be any indication that the hackers were successful, it raises the question of when law firms will be held to the same (or any) standards that are starting to be applied to other industries.

Topics: Security Assessment, policy, Data Breach

Inflight Wi-Fi Not as Secure as You Think

Posted by Ross Moir on Mar 18, 2016 1:36:46 PM

Image courtesy of satit_srihin at FreeDigitalPhotos.net

Ars Technica recently published an article on the security of inflight Wi-Fi. Providers like GoGo Wireless and Global Eagle Entertainment offer passengers paid Wi-Fi service. Customers may think their communications and activities are secure, but think again, says USA Today columnist Steve Petrow. Mr. Petrow was “hacked” while on an American Airlines flight: a man claimed to have been able to read his email communication with a source for a story. Given the overall Wi-Fi security lapses, as addressed in this post from ComputerWorld, it is easy to understand how this can happen. But what can be done about it?

First, Wi-Fi on an airplane operates similarly to public Wi-Fi networks. Access is granted through a “captive portal” where you have to provide login details and/or payment info and accept the terms of service. Once that is done, the user is granted access to the web. The wireless connection itself is not password-protected, so the packets carried on the Wi-Fi network are transmitted in the clear. This means anyone listening can capture the data that passes through the access point.

Topics: Security, Wireless Security, cybersecurity, policy

3 Reasons a Security Policy Improves Information Security

Posted by Eric Noonan on Mar 2, 2016 10:30:43 AM

Product vendors' marketing focuses on advanced persistent threats (Stuxnet, China and all of the other fear, uncertainty and doubt, or FUD) that are almost completely out of your control. So take a step back from the overwhelming advertisements leaving you feeling insecure and spend some time on something that you can actually control: your organization's information security policy. Exciting, right? Maybe not, but a policy represents the foundation upon which your security program can and should be built. Here are 3 reasons why a documented security policy endorsed by corporate executives materially improves security.

3 Reasons Why a Documented Security Policy Endorsed by Corporate Executives Materially Improves Security

1: Corporations Take a Policy Seriously

Corporations tend to take a policy seriously, especially larger companies where policies get reviewed by all functional leaders for input, and the final version then goes to the CEO for signature and publication. This executive endorsement gives security practitioners the leverage they need when enforcing a policy, requesting resources and generally executing the mission of delivering security services. When you are challenged on the "why" behind a reduction in administrative rights, you now have something tangible to refer to rather than trying to educate one engineer at a time.

Topics: cybersecurity, policy