Thoughts on Building an Information Security Program that Sticks

Most executives realize that information security (and cybersecurity) is a rising threat within their organization. This is the new normal in the digital economy. As result information security professionals that used to be viewed as technical practitioners are finding seats at the executive table and at with the board of directors. The problem for most[…]

Quality Work Does Not Mean Quality Service

“Managing the Professional Services Firm” by David Maister is considered to be “core canon” among consulting professionals. Though it was originally published over 25 years ago (1993) it has aged gracefully and almost all of its content is still relevant today. One of our team’s favorite distinction, as pointed out by Maister, is the difference[…]

Information Protection: A Practical Strategy for Identifying and Controlling Your Most Valuable Data (Whitepaper)

Do you have an inventory of your Company’s most critical data and information assets? Do you know where those information assets are located throughout the Company? Do you have confidence that your most valuable information is only accessible to appropriate individuals? If you are wrestling with these questions you aren’t alone. Companies across the globe[…]

Key Due Dates and Deliverables for the NYDFS Cybersecurity Regulation

The NYDFS Cybersecurity regulation is relevant to all financial services, banking, and insurance organizations doing business in the state of New York that have 10 employees or more than $5 million in revenue. If your organization falls into that category you should be aware of the NYDFS Cybersecurity Regulation phased implementation schedule. Each of these[…]

Vendor Due-Diligence: NIST 800-53 vs. NIST 800-171

Organizations may benefit from greater understanding of the difference between and appropriate use of NIST 800-53 vs. NIST 800-171, especially when it comes to understanding which framework is required by law or applicable under vendor due diligence. Marketplace Confusion: Vendor Due-Diligence Often Drives Implementation The proliferation of NIST 800-53 “Security and Privacy Controls for Federal Information[…]

How to Choose a SOC 2 Audit Firm (with Vendor Scorecard Template)

Selecting the right partner to assist with SOC 2 compliance (or anything else) can be challenging. If you are trying to sort through the marketplace to select a vendor here are a few considerations. You can also download our free vendor selection template here. 1| Experience Assess resumes of the individuals who will be performing[…]

New York Cybersecurity Regulations – Path to Compliance (Whitepaper)

Written March 1, 2017, the New York Financial Services Cybersecurity Regulations have been developed to address significant cybersecurity threats to the financial services industry. The regulations prescribe certain standards for a financial service company’s (“regulated entity” or “Covered Entity”) cybersecurity program for the purpose of promoting protection of customer information and protecting regulated information systems.[…]

Simplify Compliance by Creating One Set of Controls to Manage Risk (Unified Control Framework)

Heavily regulated companies spend a lot of time mapping and creating new business processes to meet compliance requirements. This is especially frustrating for businesses that face multiple compliance requirements. We see this often in the financial technology (FinTech) and healthcare technology (HIT) space. Companies like these have an almost unmanageable number of regulatory frameworks to[…]