Simplify Compliance by Creating One Set of Controls to Manage Risk (Unified Control Framework)

Heavily regulated companies spend a lot of time mapping and creating new business processes to meet compliance requirements. This is especially frustrating for businesses that face multiple compliance requirements. We see this often in the financial technology (FinTech) and healthcare technology (HIT) space. Companies like these have an almost unmanageable number of regulatory frameworks to[…]

Petya Ransomware & Mitigation Steps

The Petya ransomware outbreak is the second such global attack in the last couple of months. The malware is spreading using the same Microsoft Windows vulnerability that was exploited in the recent WannaCry ransomware event. Symantec confirmed that Petya uses the “EternalBlue” exploit. Microsoft released a patch for the vulnerability EternalBlue targets in March 2017 (MS17-010), but if you have put off installing the patch[…]
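As an added example (not from the original post), the following PowerShell snippet performs the two checks a practitioner would want on a Windows host after reading the above: whether one of the MS17-010 hotfixes is installed, and whether the SMBv1 server protocol that EternalBlue targets is still enabled. The KB list is my own assumption based on the Microsoft bulletin and should be verified against MS17-010; the cmdlet names are standard and exist on Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the original post: quick local exposure check for the
# SMBv1 vulnerability exploited by EternalBlue (patched by MS17-010).
# Run in an elevated PowerShell session on the host being checked.

# ASSUMPTION: KB numbers Microsoft shipped for MS17-010 (March 2017), as I recall the
# bulletin. Verify against MS17-010 before relying on this list. On Windows 10, later
# cumulative updates supersede these, so Get-HotFix may not list them even when the
# fix is present; check the OS build there instead.
$Ms17010Kbs = @(
    'KB4012598',                # Vista / Server 2008 (later also XP / Server 2003)
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',   # Windows Server 2012
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 hotfix present: $($installed.HotFixID -join ', ')"
} else {
    "No MS17-010 hotfix found by Get-HotFix (on Windows 10, confirm via build/cumulative update)"
}

# SMBv1 is the protocol EternalBlue targets; disabling it removes the attack surface
# on hosts that cannot be patched immediately (Microsoft's recommended workaround).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    "SMBv1 server is ENABLED - disable with: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
} else {
    "SMBv1 server is disabled"
}
```

Disabling SMBv1 is a mitigation, not a substitute for the patch: the host should still receive MS17-010, and any legacy devices that depend on SMBv1 (old NAS units, printers) should be identified before the protocol is turned off fleet-wide.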

How to Effectively Communicate Your Security and Compliance Story to Prospective Clients and Business Partners

I read an article last week about Wal-Mart forcing some of their vendors off Amazon’s cloud. Wal-Mart has an incredible amount of leverage over their vendors so my guess is that most SaaS providers probably went along with Wal-Mart’s request. This type of thing isn’t uncommon in the world of vendor management. I have personally[…]

What SOC 2 Updates to COSO 2013 Mean for You (Whitepaper)

Beginning December 15, 2018 (with optional early adoption from April 2017), all SOC 2 reports must use the updated Trust Services Criteria, which were revised to align with the seventeen principles of the COSO 2013 framework. If you would like to download the complete whitepaper please send us a note.[…]

How a Better IT Risk Assessment May Change Your Thoughts on the Traditional Gap Analysis

Does your company perform a risk assessment? If you said yes, what did you mean by “risk assessment”? I ask because often when people say “risk assessment” they are thinking “gap analysis”. As IT auditors, our instinct is sometimes to select our favorite security framework (probably ISO 27001 or NIST 800-53) and begin identifying gaps in the control[…]

We Started a Business – Our IT Audit Blog is Still Going Strong

This update is long overdue, but we started a business! After two years of blog posts we decided to take the leap and make risk3sixty a full-fledged consulting company, focusing specifically on world-class IT Audit, Cyber Risk, and Compliance PMO services. After talking to many of our clients and colleagues we realized the world[…]

The Future of IoT Security

Required Reading: 1) IoT Growing Faster Than the Ability to Defend It 2) DDoS on Dyn Impacts Twitter, Spotify, Reddit

Until recently the security concerns associated with IoT devices have been mostly speculative. It’s easy to ignore how a webcam or an inexpensive gadget might be a cyber-security concern. Most people don’t think in terms[…]

Items of Interest week of September 5, 2016

Here are some quick reads for the week of September 5, 2016. If you have interesting links of your own, share them in the comments.

Yahoo: FBI says foreign hackers penetrated state election systems
Ars Technica: State-sponsored malware can collect data from devices not connected to the internet
Schneier: Keystroke recognition from Wi-Fi distortion
Dark Reading: CISOs[…]

IT Risk Assessment: Effective Identification and Selection of IT Audit Projects (Whitepaper)

Over the past few months I’ve had several leaders of Internal Audit departments ask: “How can we build cyber-security into our annual audit plan?” After a few conversations I decided to put together a whitepaper to help the less-than-technical Chief Audit Executive (CAE) put together a well thought out IT Risk Assessment that helps[…]