IT Risk Blog | The official blog of risk3sixty


Articles, Posts, and Insights into IT Audit, Cyber Risk, IT Compliance, and Information Security

How to Turn the Risk Committee Meeting into the Most Valuable Meeting on Your Calendar

Mention “Risk Committee” or “Enterprise Risk” to upper management and you will probably get an eye role. If you suggest a standing meeting about risk – it might get you fired. BUT – I believe the risk committee meeting can be the most valuable meeting on your calendar. Here’s how: Why Risk Committee Meetings Are[…]

Security Researchers Identify Critical Vulnerabilities in AMD Chips: Chimera, Ryzenfall, Masterkey and Fallout

Critical Vulnerabilities in AMD Chips Security researchers at CTS-Labs, based out of Israel, disclosed 13 critical vulnerabilities and backdoors in certain AMD chips used in workstations, laptops and servers. Successful exploitation of these vulnerabilities could grant deep system access to attackers from which they could launch malware attacks undetected. The vulnerabilities are four in name:[…]

Navigating the CMS Enhanced Direct Enrollment Audit (Whitepaper)

Beginning enrollment period 2019, all qualified health plan issuer or web-broker in the Federally-facilitated Exchange must follow the Direct Enrollment rules and obtain a CMS audit from an independent auditor to host application and enrollment services on your website. What is in the Whitepaper: 1 | CMS Requirements including business requirements audit, the security and[…]

State-by-State Breakdown of Cybersecurity Legislation (Whitepaper)

As cybersecurity incidents, such as the Equifax data breach, continue to occur, states are beginning to recognize the need to impose cybersecurity requirements on companies in order to protect the personal information of individuals resident in the state. Many states’ cybersecurity laws have traditionally been focused on penalizing hackers and cybercriminals for criminal behavior. However,[…]

GDPR: Simplifying the Data Protection Impact Assessment Requirement (Whitepaper)

The EU’s new General Data Protection Regulation (“GDPR”) introduces the concept of a Data Protection Impact Assessment (“DPIA”); defined as an analysis of the risks of processing operations on the “rights and freedoms” of data subjects.This means that if your company is processing the data of individuals who are EU citizens you may have to[…]

Thoughts on Building an Information Security Program that Sticks

Most executives realize that information security (and cybersecurity) is a rising threat within their organization. This is the new normal in the digital economy. As result information security professionals that used to be viewed as technical practitioners are finding seats at the executive table and at with the board of directors. The problem for most[…]

GDPR: Simplifying the Complex Vocabulary of the General Data Protection Regulation (Whitepaper)

Approved by the European Union on April 14, 2016 and fully enforceable beginning May 25, 2018, General Data Protection Regulation (GDPR) is arguably the most wide-reaching change to privacy requirements to date. How wide reaching is GDPR? If you are located in the EU and control or process personal data, if you offer goods or[…]

SEC Issues New Cybersecurity Guidance: What you need to know

On February 21, 2018, the SEC issued new guidance on cybersecurity disclosures for public companies. As an “interpretive release,” the new guidance interprets existing laws. In this case, the SEC has clarified the statutes that may affect reporting of cybersecurity risks and incidents. The guidance also addresses various costs and consequences of cybersecurity that should[…]

Simple Guide to SOC for Cybersecurity (Whitepaper)

In April 2017 the AICPA released the SOC for Cybersecurity examination. The report’s goal is to provide Companies a report type that is more appropriate for general distribution and that also provides report readers visibility into the Company’s cybersecurity risk management program. This whitepaper provides an overview of SOC for Cybersecurity and clarifies the distinctions[…]

Quality Work Does Not Mean Quality Service

“Managing the Professional Services Firm” by David Maister is considered to be “core canon” among consulting professionals. Though it was originally published over 25 years ago (1993) it has aged gracefully and almost all of its content is still relevant today. One of our team’s favorite distinction, as pointed out by Maister, is the difference[…]