IT Risk Blog | The official blog of risk3sixty


Articles, Posts, and Insights into IT Audit, Cyber Risk, IT Compliance, and Information Security

What is the difference between SOC 2 and SOC for Cybersecurity?

Overview of the SOC for Cybersecurity. In 2017 the AICPA published guidance on a new cyber security risk management examination, System and Organization Controls for Cyber Security (SOC for Cybersecurity). This SOC for Cybersecurity examination was created to address the growing need for reporting and attestation over an organization’s cyber security posture. The SOC for[…]

Key Due Dates and Deliverables for the NYDFS Cybersecurity Regulation

The NYDFS Cybersecurity Regulation is relevant to all financial services, banking, and insurance organizations doing business in the state of New York that have 10 or more employees or more than $5 million in revenue. If your organization falls into that category you should be aware of the NYDFS Cybersecurity Regulation’s phased implementation schedule. Each of these[…]

GDPR: Deciphering the General Data Protection Regulation (Whitepaper)

Approved by the European Union on April 14, 2017 and fully enforceable beginning May 25, 2018, the General Data Protection Regulation (GDPR) is arguably the most wide-reaching change to privacy requirements to date. How wide-reaching is GDPR? If you are located in the EU and control or process personal data, if you offer goods or[…]

Meltdown and Spectre – A Quick Overview

Bottom Line Up Front. Security researchers have publicly disclosed the details of CPU design flaws that are the result of design decisions made industry-wide more than a decade ago to speed up processing and allow a computer’s processor to access information before it was needed. The resultant vulnerabilities, Meltdown and Spectre, both exist outside[…]

Takeaways from SANS SEC560 – Ethical Hacking and Pen Testing

This past week I completed the SANS SEC560 – Network Penetration Testing and Ethical Hacking course at the SANS Cyber Defense Initiative in Washington DC. With the experience fresh on my mind, I wanted to share my impressions with others considering SANS training. A Quick Overview of the SANS 560 Class Experience. Curriculum Overview. SANS[…]

Vendor Due-Diligence: NIST 800-53 vs. NIST 800-171

Organizations may benefit from a greater understanding of the difference between, and appropriate use of, NIST 800-53 vs. NIST 800-171, especially when it comes to understanding which framework is required by law or applicable under vendor due diligence. Marketplace Confusion: Vendor Due-Diligence Often Drives Implementation. The proliferation of NIST 800-53 “Security and Privacy Controls for Federal Information[…]

How to Choose a SOC 2 Audit Firm (with Vendor Scorecard Template)

Selecting the right partner to assist with SOC 2 compliance (or anything else) can be challenging. If you are trying to sort through the marketplace to select a vendor, here are a few considerations. You can also download our free vendor selection template here. 1 | Experience. Assess resumes of the individuals who will be performing[…]

New York Cybersecurity Regulations – Path to Compliance (Whitepaper)

Written March 1, 2017, the New York Financial Services Cybersecurity Regulations have been developed to address significant cybersecurity threats to the financial services industry. The regulations prescribe certain standards for a financial service company’s (“regulated entity” or “Covered Entity”) cybersecurity program for the purpose of promoting protection of customer information and protecting regulated information systems.[…]