Deploying a HIPAA Compliant Encryption Policy

HIPAA, or the Health Insurance Portability and Accountability Act, presents a fairly robust set of standards and rules that any organization within the United States handling PHI (Personal Health Information) is compelled by law to address. On the surface, many of HIPAA’s rules appear straightforward, but as I quickly learned while performing a recent[…]

Managing User Access in the Manufacturing Environment

Managing user access in the manufacturing environment, especially at the plant level, is tricky. Unique machinery and production requirements call for specific skills and infrastructure that may not be supported centrally by corporate managers.  This means that many plants must operate as independent sub-businesses within a larger corporation.  Thus, governance and control of critical plant infrastructure and machinery is[…]

TSA Failure Highlights the Importance of Audit and Assurance

Executives should love IT auditors because auditors provide something every CEO/CIO wants: a view into the operating effectiveness of their company or department. Without audit functions a company might be wasting money or manpower, or spending a lot of time doing things that have no impact on the business. Today, a story broke that an audit[…]

Data in Transit - Bridging the Gap between Data Owners and Custodians

Ensuring both the integrity and confidentiality of data as it traverses an organization’s internal network and beyond can be complex, especially when attempting to bridge the gap between the Data Owner and Data Custodian, who typically view the organization from very different angles. This presents the IT auditor with a great opportunity to act as[…]

The 50 Most Used Passwords!

Last week I helped a few friends with setting up a new website for their business and their associated email accounts for the domain. At one point in the process, one of them told me the password they wanted to use to access the site. Not shockingly, it was something rudimentary and simple. Despite more[…]

The Principle of Least Privilege

When performing IT audits, the Principle of Least Privilege is a term you may hear thrown around quite a bit, but how many novice auditors new to IT audit actually understand what is implied by this within an IT environment? From my experience, not many. The most common place I see the term surface is[…]

Free Information Security Training Materials (Exam and Acknowledgment Forms Included)

A recent study by Symantec revealed that “together human errors and system problems account for 64 percent of data breaches”. This further reinforces the point I made in my last post that it is vital that companies train their employees. To help drive that point home we have created a free information security training package[…]

Designing an Effective Information Security Training

The most vulnerable asset in any company isn’t the network or the application – it is the people. People, being the imperfect beings we are, may forget passwords, forget to lock computers, or fall victim to social engineering hacks. Studies repeatedly show that adults willingly open malicious emails, give away personal information over the phone, and[…]

Google’s Data Centers: Speaking of Physical and Environmental Security

My previous posts on physical and environmental security controls covered a gamut of security measures to protect data and facilities. Then I ran across this video from Google’s data center and it looks like they have more than a few of those controls in place. BONUS: Here’s a link to Google’s presentation on “Fighting Common Web[…]

Performing a Physical Security Audit

Physical Security audits are designed to ensure that data and information technology infrastructure are protected from malicious and/or unintentional acts of harm. That includes preventing hackers from plugging directly into your machines to steal data or preventing a clumsy co-worker from spilling coffee on a server rack. Physical Security audits are most common for data centers[…]