Managing an Organization’s Passwords

How to keep the keys to the kingdom from escaping the kingdom. Proper password management is one of the biggest steps an organization can take to strengthen security. It also addresses multiple criteria in all the major security frameworks; for example, see the relevant criteria from ISO 27001 and SOC 2 as of this writing:[…]

ISO 27001: Understanding Security Roles and Responsibilities and Why They Are Vital to the Success of Your Security Program

When building your Information Security Management System (ISMS) as part of an ISO 27001 program implementation, one of the most important elements of the system of management for your security program is ensuring that all stakeholders understand their roles and responsibilities. (If you are unfamiliar with ISO 27001 and the “ISMS”, you can read our whitepaper on[…]

Five Ways to make the Board of Directors and Executives Very Happy

Unless you are part of senior management, the closest most of us come to the Board of Directors (BOD) or executives is reading their Ivy League bios on the company website. But a good consultant knows the way to your boss’s heart is by making the BOD very happy. The good news is making the bigwigs[…]

I Hate My Auditor: Building Better Client Relationships

I never tell anyone that I am an “auditor”. Usually the word “auditor” conjures up images of the IRS knocking at your door asking for money. Besides, “auditor” hardly scratches the surface of what any good IT auditor does for his company. For me, I market myself as a consultant. Most of my time goes[…]

Key Characteristics of an Effective Information Systems Auditor

I like most of my time spent blogging on R3S to focus on Information Technology and Security. As an Information Systems auditor, my IT/IS knowledge definitely makes me stand out against many of my peers in public accounting. With that being said, today I’d like to shift gears a bit and explore what I think it[…]

Free Information Security Training Materials (Exam and Acknowledgment Forms Included)

A recent study by Symantec revealed that “together human errors and system problems account for 64 percent of data breaches”. This further reinforces the point I made in my last post that it is vital that companies train their employees. To help drive that point home we have created a free information security training package[…]

Designing an Effective Information Security Training

The most vulnerable asset in any company isn’t the network or the application – it is the people. People, being the imperfect beings we are, may forget passwords, forget to lock computers, or fall victim to social engineering hacks. Studies repeatedly show that adults willingly open malicious emails, give away personal information over the phone, and[…]

I.T. Auditors are Worthless: How to Establish Credibility with the I.T. Guy (or Gal)

“I.T. Auditors don’t know anything about I.T.” – Anonymous Client

On the first day of almost every project I have ever been involved with, I have had to overcome the perception that as an “Auditor” (I prefer Consultant because I’m usually there to do a lot more than just audit) I lack any understanding of technology. From a[…]

Analysis of Strong vs. Weak Passwords

Data breaches are a dime a dozen these days. But when hackers steal databases full of customer info, login names, and passwords, the passwords themselves aren’t usually sitting out in plain sight. Typically the passwords will be cryptographically hashed. Hashing a password is the process of taking a string of any length (the password in[…]