SAS-70 is Dead, Long Live the King (ISO27001?)
This posting is intended for my fellow auditors working in the Fortune 1000 world. The Yankees are no longer winning the World Series every year, Bill Clinton lives in NY not Washington DC, and Y2K is...
What McDonald’s Can Teach Us About Information Security
I spoke this week at an event where I was discussing how globalization is impacting information security and used the McDonald’s at the Louvre in Paris as a very sad example of how we are unfortunately...
HITRUST vs. ISO-27001 (or is it?)
The process of “realization” is an interesting one. My first thoughts on HITRUST tended towards the negative; “Why do we need another ISO-27001 derivative information security framework?” “Why not just...
Rationalizing Risk Assessments – Objectivity be Damned?
Just finished my nth (non-fulfilling) conversation on our approach to Information Security Risk Assessments with our Audit Lead. It still amazes me that something so fundamentally logical/right is so...
ISO 27001 Scope – “Bigger Isn’t Always Better”
The phrase “Small Is Beautiful” is widely credited to British economist E. F. Schumacher. It has evolved to champion small, enabling and empowering approaches, in contrast with phrases such as...
Is The Motion Picture Industry A Model For Information Security?
I recently had reason to spend some time looking at the “Content Security Best Practices Common Guidelines” published by the Motion Picture Association of America (MPAA). The guidelines are intended to...
ISO 27001 to ISO 27003 Standards
Comparing the ISO 27001 Roadmap to the ISO 27003 Guidance for Implementation
One of the most frequently asked questions Pivot Point Security gets when speaking with clients about implementing ISO 27001...
“Certified” Penetration Testing Company
It’s not uncommon for a potential client to ask “Is your company certified to provide Penetration Testing?” It’s a great question and one that unfortunately does not have a good answer – YET. Via a...
ISO-27010 – Information Security Guidance for Information Exchange
Our Ethical Hacker Roundup last week included a blurb on stricter laws to protect patient health information (PHI) in Health Information Exchanges (HIEs). That led me to download and read the new...