
About Kendall Morris

Kendall is a Senior Analyst and Cyber Risk Advisory specialist at risk3sixty, where he helps implement business-first offensive and defensive security strategies. Kendall holds a B.B.A. in Information Security and Assurance from Kennesaw State University. He is a CISA, an AICPA-certified SOC for Service Organizations practitioner, and a HITRUST Certified CSF Practitioner.

ISO 27001 vs SOC 2: Choosing a Compliance Framework

In a previous blog post, we discussed the differences between SOC 2 and ISO 27001. In this post, we will look at the factors that affect the decision of which of the two compliance frameworks best aligns with your business needs. Client Expectations The choice to adopt a compliance framework is often driven by client expectations. Clients may stipulate in [...]

August 3rd, 2020 | 2020-08-07T15:39:04+00:00 | Categories: ISO 27001 Compliance, SOC Reporting

SOC 2 vs ISO 27001: What’s The Difference?

Navigating the ins and outs of two of the most popular compliance frameworks. When it comes to vendor due diligence, many companies are raising the bar. This article will help you weigh the differences between SOC 2 and ISO 27001. In addition to evaluating vendor revenue, growth, and skills, security is becoming an important focus of client reviews. With almost half [...]

July 13th, 2020 | 2020-08-04T12:33:07+00:00 | Categories: ISO 27001 Compliance, SOC Reporting

Common Misconceptions About the ISO 27001 Framework

Answering some of the most commonly asked questions around ISO 27001 implementation. At risk3sixty, we have helped many clients implement ISO 27001. Through this work, we have pinpointed a few common misconceptions surrounding the framework. In this post, we will dig into these misconceptions and shed some light on the ISO 27001 implementation process. Misconception #1: An organization must implement all [...]

June 8th, 2020 | 2020-06-07T19:22:49+00:00 | Categories: CISO Discussions, ISO 27001 Compliance

Securing the Work-from-Home Environment During COVID-19

Tips for security administrators during the COVID-19 pandemic We have seen a massive increase in the number of employees working from home due to the COVID-19 pandemic. System administrators must ensure that employees can still securely access corporate resources. The transition to the cloud both for corporate activities (Office 365, G Suite) and for service hosting (AWS, Azure) has relieved some [...]

April 7th, 2020 | 2020-05-26T14:05:29+00:00 | Categories: Cyber Risk Management, News and Events

How to Read a HITRUST Validated Assessment

Understanding the results of a HITRUST engagement and how to use them. During your vendor due diligence process, a vendor sends you their HITRUST report. What exactly does this report tell you? How can you use this information to properly evaluate the vendor? In this blog, we will give a brief overview of the HITRUST CSF framework and then dive into [...]

March 4th, 2020 | 2020-03-23T12:54:41+00:00 | Categories: HITRUST, IT Audit & Compliance

Performing Effective User Access Reviews

Correcting mistakes that arise in the day-to-day management of access control. Organizations can take many steps to manage access, such as adopting documented registration and de-registration processes, maintaining a list of service accounts, and segmenting networks. While all are effective ways of managing access, they occasionally fail. For example, a step may be missed in the on-boarding process. A [...]
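The excerpt above names the three controls a review checks up on (joiner/leaver processes, a service-account inventory, and the accounts that actually exist) and notes that each occasionally fails. The script below is an added illustration of what an access review reconciles, not code from the risk3sixty post: it compares a constructed HR roster against a constructed identity-provider export and a constructed service-account inventory, and reports terminated users still enabled, accounts with no HR owner, active staff who never got an account (the missed on-boarding step), service accounts nobody inventoried, stale logins, and every privileged account for individual re-approval. The column names, the 90-day staleness threshold and the review date are assumptions.

```python
"""Reconcile an HR roster with an IdP account export for a user access review.

Added example, not code from the original post. All data below is
constructed sample data; column names and thresholds are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed HR roster: who should have access, and in what role.
HR_ROSTER_CSV = """employee_id,email,status,termination_date,role
1001,alice@example.com,active,,engineer
1002,bob@example.com,terminated,2020-06-30,engineer
1003,carol@example.com,active,,finance
1004,dave@example.com,active,,contractor
"""

# Constructed IdP export: who actually has an account and which are admins.
# Service accounts have no owner email.
ACCOUNTS_CSV = """username,email,enabled,is_admin,last_login
alice,alice@example.com,true,false,2020-07-30
bob,bob@example.com,true,true,2020-07-02
carol,carol@example.com,true,false,2020-07-29
erin,erin@example.com,true,false,2020-05-01
svc-backup,,true,true,2020-07-31
svc-legacy,,true,false,2019-11-15
"""

# Constructed inventory of approved service accounts.
SERVICE_ACCOUNT_INVENTORY = {"svc-backup"}

# Assumed review date, fixed so the run is repeatable.
REVIEW_DATE = date(2020, 8, 3)


def load_csv(text):
    """Parse a CSV string into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(hr_csv, accounts_csv, inventory,
                  today=REVIEW_DATE, stale_days=90):
    """Return {finding_type: sorted list of usernames/emails}."""
    hr = {row["email"].strip().lower(): row for row in load_csv(hr_csv)}
    findings = defaultdict(list)
    seen_emails = set()

    for acct in load_csv(accounts_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # disabled accounts are out of scope for this pass
        user = acct["username"].strip()
        email = acct["email"].strip().lower()

        # Every privileged account is listed for explicit re-approval.
        if acct["is_admin"].strip().lower() == "true":
            findings["privileged_account"].append(user)

        # Enabled but unused for longer than the threshold.
        if acct["last_login"]:
            age = (today - date.fromisoformat(acct["last_login"])).days
            if age > stale_days:
                findings["stale_account"].append(user)

        if not email:
            # No owner in HR: must be a service account, and must be inventoried.
            if user not in inventory:
                findings["uninventoried_service_account"].append(user)
            continue

        seen_emails.add(email)
        emp = hr.get(email)
        if emp is None:
            findings["no_hr_record"].append(user)      # de-registration gap
        elif emp["status"].strip().lower() == "terminated":
            findings["terminated_but_enabled"].append(user)

    # Active staff with no account: a missed on-boarding step.
    for email, emp in hr.items():
        if emp["status"].strip().lower() == "active" and email not in seen_emails:
            findings["missing_account"].append(email)

    return {kind: sorted(names) for kind, names in findings.items()}


def run_sample_review():
    """Run the review over the constructed data."""
    return review_access(HR_ROSTER_CSV, ACCOUNTS_CSV, SERVICE_ACCOUNT_INVENTORY)


if __name__ == "__main__":
    for kind, names in sorted(run_sample_review().items()):
        print(f"{kind}: {', '.join(names)}")
```

Each finding type maps back to a control in the excerpt: `terminated_but_enabled` and `no_hr_record` are de-registration failures, `missing_account` is a registration failure, and `uninventoried_service_account` is the service-account list drifting from reality. In a real review the inputs would be an HRIS export and an IdP or directory export rather than inline strings, and the output would feed a ticket per finding with an owner and a due date.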

How to Create Effective Policies

How to leverage information security policies into leveling up your security program. People often regard information security policy as a "check-the-box" compliance initiative. Many organizations will copy a policy template, make small revisions applicable to their context, and then forget about it. But an information security policy that directs the organization is as crucial to a security program as [...]

Managing an Organization’s Passwords

How to keep the keys to the kingdom from escaping the kingdom. Proper password management is one of the biggest steps an organization can take to strengthen security. It also addresses multiple criteria in all the major security frameworks. For example, see the following from ISO 27001 and SOC 2 as of the date of this writing: ISO 27001 A.9.4.2: Where required by [...]