
An Insider’s Perspective on Choosing a Security and Compliance Partner That Is Right for Your Business

A few things to consider when choosing a consulting firm partner. At risk3sixty, we interact with a lot of prospective customers who want us as a security consulting partner. Some firms ask great questions and have a clear understanding of what they are looking for. Others need a little more help figuring things out. Security, privacy, and compliance are complex [...]

January 13th, 2020 | CISO Discussions, IT Audit & Compliance

Performing Effective User Access Reviews

Correcting mistakes that arise in the day-to-day management of access control. Organizations can take many steps to manage access, such as adopting documented registration and de-registration processes, maintaining a list of service accounts, and segmenting networks. While all are effective ways of managing access, they occasionally fail. For example, a step may be missed in the on-boarding process. A [...]
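The reconciliation at the heart of an access review is mechanical enough to script: compare the directory export against the HR roster and the service account inventory, then flag anything the day-to-day process let slip (a terminated owner whose account is still enabled, an account with no owner on record, a service account nobody inventoried, a login gap, or privileged group membership the owner's role does not justify). The following is an added example and not risk3sixty's code or process; the roster, accounts, group names, dates and the 90-day staleness threshold are all constructed for illustration.

```python
"""Reconciling a directory export against the HR roster for an access review.

Constructed example: every employee, account, group and date below is made
up for illustration; the review logic is this example's own, not a
description of any particular product or of risk3sixty's process.
"""
from datetime import date, timedelta

# Constructed HR roster keyed by employee id.
HR_ROSTER = {
    "E100": {"name": "A. Alvarez", "role": "sysadmin", "status": "active", "end_date": None},
    "E101": {"name": "B. Baker", "role": "sales", "status": "active", "end_date": None},
    "E102": {"name": "C. Chen", "role": "developer", "status": "terminated",
             "end_date": date(2019, 11, 30)},
}

# Constructed inventory of sanctioned service accounts (owner is None in the directory).
SERVICE_ACCOUNT_INVENTORY = {"svc-backup"}

# Constructed directory export. "owner" is the employee id recorded on the account.
ACCOUNTS = [
    {"username": "aalvarez", "owner": "E100", "enabled": True,
     "last_login": date(2020, 1, 10), "groups": {"Domain Admins"}},
    {"username": "bbaker", "owner": "E101", "enabled": True,
     "last_login": date(2020, 1, 12), "groups": {"Domain Admins"}},
    {"username": "cchen", "owner": "E102", "enabled": True,
     "last_login": date(2019, 11, 29), "groups": set()},
    {"username": "svc-backup", "owner": None, "enabled": True,
     "last_login": date(2020, 1, 12), "groups": set()},
    {"username": "svc-legacy", "owner": None, "enabled": True,
     "last_login": date(2019, 6, 1), "groups": {"Domain Admins"}},
    {"username": "temp-contractor", "owner": "E999", "enabled": True,
     "last_login": date(2019, 9, 1), "groups": set()},
]

# Constructed policy: which groups count as privileged and which roles may hold them.
PRIVILEGED_GROUPS = {"Domain Admins"}
ROLES_ALLOWED_PRIVILEGE = {"sysadmin"}


def review_access(accounts, roster, service_inventory, review_date, stale_days=90):
    """Return {username: [issue, ...]} for every account that needs reviewer attention."""
    findings = {}
    stale_cutoff = review_date - timedelta(days=stale_days)
    for acct in accounts:
        issues = []
        owner = acct["owner"]
        person = roster.get(owner) if owner is not None else None
        role = person["role"] if person else None

        # Ownership: sanctioned service account, known employee, or neither.
        if owner is None:
            if acct["username"] not in service_inventory:
                issues.append("service account not in inventory")
        elif person is None:
            issues.append(f"no HR record for owner {owner}")
        elif person["status"] != "active" and acct["enabled"]:
            issues.append(f"owner terminated {person['end_date'].isoformat()}, "
                          "account still enabled")

        # Dormancy: enabled but unused past the threshold.
        if acct["enabled"] and acct["last_login"] < stale_cutoff:
            issues.append(f"no login since {acct['last_login'].isoformat()}")

        # Least privilege: privileged membership must be justified by the owner's role.
        privileged = acct["groups"] & PRIVILEGED_GROUPS
        if privileged and role not in ROLES_ALLOWED_PRIVILEGE:
            issues.append(f"member of {sorted(privileged)} but role {role!r} "
                          "is not approved for it")

        if issues:
            findings[acct["username"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_access(ACCOUNTS, HR_ROSTER, SERVICE_ACCOUNT_INVENTORY,
                                      date(2020, 1, 13)).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

The output is a worklist for the reviewer, not a verdict: each flagged account still needs an owner or manager to confirm, disable, or re-approve it, and that decision is the evidence an auditor will ask for.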

How to Create Effective Policies

How to leverage information security policies to level up your security program. People often regard information security policy as a "check-the-box" compliance initiative. Many organizations will copy a policy template, make small revisions applicable to their context, and then forget about it. But an information security policy that directs the organization is as crucial to a security program as [...]

Craftsmanship in Music and Compliance

If you’ve been on stage for a speech or performing arts, you know stage fright is real. Businesses can get nervous when they hear the word "audit" in the same way musicians can get nervous before a performance. However, there is one great way to alleviate that fear: preparation. If your business prepares well, you will see the fruits of that [...]

Managing an Organization’s Passwords

How to keep the keys to the kingdom from escaping the kingdom. Proper password management is a huge step that an organization can take to strengthen security. It also addresses multiple criteria in all the major security frameworks. For example, from ISO 27001 and SOC 2 as of the date of this writing: ISO 27001 A.9.4.2: Where required by [...]

Business Continuity Planning: It Takes a Village

Business Continuity Planning (BCP) and Disaster Recovery are essential tools for organizations of any size and maturity level, but what may not be apparent is the amount of resources required to ensure an organization is prepared with an effective BCP. All too often, the task of constructing and maintaining the organization's Business Continuity Plan falls to a select few or even [...]

Are Pen Tests and Vulnerability Scans Required for a SOC 2 Report?

There has been much confusion lately in the SOC 2 market as companies seek to understand the need-to-haves vs. the nice-to-haves when it comes to obtaining a SOC 2 report. Much of this confusion was brought about by the 2017 Trust Services Criteria, effective December 2018, and their associated points of focus, which were intended to align SOC 2 with the 2013 COSO framework.

March 20th, 2019 | IT Audit & Compliance, SOC Reporting

Beyond Vulnerability Scans: Mitigating and Monitoring for Malware Leveraging C2 Systems

Many modern forms of malware are now file-less and rely on Command & Control (C2) infrastructure to assist outsiders with gaining unauthorized access to networks. This malware “phones home” to remote attackers, who then leverage the internal foothold to infiltrate networks and execute attacks. These attacks can be difficult to detect when security monitoring is limited to periodic vulnerability and compliance [...]

March 12th, 2019 | Cyber Risk Management, IT Audit & Compliance
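A periodic vulnerability scan looks at what is installed; C2 malware shows up instead in what talks out, and the tell is regularity. The following is an added example, not code from the original post or from risk3sixty: it scores each source/destination pair in an outbound proxy log by how evenly spaced its connections are (coefficient of variation of the inter-connection gaps) and how uniform the payload sizes are, which is the signature of a beacon checking in on a timer. The log format, the hosts and IPs, and the thresholds (at least 6 events, interval CV at most 0.10) are constructed for the example.

```python
"""Beaconing detection over proxy logs, as a complement to periodic scans.

Constructed example: the log lines, hosts, IPs and thresholds below are
made up for illustration and are not from any real environment.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <src_ip> <dest_host> <bytes_out>".
# cdn.example-vendor.test is contacted about once a minute with a near
# constant payload (beacon-like); news.example.test is ordinary browsing.
SAMPLE_LOG = """\
2019-03-12T09:00:00 10.0.0.5 cdn.example-vendor.test 1250
2019-03-12T09:00:03 10.0.0.5 news.example.test 8800
2019-03-12T09:01:00 10.0.0.5 cdn.example-vendor.test 1252
2019-03-12T09:01:59 10.0.0.5 cdn.example-vendor.test 1249
2019-03-12T09:02:10 10.0.0.5 news.example.test 14020
2019-03-12T09:03:01 10.0.0.5 cdn.example-vendor.test 1251
2019-03-12T09:04:00 10.0.0.5 cdn.example-vendor.test 1250
2019-03-12T09:05:00 10.0.0.5 cdn.example-vendor.test 1253
2019-03-12T09:06:01 10.0.0.5 cdn.example-vendor.test 1248
2019-03-12T09:07:45 10.0.0.5 news.example.test 3300
2019-03-12T09:08:02 10.0.0.5 news.example.test 27600
2019-03-12T09:15:30 10.0.0.5 news.example.test 5100
2019-03-12T09:16:01 10.0.0.5 news.example.test 910
2019-03-12T09:30:00 10.0.0.5 news.example.test 7700
"""


def parse_log(text):
    """Group (timestamp, bytes_out) per (src_ip, dest_host) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, nbytes = line.split()
        events[(src, host)].append((datetime.fromisoformat(ts), int(nbytes)))
    return events


def coefficient_of_variation(values):
    """Population std-dev divided by mean; 0 means perfectly regular. None if undefined."""
    if len(values) < 2:
        return None
    m = mean(values)
    return None if m == 0 else pstdev(values) / m


def find_beacons(text, min_events=6, max_interval_cv=0.10):
    """Flag src/dest pairs with many connections at near-constant intervals."""
    findings = []
    for (src, host), evs in parse_log(text).items():
        if len(evs) < min_events:
            continue
        times = sorted(t for t, _ in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        interval_cv = coefficient_of_variation(gaps)
        if interval_cv is None or interval_cv > max_interval_cv:
            continue
        # Payload-size regularity is reported as a second signal, not a filter:
        # a beacon with a fixed check-in message has a very low size CV.
        size_cv = coefficient_of_variation([n for _, n in evs])
        findings.append({
            "src": src,
            "host": host,
            "events": len(evs),
            "period_s": round(mean(gaps)),
            "interval_cv": round(interval_cv, 3),
            "size_cv": round(size_cv, 3),
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the constructed log only the once-a-minute destination is flagged; the browsing traffic has just as many events but its gaps vary by an order of magnitude. In production the same logic runs over a day of proxy, DNS or NetFlow records with a longer minimum count, and real implants add jitter, so the CV threshold is a tuning knob rather than a constant, and the destinations it surfaces still need triage against known update and telemetry services.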

Securing Enterprise Networks with Port-Based Network Access Control

One of the biggest threats facing enterprises is outsiders plugging directly into an Ethernet port and being granted instant, unauthenticated access to the network. This threat is especially common in hospitals, where heavy use of computer systems is mixed with untrusted outsiders roaming the halls. Shutting down unused ports is the traditional mitigation. Still, this technique does not prevent plugging [...]

February 6th, 2019 | Cyber Risk Management, IT Audit & Compliance

Analyzing Your Attack Surface Like A Hacker

When most people think of hacking, they think of what Hollywood portrays. In a dark basement, a hooded, perhaps tattooed outcast rapidly types nonsensical keystrokes at a flashy computer monitor for several seconds before snidely muttering, "I'm in." By that representation, the hacking process seems pretty straightforward: find a vulnerability, exploit it and ride off into the sunset with a bunch [...]

October 8th, 2018 | Cyber Risk Management, IT Audit & Compliance