April 19, 2017 | Enterprise and IT Compliance Management
By Josh More, IANS Faculty

 Understanding the Australian Regulation’s ‘Two-Person Rule’ Requirement

The Australian Regulation's PPG 234 requires that extremely sensitive IT assets be subject to the "two-person rule," but it doesn't offer much guidance in terms of what it deems "extremely sensitive." In this Ask-an-Expert written response, IANS Faculty Josh More explains the rule and offers some practical advice for complying with it efficiently.



April 14, 2017 | Enterprise and IT Compliance Management
By Josh More, IANS Faculty

 Addressing PCI’s ‘One Primary Function’ Requirement

While PCI DSS 3.2 requires that IT implement just one primary function per server, it isn't exactly clear about what compliance entails. In this Ask-an-Expert written response, IANS Faculty Josh More explains the requirement and offers strategies for defending common business practices.



April 5, 2017 | Risk Management
By Rich Guida, IANS Faculty

 Creating an Effective IDAM Governance Committee

Planning an optimal identity and access management (IDAM) strategy requires participation and buy-in from a variety of stakeholders, including HR, legal and more. In this Ask-an-Expert written response, IANS Faculty Rich Guida offers recommendations for creating the right membership, rules and processes for a strong IDAM governance committee.



March 8, 2017 | Directory Services
By Rich Guida, IANS Faculty

 Detailing Requirements for an IDAM System

Establishing a set of questions and requirements is a critical step in the process of constructing an identity and access management (IDAM) system. In this Ask-an-Expert written response, IANS Faculty Rich Guida details the important questions security teams should be asking their prospective IDAM vendors, ranging from cryptography and authentication requirements to privilege management and separation of duties. 



February 28, 2017 | Privacy
By Aaron Turner, IANS Faculty

 Protecting Data Transferred From Canada

While Canadian regulators in the past typically followed U.S. precedent on data protection standards, the country has moved closer toward the EU model over the past few years. In this Ask-an-Expert written response, IANS Faculty Aaron Turner recommends companies handling Canadian citizen data follow the EU General Data Protection Regulation and offers some technical guidance for implementing the necessary controls.



February 27, 2017 | Vendor and Partner Management
By Josh More, IANS Faculty

 Managing Vendors With Disparate Frameworks

Vendor due diligence becomes even more challenging when there are a variety of information security frameworks in play. In this Ask-an-Expert written response, IANS Faculty Josh More details two approaches to the problem: a formalized mapping process using the COBIT framework and an ad-hoc approach designed to prioritize the specific risks facing the organization. 



February 1, 2017 | Regulations & Legislation
By Debra Farber, IANS Faculty

 International Security, Privacy and Compliance Laws: Q4 2016 Update

Each quarter, IANS provides an update on the emerging international compliance laws and regulations that impact the information security community. For Q4 2016, we provide a short summary for each jurisdiction in which there was a change, followed by a more detailed description. An updated table of jurisdictions and changes can be accessed here.



January 4, 2017 | Regulations & Legislation
By Daniel Maloof, IANS Managing Editor

 Trump and Security: What to Expect in the New Administration

We all know incoming U.S. President Donald Trump is focused on physical security and building the wall, but what about cybersecurity policy? In this report, a handful of IANS Faculty detail what they believe we should expect from the new Donald Trump administration in terms of digital privacy, consumer protections, the EU-U.S. Privacy Shield, the U.S. Cybersecurity Framework and more.



December 9, 2016 | Risk Management
By Rich Guida, IANS Faculty

 Understanding the Relationship Between Physical and Logical Information Security

The relationship between physical security and cybersecurity can be more closely linked than some organizations might think. In this Ask-an-Expert written response, IANS Faculty Rich Guida details specific instances (e.g., insider threats) where the two types of security come together and offers insight into the practice of "incrementalism."



November 2, 2016 | Risk Management
By Michael Pinch, IANS Faculty

 Breaking Down the Top 5 Security Risks Facing Health Care Organizations

The top priorities for health care organizations today are uptime and free access to data, which means companies in this space face a number of security challenges. In this Ask-an-Expert written response, IANS Faculty Mike Pinch details the major security risks the health care industry is dealing with today - from ransomware to the Internet of Things - and offers strategies for tackling these challenges.



October 6, 2016 | Regulations & Legislation
By Randy Sabett, IANS Faculty

 International Security, Privacy and Compliance Laws: Q3 2016 Update

Each quarter, IANS provides an update on the emerging international compliance laws and regulations that impact the information security community. For Q3 2016, we provide a short summary for each jurisdiction in which there was a change, followed by a more detailed description. An updated table of jurisdictions and changes can be accessed here.



October 1, 2016 | Risk Management
By Rich Guida, IANS Faculty

 Best Practices for Risk Registers

When it comes to building a risk register, there are a number of important steps organizations must take. In this Ask-an-Expert written response, IANS Faculty Rich Guida details the process of constructing a risk register and offers specific criteria for determining how accurate and successful it is.



September 12, 2016 | Risk Management
By Adam Ely, IANS Faculty

 IT Governance Everyone Can Live With

Building a quality, efficient, multi-entity governance, risk and compliance (GRC) structure that doesn’t slow business units and allows for consistent and effective risk mitigation is hard but achievable. In this report, IANS Faculty Adam Ely explains how to determine costs, handle staffing and empower stakeholders to create a GRC program that efficiently mitigates risk and garners support from line-of-business leaders.



July 21, 2016 | Enterprise and IT Compliance Management
By Adam Ely, IANS Faculty

 Keeping Compliant With PCI After Certification

Maintaining PCI compliance is a factor of how well you can build ongoing PCI-based tasks into the normal operating processes of your organization. In this Ask-an-Expert written response, IANS Faculty Adam Ely provides a sample PCI compliance task tracking list that organizations can use to describe various PCI tasks and the frequency at which they need to be addressed. 



July 6, 2016 | Privacy
By Randy Sabett, IANS Faculty

 International Security, Privacy and Compliance Laws: Q2 2016 Update

Each quarter, IANS provides an update on the emerging international compliance laws and regulations that impact the information security community. For Q2 2016, we provide a short summary for each jurisdiction in which there was a change, followed by a more detailed description. An updated table of jurisdictions and changes can be accessed here.



May 31, 2016 | Risk Management
By George Gerchow, IANS Faculty

 Creating Archer Dashboards

Gleaning useful data/metrics from Archer dashboards (and leveraging this information) can be a challenge for security teams. In this Ask-an-Expert written response, IANS Faculty George Gerchow recommends taking a phased approach, starting with modules such as Compliance and Vendor Management, in order to generate buy-in from other departments outside of IT.



April 5, 2016 | Risk Management
By Dave Shackleford, IANS Faculty

 Assessing Security Concerns With Laptop Manufacturers

When organizations look to improve the security of their supply-chain programs, evaluating the different laptop manufacturers is an important step to take. In this Ask-an-Expert written response, IANS Faculty Dave Shackleford details the risks with Dell and Lenovo laptops in particular, and offers some key recommendations for reducing risk during the selection and contract process.



April 1, 2016 | Enterprise and IT Compliance Management
By Ed Moyle, IANS Faculty

 Understanding What ‘Significant Change’ Means in PCI DSS

When it comes to PCI DSS compliance, the language in the standard about “significant change” can be challenging to decode. In this Ask-an-Expert written response, IANS Faculty Ed Moyle offers resources for guidance and recommends that organizations document all changes to their environment as either "significant" or "non-significant" in the context of their particular risks.



March 25, 2016 | Privacy
By Debra Farber, IANS Faculty

 The EU-US Privacy Shield: What You Need to Know

Now that the EU-US Safe Harbor is no longer valid, the EU and U.S. have hammered out a new framework for transatlantic data flows. In this report, IANS Faculty Debra Farber examines the new EU-US Privacy Shield, explains what’s changed and what hasn't, and offers advice to U.S. companies on processing EU data in the future.



March 23, 2016 | Privacy
By Randy Sabett, IANS Faculty

 International Security, Privacy and Compliance Laws: Q1 2016 Update

Each quarter, IANS provides an update on the emerging international compliance laws and regulations that impact the information security community. For Q1 2016, we provide a short summary for each jurisdiction in which there was a change, followed by a more detailed description. An updated table of jurisdictions and changes can be accessed here.



March 4, 2016 | Enterprise and IT Compliance Management
By Dave Shackleford, IANS Faculty

 Selecting an IT Security Framework

Selecting a security framework can be a challenging task, particularly with a number of viable options available. In this Ask-an-Expert written response, IANS Faculty Dave Shackleford details the ISO 27001, NIST 800-53 and ISF security frameworks, assessing their strengths and weaknesses when it comes to emerging risk areas.



February 26, 2016 | Risk Management
By Bruce Bonsall, IANS Faculty

 Getting Business Leaders to Own Risk

To be successful, CISO organizations must possess more than technical expertise. They must also excel at proactive organizational engagement, which IANS breaks down into 7 Factors. In this report, IANS Faculty Bruce Bonsall outlines key strategies for mastering Factor 2: Getting Business Leaders to Own Risk.



February 18, 2016 | Data Loss Prevention (DLP)
By Adam Ely, IANS Faculty

 Privacy and Compliance Best Practices for DLP

Balancing data loss prevention (DLP) efforts and employee privacy can be a tricky challenge for organizations to navigate. In this Ask-an-Expert written response, IANS Faculty Adam Ely explains that when implementing DLP solutions, it's critical to inform users that systems are being monitored for the sake of data protection and to fine-tune DLP policies so that any monitoring is tied to business risks and does not invade user privacy.



January 29, 2016 | Regulations & Legislation
By Debra Farber, IANS Faculty

 Prep Now for the EU's New General Data Protection Regulation - Or Pay Later

The EU has agreed to text for a new General Data Protection Regulation (GDPR), presenting significant new challenges for businesses operating with the EU. In this report, IANS Faculty Debra Farber outlines the changes, underscores the ramifications and urges businesses to prep now since compliance is likely to take much time and effort, and the risk of non-compliance is bigger and more expensive than ever before.



January 20, 2016 | Enterprise and IT Compliance Management
By Marty Gomberg, IANS Faculty

 Building a Regulatory Compliance Program

An increasingly complex regulatory environment requires an effective compliance program that enables organizations to identify and react to the latest security standards and legislation. In this Ask-an-Expert written response, IANS Faculty Marty Gomberg provides a template for companies looking to optimize their implementation of a strong regulatory/compliance program.



December 29, 2015 | Privacy
By Randy Sabett, IANS Faculty

 International Security, Privacy and Compliance Laws: Q4 2015 Update

Each quarter, IANS provides an update on the emerging international compliance laws and regulations that impact the information security community. For Q4 2015, we provide a short summary for each jurisdiction in which there was a change, followed by a more detailed description. An updated table of jurisdictions and changes can be accessed here.



November 19, 2015 | Enterprise and IT Compliance Management
By Ed Moyle, IANS Faculty

 CSA STAR Certification: A Primer

In this CSA STAR primer document, IANS Faculty Ed Moyle outlines the three levels of the certification, explains how organizations can attain them and details the various benefits of the program for both cloud services providers and their customers.



November 5, 2015 | Incident Response Planning
By Marty Gomberg, IANS Faculty

 Out-of-Band Communication Best Practices

When the corporate network goes down and panic sets in, it's critical to have a sound business continuity plan in place. In this Ask-an-Expert written response, IANS Faculty Martin Gomberg offers a checklist for how to prepare for a crisis situation and details some of the tools, techniques and processes that can help support incident response communication, specifically for business continuity.



September 30, 2015 | Regulations & Legislation
By Randy Sabett, IANS Faculty

 International Security, Privacy and Compliance Laws: Q3 2015 Update

Each quarter, IANS provides an update on the emerging international compliance laws and regulations that impact the information security community. For Q3 2015, we provide a short summary for each jurisdiction in which there was a change, followed by a more detailed description. An updated table of jurisdictions and changes can be accessed here.



September 29, 2015 | Enterprise and IT Compliance Management
By Dave Shackleford, IANS Faculty

 Assessing the Impact of the Cloud and Virtualization on SOC Reporting

With businesses continuing to move their data center operations to cloud-based and virtualized environments, there is increasing pressure on cloud services providers to provide a SOC 2 report rather than a SOC 1. In this Ask-an-Expert written response, IANS Faculty Dave Shackleford explains that any report involving cloud providers should address virtualization hypervisor security, virtual machine configurations and back-end storage security, among other issues.



September 21, 2015 | Mobile Access and Device Management
By Michael Pinch, IANS Faculty

Best Practices for Managing Devices Across PCI and Non-PCI Environments

With budgets tight, security teams are always looking for ways to shave costs and become more efficient. In this Ask-an-Expert written response, IANS Faculty Mike Pinch details some key considerations for organizations seeking to leverage common infrastructure management tools to manage devices on a separate PCI segment, including the fact that most shared security tools fall in scope for PCI-DSS and that network segmentation must be based on purpose-built controls.



September 17, 2015 | Risk Management
By Michael Pinch, IANS Faculty

 Using Risk Assessment to Set Business Impact Thresholds

Analyzing and identifying an organization's most critical risks is a daunting, but necessary task. In this Ask-an-Expert written response, IANS Faculty Mike Pinch lays out a process for classifying organizational risk in terms of dollar values, and explains the concept of "materiality," which can help correlate the security program to actual business decisions.



September 10, 2015 | Enterprise and IT Compliance Management
By Michael Pinch, IANS Faculty

 The Next Big Compliance Issues on the Horizon (Webinar Replay/Slides)

Big data, mobile, IoT, the cloud. As more organizations evolve to support new technology paradigms, what will be the next big compliance issues affecting information security? In this webinar, IANS Faculty Michael Pinch explores the most likely scenarios coming down the pipeline and offers various ways to prepare from a compliance standpoint.



September 4, 2015 | Privacy
By Rebecca Herold, IANS Faculty

 EU Data Privacy Directive: An Update

For companies with a significant international presence, it's critical to keep tabs on the latest changes in regulations and legislation overseas. In this Ask-an-Expert written response, IANS Faculty Rebecca Herold offers an update on the EU Data Privacy Directive and details some key changes currently being proposed, including the establishment of a single set of data protection rules that would be enforced across the EU.



July 31, 2015 | Enterprise and IT Compliance Management
By Michael Pinch, IANS Faculty

 Key Considerations for IT Sarbanes-Oxley Compliance

Achieving and maintaining a Sarbanes-Oxley (SOX)-compliant IT environment can represent a daunting task for financial services organizations. In this Ask-an-Expert written response, IANS Faculty Mike Pinch explains that getting a handle on IT controls, performing interim testing and obtaining third-party assurance reports can greatly aid an organization's efforts toward becoming SOX-compliant.



July 6, 2015 | Regulations & Legislation
By Randy Sabett, IANS Faculty

 International Security, Privacy and Compliance Laws: Q2 2015 Update

Each quarter, IANS provides an update on the emerging international compliance laws and regulations that impact the information security community. For Q2 2015, we provide a short summary for each jurisdiction in which there was a change, followed by a more detailed description. An updated table of jurisdictions and changes can be accessed here.



June 15, 2015 | Regulations & Legislation
By Debra Farber, IANS Faculty

 The EU's Proposed General Data Protection Regulation Explained (Webinar Replay/Slides)

Tame Compliance: Navigating the EU's new regulation for preserving the personal data of its citizens can be a complex task, particularly for multinational organizations. In this webinar, IANS Faculty Debra Farber details the legislation, timelines for compliance and the ramifications for all companies conducting business in and with the EU.



May 14, 2015 | Regulations & Legislation
By Randy Sabett, IANS Faculty

 International Security, Privacy and Compliance Laws: Q1 2015 Update

Each quarter, IANS provides an update on the emerging international compliance laws and regulations that impact the information security community. For Q1 2015, we provide a short summary for each jurisdiction in which there was a change, followed by a more detailed description. An updated table of jurisdictions and changes can be accessed here.
