News

  • SethJaffe

Proposed Data Breach Prevention and Compensation Act of 2018
Proposed Data Breach Prevention and Compensation Act of 2018 1280 480 SethJaffe
In what appears to be a direct response to last year’s Equifax Breach, Senators Elizabeth Warren and Mark Warner introduced, this week, the Data Breach Prevention and Compensation Act, directly targeting large Credit Reporting Agencies (“CRAs”) like Equifax, Experian, and TransUnion. The Act comes with quite a sting, allowing for fines of up to 75% [...]read more
  • SethJaffe

SWIFT Security Controls Framework Advisory Controls
SWIFT Security Controls Framework Advisory Controls 640 240 SethJaffe
By Seth Jaffe. Our prior article on compliance with the SWIFT Security Controls Framework focused on those controls designated mandatory by the Society for Worldwide Interbank Financial Telecommunication. But SWIFT included, in its framework, eleven advisory controls that are worth mentioning. They are: Implement confidentiality, integrity, and mutual authentication mechanisms to protect back office data [...]read more
  • SethJaffe

Why Your Incident Response Plan Needs Rules
Why Your Incident Response Plan Needs Rules 1200 450 SethJaffe
By Seth Jaffe. Over the holidays, we dusted off some board games for a little family fun. One of the things that struck me was the frequency with which players consulted the game rules. The more complicated the game, of course, the more folks scoured the rule guide. This got me thinking about incident response, [...]read more
  • SethJaffe

SWIFT Security Controls Framework Goes into Effect
SWIFT Security Controls Framework Goes into Effect 1920 720 SethJaffe
By Seth Jaffe. For banks and financial institutions using the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) network, the new year brought a requirement to self-attest compliance against new mandatory and, optionally, advisory controls promulgated by SWIFT through its Customer Security Controls Framework. Security professionals will recognize these controls as generally standard in the industry, [...]read more
  • JustinSilbert

Risk Assessments Should Build Credibility, Not Destroy It
Risk Assessments Should Build Credibility, Not Destroy It 640 240 JustinSilbert
By: Justin Silbert There are many different types of risk assessments. Some organizations adhere to an industry standard such as Risk Management Framework (RMF), COBIT, or ISO. Other organizations perform a penetration test, fix their holes (or not), and then assume they are secure. Few assessments, however, achieve the stated purpose, to convey risk information [...]read more
  • SethJaffe

NASA’s Flight Director – Why Your Incident Response Team Should Have One
NASA’s Flight Director – Why Your Incident Response Team Should Have One 640 240 SethJaffe
  By Seth Jaffe. CNN’s Danielle Wiener-Bronner penned an article recently chronicling Equifax’s data breach missteps. One statement in particular caught my attention as being sage wisdom, and worth fleshing out: “Too many decision makers yield a slow response, which results in negative attention.” The importance of an empowered incident response director cannot be understated. Consistent with our theme on incident [...]read more
  • SethJaffe

The Importance of an Executable Incident Response Plan, and How NASA Can Help
The Importance of an Executable Incident Response Plan, and How NASA Can Help 2560 1700 SethJaffe
By Seth Jaffe. Brian Harrell had a good piece this week on improving cybersecurity governance in the boardroom, a topic that we routinely blog about in our Cyber Governance Corner Series. So why am I mentioning a governance article in the Incident Response Series? Because Brian opines, in his article, that “[c]ompliance is a regulatory minimum that one must [...]read more
  • SethJaffe

The Evolutional Leap from a Basic Incident Response Plan to an Executable Incident Response Program
The Evolutional Leap from a Basic Incident Response Plan to an Executable Incident Response Program 1280 512 SethJaffe
By Seth Jaffe. In the wake of the Equifax data breach, the time is right to revisit incident response. Dozens of authorities recommend incident response plans (you may have seen lists on my twitter feed or LinkedIn posts), but what does it really mean to have an incident response plan? Is it simply to check [...]read more
  • SethJaffe

Board of Director’s Obligations to Understand Cyber Risk
Board of Director’s Obligations to Understand Cyber Risk 1024 683 SethJaffe
By Seth Jaffe for the Cyber Governance Corner. It is no secret that, as an industry, information security suffers from a worker shortage. The Center for Cyber Safety and Education’s 2017 Global Information Security Workforce Study concluded that the most common reason is a lack of qualified personnel. But the next most common reason is [...]read more
  • SethJaffe

Emergency Response after Harvey
Emergency Response after Harvey 640 240 SethJaffe
By Seth Jaffe. In the wake of Harvey here in Houston, I took a few minutes to pull up FEMA’s Emergency Management Guide to see how it compares with #incidentresponse.  Originally penned in 1993, the Guide offers a number of lessons for the average cyber incident response plan. For example, it begins with review of [...]read more
  • JustinSilbert

Hiring the Wrong Leader Could Sabotage your Cybersecurity Program
Hiring the Wrong Leader Could Sabotage your Cybersecurity Program 640 240 JustinSilbert
By Justin Silbert. Hiring for cybersecurity positions may seem the same as any other profession. Create job description, solicit resumes, interview, and hire the best candidate. But too often, the wrong person is placed into a critical leadership position of securing the organization. The most critical problem is the inability of managers to assess cybersecurity [...]read more
  • SethJaffe

Transition Period Ends for the NY State Cyber Security Law
Transition Period Ends for the NY State Cyber Security Law 640 426 SethJaffe
By Seth Jaffe. Today ends the 180-day transition period under New York’s Cyber Security Regulation 23 NYCRR Part 500. Covered entities are expected to be in compliance with roughly seven of the sixteen discrete sections.[1]  By August 28, 2017 covered entities must meet the following:   Cyber Security Program (§500.02): maintain a cyber security program [...]read more
Enter your
text here