News

Why Your Incident Response Plan Needs Rules

By Seth Jaffe. Over the holidays, we dusted off some board games for a little family fun. One of the things that struck me was the frequency with which players consulted the game rules. The more complicated the game, of course, the more folks scoured the rule guide. This got me thinking about incident response, [...]

SWIFT Security Controls Framework Goes into Effect

By Seth Jaffe. For banks and financial institutions using the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) network, the new year brought a requirement to self-attest compliance against new mandatory and, optionally, advisory controls promulgated by SWIFT through its Customer Security Controls Framework. Security professionals will recognize these controls as generally standard in the industry, [...]

Risk Assessments Should Build Credibility, Not Destroy It

By Justin Silbert. There are many different types of risk assessments. Some organizations adhere to an industry standard such as the Risk Management Framework (RMF), COBIT, or ISO. Other organizations perform a penetration test, fix their holes (or not), and then assume they are secure. Few assessments, however, achieve the stated purpose, to convey risk information [...]

NASA’s Flight Director – Why Your Incident Response Team Should Have One

By Seth Jaffe. CNN’s Danielle Wiener-Bronner penned an article recently chronicling Equifax’s data breach missteps. One statement in particular caught my attention as being sage wisdom, and worth fleshing out: “Too many decision makers yield a slow response, which results in negative attention.” The importance of an empowered incident response director cannot be overstated. Consistent with our theme on incident [...]

The Importance of an Executable Incident Response Plan, and How NASA Can Help

By Seth Jaffe. Brian Harrell had a good piece this week on improving cybersecurity governance in the boardroom, a topic that we routinely blog about in our Cyber Governance Corner Series. So why am I mentioning a governance article in the Incident Response Series? Because Brian opines, in his article, that “[c]ompliance is a regulatory minimum that one must [...]

The Evolutional Leap from a Basic Incident Response Plan to an Executable Incident Response Program

By Seth Jaffe. In the wake of the Equifax data breach, the time is right to revisit incident response. Dozens of authorities recommend incident response plans (you may have seen lists on my twitter feed or LinkedIn posts), but what does it really mean to have an incident response plan? Is it simply to check [...]

Board of Director’s Obligations to Understand Cyber Risk

By Seth Jaffe for the Cyber Governance Corner. It is no secret that, as an industry, information security suffers from a worker shortage. The Center for Cyber Safety and Education’s 2017 Global Information Security Workforce Study concluded that the most common reason is a lack of qualified personnel. But the next most common reason is [...]

Emergency Response after Harvey

By Seth Jaffe. In the wake of Harvey here in Houston, I took a few minutes to pull up FEMA’s Emergency Management Guide to see how it compares with #incidentresponse. Originally penned in 1993, the Guide offers a number of lessons for the average cyber incident response plan. For example, it begins with review of [...]

Hiring the Wrong Leader Could Sabotage your Cybersecurity Program

By Justin Silbert. Hiring for cybersecurity positions may seem the same as any other profession. Create job description, solicit resumes, interview, and hire the best candidate. But too often, the wrong person is placed into a critical leadership position of securing the organization. The most critical problem is the inability of managers to assess cybersecurity [...]

Transition Period Ends for the NY State Cyber Security Law

By Seth Jaffe. Today ends the 180-day transition period under New York’s Cyber Security Regulation 23 NYCRR Part 500. Covered entities are expected to be in compliance with roughly seven of the sixteen discrete sections.[1] By August 28, 2017, covered entities must meet the following: Cyber Security Program (§500.02): maintain a cyber security program [...]

Director Duties Related to Cyber Security

By Seth Jaffe. There is an interesting infographic circulating social media this summer from David McCandless over at Information is Beautiful. It distills the largest data breaches into floating graphic bubbles, represented by the size of the breach. This type of imagery, while interesting for those of us in cyber security, must be moderately terrifying [...]

Cyber Governance Corner – Overview

By Seth Jaffe. Gone are the days where data protection was left solely to the IT department. Today, cyber risk is constantly on the minds of corporate leadership, and it is a board-level responsibility. In this on-going, multi-part series, we will review director obligations related to cyber security risk management, methods to mitigate that risk, [...]