Saturday, October 29, 2016

Best Control Framework for HIPAA / HITECH Audits / Reviews

While many are adamant about using NIST SP 800-53a Rev 4~ for HIPAA / HITECH there is precedent for using alternatives.

Preference should be given to hybrid frameworks that use HITRUST CSF and / or ISF SOGP as they use a combination of 800-53, COBIT, and / or ISO.

The genesis for building on controls are the new technologies, new attack vectors / threats, and a renewed emphasis on deeper dives into the proper deployment of controls / safeguards.

Tuesday, October 18, 2016

Corporate IT & the Leadership Paradox

With over a decade of experience in consulting, one can see the leadership paradox, especially in corporate IT departments.

Corporate IT executives and managers often move into consulting to embrace their experience while negating the office politics, while many middle managers move into corporate IT from Big 4 consulting firms.

Furthermore, many corporate IT shops ship out work to consulting firms instead of training their own people, while many consulting firms leverage people more junior than their client's staff.

Add to that, the reticence for IT shops to send junior managers to leadership training, and we see a revolving door of poor leaders who focus on leveraging external parties to get the work done.

No wonder IT outsourcing is so strong.

Monday, October 10, 2016

Data Breach Fatigue & Security Training

Apparently, there is "data breach fatigue" out there and recommendations on cutting down security education, training, & awareness (SETA) is gaining traction.

The question comes with to scale back SETA activities due to this fatigue?

The answer is based on the maturity of the information security (InfoSec) program, jurisdiction / market, industry, and the organization's culture.  Frankly, a CISO / CIO / CTO should negotiate freedoms (e.g., local administrative access, open Internet / Web / email access) pursuant to SETA.  Meaning, that if users have carte blanche then SETA is required, necessary, and regularly conducted.

Also, less SETA should equate to more budget for preventive / detective capabilities.