Every small business is unique, and should consult a qualified attorney for advice on the FTC Safeguards Rule. But, as cybersecurity professionals we believe you should have access to a way to jumpstart your effort, while you work with counsel on any unique particulars related to your situation. So, today we're offering extremely actionable steps that would be a great step towards some of your FTC Safeguards Rule obligations. Let's cut straight to the chase:
Infosec Policies Posts
We recently dug through 100+ vendor risk assessment templates and released some of our initial findings. We're motivated to understand the prevailing norms in these types of assessments/questionnaires because our clients frequently find themselves on the receiving end of these documents. When we do a good job of helping our clients predict which security questions are likely to arise, it helps them decide which security controls to push closer to the top of the prioritization stack. One topic that is almost always covered in vendor risk assessments is infosec policies and infosec plans: 88% of the vendor risk assessments in our analysis contained questions about plans and policies.
If you are subject to the FTC Safeguards Rule (link), it can be hard to know where to start with your compliance effort. An important first piece of information that you should keep in mind is that the proposed changes to the FTC Safeguards Rule have not yet been...
Would you rather talk about movies, photographs, or SOC 2 Type 1 vs Type 2? If your answer was "all of the above" then you've come to the right place.
Amongst companies evaluating the possibility of obtaining a SOC 2 report, there's been some confusion about the difference between SOC 2 Type 1 vs Type 2. Let's see if we can clear that up; here's what the AICPA says about it.
As the end of the year approaches, hidden annual security requirements tend to pop up at the least convenient time. Although we're glad to spring into action to help bail out companies that have some last-minute cybersecurity obligation that needs "doing" before December 31st, we'd rather help you avoid that type of scramble altogether in the future. Here are the top ways that you can sniff out hidden annual security requirements well in advance, to avoid a scramble.
Anytime you see security policies or practices implemented in a way that seems to be more for appearances than for genuine security protection, beware that you may be witnessing Security Theater. Be skeptical if and when you see it.
At Havoc Shield we have no interest at all in helping companies go through the motions: we're interested in helping companies improve their security posture every week, every month, every year, reducing the chance that they fall victim to cyberattacks. In this article, we'll share some of the key indicators of Security Theater -- each of which is a practice that we strongly dislike.
If you are a Havoc Shield client, we hope you've rolled out an Incident Response Plan in the Policy Manager section of the platform. Whether you accept our battle-tested templates outright, or you choose to make some surgical modifications, it's important to get the plan into the hands of those who will participate in it. You know the drill: planning for the worst, hoping for the best, as they say. If you aren't a Havoc Shield client, we hope you've rolled out a similarly battle-tested plan.
With your plan in the hands of your team members, now is also a good time to talk about the hidden connection between Incident Response Plans and Talent Acquisition, especially if you are at the type of company that we typically serve: angel-backed, venture-backed, and growth companies.
Does your company have BYOD policies? For those unfamiliar with the term, BYOD is "Bring Your Own Device" -- and BYOD policies relate to what the company does (and doesn't) allow in terms of handling company business from your own devices. When the term BYOD first entered the vernacular of IT and compliance teams, it often referred to employees using their own smartphone or tablet. However, more recently it's adopted a meaning that includes any personal device -- including laptops, tablets, smartphones, and anything else.
You may have heard the advice "Good Security Programs Begin and End with Policy" -- an assertion that is being popularized by at least one online cybersecurity training program. We disagree. Here, we'll share why.
We learn as kids not to talk to strangers, but as adults we sometimes forget this lesson when we engage with emails. That's why it is so crucial to put email security best practices in place in order to protect your data, your customers, and your company as a whole.