Infosec Policies Posts

Cyber Security, Infosec Policies, SOC 2

Movies, Photographs, and SOC 2 Type 1 vs Type 2

Would you rather talk about movies, photographs, or SOC 2 Type 1 vs Type 2?  If your answer was "all of the above" then you've come to the right place.

Amongst companies evaluating the possibility of obtaining a SOC 2 report, there's been some confusion about the difference between SOC 2 Type 1 vs Type 2.  Let's see if we can clear that up; here's what the AICPA says about it.

Enterprise Security Questionnaires, Infosec Policies

Uncovering Hidden Annual Security Requirements

As the end of the year approaches, hidden annual security requirements tend to pop up at the least convenient time.  Although we're glad to spring into action to help bail out companies that have some last-minute cybersecurity obligation that needs "doing" before December 31st, we'd rather help you avoid that type of scramble altogether in the future.  Here are the top ways that you can sniff out hidden annual security requirements well in advance, to avoid a scramble.

Cyber Security, Implementation, Infosec Policies

The Wasteful Pursuit of Security Theater

Anytime you see security policies or practices implemented in a way that seems to be more for appearances than for genuine security protection, beware that you may be witnessing Security Theater.  Be skeptical if and when you see it.

At Havoc Shield we have no interest at all in helping companies go through the motions: we're interested in helping companies improve their security posture every week, every month, every year, reducing the chance that they fall victim to cyberattacks.  In this article, we'll share some of the key indicators of Security Theater, each of which is a practice that we strongly dislike.

Cyber Security, Infosec Policies, Infosec Training

Your Incident Response Plan depends on Talent Acquisition

If you are a Havoc Shield client, we hope you've rolled out an Incident Response Plan in the Policy Manager section of the platform.   Whether you accept our battle-tested templates outright, or you choose to make some surgical modifications, it's important to get the plan into the hands of those who will participate in it.  You know the drill: planning for the worst, hoping for the best, as they say.  If you aren't a Havoc Shield client, we hope you've rolled out a similarly battle-tested plan.

With your plan in the hands of your team members, now is also a good time to talk about the hidden connection between Incident Response Plans and Talent Acquisition, especially if you are at the type of company that we typically serve: angel-backed, venture-backed, and growth companies.

Infosec Policies

How BYOD Policies Catch You Up to Reality

Does your company have BYOD policies?  For those unfamiliar with the term, BYOD is "Bring Your Own Device" -- and BYOD policies relate to what the company does (and doesn't) allow in terms of handling company business from your own devices.  When the term BYOD first entered the vernacular of IT and compliance teams, it often referred to employees using their own smartphone or tablet.  However, more recently it's adopted a meaning that includes any personal device -- including laptops, tablets, smartphones, and anything else.
