Notes from the Field: Center for Internet Security Control 10 – Malware Defenses

by Greg Halpin / September 14, 2023

The client I was working with had a web application hosted on a Windows server with the anti-virus software disabled. When I asked the head of Information Technology about it, he said the company's web application didn't work when anti-virus was running, so they couldn't enable it. They weren't concerned about it as they had a firewall in place with malware protection. I strongly advised them to reconsider that decision.…

Why Data Mapping Is Critical for GDPR Compliance: A Comprehensive Tip Sheet for GDPR Compliance

by Suzette Corley / October 4, 2023

We understand how hard it is to keep up with today’s privacy expectations. Privacy regulations are constantly evolving, and maintaining compliant data privacy practices is overwhelming. One of the key aspects of building a compliant privacy program is learning where your data is, how it flows, and what regulations are affecting it. Data mapping, a GDPR requirement, is a great way to understand your data flow process as well as how to…

Notes from the Field: Center for Internet Security Control 09 – Email and Web Browser Protections

by Greg Halpin / September 13, 2023

A small SaaS (Software as a Service) client I worked with recently mentioned an information security incident they experienced a year ago in which the email account of one of their sales representatives was compromised via a phishing attack. The attackers gained the credentials of the sales rep, obtained email addresses of customers, and sent emails to the company's customers with false offers to buy discounted services. The attackers had scraped…

The 7 Steps of Incident Response

by Bob Welch / July 28, 2023

In today’s ever-evolving threat landscape, you must have a plan in place for how your organization will face threats and respond to them when an attack occurs. Unfortunately, incidents are a matter of when, not if, so having a response plan is the best way to guarantee your organization survives after an incident occurs. When an incident occurs, it may feel like you have a million steps to take…

Notes from the Field: Center for Internet Security Control 08 – Audit Log Management

by Greg Halpin / August 16, 2023

During a recent SOC 2 Gap Assessment with a medical billing company, the IT Manager and I discussed the logging and alerting tools the organization had in place. He explained that the company uses the default logging settings and capabilities of the operating systems, applications, and network gear. However, they didn't configure any alerts. The IT team reviewed logs when there was a problem but did not conduct regular reviews.…