Category Archives: Uncategorized
Is your ePHI Protected?
HIPAA stands for the Health Insurance Portability and Accountability Act, a U.S. law enacted in 1996 that establishes federal standards for protecting sensitive health information from disclosure without patient consent. It includes rules for the privacy and security of protected health information (PHI) and applies to healthcare providers, health plans, and other entities that handle…
Common Weakness Enumeration (CWE)
The Common Weakness Enumeration (CWE) is a community-developed catalog of over 600 categories for hardware and software weaknesses and vulnerabilities, maintained by MITRE and sponsored by the U.S. Department of Homeland Security’s CISA. It provides a common language and taxonomy to help developers identify, fix, and prevent security flaws before deployment. Knowing the weaknesses that…
OWASP Top 10
If you develop web applications OWASP Top 10 is the leading list of security risks to be on top of. The below image depicts the OWASP Top 10 Web Applicaiton Security Risks to ensure you test for in your SAST or DAST code review efforts. If you don’t perform code review it’s an essential part…
FedRAMP and Who?
The Federal Risk and Authorization Management Program (FedRAMP), is a compliance program established by the U.S. government to standardize security assessments including but not limited to, authorization, and continuous monitoring of cloud products and services used by federal agencies. Any cloud service provider (CSP) offering services to federal agencies must be FedRAMP certified, including those…
3 Levels of CMMC Certification
The Cybersecurity Maturity Model Certification (CMMC) Program and model consist of 3 levels of certification designed to enforce the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Government contractors will have to determine which level of certification is needed based on the contracts they’re involved in. Below bullet points further describe the…
NIST 800-171 Compliance
The Defense Industrial Base (DIB) is a network of organizations, facilities, and resources that provide our government with materials, products, and services for defense purposes and particularly for our military. Being an Army Veteran myself understanding DFARS compliance is essential for our national security and military readiness. DFARS is a regulation that mandates defense contractors…
What Should Leaders Say to the Board?
I prepared a one pager on the ways leaders should communicate to their board of directors. The bottom line is they want to hear the risks impacting business success are understood, a plan is in place to address it and the security posture is improving which shows risk reduction. Lastly, always ask for their guidance…
What is the difference in a Gap Assessment, Risk Assessment and an Audit?
Using the Secure Controls Framework (SCF) as the baseline the answer to the question is below. Essentially it’s all about risk reduction and minimizing the risk your business feels comfortable absorbing “Risk Tolerance”. The lower your risk footprint “Appetite” the lower the impact from these gaps which increases your risk level. Knowing these three concepts…
AI Security Taxonomy
I created the following AI Security Taxonomy image based off of Ciso’s Integrated AI Security and Safety Framework which is one of the most complete efforts I’ve seen. It will help you understand the evolving AI threat landscape using unified, lifecycle-aware taxonomy integrated with AI security and AI safety threats across modalities, agents, pipelines, and…
What is a Risk Dashboard?
A good Risk Dashboard will show you all the applicable risks to your organization consolidated into a central view that allows you to drill down into each area of concern. Below is a representation of a dashboard. They also allow for easier representation of risk to leadership and to the board of directors. Below are…