Sage Advice - Cybersecurity Blog

Become Bilingual and Bridge the Gap

Ask CISOs to prioritize the skills they require to excel in their work, and a sizeable number will put talk before tech. Bi-directional communication — and its role in creating world-class cybersecurity programs — is a recurring theme in security workforce surveys and similar research. At the 2017 CyberCrime Symposium, featured speaker Summer Fowler tapped into influential security studies by ISC2, SANS, and Carnegie Mellon University (CMU) to spotlight the communication breakdown that characterizes interactions between CISOs and their senior leadership.

Topics: CyberCrime Symposium, Security Policy, Compliance

Complying with the 23 NYCRR 500 Cybersecurity Regulation

In response to the ever-growing threat of cyber-attacks, the New York State Department of Financial Services (NYSDFS) has issued 23 NYCRR 500, which outlines cybersecurity requirements and regulatory minimum standards for financial services companies. It applies to any company subject to the authority of NYSDFS under New York banking, insurance, and financial services law. In it, NYSDFS urges all “to move swiftly and urgently to adopt a cybersecurity program” as outlined in the regulation.

Topics: Compliance

Cybersecurity Compliance Assessments: It’s All About Interpretation

Finance, healthcare, and retail are just a few of the industry sectors that have to comply with cybersecurity rules. Whether in the form of regulations or contractual agreements, their purpose is often to protect non-public personal information (NPPI) such as medical records, financial records, and credit card numbers from being disclosed and/or compromised. A big challenge when assessing whether you are in compliance is figuring out exactly what you are required to do, so it helps to have a good interpreter.

Topics: Compliance

Navigating a HIPAA Reporting Event when Hit with Ransomware

People responsible for cybersecurity in every industry are familiar with the scourge of ransomware. If hit, your organization could be exposed to some very serious regulatory consequences on top of the public embarrassment, technical costs, and financial losses from the incident. For healthcare entities, HIPAA guidance on exposure of patient information can be very difficult to navigate. An important question for healthcare entities is: can they avoid triggering the Breach Notification Rule if hit with ransomware?

Topics: HIPAA, Compliance, Ransomware, Healthcare

Continuous PCI Compliance is Here

Everyone uses credit and debit cards (CC) to make purchases. They have become an expected form of financial transaction that is part of the economy around the world. That very convenient set of numbers on plastic is now being stored as data digits in our ‘virtual’ wallets - on websites like Amazon.com and on our phones in Android Pay and Apple Pay. CC numbers are attached to our subscription services for things like Netflix, iTunes, Dunkin Donuts, and Uber. Today, businesses that do not accept credit cards post notices on their storefronts and at the cash register. For a business with a virtual retail presence it is unheard of to not accept a CC.

Topics: Compliance, PCI

NIST Framework for Improving Critical Infrastructure Cybersecurity

According to the US Department of Homeland Security, "critical infrastructure are the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof."

To better address critical infrastructure cybersecurity risks, on February 12, 2013, President Obama issued Presidential Executive Order 13636.

Topics: Compliance

Seven Characteristics of a Successful Information Security Policy

The role of policy is to codify guiding principles, shape behavior, provide guidance for decision makers, and serve as an implementation roadmap. An information security policy is a directive that defines how an organization is going to protect its information assets and information systems, ensure compliance with legal and regulatory requirements, and maintain an environment that supports the guiding principles.

Topics: Security Policy, Compliance

Understanding the FFIEC Cybersecurity Assessment Tool

In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and determine their cybersecurity maturity. The methodology provides a repeatable process to measure your cybersecurity preparedness over time.

Topics: Compliance, Financial Sector

Cybersecurity Exam Expectations - Five Key Areas You Should Focus On

In preparation for upcoming regulatory examinations, every financial institution should immediately start evaluating its cybersecurity profile. Examiners' cybersecurity assessment expectations are that executive management and boards of directors have an understanding of their bank's cybersecurity strengths and weaknesses. According to those familiar with the examination pilot, cybersecurity examinations will focus on five key areas – governance, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience.

Topics: Compliance, Financial Sector

Vendor Management - Tips for Creating a Vendor List

You already know who your critical vendors are, right? But do you know all your vendors? If a regulator were to walk into your office and ask about Vendor Z, are you confident enough in your documentation that you’ll be able to explain Vendor Z to them?

Even though you have a handle on your critical vendors, it’s often the “minor” vendors that get us in trouble. If the regulators hear you say, “I’m sorry, I don’t know who Vendor Z is, but I’ll find out for you,” it makes them wonder if you really have a firm grasp on your Vendor Management program.

Topics: Compliance, Vendor Management