Attacks are no longer simple and scatter gun, like the Nigerian scam. The principle behind this type of attack is launch a hundreds of thousands attacks and hope that just a very few stick. Grammar was poor, yet overall [Click to Read more...]]]> http://www.isscp.com/blog/?p=92 Previous steps

Now we need to consider the threats, both actual and perceived. Identify and discuss them, then list cost-effective solutions. In the solutions identify what is needed and possible methods to implement the solution. After all threats have been identified you might find a single solution that will address more than [Click to Read more...]]]> http://www.isscp.com/blog/?p=71 One question I love asking coverd entities, “What and when was the latest change made to HIPAA?” I ask this for two reasons,    One:  to see what they know and how up to date they are,  and    Two: because HIPAA always changes.     In a previous post I have already indicated the change in 2008 from [Click to Read more...]]]> http://www.isscp.com/blog/?p=87 HIPAA audits are just like any audit or project they require the proper steps.

The planning and scoping of a project is often one of the hardest parts of project management. Audits, like a HIPAA audit, are a targeted project with findings or shortcomings as their project deliverables.  If the audit scope [Click to Read more...]]]> http://www.isscp.com/blog/?p=69 Most Security regulations like HIPAA, SOX, GLBA and PCI (which is an industry standard Not a regulation),  all call for a risk analysis audit.  To many this is an unknown or difficult process, so I thought I would present the common goals for a Risk-based Analysis Audit

GOAL 1: The network defined

We need to [Click to Read more...]]]> http://www.isscp.com/blog/?p=51 Read an article that just blew me away!

“An IT auditor may also work a a forensic specialist (cyberforensic) where the objective is usually directed toward potential crimes or nefarious deeds”

Then let us make lawnmower mechanics,  aviation engineers. Let us have the local lawnmower repair guy service the jet engines to 747s. Obviously we will not!.  [Click to Read more...]]]> http://www.isscp.com/blog/?p=49 For most medical practitioners the full concept of Disaster Recovery Planning (DRP) is sadly not fully understood.  This often comes from a very weak approach to Risk Management, since the two concepts are very interrelated.  [ By the way: HIPAA does calls for both, Disaster Recovery Plan see 164.308(a)(7)(ii)(B)  and Risk Management see 164.308(a)(1)(ii)(B)  ]

So [Click to Read more...]]]> http://www.isscp.com/blog/?p=41 Complaint Driven Vs. Audit Driven

In October 2008 OIG (Office of Inspector General) conducted an audit of CMS (Centers for Medicare & Medicaid Services) regarding their oversight of HIPAA.  Read the link for more information it is well worthwhile, though for many the impact may be subdued in auditees (auditor speak or lingo).

My summary of the [Click to Read more...]]]> http://www.isscp.com/blog/?p=30 This was born out of two sequences of events:

(1) Attending the SANS webcast Virtual rountable: featuring Ed Skoudis, Mike Poor, and Hal Pomeranz, the discussion point concerning cyber warfare / cyber attack was raised due to the current activity against South Korean and US government networks.

(2) During the same week I was reading “The Management [Click to Read more...]]]> http://www.isscp.com/blog/?p=23 Why is it that when we have addictive problems, like drugs and alcohol we address the issue by stating you can only get right, once you admit you have a problem. This is why so many meetings have “Hi my name is X, I am [Click to Read more...]]]> http://www.isscp.com/blog/?p=3 Posted: October 03rd 2007

I guess the answer to the question depends on the lorg reader’s (the human reader) approach, feelings and job function/description. Sadly there are many “log readers” that seek the “instant society approach to completing their duties. They seek systems and applications to read the log files and [Click to Read more...]]]> http://www.isscp.com/blog/?p=5 Posted: August 30th 2007

Of all the Compliance regulations, HIPAA stands out from the rest.

It’s been six years since the 2001 Enron scandal erupted, resulting in Compliance and Governance beguin elevated today.

Large (Fortune 1000 companies) have had to comply, and to a large degree, are quite willing due to the [Click to Read more...]]]> http://www.isscp.com/blog/?p=7 Posted: August 28th 2007

Incident Response plays a vital role along with an organization’s DRP (disaster receovery plan). We must be sure it is implemented correctly?

Incident Response has a preset structure: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. These steps [Click to Read more...]]]> http://www.isscp.com/blog/?p=8 Does SAS 70 imply tight security? Does SAS 70 prove no vulnerabilities? These questions and more are answered for your understanding.]]>

Posted: August 27th 2007

In talking with multiple busines partners, it never ceases to amaze me that there is such a small grasp of [Click to Read more...]]]> http://www.isscp.com/blog/?p=9