When Information Technology and Information Security leaders want to test the security weaknesses and cyber resilience of their organization, they turn to penetration testing. There is no better way of validating organizational security posture than by running pen tests. What is a pen test? Why would you want to conduct internal pen tests instead of […]
Internal Penetration Testing: The What, When & Why You Should Do It Read More »
If you’re thinking about embarking on your HITRUST Common Security Framework (CSF) certification process, you’re probably wondering how much it’ll set you back. It’s an important consideration and, frankly, may force a decision not to certify your organization’s security controls against the HITRUST CSF. I think it’s critical to make the case for an informed
How Much Does HITRUST Certification Cost? 7 Key Factors Read More »
Depending on who you talk to, the definition of a HITRUST “Gap Assessment” may sound very different. That’s because the HITRUST CSF nomenclature departs slightly from common security parlance. That’s a good thing, in my opinion, because the HITRUST CSF is exacting with pre- and post-certification process requirements. In this article, we’ll dig into what
Explained: HITRUST Gap Assessments Are Not Like The Others Read More »
If you’re a company that needs to comply with the General Data Protection Regulation (GDPR), you’re probably wondering whether or not you need to run penetration tests. Penetration testing assessing and evaluating corporate infrastructure is a critical part of any security program, but is it needed by law to protect personal data from a data
Why Do Penetration Testing for GDPR? Article 32 & Much More Read More »
ISO 27001 is a robust security framework that comprehensively evaluates and certifies an organization’s security posture. What does it have to say about an organization’s exposure to security vulnerabilities? What requirements are there for ISO 27001 penetration testing? In this article, I’ll work to answer those questions and more. My goal is to demystify ISO
Should You Do Penetration Testing for ISO 27001? A CISO Explains Read More »
Many healthcare providers, covered entities, and business associates are unclear about whether they need penetration testing for HIPAA compliance. As a healthcare industry CISO, this has never surprised me: The documentation on this point is at times unclear, and even compliance consultants have been known to advise on it inaccurately. In this article, I’ll attempt
Penetration Testing for HIPAA: Requirements, Costs & More Read More »
Penetration testing is an imposing term. A lot of small businesses don’t understand what it is, why they need it, or how much it costs. Or if they do, they understand the consequences: expensive technology investments. Consequently, penetration testing is a daunting proposition. What many a small company doesn’t understand is that their business’ success
Penetration Testing for Small Business: The What, Why & How Much Read More »
If you’re asking this question, it’s usually for one of two reasons: I get it. Pen tests can be a daunting proposition. They can be expensive and they reveal security weaknesses. They’re also critical for driving and developing attack-resistant security strategy. As a CISO, I believe a penetration test is a vital tool for any
Why Do We Need Penetration Testing? For These 4 Reasons Read More »
Many people wonder: does an SSAE 18 SOC 2 assessment require a penetration test? The answer is a resounding “no.” That being said, there are many good reasons to conduct regular penetration testing. Coordinating that testing with other audit functions promotes economies of scale and may even help with responses to those audits. (NOTE: If
Does SOC 2 Require a Penetration Test? Not Really. Read More »
Navigating the SOC audit process can be daunting. There are a few options for audits and while the standards are consistent among auditors, each auditor has their own unique style for conducting the audit. In this article, I’m going to break down the primary distinctions between a SOC 2 Type 1 vs Type 2 audit.
SOC 2 Type 1 vs Type 2: How to Decide Which is Right Read More »
