Who needs just compliance?

Coronavirus COVID-19

Move Winter Olympics 2022

April 20, 2020

To send a message to China's government leadership, and to begin a useful repair of the Italian economy, Mr. Newt Gingrich has endorsed the suggestion to move the 2022 Winter Olympics to Turin, Italy, which hosted the Games in 2006.  The arguments presented in the FB video make sense.

Back on March 13, 2020, Apple's CEO published a very sensible message.  The company seems to feel the risk is greatly reduced in China and, within a few days, everywhere.  

Risk assessment for the COVID-19 issues must begin with your individual well-being.  Once the risk is understood you can broaden your focus to family, friends, neighbors and community.  Each country must take care of itself.  Some will fare better than others.  The difference comes from the individuals who calmly walk toward the problem, confident that they understand the risks.  

Regular Content for Salina.net

Vision:  Acting as a trusted adviser over dozens of engagements, we have confirmed that, measured objectively, the effort needed to actually produce a solid cyber security posture amounts to only about 10 percent more than the effort needed simply to produce the appearance of 'compliance'.

Mission: Focus on IT governance and information technology deployment. Bring clarity of purpose to information security management. Introduce repeatable procedures through a defined framework to establish successful implementation and stable operations.

Specialization and Focus: 
  • Regulatory Exam Preparation and Support
  • Assessment of cyber security posture
  • Blockchain risk assessment
  • Cyber security maturity assessment
  • Governance assessment
  • Process visualization
  • Policy framework alignment audit
  • Implementation practices (procedures) 
  • Review policy vs. deployment gaps assessment 
  • Implementation road-map 
  • Staff skills assessment & training plan 
  • Framework for monitoring detailed self-audit programs
  • Gaps assessment and remediation
  • Litigation Support
  • Expert Witness Testimony
Typical Deliverables:
  • Security Posture Development
  • Business Continuity Management
    • Technology Recovery Planning
    • Business Recovery Planning
    • Disaster Recovery Planning
    • Crisis Management Planning
    • Process Flow Diagrams
  • Vulnerability Assessment Analysis
  • Penetration Test Analysis 
  • Technology Gaps Tracking
  • Cyber Security Program
  • IT General Controls Program
  • Compliance Reporting
  • Risk Assessment by Business Unit
  • Self-Audit Reporting
  • Policy Development

Consulting Practice:

Deliver affordably priced information security services advising senior management and corporate boards.  Exceed expectations and produce lasting improvement in cyber security implementation.

Regulatory / Frameworks




Typical engagements:
  • On Call
  • Defined Scope of Work
  • Staff Augmentation
  • Technology Transfer Instruction

Background:  40 years IS experience
E-Mail Us  |  LinkedIn  |  Facebook  |  http://www.salina.net  |  Phone

Certifications: GSNA (https://www.youracclaim.com/badges/4f777def-9206-4ca4-a233-90e92ffb9892), CISSP, Security+, MCSA, GISP; studying toward CASP.  Our hats off to the professionals at SANS - you are our heroes. 


The deployment and validation road map provided by the Center for Internet Security, specifically the CIS 20 Controls, is the central guide to our consulting practice. They have earned, and receive from us, full credit for the work. The road map makes projects to improve cyber security implementation much more effective.  

Quote for today:   Doing nothing has the down side of being difficult to determine when you are finished.  (Nelson DeMille - Night Fall)

Soap Box (13Mar18):

iPhone Cracker (GrayKey): Today's article on this tool by researchers at Malwarebytes indicates the security pendulum has (temporarily) swung away from user privacy.  In cases of terrorism (alleged or confirmed) this may be appropriate.  Employed without strong controls, GrayKey can pose problems for our Fourth Amendment rights.  It will be interesting to see if Apple attempts to patch to preclude this method of breaking an iPhone passcode.


What did we learn from the Equifax breach?  That even with certain knowledge that their systems were vulnerable, management decided to ignore the opportunity to close the gap.  The policy in place required timely application of patches.  The practice authorized by management abrogated that policy.  The consumer suffers.

Can we do better?  Explore the possibility that results from the FFIEC Cybersecurity Assessment Tool were made public by regulatory requirement.  Would consumers choose to do business with institutions at the bottom of the maturity scale?


Tutorial for scanning your network for MS17-010 (CVE-2017-0143, EternalBlue) posted on the Internet Storm Center (isc.SANS.org).

   A quick way to find exposed hosts:        nmap -Pn -p445 <ip-netblock>

   That sweep only lists hosts with SMB (TCP 445) reachable; an open port is exposure, not a finding.  To check for the vulnerability itself, add the smb-vuln-ms17-010 NSE script, which probes SMBv1 and reports VULNERABLE only for hosts that answer the way an unpatched server does.  Hosts with SMBv1 disabled cannot be tested this way and show up as exposed but not vulnerable:        nmap -Pn -p445 --script smb-vuln-ms17-010 <ip-netblock>
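   Sorting the sweep output by hand does not scale past a few hosts.  The following Python is an added example, not code from the ISC post or from this site: it parses the XML that nmap writes with -oX when run with the smb-vuln-ms17-010 script, and separates hosts that merely have 445 open from hosts the script confirmed as vulnerable.  The XML embedded below is constructed to resemble nmap's -oX layout for three hosts (patched, vulnerable, filtered); it is not a real capture, and the host addresses are placeholders.

```python
"""Triage an MS17-010 sweep from nmap XML output.

Run the sweep as:  nmap -Pn -p445 --script smb-vuln-ms17-010 -oX sweep.xml <ip-netblock>
then:              python3 triage_ms17010.py sweep.xml

Assumption: nmap's -oX layout (host/address/ports/port/state/script) and the
vulns-library structured output (table keyed by CVE, elem key="state").
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this script reads.
# 10.0.0.2: 445 open, script ran, nothing reported (patched or SMBv1 off)
# 10.0.0.3: 445 open, script reports VULNERABLE
# 10.0.0.4: 445 filtered, never probed
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -Pn -p445 --script smb-vuln-ms17-010 -oX - 10.0.0.0/29">
  <host>
    <status state="up"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445">
      <state state="open" reason="syn-ack"/>
      <service name="microsoft-ds"/>
    </port></ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445">
      <state state="open" reason="syn-ack"/>
      <service name="microsoft-ds"/>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
        </table>
      </script>
    </port></ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.4" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445">
      <state state="filtered" reason="no-response"/>
    </port></ports>
  </host>
</nmaprun>
"""

# nmap's vulns library uses these state strings; anything else is not a finding.
VULN_STATES = ("VULNERABLE", "LIKELY VULNERABLE")


def triage(xml_text):
    """Map each IPv4 host to 'not-exposed', 'exposed' or 'vulnerable'."""
    results = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        port = host.find("ports/port[@portid='445']")
        state = port.find("state") if port is not None else None
        if state is None or state.get("state") != "open":
            results[ip] = "not-exposed"   # closed/filtered: cannot be hit over 445
            continue
        status = "exposed"                # open 445 alone is not a vulnerability
        script = port.find("script[@id='smb-vuln-ms17-010']")
        if script is not None:
            # Prefer the structured result; fall back to the text summary.
            elem = script.find("table/elem[@key='state']")
            text = elem.text if elem is not None else script.get("output", "")
            if text and text.strip().startswith(VULN_STATES):
                status = "vulnerable"
        results[ip] = status
    return results


def vulnerable_hosts(xml_text):
    """Sorted list of hosts to patch (or isolate) first."""
    return sorted(ip for ip, s in triage(xml_text).items() if s == "vulnerable")


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for ip, status in sorted(triage(data).items()):
        print(f"{ip:16} {status}")
    print("patch first:", ", ".join(vulnerable_hosts(data)) or "none")
```

   The split matters for reporting: "exposed" hosts are an attack-surface item for the firewall and SMBv1 hardening work, while "vulnerable" hosts are the ones the patch policy already required to be fixed.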

Sen. Orrin Hatch (R-UT), President pro tempore of the United States Senate, has introduced legislation under S. 1475 seeking to provide a set of public security guidelines to be used by non-government entities: a bill to provide for the identification and documentation of best practices for cyber hygiene by the National Institute of Standards and Technology.  A companion bill in the House is sponsored by Rep. Anna Eshoo (D-CA).  Hatch's office said it hopes to see wide, bipartisan support for both legislative efforts.  Let's stay tuned and see if they pick up on the fact that the Center for Internet Security has already contributed (above) a substantial body of work in this area.

The CTI conference gets credit for engaging Cliff Stoll as the keynote speaker!

Congratulations to DHS and the FBI on bringing together the December 29, 2016 Joint Analysis Report (JAR), which provides technical details on the tools and infrastructure used by Russian civilian and military intelligence services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election.  This level of immediate and transparent disclosure is a step forward in improving information security and defending critical systems. 


"The failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security."  Attorney General Kamala D. Harris (CA), California Data Breach Report, February 2016.

  "If you can't measure it, you can't manage it."  Commonly attributed to the late W. Edwards Deming.

Rants and Raves below the line: