Jan 10, 2019 9:30:00 AM

HHS Finally Offers Cybersecurity Guidance to Healthcare Organizations

I’ve worked with healthcare organizations of all sizes for many years and questions are regularly asked about what the best controls framework is for building a cybersecurity program. Surprisingly, very little guidance related to cybersecurity has been provided by the government in the past years even though healthcare has been one of the prime targets of hackers. Stories of hacking, phishing, and malware/ransomware have been prevalent on almost a weekly basis. With the majority of healthcare organizations being understaffed and underfunded, efforts to develop a cybersecurity program have typically been done in a piecemeal fashion to meet the barebone requirements.

Topics: Cyber Assurance Insights, HHS Guidance, NIST

Aug 16, 2018 9:30:00 AM

Topics: Cyber Assurance Insights

Jul 5, 2018 10:30:00 AM

Topics: Cyber Assurance Insights

Jun 28, 2018 9:30:00 AM

NIST for Cybersecurity: What You Need to Know About the Framework v1.1 Update

At the end of April, NIST released the v1.1 update to its Cybersecurity Framework (‘CSF’). (See our introduction to the Framework in our most recent blog article.) HORNE had the opportunity to attend the NIST update webinar last month. Below is a summary of the latest updates to be considered by your organization if you currently utilize or plan to utilize the Cybersecurity Framework.

Topics: Cyber Assurance Insights

Jun 26, 2018 9:30:00 AM

NIST for Cybersecurity: Understanding the Framework

NIST Cybersecurity Framework (CSF) Overview

The NIST Cybersecurity Framework is a cybersecurity risk management program developed with a focus on industries necessary to national and economic security, such as the energy, banking, communications and defense sectors. Due to its flexibility, however, both small and large companies have adopted the Framework across every industry sector, including federal, state and local governments.

Topics: Cyber Assurance Insights

Jun 14, 2018 9:34:16 AM

Building the Audit of the Future: Diving Deeper into the Role of the Auditor

Last week in “Building the Audit of the Future: The Roles of Robots and Humans”, we talked about the technology pieces of the audit of the future and the need to understand several components in order for auditors to be anticipatory in the coming years. We discussed process automation, efficiency (and data analytics), accuracy expectations and cyber risk mitigation. We left off just as we began touching on my favorite part of the audit process – discussing threats, concerns, mitigating factors and the future with clients.

Topics: Cyber Assurance Insights, Audit of the Future

Jun 7, 2018 9:30:00 AM

Building the Audit of the Future: The Roles of Robots and Humans

When most people think about the audit of the future they think about robots. Now, I don’t know about you but when I think about robots and the future I think about people wearing white jumpsuits driving flying cars. In my mind, I see a mix of something like the Jetsons meets Tomorrow Land in Walt Disney World. Unfortunately, while all of this is very exciting, it’s not exactly what the audit of the future is going to look like. Instead, the audit of the future is going to look technical at first (so, there will be some robots), and then it will take a fast 180° and feel a lot more fluid than technical. Today, I want to talk about the first half of the audit of the future, the technical piece, and then next week dive into the less concrete, client relationship piece.

Topics: cybersecurity, Cyber Assurance Insights, Audit of the Future

Mar 15, 2018 10:00:00 AM

What You Need to Know About the SEC’s New Cyber Guidance

During the primetime of the 2017 10K filing season, the SEC issued additional guidance and expectations for cybersecurity disclosures. Cyber has been a hot topic for the SEC in the last several years. The financial impact to companies to prevent and then respond to a breach cannot be overstated.

Topics: risk management, Cyber Assurance Insights, Cyber SOC

Feb 27, 2018 1:04:33 PM

Providing Peace of Mind Around Your Law Firm's Data Security

Have you ever wondered why Amazon Web Services (AWS) is so focused on security? When you visit their compliance page, they have nearly every privacy and security badge available, noted with the global standards highlighted below:

Topics: cybersecurity, SOC 1 Audit, securing your data, SOC for Cybersecurity, Cyber Assurance Insights, Cyber SOC, Compliance

Feb 2, 2018 4:06:23 PM

6 Steps to NIST 800-171 Compliance

NIST 800-171 provides a framework for the protection of controlled unclassified information (CUI). The framework is intended to provide guidance for nonfederal entities working with and accessing the data of federal entities. However, NIST 800-171 also serves as a best practice set of privacy and security controls for many types of unclassified data.

Topics: Cyber Assurance Insights, IT GRC, Cyber GRC, Cyber Regulations, Compliance, NIST 800-171

Aug 10, 2017 10:00:00 AM

How Secure Are Your Vendors?

The spotlight on the topic of vendor management has been shining even brighter lately with a large number of data breaches resulting because of poor vendor processes. With vendors being a key reason for the success of companies in today’s economy, companies have a responsibility to ensure efficient processes are in place when contracting with and working daily with vendors. Though many companies are limited by funds and resources that can be devoted to vendor management, the process for protecting themselves can be as simple as asking the following questions:

Topics: VENDOR MANAGEMENT, vendor security, Cyber Assurance Insights

Aug 1, 2017 10:37:00 AM

CMS May Want Their Money Back

The old adage ‘Money can make you do crazy things’ can easily be applied to both our personal and business lives. Within the healthcare industry, HITECH incentive payments were offered by the US government several years ago to implement electronic health record systems at hospitals and other healthcare organizations. In order to qualify for these government incentive payments, healthcare organizations were required to carry out regular security risk assessments in order to show that they were meeting the HIPAA Security Rule requirements. As is the case with many government incentives, a large number of healthcare organizations properly followed the rules and carried out the security risk assessments while a select number received the HITECH incentive payments without doing so.

Topics: Cyber Assurance Insights, HITECH

Jul 25, 2017 10:02:00 AM

What You Need to Know About Cyber Regulations

Everyone hears about cyber risk, but not everyone is aware that the federal government is taking steps to help protect public companies and investors from malicious hackers. Recently, the Senate moved forward a bill requiring public companies to 1) name a cyber security expert on the board or 2) explain the other cyber security steps taken if no board member has cyber security expertise (the Cybersecurity Disclosure Act of 2017). The bill has bipartisan support and is a common sense next step. This bill is very similar to the requirement that came out of SOX that required a financial expert on audit committees.

Topics: Cyber Assurance Insights, Cyber Regulations

Jun 29, 2017 10:01:00 AM

Will the FDA Strengthen Cybersecurity Requirements for Medical Devices?

Earlier this year, the FDA released guidance for Postmarket Management of Cybersecurity in Medical Devices. While many agree that the recommendations will help guide developers and manufacturers, these are still "non-binding" and are simply recommendations, not requirements. With the stakes being so high and the continued growth of cyber threats, if and when will the FDA begin mandating these recommendations?

Topics: Cyber Assurance Insights

Jun 23, 2017 7:05:00 AM

Four Steps to Managing Vendor Security

Target. Home Depot. Wendy’s. The stories of significant cyber breaches are in the headlines every day. Board members and CEOs are growing more and more concerned about cyber risk management in their organization. But most don’t realize that each of the three breaches listed above was linked to 3rd party service providers and business associates.

Topics: SOC for Cybersecurity, Cyber Assurance Insights

Jun 22, 2017 10:02:00 AM

Breaking Bank: Episode 3

Over the last several weeks we have witnessed the story of a bank that thought compliance was enough to keep its customers’ information and the bank’s reputation secure. However, they quickly realized that one breach can change everything and cause them to question their strategy regarding cybersecurity. We step back onto the scene as the ISO, Walter, learns what he could have done differently to prevent the recent cyber attack.

Topics: Cyber Assurance Insights

Jun 1, 2017 10:03:00 AM

Breaking Bank: Episode 2

Last month we began the story of a very ambitious bank filled with well-intentioned individuals who love their jobs and want to see their customers’ information protected. We were introduced to the bank’s Information Security Officer, Walter White, and we watched as he took important steps to protect his company with internal control implementation and cybersecurity practices (like hiring an IT company to perform a penetration test). He thought his company was secure, until the unexpected happened. Today, we find out what event changed everything…

Topics: Cyber Assurance Insights

May 25, 2017 10:03:00 AM

Cybersecurity: Are You the Gazelle at the Back of the Herd?

In response to the headline breaches plaguing organizations across the globe, there have been numerous solutions and recommendations that have gained popularity in the fight to combat cyber-crime. New security appliances, 24x7 network monitoring services and red team assessments are a few of the solutions being discussed among IT leadership and the cybersecurity services community. While each of these solutions plays a crucial role in strengthening the cyber resilience of organizations, their efforts are often futile if the appliances are not being used correctly or if vulnerabilities are not remediated properly and expeditiously.

Topics: Cyber Assurance Insights, IT GRC, Cyber GRC

May 17, 2017 10:31:00 AM

Cyber SOC – What Board Members Need to Know

The AICPA has issued its much awaited standard on cyber security. The new guidance, referred to as the “Cyber SOC,” allows CPAs to audit a company’s cyber security. In the past, organizations relied on various consultants, internal resources, and sometimes just plain luck, in identifying and mitigating cyber risks. The Cyber SOC fundamentally changes how cyber threats are evaluated and managed. It allows for an independent, objective look at an organization’s processes, policies and controls around cyber risks.

Topics: Cyber Assurance Insights, Cyber SOC

May 16, 2017 10:00:00 AM

President Trump's Cybersecurity Executive Order: What You Need to Know

Last weekend’s global cyber-attack shocked a lot of us due to its size, scope and impact. As news broke of the attack around the globe, each story was more concerning than the last and raised the question: what is the US doing about cyber security?

Topics: Cyber Assurance Insights, Cybersecurity Executive Order

May 11, 2017 10:00:00 AM

Breaking Bank: Episode 1

I don’t know about you, but I’ve read a lot of content-filled, factually intense cybersecurity articles over the past few months. I’ve read so many that I began hearing similar concepts without actually understanding how they impact my clients specifically. For this reason, today I don’t want to spout off a bunch of information (as accurate as it may be) and tell you to go make sense of it; I would instead like to tell you a story. So sit back, relax, and enjoy the movie (cue Disney Castle scene)…

Topics: cybersecurity, Cyber Assurance Insights

May 4, 2017 10:00:00 AM

SOC for Cybersecurity: What Does this Mean for Your Business?

The American Institute of Certified Public Accountants (AICPA) finalized the guidance for System and Organization Controls (SOC) for Cybersecurity reporting this week. This guidance gives organizations guidelines on how to create and document their cybersecurity risk management program, as well as providing standards for public accounting firms to report on such programs. In other words, this provides clear guidance for CPAs to provide assurance on cybersecurity.

Topics: SOC for Cybersecurity, Cyber Assurance Insights