May 28, 2020 9:37:36 AM

Cloud Computing & Risk Management: A Review of the FFIEC's Recent Statement

Out of sight, out of mind feels pretty good, doesn’t it? Especially when it is not only out of sight but off the ground. Your organization’s data is so far out of reach that not only does it feel like you can’t get to it, but there’s an illusion that no one else can either. But it is just that, an illusion. Even if you are partnering with a reputable vendor with large market share, there is still risk that needs to be considered and mitigated. Recently, the Federal Financial Institutions Examination Council (FFIEC) published a press release discussing security recommendations for how to mitigate this risk. Let’s take a few minutes to walk through it.

Topics: risk management, the cloud

Apr 13, 2020 6:00:00 AM

COVID-19 and Maintaining the Integrity of Your Information Security Policy

Remote Work and Information Security Policy Exceptions

There is a well-known metric included in risk assessments known as the Annualized Rate of Occurrence, or ARO. Risk events have varying AROs depending on the frequency with which they are expected to occur. Many risk events have AROs that are so low, meaning that the event is so unlikely to occur, that an organization may not have a formal, documented policy or procedure (such as Pandemic Response) that describes how the organization will react to or account for the impact of such an event.

Topics: risk management, COVID 19

Mar 15, 2018 10:00:00 AM

What You Need to Know About the SEC’s New Cyber Guidance

During the prime time of the 2017 10-K filing season, the SEC issued additional guidance and expectations for cybersecurity disclosures. Cyber has been a hot topic for the SEC in the last several years. The financial impact on companies of preventing and then responding to a breach cannot be overstated.

Topics: risk management, Cyber Assurance Insights, Cyber SOC

Oct 4, 2016 10:00:00 AM

Alphabet Soup: Understanding the Qualifications of Risk Management Professionals

You’ve just gotten an email from a potential vendor looking to make a connection. In their signature, following their name, is a list of five abbreviations, all intended to make them appear qualified, reputable, and knowledgeable. But what do they actually mean? Are they relevant to the service you are trying to procure? A pilot’s license is crucial for a commercial airline pilot but irrelevant for practicing law. Similarly, technical certifications are outstanding for your IT department, but not so relevant when looking for someone to issue a Service Organization Control (SOC) Report. If you need to provide a SOC Report to your clients or customers, no matter the version you need, you’ll need a CPA. Other organizations may require very specialized certifications; for example, Pulse and STAR require a CTGA (Certified TR-39 Auditor) to perform ATM and PCI PIN compliance audits.

Topics: risk management