Infosec in the Small Business World

-
Over the past few years, it is becoming increasingly more common for clients to come to us asking that to fill out a security questionnaire from one of their vendors or investors.  A decade ago this was almost unheard of.  While all companies where we are located are required by law to have a Written Information Security Plan (WISP) and keep it up to date, these rules are largely ignored.  No one is checking to see if you are following the rules, and the concept of a WISP in the SMB world is hard to implement if they even can.  They are hard enough to achieve in corporate environments.

 Where does one begin?

  • You can search for "sample WISP," and you will get plenty of excellent examples, but do not try to implement this on your own.  Make sure that you have owner by in, involve HR, your IT staff, and your general counsel.
  • Have your IT team start with implementing ISO27K based standards.  If you apply and follow these standards, you will have a good solid foundation for most other audit standards.

Make sure that you ask your vendors for the following:
  • SOC reports
  • if they meet PCI DSS (required for credit cards)
  • if they are HIPAA compliant (the US health care industry rules dealing with patient data)
  • if they have a WISP, and when was it last reviewed (should be reviewed yearly)
If you do not want to lose out on business or be in the unfortunate position of being involved in a data breach, reach out for help to your IT professional.  The penalties for not being compliant are high, and claiming that you did not know or understand the law is not an excuse.

Popular posts from this blog

The light at the end of the tunnel... Finishing the puzzle

-
   The past few months at work I have been working on this never ending upgrade project.  Well it will probably never be officially finished, but that is probably a good thing, since that is how the company got in it's technological mess in it's first place.    When I kicked off the project I never really imagined to what extent we would be pushing the boundaries and finding system limitations.  It started off as an innocent software upgrade.  Nothing is quite that simple though.    I inherited an ERP (Enterprise Resource Planning) system that had not been touched upgrade wise in 9 years, the website was 6 years old, the newest desktop was over 5 years old, and on top of that there was a manual e-commerce system and EDI (Electronic Data Interchange).    That year we upgraded all of the desktops in the office, replaced the legacy PBX phone system with a VOIP one, which required that I needed to replace all of the network switch...
Read more

Internet of Things (#IoT) is Here Upon Us, So Where is #IPv6

-
   Internet of Things (IoT) has existed as a concept for a while now, but now it is a hot buzz word.  As geeky as it may sound you are probably using something that falls in this category already, SmartTVs, Chromecast, Internet radios, major appliances, cars, smartphones, tablets, smart thermostats (Nest for instance) and all of the devices that they integrate with, and now smart watches.    Last year I cut the cable cord and got a Nexus Player and a Tablo .  I already had Amazon Prime that I can watch with my PS3.  It's a shame that Amazon can't get over themselves and just support Android.  Fire was built on Android so its obvious they just want to have a pissing war to try and sell more Fire products.  I am not a fan of walled garden devices but that is a different discussion.  I added Sling TV when it came out and recently added Netflix back to the fold.  (I had used it back in the DVD days before they changed the pricing m...
Read more

Best in Breed vs Bundled Solutions

-
   I have spent much of my IT career on the consulting side but I have also had a stint for a few years on the other side in the role of IT decision maker role.  One of topic that rears it's ugly head from time to time is whether or not to go with a best in breed solution or a bundled solution.    I see both sides but after working with ERPs I tend to favor bundled solutions because of the simplicity, how streamlined IT support becomes and integration is that big of an issue.   I know that things are going to work and I try to make the software work to what I need to do before I decide that an outside solution is needed.    But I currently work with a colleague that tends to prefer the best in breed method in almost every occasion.  Honestly this approach kind of bugs me, for one I am writing about it.  I feel that the best in class approach is like deciding to where mismatching clothes when you wake up in the morning.   ...
Read more