Entries by Jeff VanSickel

Business Continuity Plans and Disaster Recovery Plans (Part 2)

Comprehensive business continuity and disaster recovery plans are must-haves for companies of all sizes that are dependent on their systems to run their businesses. In Part 2 on this topic, I discuss factors that have to be considered when building a plan. Preparing for a disaster can be a daunting task, involving many factors. A […]

Business Continuity Plans and Disaster Recovery Plans (Part 1)

Comprehensive business continuity and disaster recovery plans are must-haves for companies of all sizes that are dependent on their systems to run their businesses. The definition of a disaster is anything that can impact the continuation of business operations. Most people think disasters would just include major weather events (snowstorms, hurricanes, floods, and tornadoes), fire, […]

Managing IT Risk (Part 2)

Third Party Risk Management. Following up on my prior post, Third Party Risk Management (4/9/18), I’d like to share my recommendations to monitor and manage IT risk. There are a number of Governance, Risk, and Compliance (GRC) tools available, ranging from the inexpensive to the extremely expensive. Small to medium size companies are generally not […]

Managing IT Risk (Part 1)

Third Party Risk Management. Topping my list of information security risks for the coming year is third party risk management. Small to medium size companies do not have the workforce necessary to monitor the security posture of their technology service providers. To properly address the issue, a company will need to put the following in place […]

Qualifying IT Security Risks

How should a small organization quantify risk when it comes to IT security? In my last post, I discussed how people with little or no IT security experience are often put in charge of IT security at small companies. I explained how they might approach telling their boss how things are going on the […]

What Comes First, the 27001 or the 27002 ISO Standards?

There is something quirky about the 27000 series of standards published by the International Organization for Standardization (ISO). Perhaps it is presented deliberately this way as a lesson in due diligence. Perhaps it is just a random error. But the standards are in the wrong numerical order. Judging from our interactions with company IT organizations, […]

Disaster Recovery & Cybersecurity

I’d like to share answers to questions recently asked about disaster recovery. 1. What advice would you give to tie cybersecurity protection and IT disaster recovery together for business continuity? There are a number of activities performed by the IT operational group within an organization that deal with Disaster Recovery. They include performing data backups, […]

Addressing BitLocker and PCI-DSS 3.1 Usage

Inquiry: Earlier this month we received an email from Matthew Todd of Financial Engines, Inc. that said, “Back in 2011, Phil Cox (SystemExperts) wrote some guidance on using Windows BitLocker to meet PCI-DSS requirements. PCI-DSS has been updated since then, and I’m curious if SE has updated guidance.” Response: Section 3.4.1 of PCI-DSS version 3.1, […]

Surviving a Breach

The Target breach is making many in the IT security field take a closer look at their company’s information security and compliance practices. I’d like to share here some of the questions and answers from a recent media interview looking at “How to Survive a Breach.” 1. Are most companies prepared for a cyber breach? […]