Thursday, November 3, 2022

Most Requested Compliance Documents

Indicator of what’s important around the world.

Current: Monthly Selected Authority Documents - September, 2022 - Unified Compliance

Monthly Updates & History: Monthly Updates Archives - Unified Compliance

Top 10:

  1. NIST CSF 1.1
  2. CIS Controls, V8
  3. ISO 27001-2013
  4. EU General Data Protection Regulation (GDPR)
  5. NIST SP 800-53 R5
  6. Sarbanes-Oxley Act of 2002
  7. PCI DSS v3.2.1
  8. ISO/IEC 27701:2019
  9. Cloud Controls Matrix, v4.0
  10. ISO 27002 

Tuesday, October 25, 2022

Summary of All Data Breaches 2004-2022

The pictures speak for themselves. It's interesting... Looking at the average data sensitivity for all records lost each year, ranked according to the simple scale below, you get this chart.

Data source: World’s Biggest Data Breaches & Hacks — Information is Beautiful

Data sensitivity

1. Just email address/Online information
2. SSN/Personal details
3. Credit card information
4. Health & other personal records
5. Full details

By number of records lost

Putting it together

Tuesday, October 11, 2022

IT Audit Process: Identify blind spots & streamline operations

I created this to use as a backdrop for discussions around the IT audit process with a focus on identifying blind spots and streamlining operations.

Thursday, October 6, 2022

Top Leadership Tips! XL Management Post

 I brought up the Tuckman model of team phases while coaching an OKR session for a new team. The purpose was to encourage them to anticipate - and perceive as normal - a little chaos and contention. 

A quick Google search later to send a funny video, and I ran across this excellent list. I copied it here and cleaned it up. 


1: Be familiar with the phases of Teamwork. Tuckman’s forming, storming, norming, and performing model.

2: If you want good leaders to lead teams, give them the tools to do it. Train and manage the process of leadership building.

3: If you want followers (team members) train them to work together – manage the process and monitor progress.

4: Support the process from the very top but be prepared to be lonely. Leading is often a lonely role – the buck stops with you.

5: Give each leader and each team identity to hold onto. A reason to be proud of membership and an acknowledgment of achievement.

6: Foster the identity to increase group/team cohesion. Leading and following are not always doom and gloom. Make business fun – work hard play hard.

7: Establish The Norms You Want. It is imperative to agree on the core norms setting ground rules to prevent problems later on.

8: Clearly define roles and responsibilities in order to establish boundaries and set expectations governing relationships.

9: Establish key group/team processes. Meetings, decisions, brainstorming, timekeeping, and problem-solving.

10: Everyone’s time is valuable. If you don’t expect your team to waste your time – don’t waste theirs. Give power to the team on the ground – trust in their judgment. They are the ones delivering the goods.

11: Truly great leaders have mastered courtesy along with being bold, courageous, dynamic, and visionary.

12: Communicate, communicate, communicate. But above all get to the point! Make sure you get the message out to your audience – don’t waffle. Do not leave people wondering what all the slides were about when there was only one point to be made. Leaders have a knack for cutting through the BS and simplifying the solution so that everybody can embrace it.

13: Don’t be afraid to give bad news. Every company has bad news – it makes the good news look better too.

14: If you want your team to be engaged, committed and good followers say thank you! You expect team members to be cohesive and achieve great things; when they do, thank them. As General Colin Powell (US Army retired) once said “Organization doesn't really accomplish anything.  Plans don't accomplish anything, either.  Theories of management don't much matter.  Endeavors succeed or fail because of the people involved.  Only by attracting the best people will you accomplish great deeds.”

15: Integrity counts. Neither your customer nor your team is wedded to you so they need to believe and trust in you.  

16: Never doubt your own vision – you are the leader, and you are expected to know all the answers until proven differently. And remember optimism multiplies if fostered.

17: Being responsible sometimes means pissing people off. It’s better to get the right thing done in the right way than to let your team believe that mediocrity is good enough. Keep looking below the surface – even when what is below may not be palatable.

18: Be happy with your team bringing problems and complaints as well as the good news. The day this stops either means they don’t care or have lost confidence in you.

19: Advisors have their place. But at the end of the day, it is your judgment that counts. Separate data from judgment and constantly reference your own hard-won insight.

20: Pick good followers for now and leaders for tomorrow. Formulate your list of criteria and be choosey who you work with. Make sure each person ticks most if not all of the key boxes. E.g. Intelligence, judgment, insight, loyalty, integrity, and a high-energy drive.

Friday, September 16, 2022

SP 800-66 Rev. 2 Reverse Mapped HIPAA - NIST Updated Guidance for Health Care Cybersecurity

Here's a NIST mapping crosswalk between the HIPAA requirements and NIST SP 800-53r5 in a spreadsheet format.

Spreadsheet Here: 2022 HIPAA Crosswalk SP 800-66 ipd Table 12.ver.01.xlsx - Google Drive from Blog Downloads

NIST Page: SP 800-66 Rev. 2 (Draft), Implementing the HIPAA Security Rule: Cybersecurity Resources | CSRC

Publication Link: NIST SP 800-66r2 initial public draft, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

I reworked the information from the initial public draft into a spreadsheet that also allows easy importing into different tools. Additionally, I included a direct NIST map, essentially reversing the look-up. Finally, all control IDs are now two digits, which allows for proper sorting and lookups with tools inside arrays.
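The reverse look-up and two-digit control IDs described above, as an added Python example (not the spreadsheet's own logic). The sample rows are constructed for illustration and are not copied from the spreadsheet or the NIST draft; padding enhancement numbers such as `(12)` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample rows: HIPAA Security Rule citation -> SP 800-53r5 controls.
# Illustrative only; not taken from the spreadsheet or from SP 800-66r2.
SAMPLE_CROSSWALK = {
    "164.308(a)(1)(ii)(A)": ["RA-3", "PM-9"],
    "164.308(a)(5)(ii)(C)": ["AC-7", "AU-6"],
    "164.312(a)(2)(i)": ["AC-2", "IA-2", "IA-4"],
    "164.312(b)": ["AU-2", "AU-6", "AU-12"],
    "164.312(e)(1)": ["AC-17", "SC-8"],
}

# Family, control number, optional enhancement: AC-2, AU-12, AC-2(12)
_CONTROL_RE = re.compile(r"^([A-Z]{2})-(\d{1,2})(?:\((\d{1,2})\))?$")


def pad_control_id(control_id):
    """Normalise 'AC-2' to 'AC-02' and 'AC-2(12)' to 'AC-02(12)'.

    Without padding, a plain text sort puts AC-17 ahead of AC-2.
    """
    match = _CONTROL_RE.match(control_id.strip().upper())
    if match is None:
        # Fail loudly so a typo in the sheet never becomes a silent gap.
        raise ValueError(f"unrecognised control ID: {control_id!r}")
    family, number, enhancement = match.groups()
    padded = f"{family}-{int(number):02d}"
    if enhancement is not None:
        padded += f"({int(enhancement):02d})"  # assumption: enhancements padded too
    return padded


def reverse_crosswalk(crosswalk):
    """Invert HIPAA -> NIST into NIST -> HIPAA, keyed by padded control ID."""
    reverse = defaultdict(set)
    for citation, controls in crosswalk.items():
        for control in controls:
            reverse[pad_control_id(control)].add(citation)
    # Padded keys sort correctly as plain strings, in Python or in a spreadsheet.
    return {control: sorted(cites) for control, cites in sorted(reverse.items())}


if __name__ == "__main__":
    for control, citations in reverse_crosswalk(SAMPLE_CROSSWALK).items():
        print(control, "<-", ", ".join(citations))
```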

Here's a snapshot of the format:

Thursday, August 18, 2022

Federal Auditing is... Complicated.

Breaking down your understanding of all things Federal, eh? Yeah, I'm *still* learning. I love this compilation you can find at I've been using this chart for years to demonstrate to my peers how different bodies of work interact. You'll find this in compliance slide decks I've created for graduate college classes to drive the point that there is a lot to consider when making control selection, design, implementation, and operational decisions. 

You can use this as another tool for peeling back layers and quickly finding related directives and publications. 
From the website (do yourself a favor and read this before looking at the chart...): 
  • "The goal of the DoD Cybersecurity Policy Chart is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware of, in a helpful organizational scheme. The use of colors, fonts, and hyperlinks is designed to provide additional assistance to cybersecurity professionals navigating their way through policy issues in order to defend their networks, systems, and data.
  • At the bottom center of the chart is a legend that identifies the originator of each policy by a color-coding scheme. On the right-hand side are boxes identifying key legal authorities, federal/national level cybersecurity policies, and operational and subordinate level documents that provide details on defending the DoD Information Network (DoDIN) and its assets. Links to these documents can also be found in the chart."

Wednesday, August 17, 2022

Global 500 vs Fortune (US) 500 Sector Comparisons - I.e. Profit Margins!

I created this out of curiosity about the macro business environment changes and differences over the last year and between US and Global markets among different sectors. As usual - Follow the money... There are some interesting insights.

So what line of business is the most profitable?? This is organized by the average profit margin of companies within each sector.

Tuesday, August 16, 2022

Brilliant Article: (Don’t) Focus on Your Job at the Expense of Your Career

Credit to HBR and specifically Dorie Clark. Brilliant. Young people need to hear this. 

Don’t Focus on Your Job at the Expense of Your Career

Summary: "The gap between what we have to do today and where we see ourselves in the future can be vexing. We’d like to advance toward our goals, but we feel dragged down by responsibilities that seem banal or off-target for our eventual vision. In this piece, the author offers four strategies you can try so that you can simultaneously accomplish what’s necessary for the short-term while playing the long game for the betterment of your career." 

  1. Analyze the strategic value of your activities.
  2. Enlist allies.
  3. Manage your brand.
  4. Be willing to experiment with “120% time.”
IMHO - This is what I tell my own teenagers and students in college:
  • Put in the time when you are young because you have the energy, mental capacity, and the greatest amount of neural plasticity.
  • The world and the workplace are not fair. Position yourself to capitalize on opportunities. That can be many things - training, visibility, kindness, someone others want to be around and emulate.
  • Embrace the opposite of Imposter Syndrome. Be confident and go for it. Why not you? 
  • Hard work beats talent when talent doesn't work hard. 
More excellent articles by Dorie Clark

  1. Haven't Networked in a While? Here's How to Jump Back In.
  2. Stop Procrastinating and Tackle That Big Project
  3. Approach Your Personal Brand Like a Project Manager
  4. How to Make Progress on Your Long-Term Career Goals
  5. The Upside of Feeling Uncertain About Your Career

Thursday, August 11, 2022

Open Cybersecurity Schema Framework (OCSF)

Who: Amazon, Cloudflare, CrowdStrike, IBM, Okta, and Salesforce

What: They have collaborated on a joint initiative to solve a critical bottleneck in the sharing of threat information: The different data formats currently in use across multiple cybersecurity tools and products.

  • Schema includes: Activity; Activity ID; Category; Category ID; Class; Class ID; Count; Duration; End Time; Enrichments; Event Time; Message; Metadata; Observables; Original Time; Product; Profiles; Raw Data; Reference Event Code; Reference Event ID; Reference Event Name; Severity; Severity ID; Start Time; Status; Status Code; Status Details; Status ID; Timezone Offset; Type ID; Type Name; Unmapped Data

Thoughts: There's still a tremendous amount of work to be done and it will realistically be quite some time before the value is realized from this effort. However, it's good to see some progress and interest. This has been a problem for a very, very long time. 
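To make the data-format bottleneck concrete, here is an added Python example (not OCSF project code) that maps the same failed login, as two hypothetical products report it, onto one shared record. The output keys are snake_case renderings of attribute names from the list above and are not verified OCSF identifiers; the vendor formats, severity scale and sample events are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed events: one failed login as reported by two hypothetical products.
VENDOR_A = {"ts": "2022-08-11T14:03:22+00:00", "sev": "HIGH", "outcome": "failure",
            "msg": "Failed login for user alice", "src": "203.0.113.7"}
VENDOR_B = {"eventTime": 1660226602, "priority": "P2", "result": "DENIED",
            "description": "Failed login for user alice", "sensor_id": "fw-01"}

# Hypothetical severity scale for this example, not taken from the OCSF spec.
SEVERITY_ID = {"Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def _common(product, raw, event_time, severity, status, message, consumed):
    """Build the shared record; source keys nobody mapped land in unmapped_data."""
    return {
        "product": product,
        "event_time": event_time,  # epoch milliseconds, UTC
        "severity": severity,
        "severity_id": SEVERITY_ID[severity],
        "status": status,
        "message": message,
        "raw_data": json.dumps(raw, sort_keys=True),  # original kept for forensics
        "unmapped_data": {k: v for k, v in raw.items() if k not in consumed},
    }


def from_vendor_a(raw):
    """Vendor A: ISO 8601 timestamp, text severity, lowercase outcome."""
    ts = datetime.fromisoformat(raw["ts"]).astimezone(timezone.utc)
    status = "Failure" if raw["outcome"] == "failure" else "Success"
    return _common("vendor-a", raw, int(ts.timestamp() * 1000),
                   raw["sev"].capitalize(), status, raw["msg"],
                   {"ts", "sev", "outcome", "msg"})


def from_vendor_b(raw):
    """Vendor B: epoch seconds, P1-P4 priority, ALLOWED/DENIED result."""
    severity = {"P1": "Critical", "P2": "High", "P3": "Medium", "P4": "Low"}[raw["priority"]]
    status = "Failure" if raw["result"] == "DENIED" else "Success"
    return _common("vendor-b", raw, raw["eventTime"] * 1000, severity, status,
                   raw["description"], {"eventTime", "priority", "result", "description"})


def same_event(a, b):
    """A single comparison works once both records share a schema."""
    return all(a[k] == b[k] for k in ("event_time", "severity_id", "status", "message"))


if __name__ == "__main__":
    print(same_event(from_vendor_a(VENDOR_A), from_vendor_b(VENDOR_B)))
```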
