A compiled checklist of 300+ tips for protecting digital security and privacy in 2023.
This is great work! Great job Lissy93 and team!
This information was gathered to help people at VMware as many prepare for the pending Broadcom acquisition, by Lorelei Ghanizadeh Voorsanger | LinkedIn. Thank you, Lorelei, for sharing with so many others that need this information. You are a blessing. And thank you to the hundreds of people that have reached out to me and my peers with resources and help. You are appreciated. VMware peers, you are seen. Reach out to me. I have a lot of resources that may be helpful.
Update Your LinkedIn Profile
Job Search Sites & Placement services – US-centric
One of the critical security controls that PCI DSS v4.0 emphasizes is the need for internal vulnerability scans. Companies must perform these scans after any 'significant change,' as defined by the standard. Significant changes include things like adding new hardware, software, or making considerable upgrades to existing infrastructure.
The scans aim to detect and resolve high-risk and critical vulnerabilities based on the entity’s vulnerability risk rankings. Following the scan, any detected vulnerabilities must be resolved, and rescans should be conducted as needed.
External vulnerability scans are equally important and follow the same triggering mechanism—significant changes in the environment. Here, the focus is on resolving vulnerabilities scored 4.0 or higher by the Common Vulnerability Scoring System (CVSS). As with internal scans, rescans are required as necessary to confirm that vulnerabilities have been adequately addressed.
Internal penetration testing is a more aggressive form of evaluation and should be conducted at least once every 12 months or after any significant change to the infrastructure or application. The testing can be carried out either by a qualified internal resource or a qualified external third-party, provided that there is organizational independence between the tester and the entity being tested. Notably, the tester doesn't need to be a Qualified Security Assessor (QSA) or an Approved Scanning Vendor (ASV).
Much like its internal counterpart, external penetration testing is required annually or after any significant alterations to the system. The testing must also be conducted by qualified resources and should follow the entity’s defined methodology for testing.
PCI DSS v4.0 is pretty broad in what it considers to be 'significant changes,' effectively encompassing any new hardware, software, or networking equipment added to the Cardholder Data Environment (CDE), as well as any replacement or major upgrades to existing hardware and software in the CDE. The list is exhaustive and is aimed at ensuring that any changes, no matter how seemingly minor, are given adequate attention from a security perspective.
The PCI DSS v4.0 requirements for vulnerability scans and penetration testing provide a structured approach for entities to keep their data environments secure. While these requirements might seem stringent, they offer a well-defined framework for securing cardholder data against the backdrop of ever-advancing cyber threats. Adhering to these requirements is not just about ticking compliance boxes; it’s about taking the necessary steps to protect your organization and its stakeholders.
Check out this maturity model. What does it mean to measure the maturity of a technology implementation qualitatively? And how can maturity levels help visualize the current and future states to meet control requirements?
Let's unpack these concepts and show how qualitative measures can enrich the maturity model process, particularly with the use of visualization techniques like bar or radar graphs.
Maturity models serve as diagnostic tools, usually consisting of a sequence of maturity levels that provide a path for improvements. These models are vital for benchmarking and identifying the best practices that need to be implemented for organizational success. In technology implementation, they can gauge how effectively an organization is meeting its control requirements—be it in data security, governance, or software development lifecycle.
While numbers and metrics provide a certain level of clarity, they often lack context. Qualitative measurements step in here to provide nuanced insights into otherwise cold data. Through expert interviews, case studies, and scenario analyses, qualitative assessments can address 'how' and 'why' questions that numbers cannot.
One of the powerful ways to present the qualitative aspect of maturity models is through visualization. A bar or radar graph can be used to overlay the current and future states of an organization's maturity levels.
Imagine a bar graph where the X-axis represents different control requirements like "Data Encryption," "User Access Management," and "Compliance Monitoring," and the Y-axis represents maturity levels from 0 (Non-existent) to 5 (Optimized). The current state can be represented by blue bars reaching up to the current maturity level for each control requirement.
This visualization allows stakeholders to immediately grasp which areas are well-managed and which need improvement. It's not just about the height of the bar but the story behind each bar—which can be enriched by qualitative inputs like expert opinions, employee feedback, and process reviews.
In the same graph, future state scenarios can be represented by a different color—say, green bars—overlaying or adjacent to the current state bars. These future state bars are not arbitrary but are informed by qualitative measures like scenario planning, risk assessments, and strategic discussions.
The juxtaposition of current and future states in one graph offers a compelling narrative. It shows where the organization aims to be, providing a clear vision for everyone involved.
Maturity levels, when fleshed out with qualitative measurements, offer more than a snapshot of the present; they provide a roadmap for the future. Visual representations like bar or radar graphs give life to these qualitative insights, making them easy to understand and act upon.
So, the next time you consider assessing your organization’s technology maturity, think beyond numbers. Look at the stories those numbers can tell, and use qualitative measures to fill in the gaps. And don't just keep these insights in spreadsheets and reports—visualize them.
Combine qualitative measures with visualization techniques and build a more meaningful, actionable, and comprehensive roadmap. Aim for a balanced, nuanced, and visually engaging approach to understand the current state and opportunity for improvement.
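The current-versus-future overlay described above, as an added example that is not part of the original post: each control requirement carries an assessed level, a target level and the qualitative rationale behind the scores, and the chart is rendered as a text overlay in place of the blue/green bars. The control names, levels and rationale strings are constructed sample data.

```python
"""Maturity gap overlay: current vs. target level per control requirement.

Scale follows the post: 0 (Non-existent) .. 5 (Optimized).
Control names, levels and rationale text below are constructed sample data.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 0, 5


@dataclass(frozen=True)
class ControlAssessment:
    control: str
    current: int      # assessed maturity today
    target: int       # desired future state
    rationale: str    # qualitative input behind the scores (interviews, reviews)

    def __post_init__(self):
        for value in (self.current, self.target):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.control}: level {value} outside {SCALE_MIN}..{SCALE_MAX}")
        if self.target < self.current:
            raise ValueError(f"{self.control}: target below current state")


def gaps(assessments):
    """Maturity gap (target minus current) keyed by control requirement."""
    return {a.control: a.target - a.current for a in assessments}


def prioritize(assessments):
    """Largest gap first; ties broken by the weakest current level, then name."""
    return sorted(assessments, key=lambda a: (-(a.target - a.current), a.current, a.control))


def render_overlay(assessments):
    """Text stand-in for the bar chart: '#' = current (blue), '+' = planned growth (green)."""
    rows = []
    for a in assessments:
        bar = "#" * a.current + "+" * (a.target - a.current) + "." * (SCALE_MAX - a.target)
        rows.append(f"{a.control:<24}[{bar}] {a.current}->{a.target}  {a.rationale}")
    return "\n".join(rows)


# Constructed sample assessment (not real organizational data).
SAMPLE = [
    ControlAssessment("Data Encryption", 3, 4, "keys rotated manually; HSM rollout planned"),
    ControlAssessment("User Access Management", 2, 4, "quarterly access reviews missed twice"),
    ControlAssessment("Compliance Monitoring", 1, 3, "spreadsheet tracking; continuous pilot in scope"),
]

if __name__ == "__main__":
    print(render_overlay(prioritize(SAMPLE)))
```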
Here's a quick assessment of an organization's adherence to the NIST Privacy Framework. The beauty of this method - by the way - is that it's fast and easy to create this chart using qualitative measures. Search for the Privacy Framework spreadsheet under the downloads section if you want a copy of this.
HIPAA to NIST and NIST to HIPAA indexed worksheets in a single spreadsheet based on the Initial Public Draft (ipd) are posted on the downloads website. Look for the workbook 2022 HIPAA Crosswalk SP 800-66 ipd Table 12 on:
In the realm of cybersecurity learning programs, quantitative data acts as the backbone that offers empirical evidence of program effectiveness. This data, collected through various channels—from real-world cybersecurity incidents and metrics on employee reporting to targeted simulations and longitudinal studies—provides a measurable barometer of your organization's cybersecurity posture. It can also help tailor training materials to specific departments, evaluate ROI, and keep content up to date. This section will detail the key types of quantitative data that you should focus on, offering a robust framework for continuously enhancing your cybersecurity initiatives through actionable metrics.
While quantitative metrics provide the hard facts, it's the qualitative data that enriches our understanding by adding context, nuance, and depth to these numbers. Qualitative feedback captures the human elements that are often overlooked in cybersecurity initiatives. From capturing employees' responses about the program's delivery and content to conducting focus groups for in-depth insights, qualitative data allows us to gauge the intangibles that make or break a learning program. In this section, we will delve into various types of qualitative feedback, including presenter evaluations, open-ended surveys, and even observations from the training sessions, to provide a more holistic assessment of your cybersecurity education efforts.
Combining quantitative data with qualitative insights will not only paint a comprehensive picture of your program's effectiveness but will also guide data-informed decisions for future improvements. For instance, if your quantitative data indicates high knowledge retention but qualitative feedback points to low engagement, you may need to inject more interactive elements into your program. Because when it comes to cybersecurity, an empowered workforce is your best line of defense.
And if you haven't already, check out NIST Special Publication 800-50 and look for the upcoming Rev. 1. This is a comprehensive guideline that serves as an invaluable resource for information security education, training, and awareness. Thank you to NIST and the industry authors and contributors for your tireless work in advancing the field and providing a foundational resource for cybersecurity professionals everywhere.
I ran across this again today working on an internal project for VMware. We are a team of likeminded professionals who enjoy quality work and sharing with the community to raise the bar for everyone.
What struck me when I reopened this workbook is remembering the many very, *very* long days. Mapping is an incomplete science, filled with subjective relationships. However, starting from scratch, using homegrown tools and my own reading through the controls, I remapped as accurately as I could the relationship between the PCI DSS and the body of controls established by NIST SP 800-53r5.
We have our own internal agendas and projects related to this work. However, the data here can help someone else struggling with the volume of frameworks and managing the complex relationships between all of them.
I stand by the mapping as 90% correct. I've learned through the years there are usually ways to improve the accuracy of subjective data. Please let me know if you find an error! Use as you see fit. Look for 2023 PCI DSSv4 to NIST 800-53r5 on davischr2/Cloud-Documents (github.com) or Blog Downloads (compliancequickstart.com).
#pci #pcicompliance #nist #sp80053r5
Cross Posted on LinkedIn: PCI DSS to SP 800-53r5 | LinkedIn
The NIST Privacy Framework (PF) is an interesting model for building and assessing a formalized privacy program. Sure - I agree - it's not as detailed as what can be found on ARMA, but its familiarity with the NIST Cybersecurity Framework (CSF) makes it approachable and easier to share with stakeholders.
This important distinction can help drive interest and stakeholder involvement.
The implementation of any model or checklist is only useful as a point-in-time assessment, and finding a way to extrapolate quantifiable growth is the key to successful implementation and gaining value from the effort.
And so - along those lines - please enjoy access to a free tool for measuring your privacy framework as it stands currently versus your desired state during the next periodic timetable you choose to set.
Cross posted on LinkedIn: NIST Privacy Framework Maturity Model | LinkedIn
You can find the result under Blog Downloads (compliancequickstart.com).
I've found a profession that fits my personality and passions, and I'm equally passionate about helping others find their own personal fit. I'm watching those close to me grow up and think about the work force in the looming years with some anticipation - and some anxiety.
Interest profilers are simply a tool that can be used to help identify professions that could be a good fit based on your authentic self.
This is a list I'll update over time for my own friends and family investigating career choices.
This brief is an interesting read created by Gartner to discuss emerging technologies over the next decade. I've shared this with a few people inside my organization and the response has been quite interesting. When we get so focused on our own domain, reading forward-looking articles such as this one can seem like science fiction.
This particular paper is targeted towards product leaders to help them understand how emerging technologies and trends are changing. Staying on top of emerging technologies is necessary to decide which technologies or trends are most beneficial for their business, and when it is the right time to invest in them in order to improve their products and services.
Never lose sight of that fine line between embedded truth and the need for change. Never lose focus of the opportunities that can make you successful.
In this case, the authors created a simple chart depicting which technologies require focus now, and which ones they believe are imminent. Paying attention to these shifts helps to ensure relevance and longevity.
Think of emotional intelligence as empathy and understanding the emotional state of others and how to navigate the emotions. Awareness. Think of emotional influence as deftly using this information to your advantage. Emotional influence then becomes a powerful marketing technique that aims to persuade potential customers by appealing to their emotions rather than logical arguments. When it comes to selling cloud computing technologies, some common emotions that can be appealed to include:
My wife and I became enthralled with the artful selling on a recent trip. She quickly googled to find an excellent article written by Jillian Ilao, found on fitssmallbusiness.com, titled "6 Emotional Selling Techniques to Drive Buying Decisions".
Jillian powerfully concludes with this:
The Lockheed Martin Kill Chain has evolved over time as the tactics and technologies used by attackers have changed. Initially, the focus was on traditional network attacks, but the rise of mobile devices and the Internet of Things has led to the inclusion of additional stages to cover these types of attacks.
The original Lockheed Martin Kill Chain consists of seven stages:
In addition to the seven core stages, the Lockheed Martin Kill Chain model also includes three additional stages that can occur before or after the core stages:
The Lockheed Martin Kill Chain model is a valuable tool for understanding the different stages of a cyber attack and for identifying potential points of intervention. By understanding the different stages of the attack, organizations can implement targeted defenses and responses to mitigate the risk of a successful attack.
This was shared with me. Posting so that I remember this and share with others.
21 skills that will pay you forever
1. Ability to sell and negotiate.