Collaborate Disseminate
In the IT Security team where I work, we currently use the Standarized Information Gathering or SIG tool to evaluate IT security posture of prospective 3rd party vendors. What I like about the SIG is the questions are standarized and depen… Continue reading Evaluating security controls of smaller vendors
I work in the IT Security function of my company as a team lead. We periodically send out phishing emails to all users on company network as a form of continuous education of users on how to spot malicious phishing emails. Ou… Continue reading How should failures by a single user on a simulated phishing email be measured?
Im using Control-m to facilitate a transfer from a vendor.
I use Kleopatra to generate a key pair and then give the public key to the vendor to encrypt and send us files.
Every time I test decrypting a file off their site … Continue reading No secret key error [migrated]
Today while reviewing vulnerability scan results with a colleague, we had a debate about what vulnerabilities can be considered “true or legitimate” and hence worthwhile to spend resources in monitoring. We had a differing op… Continue reading If a vulnerability has no relevant attack vectors, is monitoring still legitimate for a company?
I currently work on the IT security team at my workplace in a senior role. Recently, I assisted management in designing the phishing / social engineering training campaigns, by which IT security will send out phishing “test” … Continue reading When is phishing education going too far?
Our company is implementing a BYOD policy. I am working with management to draft end user training guidelines / standards as senior member of the Information Security team. Our company is in a regulated industry and works rou… Continue reading How should security user training be provided when implementing a company BYOD strategy?
A university course has tasked my wife with researching websites that would, I imagine, get her placed on an FBI watchlist. Their advice is to not provide any PII, do not interact with anyone, and do not download anything.
… Continue reading How do you safely research dangerous websites?
I currently work in the Information Security team at my company. I have been requested by company management to assist in reviewing and revising our current IT security policies. I am a trusted, respected member of the IT Sec… Continue reading Should security policy acknowledgements in a company be customized for IT vs non IT users?
I work in the Information Security team at my workplace. We work in the insurance and healthcare industry and work frequently with customer credit card, financial, and private health data.
Today I was meeting with security m… Continue reading Should corporate security training be tailored based on a users’ job role?
As an IT auditor, part of my job duties includes vendor risk assessment / conducting security due diligence.
Based on documentation obtained from the vendor, (SOC 2 report, SIG survey ) , I and several members of the team, … Continue reading How should potential (unverified) security vulnerabilities be best reported?