ISO 9001 Clause 8.4 Control of externally provided processes, products and services
ISO 9001 Clause 8.4 covers the requirements for controlling externally provided processes, products, and services. The clause starts with subclause 8.4.1, which mandates that organizations ensure all externally provided processes conform to specified requirements. Businesses must determine the necessary controls when external products and services are intended for incorporation …
Book Review: Trust Me – ISO 42001 AI Management System
"Trust Me - ISO 42001 AI Management System" by Gregory Hutchins and Margaux Hutchins is an essential read for anyone involved in AI governance and compliance. This book delves into the revolutionary ISO 42001 standard, giving a comprehensive understanding of its underlying theory, complex concepts, and practical applications. The authors explain why this standard is critical, especially …
Assessing changes in reliability methods over time: An unsupervised text mining approach
The study by Charles K. Brown and Bruce G. Cameron analyzes how reliability engineering methods have evolved by performing a systematic literature review on 30,543 reliability engineering papers. Using topic modeling, they identified 279 topics, which were reduced to eight top-level method topics (prognostics, statistics, maintenance, quality control, management, physics of …
Vulnerability and risk management: How to simplify the process
The IT landscape has evolved dramatically, from the days when centralized software was securely locked away in an office to today's complex ecosystem of numerous devices, software applications, digital assets, and diverse personnel. This shift has created a complicated IT risk landscape, where unmitigated risks can significantly impact business finances, functionality, morale, and …
SEC Adds New Incident Response Rules for Financial Sector
The Securities and Exchange Commission (SEC) has introduced new data-breach reporting regulations for certain financial firms to enhance the protection of consumers' nonpublic personal information. These amendments to Regulation S-P, a rule adopted over 24 years ago, mandate that broker-dealers, investment companies, registered investment advisers, and transfer agents establish robust …
Preparing for the departure of an information security officer
The departure of an Information Security Officer (ISO) poses significant challenges for institutions, particularly regarding cybersecurity and compliance. High turnover rates in this role, exacerbated by remote work opportunities, intensify the struggle to retain cybersecurity talent. The departure of an ISO can weaken a company's security posture and compliance framework, …
What To Expect From A NIST 800-171 Gap Analysis
NIST SP 800-171 is a framework designed to help non-federal organizations protect Controlled Unclassified Information (CUI). Understanding and achieving compliance can be complex for many small to medium-sized businesses (SMBs). A crucial part of this compliance process is conducting a NIST 800-171 Gap Analysis, which compares current security measures against the ideal …
The Impact of NIST SP 800-171 on Small Businesses
NIST SP 800-171 is a specialized data protection framework designed to help non-federal organizations safeguard Controlled Unclassified Information (CUI). It applies particularly to small and medium-sized businesses (SMBs) handling CUI on behalf of the US federal government. Compliance with NIST SP 800-171 requires implementing security controls such as encryption, access …
CISA Certification: A Complete Guide
The Certified Information Systems Auditor (CISA) certification, administered by ISACA, is a globally recognized credential designed for professionals who audit, control, monitor, and assess an organization’s information technology and business systems. Established in 1969, ISACA offers several certifications, including CISA, which signifies expertise in information systems …
A Comprehensive Guide to Understanding the Role of ISO/IEC 42001 (AI Management Standard)
Artificial intelligence (AI) is transforming industries with applications like hyper-personalization, automation, and predictive analytics. However, this rapid advancement necessitates responsible development and ethical practices. The ISO/IEC 42001 standard, published in 2023, addresses these needs by providing guidelines for implementing, maintaining, and improving an AI …
ISO 27001:2022 Controls Annex-A: All You Need To Know
ISO 27001 provides a global standard for creating robust information security management systems (ISMS). Annex A of ISO 27001 outlines 114 controls categorized into 14 domains, which organizations use to manage security risks and achieve ISMS certification. An external certification body audits these controls to ensure the organization’s technology and processes are correctly …
Answers to the Most Popular Predictive Prioritization Questions in IT Security
Predictive prioritization is a method of re-prioritizing vulnerabilities based on the likelihood they will be exploited in an attack. This process results in a Vulnerability Priority Rating (VPR), which ranges from zero to ten, indicating a vulnerability's severity and remediation priority. Unlike the Common Vulnerability Scoring System (CVSS), which focuses on potential impact …
A Global View of the CISA KEV Catalog: Prevalence and Remediation
The Known Exploited Vulnerabilities (KEV) catalog, growing at 17 new vulnerabilities per month in 2023, is crucial for understanding and managing cybersecurity risks. KEVs are significantly more prevalent and resolved faster than other vulnerabilities, with 35% of organizations having at least one KEV in 2023. Despite this, meeting CISA’s remediation deadlines remains …
Securing Generative AI with Non-Human Identity Management and Governance
The rapid innovation in generative AI technologies brings unique risks and security needs. As businesses seek value from AI-driven applications, ensuring their safe usage and implementation is crucial. The concept of non-human identity (NHI) governance protects data privacy and integrity in applications built on the Retrieval-Augmented Generation (RAG) …
The Evolution of the CISO Role
This interview with an executive from publisher IDC is based upon a recent survey they conducted centered on the evolving role of Chief Information Security Officers (CISOs), emphasizing the shift from tactical to strategic responsibilities over the past decade. The survey of over 800 global participants assessed the current role and actions of CISOs. Ten years ago, CISOs …
What are the four levels of PCI DSS compliance?
All companies processing credit card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS), which defines four levels of compliance based on the volume and type of transactions processed. The compliance levels determine what actions companies must take to demonstrate adherence and protect cardholder data. The Payment Card Industry Security Standards Council …
What is security information and event management (SIEM)?
Security information and event management (SIEM) combines security information management (SIM) and security event management (SEM) into a single system. It aggregates data from multiple sources, identifies deviations, and takes action by logging information, generating alerts, and instructing security controls. Initially driven by compliance needs, SIEM has become valuable for …
Needed Standards for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor
To balance user protection against innovation, a software liability system should address the contextual nature of software security, reduce litigation costs, and incentivize security improvements. A workable liability standard should include a rules-based floor and a process-based safe harbor, as current secure software development frameworks lack …
Is your ISO 9001 certification just for the wall?
Many organizations pursue ISO 9001 certification primarily due to regulatory or customer pressure, resulting in a certification that serves more as a checkbox than a tool for genuine quality improvement. This approach often leads to management viewing ISO 9001 as a costly and complicated requirement rather than a beneficial framework. Typically, the quality management system …
Using ISO 10010 to build an effective quality culture
Developing an effective quality culture is critical for organizational success, and ISO 10010:2022 provides a structured approach. Quality culture, which encompasses the beliefs, values, and behaviors that support an organization’s quality policy and objectives, is essential for delivering products and services that meet customer and stakeholder expectations. Unlike ISO …