Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
What Scares Me About Healthcare & Electric Power Security
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
jdickson782
50%
50%
jdickson782,
User Rank: Author
10/31/2014 | 5:29:24 PM
Re: Accounting standard or security standard?
My overarching thought here is that every organization should have a general controls/ISO-27002 security assessment, but that this is only a starting point. More sophisticated organizations have multiple layers of security defense and do much more focused security testing to validate what's been implemented.
jdickson782
50%
50%
jdickson782,
User Rank: Author
10/31/2014 | 5:26:29 PM
Re: Healthcare
See my comments to Gary's post - unfortunately, there will have to be more high-profile losses before healthcare providers rate security up there with other risk management issues.
jdickson782
50%
50%
jdickson782,
User Rank: Author
10/31/2014 | 5:25:15 PM
Re: Stop signs are installed AFTER a traffic accident occurs.
Sadly, I think you are correct here.  Absent of more high-profile losses, many in the healthcare industry will view the threat as remote.  My thoughts in the article were really based on ~20 years reviewing healthcare organizations and their high-level posture.
Gary Scott
50%
50%
Gary Scott,
User Rank: Strategist
10/31/2014 | 4:31:27 PM
Stop signs are installed AFTER a traffic accident occurs.
Action follows demand.  Until a majority of patients are negativley affected by a security issue nothing will be done.
rzw122
50%
50%
rzw122,
User Rank: Apprentice
10/29/2014 | 5:50:46 PM
Healthcare
OMG! I let out a yelp of agreement as I sprang from my seat and began clapping after reading this commentary. This is an affirmation that I've long needed in my seemingly-solo quest to help medical practitioners understand the importance and value of securing their networks. Conversations with this those in this industry- even about minor perimeter security measures- are often met with shrugs or blank stares, but even more maddening are the reactions of whatever tech staff that physicians have managed to loosely piece together. These individuals are an enigma, for it is they who are the ones that we might expect to hold a more profound understanding of the consequences of lax security, or, in some cases, no security at all. Thank you for this piece.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/29/2014 | 1:17:17 PM
Re: Accounting standard or security standard?
@Ed Telders: Agreed, and that is precisely why I have asked for either the SAS 70 or SSAE 16. I wanted to know how religiously they followed their controls and to judge their "level of maturity" as you had put it.
Ed Telders
50%
50%
Ed Telders,
User Rank: Apprentice
10/29/2014 | 11:41:23 AM
Re: Accounting standard or security standard?
The SAS 70 was sunsetted in 2011 and replaced by the SSAE16 auditing standards.  They come in three flavors in the SOC1, SOC2, and SOC3 audit reports.  For each of them the reports can be a Type 1 or a Type 2.  In a Type 1 the audit simply looks at documentation and assesses them based on policies and statements, the Type 2 is where the controls are actually tested.  Naturally you want the Type 2.  Also the SOC1 is essentially the same as the old SAS 70 in that it is used to measure financial transactions and financial reporting.  Many have used that in the past as a means to assess vendors for security, although the SAS 70/SOC1 was never intended to be a security tool.  It does not assess the CIA triad nor does it look at actual enterprise security, only a subset of that.  The SOC2 Type 2 is the tool you want to look for to actually make a determination of the security posture and maturity of a vendor you're considering.  I would also recommend you review the detailed findings and managment responses to those findings to determine if any of them are of concern to you.  If for example, the audit has a finding detecting servers that are not patched, managment then responds that they have remediated them since the audit field work it sounds pretty reasonable.  Unless the number of servers found unpatched is larger than a reasonable number (ex. 100 out of 500 total) which would indicate a material procedural problem with that vendors processes.  The details can be a gold mine of information that can help you make a solid decision between vendors.  And yes the smaller "boutique" vendors and "startups" frequently haven't created this level of maturity that would be more typical of larger well-established providers, so buyer beware.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/29/2014 | 11:29:30 AM
Re: Accounting standard or security standard?
Yes, SAS 70 is an auditing standard designed to perform an in-depth examination of control objectives and activities. During the performance of this audit by an independent accounting and auditing firm, an organization's written controls are verified by auditing the actual activities related to the controls. These controls also include those specific to Information Technology and related processes. What I wanted to see was whether or not potential business partners actually practiced the controls they had in place, especially those specific to IT.
DBAJRACHARYAN/A
50%
50%
DBAJRACHARYAN/A,
User Rank: Apprentice
10/29/2014 | 9:55:04 AM
Accounting standard or security standard?
Is not SAS70 an auditing standard? Are you looking for data security standard or financial stability of the organization?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/29/2014 | 9:03:49 AM
Re: public safety
The theft of personal information in healthcare has been pretty well documented (the prices for PII on the black market are at a record high). But my guess it will ake some life threatening medical event to shake consumer confidence in Healthcare IT -- and spur more serious action . For the power grid, holding a nation to a ransom in order to turn the lights back on is a really scary scenario.
Page 1 / 2   >   >>


7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16029
PUBLISHED: 2020-01-26
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. Th...
CVE-2020-3115
PUBLISHED: 2020-01-26
A vulnerability in the CLI of the Cisco SD-WAN Solution vManage software could allow an authenticated, local attacker to elevate privileges to root-level privileges on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerabi...
CVE-2020-3121
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient validation of user-supplie...
CVE-2020-3129
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker c...
CVE-2020-3131
PUBLISHED: 2020-01-26
[CVE-2020-3131_su] A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition. The attacker needs a valid developer account to exploit this vulnerability. The vulnerability i...