What to Tell the Board of Directors About Security and Privacy

Recently at a conference I had the honor to be on a panel discussing security and privacy. I was asked to start with the following question: what should we be telling the board of directors about security and privacy? Given the current general state of cyber security, I would be tempted to say “Boys and girls, you are so screwed!” But seriously, I can condense what the board must know into two main points: 1) your organization must have written policies and procedures to reasonably detect and mitigate cyber security incidents; and 2) don’t let your technical staff decide what level of risk your organization is to accept.

Vendor Contract Checklist

Don’t forget to include a review of your contracts with vendors when reviewing your own security compliance. Here is the short version of my checklist for vendor contracts:

5 types of “security audits”

We are often told by clients that they want a security audit. The word “audit” is often inappropriate. Here are five types of security evaluations and their goals and audiences:

1) Vulnerability Tests
2) Penetration Tests
3) Risk Assessments
4) Compliance Audits
5) Due Diligence Questionnaires

After the Breach: Legal and Technical Issues

Long before it actually happens, every organization should prepare for when their networks are breached. Do you even know what you have to do? This presentation will discuss legal notification requirements and some of the technical solutions that reduce the reporting requirements and protect your firm. This discussion is intended to familiarize CIOs and staff with the legal issues before their firm lawyers ever get involved. We will cover:

1) Factors in deciding whether to act for litigation or solely for recovery
2) What kinds of internal investigations are protected from discovery in litigation and, more importantly, what kinds are not
3) Who can and should do your data forensics
4) Existing breach notification requirements in Texas, the rest of the United States, and the world
5) The trend in breach notification
6) Notifications required in Texas that are not triggered by a breach

Joel Colvin has been a security consultant since 1992 and an attorney since 2015. If you would like to know more or have a version of this presentation at your organization, please contact him at jcolvin@jcolvinlaw.com.

Information Classification Should Drive IT Planning

Houston IT Symposium – 2019

Information classification is an integral part of implementing an information security framework and performing risk assessments. Proper classification leads to the selection of appropriate controls. When the goal of information security is to protect, how can this be done without knowing what value differing information types have to the organization? What’s more, information classification can be the method to trigger technology planning for the whole organization well beyond the selection of security controls.

DKIM – DomainKeys Identified Mail

1. What is DKIM?

DKIM is short for DomainKeys Identified Mail. The current specification for DKIM is RFC 6376 (http://www.ietf.org/rfc/rfc6376.txt). DKIM permits organizations to add a header to emails carrying a cryptographic signature that other organizations can verify independently. The independence is achieved by the receiving MTA looking up the DKIM resource record in DNS for the domain named in the signature. Successful DKIM verification generally means that the signer has authorized the email and that a basic set of headers has arrived unmodified.
