SEC OCIE Guidance on Cybersecurity

The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations has issued new guidance on cybersecurity.

Here is the money quote:

Effective cybersecurity programs start with the right tone at the top, with senior leaders who are committed to improving their organization’s cyber posture through working with others to understand, prioritize, communicate, and mitigate cybersecurity risks. While the effectiveness of any given cybersecurity program is fact-specific, we have observed that a key element of effective programs is the incorporation of a governance and risk management program that generally includes, among other things: (i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address those risks; and (iii) the effective implementation and enforcement of those policies and procedures.

Records Retention and Management Systems

Think about how many documents are created at your company: paper and electronic, every revision of every document, emails, manuals, notes about manuals, meeting summaries, financial spreadsheets, and confidential and sensitive information of all kinds. Even for small companies, the volume of records created is ever increasing. Now think about what would happen if all of those records were made available to your adversaries. That would be a bad day for your company. Now consider that as much as 60 percent of it must be retained to meet regulatory requirements.


What to Tell the Board of Directors About Security and Privacy

Recently at a conference I had the honor to be on a panel discussing security and privacy. I was asked to start with the following question: What should we be telling the board of directors about security and privacy? Given the current general state of cybersecurity, I would be tempted to say “Boys and girls, you are so screwed!” But seriously, I can condense what the board must know into two main points: 1) your organization must have written policies and procedures to reasonably detect and mitigate cybersecurity incidents; and 2) don’t let your technical staff decide what level of risk your organization is to accept.


Vendor Contract Checklist

Don’t forget to include a review of your contracts with vendors when reviewing your own security compliance. Here is the short version of my checklist for vendor contracts:


5 types of “security audits”

Clients often tell us that they want a security audit. The word “audit” is frequently the wrong one. Here are five types of security evaluations, each with its own goals and audience:

1) Vulnerability Tests
2) Penetration Tests
3) Risk Assessments
4) Compliance Audits
5) Due Diligence Questionnaires


After the Breach: Legal and Technical Issues

Long before it actually happens, every organization should prepare for the day its network is breached. Do you even know what you will have to do? This presentation will discuss legal notification requirements and some of the technical measures that reduce the reporting requirements and protect your firm. It is intended to familiarize CIOs and their staff with the legal issues before the firm’s lawyers ever get involved. We will cover:

1) Factors in deciding whether to act for litigation or solely for recovery
2) What kinds of internal investigations are protected from discovery in litigation and, more importantly, what kinds are not
3) Who can and should do your data forensics
4) Existing breach notification requirements in Texas, the rest of the United States, and the world
5) The trend in breach notification
6) Required notifications in Texas that are not triggered by a breach

Joel Colvin has been a security consultant since 1992 and an attorney since 2015. If you would like to know more or have a version of this presentation at your organization, please contact him at

Information Classification Should Drive IT Planning

Houston IT Symposium – 2019

Information classification is an integral part of implementing an information security framework and performing risk assessments. Proper classification leads to the selection of appropriate controls. When the goal of information security is to protect, how can this be done without knowing what value differing information types have to the organization? What’s more, information classification can be the method to trigger technology planning for the whole organization well beyond the selection of security controls.


DKIM – DomainKeys Identified Mail

1. What is DKIM?

DKIM is short for DomainKeys Identified Mail. The current specification for DKIM is RFC 6376. DKIM permits an organization to add a header carrying a cryptographic signature to its outgoing email in a way that other organizations can verify independently. The independence comes from the receiving MTA looking up the DKIM resource record in the DNS of the domain named in the signature and using the public key found there to check the signature. Successful DKIM verification generally means that the signer has authorized the email and that a basic set of headers has arrived unmodified.


(∃x)(Px & Pj & (y)(Py → x=y))

I have a special affinity for logic systems, and this is predicate logic. I also realize this is quite the narcissistic joke, and yet I still find it funny. Here is how to decipher it:
