Through our award-winning IT-GRC platform, SecureAware®, we recently completed an asset-based ASV proof-of-concept demonstration for a very large merchant. This organization has over 3,000 locations globally and manages over 90,000 network assets. The consideration for the integration of asset scan data was two-fold. First, our objective was to prove the ability to automate the process of integrating the raw scan data, by asset type, identified vulnerability, and recommended remediation plan. The remediation plan was also linked (by type / class) to the policy set for instantaneous access by the asset owner. The second objective was to demonstrate the ability to integrate this information into the workflow by assigning the vulnerability to a specific asset owner along with a scheduled completion date, and the ability for the task to be tracked not only by the asset owner but also by the supervisor and any other designated observers / interested parties. This is all being done in an environment that captures timestamps and associated documentation for complete auditability.
Our next steps with this merchant are to collect the specifications for integration of this data into their current network asset compliance system to augment internal tracking, improve workflow, and increase visibility into their IT risk management posture, all in an effort to reduce their costs of compliance in the long run.
Gary B. Blume
Senior Vice President - Corporate and Business Development
Lightwave Security, Inc.
Atlanta, GA
Office: 404.939.8875
Mobile: 404.276.6192
Fax: 404.751.2830
E-mail: gblume@lightwavesecurity.com
Linkedin: http://www.linkedin.com/in/garyblume
Monday, October 25, 2010
Tuesday, October 19, 2010
How to implement ISO 27001 - Free Webinar!

Hello,
I wanted to let you know that we are organizing a free webinar called "How to implement ISO 27001?".
This free one-hour training is designed for organizations that plan to implement ISO 27001, and have no previous experience in such projects. This session will explain all the steps in ISO 27001 implementation, and provide tips on how to proceed with this complex task.
This webinar is in English, and covers the following topics:
- Plan - Do - Check - Act cycle
- ISMS scope
- ISMS policy
- Risk assessment and treatment
- Risk assessment report
- Statement of Applicability
- Risk treatment plan
- Annex A - overview of controls
- Four mandatory procedures
- Document management
- Records management
- Internal audit
- Management review
- Corrective and preventive actions
The webinar is delivered by Dejan Kosutic, author at the Information Security & Business Continuity Academy.
To register for this webinar, please visit: https://www3.gotomeeting.com/register/794135934
About the organizer: Information Security & Business Continuity Academy is the leading online resource for ISO 27001 and BS 25999-2 implementation. Visit http://www.iso27001standard.com/.
Best regards,
Dejan Kosutic
Monday, October 4, 2010
HIPAA Violations Not Always Due to Data Breaches

Contributed By:
Jack Anderson
On an early album, George Carlin (RIP) talked about being raised Irish Catholic. Remarking on mortal sins, he observed that if you woke up in the morning and decided to go across town and commit a mortal sin, you could save your bus fare, because you had already committed a mortal sin just by thinking about committing one.
Similarly, you don't have to have a patient data breach to be in violation of HIPAA rules and regulations. By doing nothing, not even thinking, you have probably already committed a violation.
For example, if you have a business associate (BA) agreement in place, you are required to be compliant with the terms of that agreement, now. If you don't have a breach notification program in place, you are in violation, now.
If you don't have a privacy program in place, you are in violation, now.
But, you say, I am a small company; how would they know? Let me count the ways:
1. Your covered entity detects a pattern of non-compliance, such as you sending unsecured PHI, and is required to either help you fix the problem or sever your contract and report you to HHS.
2. A whistleblower (employee, ex-employee, patient, ex-patient, wife, ex-wife, etc.) reports you in hopes of collecting the reward offered by HHS.
3. An unannounced audit by OCR, the enforcement arm of HHS. They are required by Congress to audit, and have hired an outside firm to begin auditing in Q4 2010.
4. A state attorney general files suit in federal court, as allowed by the HITECH Act.
5. A patient data breach, which must be reported.
The good news is that just starting on a compliance program earns you a lot of points. Also, new cloud computing solutions are cost-effective and efficient for even the smallest companies. A small company can get started for only $125 and can stay compliant, and prove it, for only $35 per month. This is less than your latte budget.