Infosec Policies Posts

Cyber Security, Infosec Policies, Infosec Training

7 Fast Steps for FTC Safeguards Rule Compliance

Every small business is unique and should consult a qualified attorney for advice on the FTC Safeguards Rule. But as cybersecurity professionals, we believe you should have access to a way to jumpstart your effort while you work with counsel on any particulars unique to your situation. So, today we're offering extremely actionable steps that would be a great start towards some of your FTC Safeguards Rule obligations. Let's cut straight to the chase:

Cyber Security, Infosec Policies, Vendor Onboarding

The #1 Policy Request in a Vendor Risk Assessment

We recently dug through 100+ vendor risk assessment templates and released some of our initial findings. We're motivated to understand the prevailing norms in these assessments and questionnaires because our clients frequently find themselves on the receiving end of them. When we do a good job of helping our clients predict which security questions are likely to arise, it helps them decide which security controls to push closer to the top of the prioritization stack. One topic that is almost always covered in a vendor risk assessment is infosec policies and infosec plans: 88% of the vendor risk assessments in our analysis contained questions about plans and policies.

Cyber Security, Infosec Policies, SOC 2

Movies, Photographs, and SOC 2 Type 1 vs Type 2

Would you rather talk about movies, photographs, or SOC 2 Type 1 vs Type 2?  If your answer was "all of the above" then you've come to the right place.

Amongst companies evaluating the possibility of obtaining a SOC 2 report, there's been some confusion about the difference between SOC 2 Type 1 and Type 2. Let's see if we can clear that up; here's what the AICPA says about it.

Enterprise Security Questionnaires, Infosec Policies

Uncovering Hidden Annual Security Requirements

As the end of the year approaches, hidden annual security requirements tend to pop up at the least convenient time.  Although we're glad to spring into action to help bail out companies that have some last-minute cybersecurity obligation that needs "doing" before December 31st, we'd rather help you avoid that type of scramble altogether in the future.  Here are the top ways that you can sniff out hidden annual security requirements well in advance, to avoid a scramble.

Cyber Security, Implementation, Infosec Policies

The Wasteful Pursuit of Security Theater

Anytime you see security policies or practices implemented in a way that seems to be more for appearances than for genuine security protection, beware that you may be witnessing Security Theater.  Be skeptical if and when you see it.

At Havoc Shield we have no interest at all in helping companies go through the motions: we're interested in helping companies improve their security posture every week, every month, and every year, reducing the chance that they fall victim to cyberattacks. In this article, we'll share some of the key indicators of Security Theater -- each of which is a practice that we strongly dislike.

Cyber Security, Infosec Policies, Infosec Training

Your Incident Response Plan depends on Talent Acquisition

If you are a Havoc Shield client, we hope you've rolled out an Incident Response Plan in the Policy Manager section of the platform. Whether you accept our battle-tested templates outright or make some surgical modifications, it's important to get the plan into the hands of those who will participate in it. You know the drill: planning for the worst, hoping for the best, as they say. If you aren't a Havoc Shield client, we hope you've rolled out a similarly battle-tested plan.

With your plan in the hands of your team members, now is also a good time to talk about the hidden connection between Incident Response Plans and Talent Acquisition, especially if you are at the type of company that we typically serve - angel-backed, venture-backed, and growth companies.

Infosec Policies

How BYOD Policies Catch You Up to Reality

Does your company have BYOD policies? For those unfamiliar with the term, BYOD is "Bring Your Own Device" -- and BYOD policies define what the company does (and doesn't) allow when it comes to handling company business on your own devices. When the term BYOD first entered the vernacular of IT and compliance teams, it usually referred to employees using their own smartphone or tablet. More recently, however, it has come to include any personal device -- laptops, tablets, smartphones, and anything else.
