Compass IT Compliance Blog

IT GRC - Let's Talk About Risk!

Earlier this week we discussed IT Governance, Risk, and Compliance (IT GRC) with a specific focus on IT Governance. To read more of that post, click here. Today we are going to focus on the second component of IT GRC, IT Risk.

For consistency with the earlier post, we again use Gartner's definition: IT Risk is "the potential for an unplanned, negative business outcome involving the failure or misuse of IT" (Gartner, 2012). This is a broad definition that could cover many different aspects an organization should be concerned about, and it contains two suggestions about why risk might occur: 

Critical Security Control 19: The Incident Response Plan

In the world of Information Security, we have all heard of the Center for Internet Security Top 20 Critical Security Controls (CSCs), formerly known as the SANS Top 20. This is a list of 20 IT Security Controls that an organization can implement to strengthen its IT Security posture and mitigate the risk of an attack. One of the CSCs that is gaining more and more attention, both in the news and through Regulatory Requirements, is CSC 19: Incident Response and Management.

The HIPAA Risk Assessment - Who Needs One and When?

Healthcare breaches are nothing new; in fact, they appear in the news on a weekly basis. As an example, a Central Florida Oncology provider recently announced that it suffered a data breach at the hands of a hacker, resulting in the compromise of the personal information of 2.2 million individuals. If you want additional proof of the seriousness of Healthcare IT Security and the resulting data breaches, take a journey over to the Department of Health and Human Services Wall of Shame, where you can see the information related to all Healthcare breaches involving over 500 individuals.

IT Risk Assessments and the SANS Top 20 - Part III

As we continue down our journey of discussing the importance of the SANS Top 20 Critical Security Controls, I want to make one important clarification that was brought to my attention by one of the readers of our blog. It should be noted that the controls that we are referring to in these blog posts, and in the blog posts moving forward, are no longer referred to as the SANS Top 20 Controls. Rather, they are now referred to as the Center for Internet Security Critical Security Controls. While there are still 20 of these CSCs and SANS remains critically involved in the development of and contribution to these controls, this is a Center for Internet Security initiative, and they retain the lead on compiling information and changes to these controls, though most people still refer to them as the SANS Top 20. I would like to send a quick thanks to Russ Gallery for bringing this to light and making sure I explain this to our readers! On to CSCs 11 through 15: 

IT Risk Assessments and the SANS Top 20