Profile


Jim Dillon

My Content

1 to 10 of 10 total
Posted By Jim Dillon 01-19-2024 01:24:33 PM
Found In Egroup: Cybersecurity
Scott, Given the indicated competencies, if they pursued a CIA (Certified Internal Auditor) or CISA (Certified Information Systems Auditor) certification there would be a high chance of placement in an audit function. These certifications are not absolute requirements; some organizations will want ...
Posted By Jim Dillon 02-23-2023 10:28:30 AM
Found In Egroup: Cybersecurity
Michael, That's why I had the small tag about except "where a compliance mandate doesn't care and we agreed to accept its prescription by engaging" buried at the end of my musings. Generally our organizations will have (not all I've noticed) some sort of ethics policy that calls out complying with ...
Posted By Jim Dillon 02-23-2023 09:56:30 AM
Found In Egroup: Cybersecurity
Yeah Clark, the challenge of all this is that a password as a solitary control isn't incredibly effective under sophisticated and dedicated attack regardless. Particularly when the current mode is simply to trick someone into revealing credentials, and we as humans are so awfully uncontrollable. Watching ...
Posted By Jim Dillon 02-22-2023 07:26:34 PM
Found In Egroup: Cybersecurity
All, Pardon and ignore the TMI moment below unless you are really struggling with how to assess your own password practice. I included a number of thoughts from the risk/control perspective of a long-time IT practitioner and GRC-focused internal IT auditor that I think can be helpful if you are unsure ...
Posted By Jim Dillon 01-19-2023 06:06:23 PM
Found In Egroup: Cybersecurity
Clark, First, I didn't say they were poor quality passwords. That said, today's high quality passwords are tomorrow's low quality passwords; that is the unstoppable trend. 1000 ways to get a poor quality password unrelated to whether or not you force change cycles. Also accepting/piggy-backing Stefan's ...
Posted By Jim Dillon 01-19-2023 12:10:54 PM
Found In Egroup: Cybersecurity
It also: Compensates for other basic security hygiene failures (e.g. failed access deprovisioning). Creates an awareness opportunity. Complicates social discovery and history accumulation mechanisms attackers may employ (e.g., pattern recognition). Can support "lifetime account" measures/practice ...
Posted By Jim Dillon 01-19-2023 10:13:59 AM
Found In Egroup: Cybersecurity
The University of Colorado hit the newspapers, had to provide privacy/identity coverage, and suffered a lot of bad public press for two incidents in recent years that could be assigned to vendors; the most recent was the Atlassian breach. Atlassian was breached to my understanding, not any CU system, ...
Posted By Jim Dillon 01-13-2023 11:25:27 AM
Found In Egroup: IT Governance
Piet, I've worked at a couple of institutions and collaborated with a few more. So far not impressed with the successfulness of any of them at IT Governance. Here's what I've seen: They tend to include an executive version and subcommittees, each a pool of shared governors. They tend to meet infrequently. ...
Posted By Jim Dillon 09-12-2022 05:05:25 PM
Found In Egroup: Cybersecurity
Timothy, I think the process of having to configure certain settings and allow for a university device wipe and "find my device" on my personal phone in order to use it on the enterprise network is one of those "authorization" steps for a non-enterprise asset since it is the same phone I might play ...
Posted By Jim Dillon 09-12-2022 04:48:00 PM
Found In Egroup: Cybersecurity
I'll give you (not you Randy, the original poster!) an auditor's take on how we would interpret this concept. 1. It is contextual to the amount/type of control you've placed on the risk of implementing a new system. If as a risk appetite decision you have decided to let all individuals install any item ...