Profile

CommunityPlatform_1350x900.jpg

Timothy Pinkham

Edit My Profile

My Content

1 to 20 of 29 total

RE: Inquiry: How Does Your Organization Meet GLBA's 'Periodic' Risk Assessment Criteria?

Posted By Timothy Pinkham 02-26-2024 12:08:14 PM
Found In Egroup: Cybersecurity \ view thread
Currently, we send customized annual self-assessment questionnaires to departments who interact with in-scope customer information. These are intended to address "foreseeable internal and external risks". Then we review responses, look for areas of improvement, and assign risk levels and recommended ...

RE: Outsource Vendor Security Risk Management- Hecvat

Posted By Timothy Pinkham 01-24-2024 09:18:00 AM
Found In Egroup: Cybersecurity \ view thread
The first thing that comes to mind is Whistic. You could check them out in case they meet your requirements. ------------------------------ Timothy Pinkham Information Security Analyst Biola University timothy.pinkham@biola.edu ------------------------------

Tandem for GRC?

Posted By Timothy Pinkham 01-23-2024 05:26:00 PM
Found In Egroup: HEISC Governance, Risk, and Compliance \ view thread
Greetings, Is anyone using Tandem for governance, risk, and compliance at your university? If so, can you provide your opinions and insights about the product? I've been reviewing several GRC products to help us simplify our risk and compliance efforts. One of the products I've been looking at ...

GRC and employee training recommendations?

Posted By Timothy Pinkham 11-28-2023 03:06:00 PM
Found In Egroup: Cybersecurity \ view thread
Will you please provide your recommendations for GRC and employee cybersecurity training vendors/services? We don't have a GRC tool yet. We attended a demo with SaltyCloud (Isora) and were impressed with it. Are there any better GRC services than this? If so, why? For employee data security and privacy ...

GLBA Safeguards Rule 4(d) and 4(g) questions

Posted By Timothy Pinkham 11-20-2023 11:18:00 AM
Found In Egroup: Cybersecurity \ view thread
I have a few GLBA questions related to 314.4: How does your institution satisfy 4(d)(2) of the Safeguards rule (continuous monitoring or periodic vulnerability assessments)? Is a CrowdStrike Falcon Complete, plus annual penetration testing, adequate to satisfy this requirement? Or is something more ...

RE: Standardized list of risk factors?

Posted By Timothy Pinkham 10-11-2023 03:40:17 PM
Found In Egroup: Cybersecurity \ view thread
Thank you for all your input! It's great to hear how others are thinking about this. I appreciate you taking time to post images and tables and links to resources. ------------------------------ Timothy Pinkham Information Security Analyst Biola University ------------------------------

Standardized list of risk factors?

Posted By Timothy Pinkham 10-03-2023 09:39:00 AM
Found In Egroup: Cybersecurity \ view thread
Does anyone know if there is a comprehensive standardized list of risk factors? (for the cybersecurity field) Let's say you need to complete a risk assessment for something - compliance, vendor review, or something else. As you identify risk factors, you need names for them. This is where the standardized ...

GLBA questions about risk management and change management

Posted By Timothy Pinkham 08-25-2023 09:20:46 AM
Found In Egroup: Cybersecurity \ view thread
Greetings, I'd appreciate input from anyone with GLBA / Safeguards Rule compliance experience. The FTC's Safeguards Rule says in section 314.4(b): Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, ...

RE: Your method for shredding sensitive paper documents?

Posted By Timothy Pinkham 04-28-2023 09:04:31 AM
Found In Egroup: Cybersecurity \ view thread
Thank you, everyone, for your responses! These are incredibly helpful. ------------------------------ Timothy Pinkham Information Security Analyst Biola University ------------------------------

Your method for shredding sensitive paper documents?

Posted By Timothy Pinkham 04-24-2023 04:38:00 PM
Found In Egroup: Cybersecurity \ view thread
What method does your institution use for shredding sensitive documents? We want to improve the reliability of securely shredding paper documents, and I'm trying to determine a cost-effective and efficient solution. Here are the three options I'm considering: Purchase a large industrial shredder ...

RE: PCI compliance requirements for merchants like Shopify?

Posted By Timothy Pinkham 01-25-2023 01:02:26 PM
Found In Egroup: Cybersecurity \ view thread
Dylan, Thank you for such a helpful and thorough response! I communicated with a Shopify rep yesterday, and I can confirm some of what you've said. Here's what I found out: The Tap & Chip Reader (model S1801) is a PCI PTS-approved device (approval no. 4-30353). The device does not accept PIN entry ...

RE: PCI compliance requirements for merchants like Shopify?

Posted By Timothy Pinkham 01-19-2023 12:54:26 PM
Found In Egroup: Cybersecurity \ view thread
Thank you to everyone for your valuable input. Once clarification about the SAQ B-IP: I didn't think this would apply since it applies to PTS-approved payment terminals. Here's their definition of PTS: "Acronym for "PIN Transaction Security," PTS is a set of modular evaluation requirements managed ...

PCI compliance requirements for merchants like Shopify?

Posted By Timothy Pinkham 01-18-2023 05:26:00 PM
Found In Egroup: Cybersecurity \ view thread
I've been reviewing some Shopify products for use on campus. I have some questions that some of you might have answers for. For their SaaS solution, which they claim is PCI-compliant, would we have any PCI requirements? Or because THEY are the merchant, is compliance their responsibility? Shopify ...

RE: Gramm-Leach Bliley Act (GLBA) Safeguards Rule Compliance Status

Posted By Timothy Pinkham 12-09-2022 03:11:32 PM
Found In Egroup: Cybersecurity \ view thread
The part I'm still hung up on is defining the scope and boundaries. What is included and what isn't? I read carefully through the 314 document and the Bank Holding Company Act of 1956 1843(k)(4). The only applicable financial services I can identify are loans and insurance. But when I look at other ...

RE: GLBA compliance questions.

Posted By Timothy Pinkham 09-23-2022 02:58:00 PM
Found In Egroup: Cybersecurity \ view thread
I want to revive this topic. I would still like to know if anyone has answers to my original questions, and I have new questions. Which departments do you include in your GLBA risk assessments each year? Why those departments? How do you determine what questions to include on your assessment questionnaires? ...

RE: CIS controls - Has anyone implemented them?

Posted By Timothy Pinkham 09-12-2022 04:49:09 PM
Found In Egroup: Cybersecurity \ view thread
Randy, Do you track or manage student or adjunct computers? I'm wondering if you have any assets that classify as authorized unmanaged untracked assets. That would also mean that it's possible to have an authorized non-enterprise asset, right? ------------------------------ Timothy Pinkham Information ...

RE: CIS controls - Has anyone implemented them?

Posted By Timothy Pinkham 09-12-2022 01:34:00 PM
Found In Egroup: Cybersecurity \ view thread
Thank you, Randy! Can you tell me what the definition of "unauthorized asset" is? We're working through our 1.1 policy (with the help of the CIS enterprise asset management policy template). We're having difficulty locking in certain terms because "unauthorized asset" isn't clear to us. Is it more ...

RE: Free National Cybersecurity Awareness Month video

Posted By Timothy Pinkham 09-12-2022 12:08:00 PM
Found In Egroup: Cybersecurity \ view thread
I like what you're doing here, Neal! I'd love to have a version with our logo. ------------------------------ Timothy Pinkham Information Security Analyst Biola University ------------------------------

RE: CIS controls - Has anyone implemented them?

Posted By Timothy Pinkham 09-08-2022 03:16:18 PM
Found In Egroup: Cybersecurity \ view thread
Thank you, Tony! I appreciate your input! ------------------------------ Timothy Pinkham Information Security Analyst Biola University ------------------------------

RE: CIS controls - Has anyone implemented them?

Posted By Timothy Pinkham 09-08-2022 09:46:23 AM
Found In Egroup: Cybersecurity \ view thread
I have a question about Safeguard 15.1, which states: "Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. When it says "enterprise contact," does ...