Profile

CommunityPlatform_1350x900.jpg

Timothy Pinkham

Edit My Profile


My Content

1 to 20 of 30 total
Posted By Timothy Pinkham 05-08-2024 01:02:00 PM
Found In Egroup: Cybersecurity and Privacy Governance, Risk, and Compliance
\ view thread
Greetings, Henry, Our official information security team is relatively new (started in 2018), so we're just now developing our risk management program as well. So I don't have years of experience to help supply answers, but I'd be happy to talk about how we're building our program and the things ...
Posted By Timothy Pinkham 02-26-2024 12:08:00 PM
Found In Egroup: Cybersecurity
\ view thread
Currently, we send customized annual self-assessment questionnaires to departments who interact with in-scope customer information. These are intended to address "foreseeable internal and external risks". Then we review responses, look for areas of improvement, and assign risk levels and recommended ...
Posted By Timothy Pinkham 01-24-2024 09:18:00 AM
Found In Egroup: Cybersecurity
\ view thread
The first thing that comes to mind is Whistic. You could check them out in case they meet your requirements. ------------------------------ Timothy Pinkham Information Security Analyst Biola University timothy.pinkham@biola.edu ------------------------------
Posted By Timothy Pinkham 01-23-2024 05:26:00 PM
Found In Egroup: Cybersecurity and Privacy Governance, Risk, and Compliance
\ view thread
Greetings, Is anyone using Tandem for governance, risk, and compliance at your university? If so, can you provide your opinions and insights about the product? I've been reviewing several GRC products to help us simplify our risk and compliance efforts. One of the products I've been ...
Posted By Timothy Pinkham 11-28-2023 03:06:00 PM
Found In Egroup: Cybersecurity
\ view thread
Will you please provide your recommendations for GRC and employee cybersecurity training vendors/services? We don't have a GRC tool yet. We attended a demo with SaltyCloud (Isora) and were impressed with it. Are there any better GRC services than this? If so, why? For employee data security and ...
Posted By Timothy Pinkham 11-20-2023 11:18:00 AM
Found In Egroup: Cybersecurity
\ view thread
I have a few GLBA questions related to 314.4: How does your institution satisfy 4(d)(2) of the Safeguards rule (continuous monitoring or periodic vulnerability assessments)? Is a CrowdStrike Falcon Complete, plus annual penetration testing, adequate to satisfy this requirement? Or is something ...
Posted By Timothy Pinkham 10-11-2023 03:40:00 PM
Found In Egroup: Cybersecurity
\ view thread
Thank you for all your input! It's great to hear how others are thinking about this. I appreciate you taking time to post images and tables and links to resources. ------------------------------ Timothy Pinkham Information Security Analyst Biola University ----------------------------- ...
Posted By Timothy Pinkham 10-03-2023 09:39:00 AM
Found In Egroup: Cybersecurity
\ view thread
Does anyone know if there is a comprehensive standardized list of risk factors? (for the cybersecurity field) Let's say you need to complete a risk assessment for something - compliance, vendor review, or something else. As you identify risk factors, you need names for them. This is where the standardized ...
Posted By Timothy Pinkham 08-25-2023 09:21:00 AM
Found In Egroup: Cybersecurity
\ view thread
Greetings, I'd appreciate input from anyone with GLBA / Safeguards Rule compliance experience. The FTC's Safeguards Rule says in section 314.4(b): Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, ...
Posted By Timothy Pinkham 04-28-2023 09:05:00 AM
Found In Egroup: Cybersecurity
\ view thread
Thank you, everyone, for your responses! These are incredibly helpful. ------------------------------ Timothy Pinkham Information Security Analyst Biola University ------------------------------
Posted By Timothy Pinkham 04-24-2023 04:38:00 PM
Found In Egroup: Cybersecurity
\ view thread
What method does your institution use for shredding sensitive documents? We want to improve the reliability of securely shredding paper documents, and I'm trying to determine a cost-effective and efficient solution. Here are the three options I'm considering: Purchase a large industrial shredder ...
Posted By Timothy Pinkham 01-25-2023 01:02:00 PM
Found In Egroup: Cybersecurity
\ view thread
Dylan, Thank you for such a helpful and thorough response! I communicated with a Shopify rep yesterday, and I can confirm some of what you've said. Here's what I found out: The Tap & Chip Reader (model S1801) is a PCI PTS-approved device (approval no. 4-30353). The device does not accept ...
Posted By Timothy Pinkham 01-19-2023 12:54:00 PM
Found In Egroup: Cybersecurity
\ view thread
Thank you to everyone for your valuable input. Once clarification about the SAQ B-IP: I didn't think this would apply since it applies to PTS-approved payment terminals. Here's their definition of PTS: "Acronym for "PIN Transaction Security," PTS is a set of modular evaluation requirements managed ...
Posted By Timothy Pinkham 01-18-2023 05:26:00 PM
Found In Egroup: Cybersecurity
\ view thread
I've been reviewing some Shopify products for use on campus. I have some questions that some of you might have answers for. For their SaaS solution, which they claim is PCI-compliant, would we have any PCI requirements? Or because THEY are the merchant, is compliance their responsibility? ...
Posted By Timothy Pinkham 12-09-2022 03:12:00 PM
Found In Egroup: Cybersecurity
\ view thread
The part I'm still hung up on is defining the scope and boundaries. What is included and what isn't? I read carefully through the 314 document and the Bank Holding Company Act of 1956 1843(k)(4). The only applicable financial services I can identify are loans and insurance. But when I look at other ...
Posted By Timothy Pinkham 09-23-2022 02:58:00 PM
Found In Egroup: Cybersecurity
\ view thread
I want to revive this topic. I would still like to know if anyone has answers to my original questions, and I have new questions. Which departments do you include in your GLBA risk assessments each year? Why those departments? How do you determine what questions to include on your assessment questionnaires? ...
Posted By Timothy Pinkham 09-12-2022 04:49:00 PM
Found In Egroup: Cybersecurity
\ view thread
Randy, Do you track or manage student or adjunct computers? I'm wondering if you have any assets that classify as authorized unmanaged untracked assets. That would also mean that it's possible to have an authorized non-enterprise asset, right? ------------------------------ Timothy Pinkham ...
Posted By Timothy Pinkham 09-12-2022 01:34:00 PM
Found In Egroup: Cybersecurity
\ view thread
Thank you, Randy! Can you tell me what the definition of "unauthorized asset" is? We're working through our 1.1 policy (with the help of the CIS enterprise asset management policy template). We're having difficulty locking in certain terms because "unauthorized asset" isn't clear to us. Is it ...
Posted By Timothy Pinkham 09-12-2022 12:08:00 PM
Found In Egroup: Cybersecurity
\ view thread
I like what you're doing here, Neal! I'd love to have a version with our logo. ------------------------------ Timothy Pinkham Information Security Analyst Biola University ------------------------------
Posted By Timothy Pinkham 09-08-2022 03:16:00 PM
Found In Egroup: Cybersecurity
\ view thread
Thank you, Tony! I appreciate your input! ------------------------------ Timothy Pinkham Information Security Analyst Biola University ------------------------------