
Brian Kirk



My Content

1 to 20 of 26 total
Posted By Brian Kirk 05-30-2024 07:14:00 AM
Found In Egroup: CIO
I searched for this topic and saw some posts a year ago when this was announced but just a reminder that Microsoft plans to retire A1 Plus for Faculty and Students on August 1st of this year. Good write-up here from Microsoft on how to see if you're impacted. https://www.microsoft.com/en-us/educatio ...
Posted By Brian Kirk 04-19-2024 08:39:00 PM
Found In Egroup: Cybersecurity
For those schools running Palo Alto GlobalProtect VPN that are concerned about potential impact, I just wanted to note that Palo Alto seems to have a process now that scans technical support files (TSFs) and can determine if your device was impacted and at what level (0-3). Results are returned for ...
Posted By Brian Kirk 10-06-2023 08:23:00 AM
Found In Egroup: CIO
For those who do not have a virtual desktop environment currently configured, the "enterprise browser" market appears to be a disruptive technology that allows organizations to present web applications to any computer without the need for virtualization software or VPN connectivity. In addition to providing ...
Posted By Brian Kirk 08-25-2023 06:31:00 AM
Found In Egroup: Cybersecurity
The email posted above by Jesse is identical to the note my client received ------------------------------ Brian Kirk Vice President, Cybersecurity Services Strata Information Group ------------------------------
Posted By Brian Kirk 08-25-2023 06:21:00 AM
Found In Egroup: Cybersecurity
Yes, I have a client that has been looking into this email all week. Feel free to message for details. Thanks for posting this thread; I've been wondering if this was widespread. ------------------------------ Brian Kirk Vice President, Cybersecurity Services Strata Information Group ------ ...
Posted By Brian Kirk 07-21-2023 06:15:00 AM
Found In Egroup: Cybersecurity
Ron, For a low-cost SIEM, if you have some storage and the ability to add a virtual machine, check out Graylog at graylog.org (they have a free version). It's a great log storage and correlation platform and it can be implemented with no licensing costs. I know many organizations that have implemented ...
Posted By Brian Kirk 07-20-2023 10:40:00 AM
Found In Egroup: Cybersecurity
Ron, I'm sure you will get a lot of different opinions, but one thing to perhaps consider is to outline where your school currently stands against an industry framework and then seek tools to meet the controls where you have gaps. The problem with looking at tools first is that many vendors advertise ...
Posted By Brian Kirk 07-18-2023 07:47:00 AM
Found In Egroup: Cybersecurity
Tara, I recently worked with an insurance provider that required the reauthentication settings that Eric highlighted that he has in place at the University of Nebraska. They also required a demonstration that all local administrative privileges had been removed. They would NOT issue coverage until ...
Posted By Brian Kirk 06-29-2023 05:41:00 AM
Found In Egroup: Cybersecurity
The communications from NSC are vague, making it difficult to determine next steps. You cannot communicate with impacted individuals until you receive more specifics from them. In the interim, a few things to consider: 1) Communicate the notification to campus leadership and explain that student information ...
Posted By Brian Kirk 05-24-2023 12:31:00 PM
Found In Egroup: CIO
I haven't done the transition at a University but I was responsible for switching a Fortune 500 to RFC 1918 addresses and we had over 300 locations. The thing to consider is that you don't have to 'big bang' the transition. Key devices like servers, switches and routers can be multi-homed (have your ...
Posted By Brian Kirk 05-01-2023 04:05:00 PM
Found In Egroup: Cybersecurity
Bing, Tough one here, as it's not a one-size-fits-all method to be in compliance. I was hoping others would weigh in on this to describe what they have in place. I think it's best to review the commission's notes on this subject here to get a better understanding of intent. Regarding SOC2 certification, ...
Posted By Brian Kirk 04-04-2023 06:29:00 AM
Found In Egroup: Cybersecurity
Good narrative here on what the commission was looking for in this report. Schools have significant latitude as to how to format this report. As with any type of report to a non-executive audience, I think you want to keep it very high level with little technical jargon. SIG has helped prepare these and ...
Posted By Brian Kirk 03-02-2023 12:11:00 PM
Found In Egroup: Cybersecurity
I really like the language in Benjamin's policy. As Rusty mentioned, it's common in higher education environments to have adjunct accounts that are dormant for several months for normal reasons, and this is an area where schools often decline to adhere to framework guidelines (CSF, NIST, etc.) regarding ...
Posted By Brian Kirk 02-14-2023 10:04:00 AM
Found In Egroup: Cybersecurity
Great points Jarrett! Very helpful. I don't think they can update the published audit objective until the new Safeguards Rule is in effect. Who knows, it could even be delayed again. It will be interesting to see when the new controls will be part of the compliance audit, but if I had to guess I think ...
Posted By Brian Kirk 02-13-2023 10:39:00 AM
Found In Egroup: Cybersecurity
I would love to hear Jarrett's answer to your questions Tom, but it's my understanding that as of 2019 this is included in the Federal Single Audit, which requires internal and external CPAs to audit against the requirements. https://www2.ed.gov/about/offices/list/oig/nonfed/cpa1901.pdf I think the ...
Posted By Brian Kirk 02-13-2023 08:13:00 AM
Found In Egroup: Cybersecurity
Thanks for posting this Jarrett. I read the new post a few times and to me it seems like they wanted to issue a 'cleaner'/less technical communication on what's expected and what could be audited. It outlines the 9 elements that auditors will want to see documented in a school's written information security ...
Posted By Brian Kirk 01-23-2023 11:23:00 AM
Found In Egroup: Cybersecurity
For those choosing to do their own assessment, this is the best resource I could find on what is expected by the Commission. It goes into the thought process behind the risk assessment requirement and some of the objections raised (and denied). https://www.federalregister.gov/d/2021-25736/p-207. ...
Posted By Brian Kirk 01-19-2023 08:20:00 AM
Found In Egroup: Cybersecurity
Two blogs for review. The first is Shopify outlining your responsibilities when using their platform https://www.shopify.com/enterprise/pci-compliance-checklist The second is from Arrow Payments outlining how using P2PE devices can reduce (but not eliminate) your compliance scope: https://arrowpa ...
Posted By Brian Kirk 01-19-2023 06:35:00 AM
Found In Egroup: Cybersecurity
Many organizations use a third-party payment processor like Shopify to process payments so they do not have to become PCI compliant. The key is to architect your site/solution so that you are never processing/storing any merchant data. When it's time for payment, the site users would be redirected to the ...
Posted By Brian Kirk 01-06-2023 10:02:00 AM
Found In Egroup: Regulated Information Security Compliance
No Ricardo, I think you have it right. As part of a firm that was pursuing becoming a CMMC auditor, I sat through the DoD audit and it is extensive. Some of the controls that we felt had subjective language were not viewed that way by the DoD. For instance, they required an MFA login to every computer ...