Policy & Compliance

Table of Contents

SOX


General

To Sort:

  • Documentation for OpenSCAP Base
  • Penetration Testing Shouldn't be a Waste of Time - Jim Bird
  • COBIT 2019 Publications & Resources
  • Moldovan bank fraud scandal - Wikipedia
  • The Red Book: A Roadmap for Systems Security Research
  • Sheltered Harbor FAQ
  • FFIEC Cybersecurity Resource Guide for Financial Institutions (2018)
  • Cloud Controls Matrix Working Group
  • Please don’t kill your CISO if he doesn’t know how a virus works - M S Sripati
  • The normalization of deviance in healthcare delivery - John Banja
  • Understanding Security Regulations in the Financial Services Industry - David Hoelzer

  • COMPLY

    • Comply is a SOC2-focused compliance automation tool. Policy Generator: markdown-powered document pipeline for publishing auditor-friendly policy documents. Ticketing Integration: automate compliance throughout the year via your existing ticketing system. SOC2 Templates: open source policy and procedure templates suitable for satisfying a SOC2 audit.
  • When to Test and How to Test It - Bruce Potter - Derbycon7

    • “I think we need a penetration test” This is one of the most misunderstood phrases in the security community. It can mean anything from “Someone should run a vulnerability scan against a box” to “I’d like nation-state capable actors to tell me everything that’s wrong with my enterprise” and everything in between. Security testing is a complex subject and it can be hard to understand what the best type of testing is for a given situation. This talk will examine the breadth of software security testing. From early phase unit and abuse testing to late phase penetration testing, this talk will provide details on the different tests that can be performed, what to expect from the testing, and how to select the right tests for your situation. Test coverage, work effort, attack simulation, and reporting results will be discussed. Also, this talk will provide a process for detailed product assessments, i.e., if you’ve got a specific product you’re trying to break, how do you approach assessing the product in a way that maximizes your chance of breaking in as well as maximizing the coverage you will get from your testing activity.