My thoughts, observations, and readings on different facets of GRC.
What is an IDOR vulnerability? IDOR stands for Insecure Direct Object Reference and is a type of access control vulnerability. An access control vulnerability is when an attacker can gain access to information or actions not intended for them. An IDOR vulnerability can occur when a web server receives user-supplied input to retrieve objects (files,…
The HITECH Act HITECH is an acronym for Health Information Technology for Economic & Clinical Health. How is HITECH Act related to HIPAA? The HITECH Act is a part of an economic stimulus package introduced in 2009 during the Obama administration, the American Recovery and Reinvestment (ARRA) Act of 2009. The purpose of the HITECH…
Authorization A Covered Entity (CE) is not allowed to share or disclose Protected Health Information (PHI) for reasons other than those specifically allowed by the HIPAA Privacy Rule. The Privacy Rule covers allowable usage and disclosure of PHI including to whom the information can be disclosed and under what circumstances the information can be shared….
Having worked in the healthcare industry for almost a year now, I feel compelled to simplify the requirements of HIPAA compliance. I hope this and the upcoming articles in the series will help you to better understand these requirements. The purpose of this series is to give an introduction to the HIPAA (Health Insurance Portability…
Cloud Computing – storing your data at someone else’s computer / using someone else’s CPU to perform processing / both Infrastructure as a Service (IaaS) – Hardware, bare-metal Platform as a Service (PaaS) – Infrastructure + Operating System Software as a Service (SaaS) – Infrastructure + Operating System + Software Scalability – Easily grow based on demand Elasticity – Easily shrink…
ISACA’s CGEIT certification is aimed at IT professionals responsible for directing, managing, and supporting the governance of IT. I passed the ISACA’s CGEIT exam on Apr 26, 2020. Here’s a brief of my preparation strategy and the resources I used. Strategy: Like previous ISACA and (ISC)2 certifications, I started with the CGEIT Review Manual from ISACA…
What is Microsegmentation? The idea behind Microsegmentation is to split a single corporate network into lots of multiple application/workflow networks that are separated by a firewall to achieve better speed and security. This process of having a dedicated microsegment also helps reduce the attack surface on a network and make the trust regions smaller. Though…
Vulnerability Management (VM) is one of the most important exercises for keeping a system secure. In his post, I would sum up the different phases of Vulnerability Management. But before that, I would like to clarify the distinction between Vulnerability Management and Penetration Testing (PT). Difference between VM and PT VM is the practice of…
Many people use ‘Accreditation’ and ‘Certification’ interchangeably, but they are not the same. Certification is a technical review that assesses the security mechanisms and evaluates their effectiveness. Accreditation is management’s official acceptance of the information in the certification process findings. For example, if a company is planning to undergo an ISO 27001 certification. The company…
I was going through ISO 27001 and COBIT to understand the Third-Party (or vendors) Risk Management process in detail. And though both the frameworks provide enough guidance on ensuring the proper due diligence on the vendors, I could not find any material on what happens before the vendors are onboard – how does the Information…