Logical Writing Solutions, Inc.

OUR BLOG

HITRUST Requirement for "Independent Review of Information Security" Causes Questions

10/23/2020

Photo by Mike van Schoonderwalt from Pexels
Organizations preparing for HITRUST certification typically have questions around Control Reference 05.h Independent Review of Information Security: "The organization's approach to managing information security and its implementation (control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, at a minimum annually, or when significant changes to the security implementation occur."

The first question is typically: Does the requirement for an "independent" review necessitate hiring external auditors? The second question is often: How does this differ from other review requirements?

Defining independent: The first question is easy. "The review ... is carried out by individuals independent of the area under review (e.g., the internal audit function, an independent manager or a third-party organization specializing in such reviews)," according to the Level 1 notes for 05.h in the HITRUST Common Security Framework (CSF). In addition, the HITRUST glossary defines Independent as "With respect to an assessor or measure, one that is not influenced by the person or entity that is responsible for the implementation of the requirement/control being evaluated or measured." So an independent review can be conducted either by staff in a separate department or on a separate team from the function being reviewed, or by an external team.

"Review of the organization's approach to managing information security and its implementation:" Baseline requirements are a subset of the 700+ potential HITRUST controls, selected for the organization based on its answers to scoping questions. At a minimum, in addition to the independent review, baseline requirements for assessments or reviews typically include:
  1. A HITRUST validated assessment (recertification) every other year.
  2. A HITRUST interim assessment in the alternating years.
  3. An annual review of the Information Security Management Program (ISMP) or set of information security policies (Control Reference 00.a Information Security Management Program).
  4. A risk assessment of the scoped environment that addresses all HITRUST domains (Control Reference 03.b Performing Risk Assessments).
  5. Penetration testing (Control Reference 10.m Control of Technical Vulnerabilities).

In addition, these organizations may also be subject to SOC, PCI DSS, ISO 27001, or other independent reviews whose scopes may or may not line up exactly with the HITRUST scope.

So how does the independent review add to or fit with the other assessment requirements? The answer depends on the baseline requirements selected for that organization. In addition to the baseline requirement statements, organizations should also look at the "illustrative procedure" (IP) language for the selected 05.h baseline requirements to understand how they will be tested. (Organizations can export a spreadsheet from the reporting section of MyCSF that includes the baseline requirements and the IP language for each requirement across the areas HITRUST assessors evaluate: policy, process/procedure, implemented, and sometimes managed and measured.) With a solid understanding of the organization-specific controls, the organization must consider whether its existing assessment efforts are sufficient. If no gaps are present, the organization may create an assurance plan specifying how the independent review requirements are met by existing efforts instead of performing an additional review. Any baseline requirements that are not already met must also be addressed.

Keep in mind that if an organization wants to achieve HITRUST certification efficiently, it should not treat the full HITRUST CSF as equivalent to its scope. Not all CSF "Implementation Requirements" apply to every organization. Organizations should set the CSF aside and focus primarily on their baseline requirements and IPs, reviewing the CSF for context only.

Top Security Podcasts

10/2/2020

Photo by Gritte on Unsplash
By Ann Grove, Logical's President

Added Hacker Valley and other updates: 10/2/2020
Original post: 8/2/2017

If you are looking for ways to keep your finger on the pulse of security, podcasts fit the bill. Here are some of our favorite security podcasts, in alphabetical order.
  1. Brakeing Down Security covers a range of topics such as conferences, software bloat, containerization, and technology culture. Hosts Bryan Brake, Brian Boettcher, and Amanda Berlin broadcast every week or two.
  2. Crypto-Gram Security Podcast is Bruce Schneier's newsletter, read by Dan Henage. Schneier covers news and books that are often overlooked by others.
  3. Cyber Security Interviews offers insights into the minds of security thought leaders and the direction of the industry.
  4. The CyberWire podcast lineup includes a daily 20-minute podcast covering news and commentary about cyberspace.
  5. Defensive Security Podcast is a deep dive into recent cyber security breaches with Jerry Bell and Andrew Kalat.
  6. DevSecCon (previously The Secure Developer) covers application security, security tools for developers, and development best practices. Guy Podjarny, CEO at Snyk, launched this podcast in 2016.
  7. Down the Security Rabbithole Podcast provides "a business-first approach" to security hacks, risks, and threats.
  8. Hacker Valley Blue by Ron and Chris (a friend of mine) focuses on threat intelligence. Coming soon: Hacker Valley Red, focused on the human element of security.
  9. ITSPmagazine discusses security within the context of IT, privacy, and society.
  10. Malicious Life by Cybereason tells the unknown stories of the history of cybersecurity, with comments and reflections by real hackers, security experts, journalists, and politicians.
  11. Paul's Security Weekly (aka PaulDotCom), in play since about 2005, hasn't published for some time, but some of the team's other shows, including Enterprise Security Weekly, are still in play.
  12. Risky Business has been hosted by Patrick Gray since 2007, with security luminaries providing commentary. For instance, a 2020 episode discusses identity as the new perimeter.
  13. SANS Internet Storm Center StormCast delivers daily security threat updates in 10 minutes or less for the TL;DR crowd.
  14. Security Now! with Steve Gibson and Leo Laporte focuses in part on the evolution of threats, vulns, and security, with a smattering of news and trends. On the air since 2005.
  15. 7 Minute Security Podcast has been talking about pentesting, blue teaming, and building a career in security since 2004. Bonus: Check out host Brian Johnson's original song, CryptoLocker'd, inspired by a client experience in 2017.
  16. Social-Engineer Podcast (broken link in 2020) is about the risks humans create when interacting with technology.
  17. Unsupervised Learning Podcast features Daniel Miessler providing perspective on the human impact of technology and security. It's Daniel's summary of 20 hours of reading each week.

Let us know if you have any podcasts to add! 


About Ann

Ann Grove, president of Logical, is Logical's lead consultant. Logical's clients include security and compliance vendors as well as penetration test consultants.


Amazon Web Services: Permission No Longer Required to Test Security for 8 Services

3/3/2019

By Ann Grove, Logical's President

Amazon recently changed its policy so that customers and their security consultants can perform security assessments, without pre-approval, on customer-owned AWS resources that use eight key services:
  • Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
  • Amazon RDS
  • Amazon CloudFront
  • Amazon Aurora
  • Amazon API Gateways
  • AWS Lambda and Lambda Edge functions
  • Amazon Lightsail resources
  • Amazon Elastic Beanstalk environments

Teri Radichel alerted the security community to the change on Twitter on March 1. Amazon has since acknowledged the change.

Previously, penetration testers looking for security weaknesses on AWS had to request permission a week before testing, and AWS sometimes requested additional information.

This follows Microsoft's lead. Microsoft dropped pre-approvals for Azure in 2017; no pre-approval is required when penetration testing Azure resources.

Both providers test the security of their own cloud infrastructure and allow customers to conduct certain types of additional testing against their own resources. Although pre-approvals are no longer required, testers still need to follow each provider's other rules and conditions for testing: the policies continue to limit testing to resources the customer owns and to list prohibited activities (for example, denial-of-service testing), so the scope of a cloud engagement should still be checked against the provider's current policy before testing begins.


Newsflash: That Thing You Just Created Already Has a Brand

2/12/2019

By Ann Grove, Logical's President

Note from Ann: I wrote a draft of this article in 2012 and just stumbled across it today. Still true!
 
Whatever you are bringing to the market, you really don't need to create a brand, because whatever you want to brand, even if it is "brand new," already has some brand attributes.
 
A brand is simply the feelings or themes associated with an item or experience. When people think of you, your company, or your products or services, they probably already have some adjectives in mind. That is a brand.
 
What can have a brand? Practically any noun has a brand. Your dog, cockroaches, a bridge you travel, your mother-in-law, the governor, and Homeland Security, to name a few. Each evokes a certain connotation when mentioned. Even some experiences such as sky diving have a brand.
 
Examples:

  • An employee says, "That team is difficult to work with." That team's brand includes the theme "not helpful."

  • A user says, "Rather than improve my efficiency, this piece of software is making me less productive." That software product's brand includes the theme "not intuitive" or "buggy."

  • An employee has a great reputation for getting things done. That person's brand includes the theme "productive."


So what about a completely new company, product, or service? Surely that doesn't have a brand, right? Well, brand attributes are transferable. For instance, customers could hear about a new offering and say: "I am not going to buy that, because once you sign a contract with that type of offering or company, you don't get the promised support." A new company also takes on attributes from its founders.
 
So really your goal in a branding exercise is to better manage or even change your brand's themes and messages, and also to differentiate your brand so that it is distinguishable from other brands. You want to influence the picture that pops into people's heads when they think of your brand. That's not always as simple as adjusting your messaging; in fact, often, especially with mature brands, upleveling brand perception requires a dedicated effort to deliver the delightful customer experience the brand already aspires to.
 
Yes, it can be hard work. But since the market consistently moves to commoditize every product and service to create a race to the bottom for costs and fees, brand management and brand differentiation are absolutely necessary for brand success.
 
Other thoughts
 
Here are some related topics I might hit in future articles:

  • Branding is about perception, not reality.
  • Be willing to hear about negative things people say about your brand, so you can address them.
  • Brand magic: Be who you say you are.
  • Why do some brands succeed in the short-term and fail in the long-term?
About Ann
 
Ann has been writing about branding since at least 2007, when she created a job hunter boot camp titled "Personal Marketing 101: The Brand Called You." She would love to work with you on your next white paper project or any other compliance or security documentation you need. Reach Ann using the Contact page.

Win Ratios as High as 75%

2/9/2019


By Ann Grove, Logical's President
Photo credit: Unsplash
True story: I once helped a client go from winning an average of one out of 10 Requests for Proposal (RFPs) to winning 12 out of 15. In other words, they went from a 10% win ratio to 75%. For my three crazy months with them, we won won won.
 
Another success: a different client had an existing customer that issued an RFP specifically written to my client’s perceived weaknesses. After reviewing our response, the customer canceled the RFP and continued retaining my client.
 
More typically, I help organizations that have a 10 to 15% win ratio; together we increase the win ratio to 35 to 50%.
 
A good foundation
 
Of course, these organizations have a good foundation to build on. They typically have an understanding of their own strengths and the strengths of competitors, a system to identify opportunities, and a system to make good go/no-go decisions to ensure they aren't shooting blind. They also have some great, willing client references. Still, the win ratio doesn't align with these strengths.
 
Incorrect focus
 
The most common problem that depresses an organization's win ratio is that it values holding down expenses more than it values increasing sales. It saves money by not hiring a skilled RFP writer, or perhaps not hiring enough of them, or not deploying technologies that allow a team to scale. Therefore, a significant portion of RFP responsibilities falls to others such as sales, business development, administrative, and technical personnel. Although some organizations believe that sales and business development professionals are well positioned for proposal development because they are intimately familiar with clients and sales messaging, these people are talkers, not writers. Because the gold is still in the phone for the most part, let's keep those people talking and find someone else to do the writing. But don't look to technical and administrative staff to pick up the slack; they are unlikely to get exceptional results given the burdens of their primary (sometimes billable) roles.
 
Some bad math
 
The irony is that making do in this case doesn't actually make sense mathematically. How much is an organization saving if the lack of a solid proposal generation infrastructure is keeping the win ratio at 10 to 15% instead of 35 to 50%? Besides suppressing revenue, this approach holds down the average deal size, significantly limits the number of RFPs an organization can pursue, and distracts the organization from its core work.
 
Win more often
 
Even without a dedicated writer, it is possible to win more often by doing what that top-notch writer would do. He or she would help the proposer differentiate and stand apart from competitors based on factors in addition to price.
 
Think about the RFP process: it is designed to create a level playing field so that the buyer can compare apples to apples. An RFP demands a structured response that drives buyers and proposers to view offerings as commodities, with a heavy emphasis on price. In fact, the RFP system is founded on the belief that all offerings are roughly equivalent.
 
The only way to combat this push toward commoditization is differentiation. The winning offer stands out from the pack, demonstrating that the winner is proposing not merely an apple but a superior fruit. The response points out how the buyer would not be well served by an apple. This doesn't eliminate consideration of price, but it does demote its importance by placing it within the context of other factors. I'm not talking about using slippery sales language. I'm talking about helping the buyer understand its true needs. For instance, my responses often include follow-up questions that the buyer may want to put to short-listed vendors, to deepen the buyer's understanding of the proposed offerings.
 
Conclusion
 
Let’s get to the bottom line. What is required to win more often? An organization begins winning more when it realizes that the RFP response and any short-list presentation are opportunities to address the requirements hidden behind the stated RFP requirements.
 
About Ann
 
Ann Grove, president of Logical Writing Solutions, Inc., helps security teams and security vendors with all sorts of communication, including RFP responses, proposals, and statements of work. She also helps enterprises with security policies and documentation. Learn more at https://www.logicalwriters.com or call Ann at +1.717.891.3282.


© copyright 2021 Logical Writing Solutions, Inc.