News Article

Focal Point Recognized as a 2018 SailPoint Delivery Admiral

Tampa, FL – January 30, 2019 – Focal Point, a market-leading risk management firm, announced today that it has been named a SailPoint Delivery Admiral, a designation given to SailPoint’s most successful partners in 2018.

Data Privacy Day 2019: Privacy Trends to Watch in 2019

It's hard to believe it's already Data Privacy Day 2019. At this point last year, the data privacy world was in an all-consuming scramble to prepare for the GDPR. In some ways, we've come a long way since then - the GDPR is here, many companies have adjusted, and new laws and trends are beginning to edge into the spotlight. But in other ways, much is still the same - organizations are still redesigning key privacy processes (thanks to the CCPA), we're still waiting on federal legislation in the U.S., and breaches and fines are still piling up. A lot happened in 2018, and we could spend days reflecting on all the changes we saw. But on Data Privacy Day 2019, we'd like to take a few minutes to look ahead at what 2019 has in store for the world of data privacy.

2018 in Review: A Year of Internal Penetration Testing

I had a manager who liked to say, "There are no advanced techniques – only the basics, mastered." While I'm not sure that always applies to this field, I think the core lesson holds a lot of wisdom for information security professionals. So, in the interest of getting better at the basics, I reviewed our 2018 penetration testing projects and reports to see what issues were at the heart of these engagements. Even though each assessment took place in a different environment, noteworthy trends became apparent as I looked at them side by side. I focused on internal penetration testing engagements, which occur from within a client network and allow our team to identify security risks posed by an attacker who has bypassed the external defenses (through phishing, vulnerable applications, etc.) or gained physical access to the network as an employee, contractor, or visitor. These assessments give us a unique perspective on an organization's security posture. During this process, I looked at the exploit chain (the discrete steps taken between gaining network access and achieving the assessment goals) for each engagement and identified the most prominent issues repeated across internal testing engagements. This allowed me to see what the most successful attacks have been and what the most effective mitigations might be. In this post, I’ll examine five of the most common issues found in internal environments throughout 2018 that directly contributed to domain, system, and data compromise:

Prevention Is the Best Medicine: A Guide to SAP Security Health Checks

Preventative ongoing maintenance and monitoring of your users’ SAP security access is critical to avoiding significant deficiencies or control weaknesses. A governance, risk, and compliance (GRC) tool (such as SAP GRC, Control Panel, ComplianceNow, ERP Maestro) is a great start, but there is more to monitor! System parameters and client settings are also part of your audit but are outside the monitoring scope of most GRC applications. Regular security health checks are key to (1) identifying these access issues before they spiral out of control, (2) mitigating the risk from control deficiencies, and (3) ensuring your security administrators are following best practices. In an SAP environment, security health checks are periodic assessments of key application-layer ITGC controls related to user access. They should cover sensitive access monitoring, general access monitoring, and mitigating control assignment, as well as any other ITGC controls your external auditor may assess.

Understanding the Differences between PIAs and the GDPR’s DPIAs

Since May 25, 2018, organizations have been required to perform data protection impact assessments (DPIAs) under the General Data Protection Regulation (GDPR). Organizations use DPIAs to assess whether certain data processing activities are a risk to the rights and freedoms of individuals. However, because DPIAs are similar in name to the much more familiar PIA (privacy impact assessment), there has been some confusion among privacy and risk management teams, who have mistakenly considered them the same type of assessment. But DPIAs and PIAs are actually very different, helping teams achieve separate goals and assess different areas of privacy. This post focuses on the key differences between these two types of assessments and the roles they each play in a GDPR-compliant privacy program.

Case Study: Implementing SailPoint’s IdentityIQ for a National Water Company

Client Overview: One of the largest and most geographically expansive water utility companies located in both the United States and…

Thinking Inside the Box: A Guide to Configuring Your Database Monitoring Solution

Database activity monitoring is an integral part of an organization's security. But without a well-configured database monitoring solution (DMS), you can get lost in the noise, unable to focus on suspicious or inappropriate activity. In this guide, our experts lay out a step-by-step approach to configuring your DMS...

Your Roadmap to U.S. Breach Notification Laws

Keeping up with each state's data breach notification laws is close to impossible. That's why we created this handy guide - a quick reference to all 50 states and...

Enabling Key SoD Controls in a Workday Environment
