How to Use Privacy KRIs to Predict Future Risks
GDPR enforcement has kicked off, and the CCPA countdown has begun. With the threat of significant penalties for non-compliance looming, many organizations are placing a greater focus on data privacy. But is “checking the box” on compliance the only (or best) way to evaluate the effectiveness of your program?
Companies working to develop privacy programs that adapt with regulatory, industry, and technology change need a way to quantify and prioritize privacy risk. Privacy key risk indicators (KRIs) are designed to do exactly this. KRIs quantify the anticipated risks associated with an area of your privacy program, so you can prioritize risk mitigation appropriately, set clear objectives for your program, and establish a privacy risk appetite. In this post, we will look at how to apply KRIs, how to use the types of KRIs, and how to design a KRI framework for your privacy program.
Why compromise just one website when you can compromise a whole bunch of them all at once?
8 Areas to Include in SAP Access Control Testing
Information Technology General Controls (ITGC) are the basic controls that can be applied to IT systems such as applications, operating systems, databases, and supporting IT infrastructure. The objective of ITGCs is to ensure the integrity of the data and processes the systems support.
Your SAP ERP applications cross all four systems: IT Infrastructure Applications, Databases, Operating Systems, and the Application Layer. Access control tests, our central focus for this post, are targeted at the Application Layer of your SAP applications. In a recent post, we discussed the importance of security health checks in monitoring SAP access, and today we want to continue the access security conversation by examining the importance of ITGC Access Controls testing in an SAP environment.
Let’s Get Cracking: A Beginner’s Guide to Password Analysis
The Focal Point Attack & Penetration team performs many internal penetration tests that culminate in a compromise of Windows Active Directory domains and access to the password hashes of all domain users. Like many teams that provide pen testing services, we have a high-powered GPU-based password-cracking rig that we use to recover high-value or time-sensitive passwords. But sometimes we’re on-site without access to our VPN or we’re in the the reporting window following a test, and someone is using the rig for an active test. Whatever the reason, we still get a lot of mileage from the classic password cracker, john, even in this age of GPU-based cracking with hashcat (which we also love but is not the focus of this post).