Security Basics mailing list archives

RE: Binary Analysis with Internal Solutions


From: "Mikhail A. Utin" <mutin () commonwealthcare org>
Date: Fri, 27 Jul 2012 10:44:41 -0400

Just to add a practical note.
For people involved in HIPAA related compliance, such an estimate of risk can be done pretty easily. That is my own finding 
I would like to share.
Department of Health and Human Services (DHHS) and the Centers for Medicare and Medicaid Services have a checklist named 
"Sample - Interview and Documents Request for HIPAA Onsite Investigation and Compliance Reviews". This document will 
very likely be the basis for the preventive audit of HIPAA compliance starting in 2013 across the US. So, basically print the 
list and put check marks next to p.2 required items. Of course, items are not equal in their weight, so you can sort 
them down to "critical", "important", "not-so-important" (you cannot say to the US Government that something in its document 
is not important :)). Then use your imagination to create a compliance estimate based on the number of "critical" and 
"important" items that your organization lacks or has only partially implemented. And finally you can give your management the current 
compliance rate in percent. Sounds like a dream?
I think that having two "critical" items failed will mean audit failure. What does it mean for your organization? Ask the 
boss.

Regards

Mikhail Utin, CISSP

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Simon Thornton
Sent: Wednesday, July 25, 2012 4:25 AM
To: security-basics () securityfocus com
Subject: RE: Binary Analysis with Internal Solutions

  
As you say, a full risk assessment is often not justified; however, I would counter that the issue is not at the level 
of the security specialists but at management level. We generally understand the issues and the relative importance; 
however, at the management level the understanding is often minimal and it can boil down to equating perceived security 
risk to business risk and time = money arguments: why should I spend the money? You don't need to write a book, just 
enumerate your thought processes and why you think it is necessary. If you can convince them once to do such an 
exercise then the rationale can be used again.

Rgds, 

Simon 

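The checklist scoring that Mikhail sketches (tiering items as critical / important / not-so-important, giving partial credit for half-implemented controls, reporting a percentage, and treating two missing critical items as a likely audit failure) can be captured in a few lines. The following is an added example and not code from either poster; the tier weights, the partial-credit factor and the sample item names are assumptions, not the contents of the DHHS/CMS document.

```python
"""Weighted checklist scoring for a HIPAA compliance self-estimate.

Added example, not part of the original mailing-list thread. The tier
weights, the credit given for "partial" status, the sample items and the
"more than one critical failure means a likely audit failure" rule are
assumptions modelled on the post; the real DHHS/CMS checklist items are
not reproduced here.
"""
from dataclasses import dataclass

# Assumed weights per tier: critical items count most toward the rate.
TIER_WEIGHT = {"critical": 3, "important": 2, "not-so-important": 1}

# Assumed credit per implementation status (a partial control earns half).
STATUS_CREDIT = {"implemented": 1.0, "partial": 0.5, "missing": 0.0}


@dataclass
class Item:
    name: str
    tier: str    # one of TIER_WEIGHT
    status: str  # one of STATUS_CREDIT


def compliance_rate(items):
    """Return the weighted compliance rate in percent, rounded to 0.1."""
    total = sum(TIER_WEIGHT[i.tier] for i in items)
    if total == 0:
        return 0.0
    earned = sum(TIER_WEIGHT[i.tier] * STATUS_CREDIT[i.status] for i in items)
    return round(100.0 * earned / total, 1)


def audit_outlook(items, max_critical_failures=1):
    """Apply the post's rule of thumb: more than `max_critical_failures`
    critical items missing is reported as a likely audit failure.
    Returns (verdict, list of missing critical item names)."""
    failed = [i.name for i in items
              if i.tier == "critical" and i.status == "missing"]
    verdict = "FAIL" if len(failed) > max_critical_failures else "PASS"
    return verdict, failed


# Constructed sample checklist; item names are placeholders chosen for
# the example, not the actual DHHS/CMS request list.
SAMPLE = [
    Item("Risk analysis documented", "critical", "implemented"),
    Item("Access control policy", "critical", "missing"),
    Item("Audit log review procedure", "critical", "missing"),
    Item("Workforce security training", "important", "partial"),
    Item("Contingency plan tested", "important", "implemented"),
    Item("Workstation use policy", "not-so-important", "missing"),
]

if __name__ == "__main__":
    rate = compliance_rate(SAMPLE)
    verdict, gaps = audit_outlook(SAMPLE)
    print(f"Compliance rate: {rate}%  audit outlook: {verdict}  critical gaps: {gaps}")
```

With the sample data above the weighted rate comes out at 42.9% and the outlook is FAIL, because two critical items are missing; the percentage alone would hide that, which is why the two numbers are reported together.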



