If, like me, you attend a lot of cybersecurity conferences, you can’t help but have noticed that one of the recurring themes is greater information sharing as a way of improving the security posture of the wider community. So, in that spirit, we present some of the very useful resources which we regularly refer to and from which we gain knowledge.
The publications and blogs listed here cover a broad spectrum of data security, information governance and security innovation. I think everyone will find some interesting thoughts or practical advice which they can apply and share in their own organisations.
There are some excellent information security documents both of general interest and also specific to particular sectors like financial services and healthcare. The UK Government has begun publishing reports and resources like the cyber assurance framework, which are available to download free of charge.
ENISA has a series of papers on cloud security, including what features to look for in a cloud provider and the importance of mapping your infrastructure. The Cloud Security Alliance, although slightly commercial in my opinion, also publishes some interesting material that is worth your time.
The Verizon Data Breach Investigations Report is published every year and is a document we use all the time at VigiTrust. It’s very highly regarded inside and outside the industry. Similarly, the Experian Data Breach Industry Forecast is always a useful point of comparison with other reports that detail what goes wrong when a data leak or breach occurs. On a related note, the Ponemon Institute always produces very highly regarded industry studies. Its 2016 report on the cost of data breaches was produced in association with IBM.
If you’ll permit me a quick plug, I was part of the special interest group that worked on the PCI DSS third-party assurance guide. It covers vetting, selecting and on-boarding vendors with the right contracts and the right termination clauses, and I highly recommend it. It also covers a subject we’ve spoken about on this blog, namely the importance of educating your people in order to boost your cybersecurity profile.
The Information Governance Initiative might not be familiar to all readers. It’s an initiative run out of New York, with the premise of building a movement to create a chief information governance officer role. The group’s Annual Report 2015-2016 raises many interesting and thought-provoking issues, such as knowing what data you have and where you hold it, the rules that should apply to that data during its lifetime, and its eventual destruction.
More good reading can be found in the Institute for Critical Infrastructure Technology’s Hacking Healthcare IT. The group also publishes a similar report for the financial services industry.
This is just a brief selection of some of the reading material I personally find valuable, and I hope you do too. Newsletters are another excellent source of security thinking. They include ARMA, the association for records managers, and you can subscribe to the ARMA newsletter without being a member. Legal tech news also provides a useful perspective.
If there are other trusted sources you would like to recommend, please let us know and we can link to them on the blog. Email us or talk to us and let’s share.