The Anti-Checklist Manifesto

44CON Information Security Conference via YouTube Direct link

Classroom Contents

  1. Intro
  2. The Anti-Checklist Manifesto: Thoughts On Assessing Third Party Risk
  3. Chances are, a business team set the deliverables. The legal team discussed the contract terms. Only then did the compliance and infosec team get brought in. Odds are, engineering wasn't consulted at all.
  4. What Is To Be Done?
  5. Ask questions. Up front.
  6. A preliminary security speed bump at the start of a bake-off can prevent teams from wasting their time.
  7. Speed bump. No more than 10 questions.
  8. To work, these questions must be simple, and proxies for 'Security'.
  9. Do you encrypt all our data in transit, and at rest within your systems? Are all our data segregated from other customers' data?
  10. Please describe the architecture and segregation of customer data within S3 buckets/blob/etc. storage.
  11. Describe your internal authentication regime.
  12. Please describe how you maintain least privilege in your environments.
  13. Do any of your internal systems use static credentials? How do you audit their use?
  14. How do you manage secrets in your production and non-production environments?
  15. Do you have a named executive responsible for security? What is their title, and to whom in the organization do they report?
  16. Do you have written information security, data security, encryption, acceptable use, and physical security policies?
  17. Does your company require all engineers to undergo regular secure coding training?
  18. PISA: security questions before a bake-off. You still need DD; this just disqualifies providers. SOC2 is not a free pass [butland]. Lack of SOC2 isn't a disqualifier (use VSA Core). Seek sensible answe…
