The Law Offices of Mary N. Chaney, P.L.L.C.
The Cyber Security Law Firm of Texas

Mary's Blog

The Breach Whisperer

About Mary....

Mary N. Chaney, Esq., CISSP® is a former Special Agent for the FBI where she investigated cybercrime, a seasoned corporate executive that built and operated information security teams and now a cybersecurity attorney.

As a self-described “Breach Whisperer” our firm can train your company to properly prepare for your eventual breach!

The overall goal of our firm is to use our wealth of knowledge and expertise to help support, translate and advise, Boards of Directors, CIO's, CISO's and General Counsel's on how to legally protect their company from cyber related risk.

Blog Entries


Frameworks do work!

See Article Here

If your vendor risk program solely relies on public information available about your vendor through various tools, contract language and long questionnaires it may be time to take another look at how you are managing those risks. Historically, maybe this would suffice, however the better you are in your cyber security and privacy programs the more likely an attacker will go to the next weaker link. We all remember how Target had it's breach, it was an attack leveled against their a HVAC vendor. 

The attached article talks about a new council, the Provider Third Party Risk Management Council, which is made up of healthcare CISO's wanting to work together to require its vendors be HITRUST Common Security Framework Certified. I think it is important that any sized organization use a framework whether it be HITRUST, NIST, FISMA, ISO/IEC 27001, etc. to, if nothing else, get a comprehensive view of what a cyber security and privacy programs should cover. It is also important to understand as the last line in the article suggests "The risks involved with a one- to three-person transcriptionist service that uses one method of obtaining and then sending results back to their healthcare clients is going to be different from the vendor used to constantly monitor and process the data within the same provider's patient implanted medical devices."

In other words, what is reasonable for one organization may not be necessary for the other and it is important that companies, especially small and mid-sized, understand their risk and address those risk through the use of an overall framework specific to their business processes.