Physical Facility Access Policy Best Practices | A SOC 2 Primer

Physical security is not just a concern for large companies. A small business also needs an established physical security policy to protect its physical assets and give its employees a sense of protection and safety. In this policy, you define the controls, monitoring, and removal of physical access to your company’s facilities. Here are five practices for writing your office physical security policy: Create an access control system

Implement a BYOD Policy | Best Practices for SOC 2 Compliance

Writing Your BYOD Policy: This article will point you to the core concepts of BYOD, removable device, and cloud storage policies so that you understand best practices before writing your own. Removable media, cloud storage, and BYOD devices can be a quick and convenient way for employees to handle data. But with this convenience comes some serious security concerns. Unprotected removable storage is an easy entry point for end users to

Automating Access For On-Call

If you manage any system that requires consistent availability, you are probably already familiar with services like PagerDuty. For those unfamiliar with on-call management, it is a class of services that integrates with your monitoring and alerting systems to ensure that someone is notified of issues in a timely manner. Typically there is a team that shares the responsibility of being on call on a

Why ASICS Digital Builds 12-Factor Apps with a Focus on Infrastructure

How ASICS Digital Created a Culture of 'You Build It, You Run It': John Noss is a Senior Site Reliability Engineer at ASICS Digital, formerly Run Keeper. In this talk, he shares how ASICS Digital builds 12-Factor apps with an emphasis on infrastructure. Listen as he walks through how and why they built a dev culture of 'You Build It, You Run It', and download the slides now.

How Hearst Eliminates DevOps Complexity — An Architecture Review

Hearst Eliminates DevOps Complexity with Automation: Jim Mortko is responsible for leading all Internet-based engineering and digital production efforts, along with ecommerce and marketing initiatives that support Hearst Magazines’ diverse units, including 20 U.S. magazines, Hearst Digital Media, the Hearst App Lab and Hearst Magazines UK. He is credited with spearheading the launch of five internal systems, along with supporting the launch of more than 10 websites. In this talk,

How Betterment Secures Server Access – Automate the Boring Stuff

Chris Becker, SRE, Betterment: Chris Becker is an SRE at Betterment. Previously, he did similar work on Warby Parker's Infrastructure team. At Betterment, he earned the label APT (advanced persistent threat) thanks to consistently tripping alarms with his peculiar scripts and commands. In this talk, he discusses how Betterment's approach to server access controls evolved as the team grew exponentially. With more people and keys to manage, the SRE team

Log management best practices: auditing production systems

Log Management Best Practices

Why would I need to audit my production systems? First reason: legal requirements. Some regulated environments require that access to and actions on a database be tracked. The image below is a capture of version 3.2.1 of the PCI DSS standard. For health data, the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information is a bit less prescriptive, but the obligation still results in a good audit system being in place: “Persons and entities

DevSecOps Conference Highlights | Speakers from Splunk, Betterment, Fair, ASICS

See What You Missed: Watch highlights from all the speakers. Why ASICS Digital Builds 12-Factor Apps with a Focus on Infrastructure, by Laura Franzese, August 1, 2019 (Blog, Conference, Uncategorized): How ASICS Digital Created a Culture of You Build It, You Run It. John Noss is a Senior Site Reliability Engineer at ASICS… How Hearst Eliminates DevOps Complexity — An Architecture Review, by strongDM, July 31, 2019 (Blog, Conference)

How Splunk Built A Practical Approach to DevSecOps At Scale

What Splunk Does: Joel Fulton is the Chief Information Security Officer for Splunk. At Splunk, they have put effort into transforming their organization from a waterfall approach to agile, and now to a DevSecOps approach. In case you're not familiar, Splunk is a software development company focused on machine data aggregation. They collect your data onto your on-prem systems and count on you to manage and protect it. Splunk relies on

How To Make Network Segmentation More Secure And Less Difficult For Everyone

Why Network Segmentation Is Hard: Very few things frustrate me more than administrative roadblocks that slow me down or make it more difficult to do work. I want to get from staging to production with as little interference as possible. The question every engineering team faces is how to allow that without compromising security. That’s the challenge of network segmentation. The goal is a segmentation strategy that creates enough segmentation
