Podcasts about iso iec

An international standard-setting body composed of representatives from national organizations for standards

  • 116PODCASTS
  • 223EPISODES
  • 39mAVG DURATION
  • 1WEEKLY EPISODE
  • Jun 22, 2026LATEST

POPULARITY

20192020202120222023202420252026


Best podcasts about iso iec

Latest podcast episodes about iso iec

InfosecTrain
Auditing ISO 42001 The 5 Pillars of AI Management System Compliance

InfosecTrain

Play Episode Listen Later Jun 22, 2026 36:37


As AI adoption grows, the ability to audit AI systems will become one of the most valuable skills in governance and compliance. Moving beyond static software, artificial intelligence introduces non-deterministic outputs, model drift, and complex algorithmic risks. In this practical masterclass episode, InfosecTrain provides a thorough breakdown of how to evaluate an Artificial Intelligence Management System (AIMS) under the definitive international standard, ISO/IEC 42001.The "course titled" ISO/IEC 42001 Lead Auditor (LA) Certification Training serves as the ultimate roadmap for risk professionals transitioning into the algorithmic era. We walk through the complete audit lifestyle - from defining boundaries and data lineage during audit scoping to evaluating unique risks like data bias, system transparency, and ethical safety. Learn how to validate machine learning controls, collect defensible model logs as evidence, and structure nonconformity reports that drive continuous optimization.

InfosecTrain
The ISO 42001 Roadmap: Building a World-Class AI Management System

InfosecTrain

Play Episode Listen Later Jun 9, 2026 43:57


AI governance doesn't happen by accident - it requires a structured strategy, clear accountability, and effective execution. As the world's first international standard for AI Management Systems (AIMS), ISO/IEC 42001 is becoming the global gold standard for responsible innovation. In this expert masterclass, InfosecTrain provides a comprehensive walkthrough of the implementation journey, taking you from initial strategy to full-scale operational execution.The "course titled" ISO 42001 Lead Implementer Training is specifically designed to help organizations bridge the gap between AI experimentation and enterprise-grade governance. We break down the lifecycle of building an AIMS, from performing a critical gap analysis to integrating AI-specific controls into your existing business and compliance frameworks. Learn how to manage the unique risks associated with machine learning while maintaining the agility required for 2026's fast-moving technological landscape.

InfosecTrain
Mastering ISO 27701:2025: Navigating Privacy Information Management Systems

InfosecTrain

Play Episode Listen Later Jun 3, 2026 49:16


Privacy compliance is not just documentation - it's evidence, controls, and audit readiness. As global data protection laws tighten across the 2026 corporate landscape, the newly updated ISO/IEC 27701:2025 standard serves as the ultimate benchmark for creating a resilient Privacy Information Management System (PIMS). In this comprehensive masterclass episode, InfosecTrain explores how abstract privacy controls translate directly into concrete audit findings and actionable governance.The "course titled" ISO 27701 Lead Auditor Training provides the perfect blueprint for professionals aiming to blend traditional information security with dedicated data privacy engineering. We dissect the structural relationship between ISO 27701:2025 and ISO 27001:2022, breaking down the full audit lifecycle from initial planning to reporting. Learn how to independently evaluate data controller and processor requirements, conduct thorough root-cause analyses on nonconformities, and implement corrective actions that withstand regulatory inspection.

Hacker Public Radio
HPR4647: UNIX Curio #7 - Compression

Hacker Public Radio

Play Episode Listen Later May 26, 2026


This show has been flagged as Clean by the host. This series is dedicated to exploring little-known—and occasionally useful—trinkets lurking in the dusty corners of UNIX-like operating systems. In UNIX Curio #4 ( HPR episode 4617 ), I teased the subject of file compression. Today I'm circling back to that. The history of data compression goes back at least to the 1970s, and in contexts outside UNIX and computers, probably even earlier. Somehow, it is refreshing to learn that humans have always struggled to have enough storage space to keep all the data they want to hang on to. One way around this limitation is to use some form of compression. I am only going to dive into lossless compression for this episode—that is, a compression method that can be reversed and will spit out the original data bit for bit. Lossy compression methods also have their places: you might be familiar with their use for audio (such as Ogg Vorbis or MP3); it's also used for images (such as JPEG). Lossy compression allows some of the original data to be thrown away, resulting in a smaller file than is possible with lossless compression, but the intent is for the result to still sound or look "good enough" to a human observer. Also, I am going to limit my discussion to generic methods used for many types of data; while FLAC does lossless compression, it is specifically designed just for audio. I should make clear that I have never studied computer science or information theory, so this episode will not get into the science behind various types of compression algorithms and how they differ. But in general, these methods take advantage of the fact that many types of data have recurring patterns. English text mostly consists of words that often re-appear many times—source code similarly has keywords and variable names that recur. Compression is accomplished by representing a piece of data that occurs multiple times with a symbol that is shorter in length. The first compression program in the UNIX world I could find is called pack , from 1978 1 . It was shortly followed in 1979 by a similar program called compact 2 . Both of these used a technique called Huffman coding, but with some differences between them. Files compressed with pack were given a .z extension and compact gave filenames a .C extension. Roughly every five or ten years after this, a new program would come along and achieve lasting popularity. There were, and still are, two opposing forces facing any new form of compression. Working in favor was the advantages it provided—first among these was achieving a better compression ratio, but performance improvements such as speed or reduced memory usage could also be compelling. The force against any new method was the fact that it was not yet widely supported—it doesn't much help to have a smaller file if the people you share it with cannot decompress it. The next major advance in compression arose out of three scientific papers: two in 1977 and 1978 by Abraham Lempel and Jacob Ziv (called LZ77 and LZ78), and one by Terry Welch in 1984 which built on LZ78. This last method is typically referred to as LZW. Our UNIX Curio for today is a program called compress 3 that implements the LZW method. Files compressed this way are named with the extension .Z . I had always assumed that this was to honor Jacob Ziv, but now that I've researched the history, it seems more likely to be a follow-on from how files compressed by pack were named. Since pack did not use any of the Lempel-Ziv methods, I would guess that it used .z because that wasn't already taken by anything else, but that's pure speculation. I do recall encountering .Z files in the wild, but feel certain that hasn't happened in the last 25 years, maybe longer. If you need to expand one of these, uncompress 4 is the program to use ( GNU's gunzip can also handle them 5 ). However, there was a serious problem that arose with the LZ78 and LZW compression methods. Both of them were patented, and the owner became aggressive in seeking payment from developers and users. The compress utility was developed within two months of the publication of Welch's 1984 paper and was included in Bell Laboratories' Eighth Edition UNIX before these shakedowns started. The paper did not disclose that a patent had been filed, and apparently Spencer Thomas and the other developers of compress were unaware of it. The utility became popular for a while, and was even standardized by POSIX, but people moved away from LZW once the legal threats started. Another important advance came in 1991 and was called the DEFLATE compression method. It combined the un-patented LZ77 method with Huffman coding to achieve a similar level of compression as LZW (actually, often better) without the legal trouble. DEFLATE was developed for PKZIP and was soon adopted by the GNU project's gzip compressor. While Phil Katz (the "PK" in PKZIP ) patented one way of implementing the DEFLATE method, it was possible to write a compressor and decompressor without infringing 6 ; also, he apparently never tried to enforce the patent 7 . As I mentioned in UNIX Curio #4, .zip is both an archive and a compression format. Each archive member can be compressed with one of several possible methods (or stored without compression). Unlike a tar file where compression can be applied to the entire archive, in .zip each archive member is compressed individually. This often means a .zip file will be slightly bigger than a tar file with the same contents compressed with gzip , because the .zip format cannot take advantage of duplication that occurs among more than one member of the archive. The vast majority of .zip files use only the DEFLATE and uncompressed storage methods and these are the only options if you want to follow the profile standardized in ISO/IEC 21320-1. Actually, since they both use DEFLATE, gzip is able to extract a .zip file in the special case where it only holds one member compressed with that method. From the 1990s onward, people paid significant attention to avoiding patent landmines, so only methods that didn't have that problem became broadly popular. While the patents on LZ78 and LZW have since expired, I feel like their most successful legacy was in discouraging people from using those methods, leading to DEFLATE taking the popularity crown. The next step came in 1996 and 1997 with the development of bzip and bzip2 by Julian Seward. The original method was quickly followed by bzip2 , which was the version that achieved true popularity. They use the Burrows-Wheeler transform, which does not itself compress data but re-arranges it to make it more compressible; this is combined with other techniques 8 . (At least, that's my understanding. I told you, I'm not up on information theory.) This provides a significant reduction in the compressed size of the data compared to earlier methods—however, it is slower than DEFLATE both during compression and decompression. Separate projects have developed parallel versions of gzip and bzip2 that can take advantage of multi-processor machines, but the original utilities run single-threaded. Another five years later, in 2001, Igor Pavlov added the Lempel-Ziv-Markov chain algorithm (LZMA), an enhancement to LZ77, to his 7-Zip compression tool. This was followed a few years later by LZMA2, a container format that allowed for LZMA compression to be split between multiple threads. Broad LZMA2 support came to the UNIX world in 2009 with the xz utility 9 . It offers roughly similar compression ratios to bzip2 , though it can be better or worse depending on the data to be compressed. While compression generally takes even longer than bzip2 , decompression is significantly faster (though still not as fast as gzip ). The Linux kernel relatively quickly supported booting from xz-compressed images 10 because it was a good match for that use case—compression, the time-consuming activity, only has to be done once while the more frequent decompression during boot happens relatively fast. The last method I will cover is Zstandard 11 , often written as zstd . This came about in 2015, and is another variation on LZ77 that uses finite-state entropy (which means nothing to me, but you might understand it). It performs about as well as DEFLATE in terms of compression ratios, but is much faster both when compressing and decompressing data. I should say that these statements are true with the typical default settings—depending on the compression level selected, it can compress more slowly, but compress the data smaller. However, decompression is always speedier than DEFLATE. This makes it attractive for some uses, and it is heavily promoted by Meta/Facebook, where Yann Collet developed it. For example, shipping large amounts of actively-used data between machines in a data center can go more quickly when the size is reduced; however, if the compression and decompression steps take too long that benefit is lost. A speedy method can be valuable even if it doesn't result in the greatest reduction in size. This use case stands in contrast to, say, a compressed backup file which might only be accessed in a disaster recovery scenario or never accessed at all, making size more important than speed. Both the xz and zstd utilities have some built-in support for multi-threading, but the default is to run in a single thread. While xz can use multiple threads for decompression (but only if the file was compressed in multi-thread mode), the reference zstd utility can only use more than one thread for compression, not decompression. There are many other methods of lossless compression that have been developed over the decades, but I believe these are the ones you are most likely to encounter in the world of UNIX-like systems. This is a personal opinion, and others might choose a different set. As mentioned, it can be tough for a new method to gain popularity and 35-year-old DEFLATE is still probably the most commonly used despite not being the fastest or offering the greatest reduction in size. Even systems like FreeBSD, NetBSD, and OpenBSD that do not like to include GNU tools supported it by developing their own version of gzip based on the permissively-licensed zlib library. Technically, the LZW method used by the compress utility is still standardized by POSIX, so one might expect it to have the widest support. However, aggressive patent enforcement discouraged adoption, especially by Free and Open Source Software systems—even though the patent has expired, it is still out of favor compared to DEFLATE. For this reason, I feel justified in calling it a curio. References: Eighth Edition UNIX pack.c https://www.tuhs.org/cgi-bin/utree.pl?file=V8/usr/src/cmd/pack/pack.c 2.9BSD compact.c https://www.tuhs.org/cgi-bin/utree.pl?file=2.9BSD/usr/src/ucb/compact/compact.c Compress specification https://pubs.opengroup.org/onlinepubs/009695399/utilities/compress.html Uncompress specification https://pubs.opengroup.org/onlinepubs/009695399/utilities/uncompress.html GNU Gzip manual https://www.gnu.org/software/gzip/manual/gzip.html RFC 1951: DEFLATE Compressed Data Format Specification version 1.3 https://tools.ietf.org/html/rfc1951 History of Lossless Data Compression Algorithms: The Rise of Deflate https://ethw.org/History_of_Lossless_Data_Compression_Algorithms#The_Rise_of_Deflate bzip2 https://en.wikipedia.org/wiki/Bzip2 XZ Utils https://en.wikipedia.org/wiki/XZ_Utils 2.6.38 merge window part 2 https://lwn.net/Articles/423541/ zstd https://en.wikipedia.org/wiki/Zstd Appendix The table below demonstrates the results of compressing different types of data using tools described in this episode. While not totally rigorous, I did run each compression and decompression multiple times to ensure I was getting consistent results. The laptop I used has an Intel Core i5-6200U CPU running at 2.30GHz, and the system had at least 5 GB of free memory for each run. While this processor has two cores and can run four simultaneous threads, all utilities were run single-threaded. The term "best" means the highest level of compression available (the exact level used is shown). For bzip2 , the default is the best. For zstd , "best" is -19, which is the highest "normal" level, but "ultra" levels that are even higher also exist. Ratios are the percentage of the original size that the file was reduced to (other sources might instead express the compression ratio as the reduction in size achieved). In all results, smaller numbers are better. ┌────────────────────────────┬─────────────┬─────────────┬─────────────┬─────────────┬─────────────┬─────────────┬─────────────┐ │ │ gzip │ gzip │ bzip2 │ xz │ xz │ zstd │ zstd │ │ │(default -6) │ (best -9) │ (-9) │(default -6) │ (best -9) │(default -3) │ (best -19) │ ├──────────────┬─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤ │ │Size (ratio) │ 22,036,508 │ 21,891,623 │ 15,795,698 │ 13,487,768 │ 12,938,464 │ 20,454,657 │ 13,709,078 │ │ │ │ (24%) │ (24%) │ (17%) │ (15%) │ (14%) │ (23%) │ (15%) │ │English Text ├─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤ │(90,532,092 │Compression │ 4.8s │ 7.6s │ 8.5s │ 49.8s │ 58.8s │ 0.6s │ 65.2s │ │bytes │time │ │ │ │ │ │ │ │ │uncompressed) ├─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤ │ │Decompression│ 0.7s │ 0.8s │ 3.7s │ 1.2s │ 1.2s │ 0.4s │ 0.4s │ │ │time │ │ │ │ │ │ │ │ ├──────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤ │ │Size (ratio) │ 125,291,122 │ 124,189,544 │ 98,016,512 │ 84,882,492 │ 81,954,344 │ 120,604,855 │ 87,298,645 │ │ │ │ (21%) │ (21%) │ (17%) │ (14%) │ (14%) │ (20%) │ (15%) │ │Source Code ├─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤ │(590,008,320 │Compression │ 22.0s │ 39.3s │ 54.8s │ 241s │ 298s │ 3.7s │ 348s │ │bytes │time │ │ │ │ │ │ │ │ │uncompressed) ├─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤ │ │Decompression│ 5.1s │ 5.1s │ 20.3s │ 8.1s │ 7.8s │ 2.4s │ 2.4s │ │ │time │ │ │ │ │ │ │ │ ├──────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤ │ │Size (ratio) │ 32,830,905 │ 32,371,241 │ 26,856,579 │ 20,717,288 │ 20,352,880 │ 28,538,810 │ 23,154,582 │ │ │ │ (19%) │ (19%) │ (16%) │ (12%) │ (12%) │ (17%) │ (13%) │ │Binary Program├─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤ │(171,972,264 │Compression │ 6.4s │ 22.4s │ 18.6s │ 62.2s │ 67.8s │ 0.8s │ 111s │ │bytes │time │ │ │ │ │ │ │ │ │uncompressed) ├─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤ │ │Decompression│ 1.5s │ 1.5s │ 5.6s │ 2.3s │ 2.3s │ 0.7s │ 0.7s │ │ │time │ │ │ │ │ │ │ │ ├──────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤ │ │Size (ratio) │ 146,397,772 │ 146,397,757 │ 144,485,451 │ 131,950,232 │ 130,926,780 │ 147,154,979 │ 145,703,840 │ │ │ │ (89%) │ (89%) │ (88%) │ (80%) │ (80%) │ (90%) │ (89%) │ │WAVE Audio ├─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤ │(164,396,302 │Compression │ 9.2s │ 9.2s │ 25.1s │ 70.4s │ 97.7s │ 0.7s │ 58.3s │ │bytes │time │ │ │ │ │ │ │ │ │uncompressed) ├─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤ │ │Decompression│ 2.0s │ 2.0s │ 13.5s │ 12.2s │ 12.1s │ 0.6s │ 0.8s │ │ │time │ │ │ │ │ │ │ │ ├──────────────┴─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤ │ │ gzip │ gzip │ bzip2 │ xz │ xz │ zstd │ zstd │ │ │(default -6) │ (best -9) │ (-9) │(default -6) │ (best -9) │(default -3) │ (best -19) │ └────────────────────────────┴─────────────┴─────────────┴─────────────┴─────────────┴─────────────┴─────────────┴─────────────┘ English text consists of Titles 1 through 10 of the 2020 U.S. Code of Federal Regulations . Source code consists of a tar file containing the Linux kernel source, version 4.0. Binary program consists of an ELF-format executable of the pandoc application, version 2.17.1.1 found on Debian 12. Audio consists of a 24-bit Signed Integer PCM WAVE file with 2 channels at 44.1kHz, about 10:21 in length. For comparison, the audio-specific flac lossless compression utility reduced this file to 97,962,711 bytes (60%) in 2.6 seconds at the default (-5) level and to 97,714,876 bytes (59%) in 5.4 seconds at the highest (-8) level. Provide feedback on this episode.

CannMed Coffee Talk
Putting Cannabis Labs to the Test with Morgan Keefer

CannMed Coffee Talk

Play Episode Listen Later May 20, 2026 38:51


Morgan Keefer is a Board Member for the Institute of Cannabis Science, and an experienced cannabis testing laboratory accreditation professional. She has presented at conferences, including CannMed, Pittcon, and Cannabis Science Conference regarding the importance of inter-laboratory comparison and method validation for the cannabis industry. At CannMed 26, Morgan will present Frequently Identified Nonconformances Applicable to Cannabis Testing, which will explore some of the challeges that come with operating a cannabis lab as well as opportunities for improvement. During our conversation, we discuss: Cannabis labs must be ISO/IEC 17025 accredited to prove they are competent to test for potency, contaminants, and other critical safety markers that protect consumers. Inconsistent state regulations and federal illegality create unique challenges for cannabis labs, including the need to rapidly validate new test methods as rules change. Sample manipulation by producers (i.e., bleaching samples or inflating potency) is a real problem that undermines lab results and puts consumers at risk. Many labs fall short on method validation and measurement uncertainty, sometimes reporting results for years without fully validating their methods across all product types. Consumers can protect themselves by requesting certificates of analysis, asking labs to confirm their results directly, and watching for measurement uncertainty disclosures. Thanks to This Episode's Sponsor: CANN Since 2015, CANN has been building a strong network of scientists in the cannabis space to promote scientific innovation, safety, and development through education, research, and the empowerment of the scientific community. To learn more about what CANN has to offer please visit their website at www.cann-acs.org. Additional Resources Institute of Cannabis Science Tip Line – tipline@cannsci.org  Coalition for Cannabis Worker Safety – Cannabisworkersafety@gmail.com Register for CannMed 26 Meet the CannMed 26 Speakers Review the Podcast CannMed Archive

InfosecTrain
AI Auditing vs. Traditional Auditing: Mastering the ISO/IEC 42001 Shift

InfosecTrain

Play Episode Listen Later May 1, 2026 34:14


Auditing is evolving - are you ready to audit intelligent systems? As AI transforms global business operations, the methodologies used to ensure compliance must also transform. In this episode of InfosecTrain Tech Talks, we provide a definitive guide to the world's first AI Management System standard: ISO/IEC 42001. We break down the practical shift from checking static records to evaluating dynamic, evolving algorithms.The "course titled" AI Auditor Training is the key for professionals looking to move from traditional IT auditing into the high-demand world of AI risk management. We dive into the mindset shift required for this transition, focusing on accountability, transparency, and the unique lifecycle of AI systems that traditional frameworks often miss.

Outgrow's Marketer of the Month
Snippet- Matthew Blakemore, CEO of AI Caramba!, Explains The Importance of ISO/IEC 8183 in Shaping Responsible AI.

Outgrow's Marketer of the Month

Play Episode Listen Later Apr 24, 2026 0:59


Why AI Needs Standards Like ISO/IEC 8183In this clip, Matthew Blakemore, CEO of AI Caramba!, explains the importance of ISO/IEC 8183 in shaping responsible AI.This standard acts as a foundation for the AI data lifecycle, helping businesses design, manage, and optimize AI projects while ensuring ethical data usage

Hacker Public Radio
HPR4617: UNIX Curio #4 - Archiving Files

Hacker Public Radio

Play Episode Listen Later Apr 14, 2026


This show has been flagged as Clean by the host. This series is dedicated to exploring little-known—and occasionally useful—trinkets lurking in the dusty corners of UNIX-like operating systems. When you think about creating and managing archives on a UNIX system, tar is probably the utility that comes to mind. But this was not the first archiving program; ar was in First Edition UNIX 1 and cpio also pre-dates it, sort of 2 . According to the NetBSD manual page, cpio was developed within AT&T before tar , but did not get widely released until System III UNIX after tar was already well known from the earlier release of Seventh Edition UNIX (a.k.a. Version 7). You might think that ar and cpio are old and irrelevant these days, but these formats do live on. Each Debian package file 3 is an ar archive which in turn contains two tar files. On Red Hat, Fedora, SUSE, and some other distributions, each .rpm package file 4 contains a cpio payload. So these may very well still be in use on your modern Linux system. But let's get back to the subject of what you might want to use to create archives today. The tar utility has persisted in its popularity over the decades, and you most probably have a version installed on your UNIX-like systems. One of the problems with tar , however, is that it has not kept a consistent file format. Also, different implementations have used differing syntax at times. There are excellent reasons for the file format changing 5 . The names people give files have gotten longer over time, and the original Seventh Edition tar format could only handle a total pathname length of 100 bytes for each archive member. In addition, filenames were in ASCII format, and modern filesystems now accommodate richer encodings with characters that aren't in ASCII. The size of each archive member was limited to 8 gigabytes—unthinkably large back then, but not so big these days. User and group ownership could only be specified by numeric ID, which can vary from one system to another. Many other types of files and information simply couldn't be stored: block and character device nodes, FIFOs, sockets, extended attributes, access control lists, and SELinux contexts. As a result, the tar format had to evolve over the years. One important version was the ustar format, created for the 1988 POSIX standard. The POSIX committee wanted to try standardizing both the file format and syntax for the tar command. While the ustar format addressed some shortcomings, progress marched on. Filesystems started allowing filenames in different character sets and more types of information to be attached to files, so for the 2001 revision of POSIX they gave up on standardizing the tar utility and came up with a new format and utility, which is our actual UNIX Curio for this episode: pax 6 . Since the pax program didn't have historical baggage, they could specify its options, behavior, and file format and be sure everyone's implementation would match. Developers of different tar implementations had been reluctant to change away from their historical option syntax to the standard. The pax utility was also an attempt to avoid taking sides between those who advocated for tar and fans of cpio . The pax file format was an extension of ustar with the ability to add arbitrary new attributes tied to each archive member as UTF-8 Unicode. Some of these attribute names were standardized, but implementers could also define their own, making the format more future-proof. Older versions of tar that could handle the ustar format should still be able to process pax archives, but might not know what to do with the extra attributes. GNU tar developed its current archive format 7 alongside the standardization of the ustar format. The GNU format was based on an early draft which later underwent incompatible changes, so the two unfortunately are not interchangable. Unlike ustar , the GNU format has no limits on the size of files or the length of their names. In addition to its own format, GNU tar is able to detect and correctly process both ustar and pax archives. In situations where its native format can't store necessary information about a file (such as POSIX access control lists or extended attributes), GNU tar will automatically output the pax format instead (called "posix" in documentation). However, it still uses the GNU format by default, though the documentation has been threatening to move to the POSIX format for at least 20 years 8 . The good news is that the ustar , pax , GNU tar , and Seventh Edition tar formats are well documented and utilities across many UNIX-like systems 2,7,9,10,11 are able to handle these, depending on which formats existed when the utility was developed. While your system may not have pax itself installed, there are other archiving utilities that can read the file format, including GNU tar . (Somewhat amusingly, Debian and some other Free Software operating systems package a pax utility developed by MirBSD 12 which largely follows the POSIX-specified interface, but doesn't support reading or writing archives in pax format!) Look at the manual page for the tar , cpio , or pax utilities on your system to see if they can handle pax archives. Perhaps one aspect that has worked in favor of tar and other UNIX archive formats is that they only concern themselves with storing files and make no attempt at compression. Instead, it is common for a complete archive file to be compressed after creation; many utilities can be told to do this step for you, but it is not typically the default behavior. Therefore, if a better compression method comes along, the archive format doesn't need to change. If you do use compression, be careful to choose a method that is available on the destination system. Compressing files is a big enough subject to deserve its own episode, so we won't talk more about it here. So which format should you use when creating an archive? Unfortunately, there is no single answer that applies in all circumstances. The pax format is supported among modern UNIX-like systems and can represent all types of files and metadata. While other systems, their filesystems, and archive utilities might not be able to properly make use of all the metadata, they should at least be able to extract the data contained in files and, if Unicode is supported, give them appropriate filenames. If you intend to unpack the archive on an older system, more research might be needed to figure out what formats it is able to handle. The Seventh Edition tar format (often called "v7") is widely supported, including by older systems, but has limitations in what it can contain as described earlier. Moving beyond the UNIX world, things get even more complicated. Apple's macOS, with its FreeBSD underpinnings, easily handles tar files. However, when it comes to MS-DOS and Windows, it's a bit different. There, a multitude of archiving programs and formats arose, usually combining archiving with compression. PKZIP was probably the most popular of these and its .zip format became common in many places, helped by the fact that PKWARE openly published the specification. While there is only a single .zip format, it has many options, some proprietary, and different implementations have diverged in the way some aspects are handled (or not handled). An ISO/IEC standard for .zip 13 was published in 2015 giving a baseline profile, and sticking to it produces files that can be widely extracted successfully. Other file formats like OpenDocument use the .zip format and typically hew to the standardized profile. Windows' File Explorer, starting with Windows XP, can natively extract .zip files 14 . The Info-ZIP program 15 is a Free Software implementation for a wide variety of systems (even rather obscure ones); while it might not be installed on yours, if you're copying the archive file over, you can probably copy over its unzip utility at the same time to unpack it. So .zip probably has the broadest support, although it might not already be present on every system. However, as Klaatu points out in Hacker Public Radio episode 4557 16 , .zip files and applications handling them aren't always great at maintaining metadata about files. The .zip format doesn't seem to have any way to represent UNIX file permissions, and user/group ownership can only be included as numeric IDs. Other types of metadata on UNIX-like systems are not saved at all. This is probably not a problem in some cases, such as with a collection of photos, but for others it might be a concern. While pax as a utility does not seem to have gained much popularity or support, except on commercial UNIX systems where including it was required to conform to the POSIX standard, its file format has persisted. Free Software systems have generally avoided the pax interface, preferring to stick with the tar utility on the command line, but usually have good support for archive files in the pax format. Outside of UNIX-like systems, .zip seems to have become the most common file format, and support for it is also good in the UNIX world, though it might not be built in. References: Archive (library) file format https://man.cat-v.org/unix-1st/5/archive NetBSD 10.0 cpio manual page https://man.netbsd.org/NetBSD-10.0/cpio.1 Debian binary package format https://manpages.debian.org/trixie/dpkg-dev/deb.5.en.html RPM V6 Package format https://rpm.org/docs/6.0.x/manual/format_v6.html NetBSD 10.0 libarchive-formats manual page https://man.netbsd.org/NetBSD-10.0/libarchive-formats.5 Pax specification https://pubs.opengroup.org/onlinepubs/009695399/utilities/pax.html GNU tar manual https://www.gnu.org/software/tar/manual/tar.html GNU tar manual for version 1.15.90 https://web.cvs.savannah.gnu.org/viewvc/*checkout*/tar/tar/manual/tar.html?revision=1.3 FreeBSD 15.0 libarchive-formats manual page https://man.freebsd.org/cgi/man.cgi?query=libarchive-formats&sektion=5&apropos=0&manpath=FreeBSD+15.0-RELEASE+and+Ports OpenBSD 7.8 tar manual page https://man.openbsd.org/OpenBSD-7.8/tar HP-UX Reference (11i v3 07/02) - 1 User Commands N-Z (vol 2) https://support.hpe.com/hpesc/public/docDisplay?docId=c01922474&docLocale=en_US MirBSD pax(1) manual page http://www.mirbsd.org/htman/i386/man1/pax.htm#Sh.STANDARDS ISO/IEC 21320-1:2015 Information technology - Document Container File Part 1: Core https://www.iso.org/standard/60101.html Mastering File Compression on Windows https://windowsforum.com/threads/mastering-file-compression-on-windows-how-to-zip-and-unzip-files-effortlessly.369235/ About Info-ZIP https://infozip.sourceforge.net/ HPR4557::Why I prefer tar to zip https://hackerpublicradio.org/eps/hpr4557/index.html Provide feedback on this episode.

Hacker Public Radio
HPR4615: Clicking through an audit

Hacker Public Radio

Play Episode Listen Later Apr 10, 2026


This show has been flagged as Explicit by the host. ISO 27001 from Wikipedia.org: ISO/IEC 27001 is an information security standard . It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Organizations with an ISMS that meet the standard's requirements can choose to have it certified by an accredited certification body following successful completion of an audit . Information security audit from Wikipedia.org: An information security audit is an audit of the level of information security in an organization. It is an independent review and examination of system records, activities, and related documents. These audits are intended to improve the level of information security, avoid improper information security designs, and optimize the efficiency of the security safeguards and security processes. Factors contributing to cybersecurity fatigue Source: Adapted from Factors contributing to cybersecurity fatigue by L. J. J. S. (2024), Abertay University. Available at: https://rke.abertay.ac.uk/en/publications/factors-contributing-to-cybersecurity-fatigue/ In cloud-based environments, the push for high-security standards often leads to "cybersecurity fatigue," which creates unintended psychological strain on employees. Constant interruptions from repetitive access requests. Overload of security checks and decision fatigue. Lack of clear understanding regarding actual cybersecurity risks. Impact on Behavior Fatigue frequently leads to negative outcomes, including the bypassing of security protocols, abandonment of necessary tasks, and total disengagement from mandatory training. Key Concept The study highlights "attitudinal fatigue" (an employee's negative mindset toward security) as a major barrier to organizational resilience and compliance. Strategic Recommendations: Transition to "contextualized training" that uses relatable, real-world scenarios. Streamline security workflows to minimize disruption to daily productivity. Develop targeted interventions. National Institute of Standards and Technology 2011 Report: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (Tangentially ) related Episodes hpr3779 :: Just Because You Can Do a Thing... - Trey hpr0061 :: Punk Computing - Klattu hpr0002 :: Customization the Lost Reason - Deepgeek Provide feedback on this episode.

InfosecTrain
AI Auditing Masterclass: Mastering ISO/IEC 42001 for GRC Leaders

InfosecTrain

Play Episode Listen Later Apr 9, 2026 38:06


The future of auditing isn't just IT; it's AI. As artificial intelligence integrates into every layer of the enterprise, the role of the auditor must evolve to ensure transparency, accountability, and compliance in intelligent environments. In this episode, InfosecTrain simplifies the world's first AI Management System standard: ISO/IEC 42001.The "course titled" AI Auditor Training is designed to bridge the gap between traditional IT auditing and the unique challenges posed by algorithmic decision-making. We provide a high-level briefing on how auditing principles are applied to AI systems and what specific technical and ethical markers an AI Auditor must look for to mitigate organizational risk.

InfosecTrain
ISO 42001 Explained: Defining Your Organization's Role in the AI Ecosystem

InfosecTrain

Play Episode Listen Later Mar 27, 2026 36:06


Identifying your role in the AI lifecycle is no longer just a technicality it's a regulatory and ethical necessity. In this episode, we break down ISO/IEC 42001:2023, the world's first auditable standard for an Artificial Intelligence Management System (AIMS). From global tech giants to the individual subjects impacted by AI decisions, discover how this framework ensures responsible development, transparency, and data privacy.

GrowCFO Show
#276 Why Information Security Is Now a CFO Responsibility, Howard Francioni, Lead Auditor, Akton Boundrie Group

GrowCFO Show

Play Episode Listen Later Mar 24, 2026 32:37


https://www.youtube.com/watch?v=wvSRX-na_Ho .entry-img img{ display:none !important; } .single .hentry .entry-img{ display:none !important; } https://open.spotify.com/episode/5viwKl2fFV1BFDZGyag2rN In episode 276 of the GrowCFO Show, host Kevin Appleby is joined by Howard Francioni, Lead Auditor at Akton Boundrie Group, to explore why information security has become a core responsibility for today's CFO. The conversation frames cyber risk not just as an IT problem but as a strategic, financial, and reputational threat that CFOs must own. Using high‑profile breaches such as Jaguar Land Rover and others, Kevin and Howard illustrate how attacks can halt production, disrupt supply chains, destroy value, and inflict long‑term brand damage, issues that sit squarely in the CFO's remit of safeguarding enterprise value. From there, the discussion moves into practical guidance for finance leaders who may not have a CISO or large security team. Howard explains how CFOs can embed information security into risk registers, adopt a “defense in depth” mindset across customers and suppliers, and drive culture change around password hygiene, endpoint security, backups, and data leakage prevention. The episode concludes with forward‑looking insights on AI, data governance, and why standards such as ISO 27001 and ISO 42001 offer powerful frameworks—even for smaller, growing finance organizations—to systematically reduce cyber and data risks. Key topics covered: Why information security has shifted from a pure IT concern to a strategic CFO responsibility, given its impact on operations, finances, and reputation. Real‑world breach examples (e.g., Jaguar Land Rover, Marks & Spencer, Co‑op) showing how attacks on suppliers can cascade through the entire value chain. Practical foundations of defense in depth: robust password hygiene, secure endpoint configuration, dual user/admin accounts, disk encryption, patching, VPN use, and regular device hygiene. The critical difference between data leakage and data loss, and how everyday behaviors, such as conversations on trains or visible screens, can quietly leak sensitive information. How immutable offline backups and structured risk registers enable organizations to survive ransomware incidents without paying attackers. Emerging risks from AI and agents: systems built without security by design, hallucinations, IP ownership issues, and the need for AI‑specific governance frameworks like ISO 42001. About Howard Francioni Howard Francioni is an Information Security specialist with nearly two decades of experience in the card-payments industry—one of the most heavily targeted sectors for cyber-attacks—working across ATMs, POS, online payments, and MOTO environments. He led projects including pioneering contactless EMV acceptance in mass transit for Transport for London and building secure X.509 infrastructures for payment terminals, while also heading a PCI DSS function supporting around 140,000 merchants with data-driven compliance and breach investigations. Today, he helps organizations develop ISO/IEC 27001-aligned information security frameworks and serves as an independent auditor for UKAS-accredited certification bodies, combining consultancy and auditing to strengthen organizational security practices. Links Howard Francioni on LinkedIn Kevin Appleby on LinkedIn GrowCFO Mentoring Timestamps:  00:00:38 – Howard explains how breaches cause production outages, operational disruption, and severe reputational harm—core concerns for any CFO. 00:02:21 – Discussion of how threat actors target less secure suppliers to reach larger organizations, and why CFOs must think in terms of ecosystem‑wide defense in depth. 00:05:00 – Howard outlines the three recurring problem areas he sees: poor password hygiene, insecure endpoints, and lack of a healthy “suspicious mindset” among staff. 00:10:19 – Concrete measures for devices, including PIN/biometric login, dual standard/admin accounts, disk encryption, patching, reboots, local backups, and use of VPNs on public networks. 00:18:23 – Stories about overheard conversations, visible screens, and password Post‑its illustrate how data can be leaked without being “lost,” and why leakage is often more insidious. 00:21:26 – Howard stresses that once files are encrypted, recovery is only possible if immutable, offline backups and clear mitigation actions were in place beforehand. 00:28:27 – Comparison between how the internet was built without security in mind and how AI is repeating the pattern, plus why AI‑specific standards are now essential. 00:35:52 – Kevin summarizes what CFOs should do next: understand potential large‑scale and insider risks, quantify reputational impact, and implement practical controls ahead of any incident. Find out more about GrowCFO If you enjoyed this podcast, you can subscribe to the GrowCFO Show with your favorite podcast app. The GrowCFO show is listed in the Apple podcast directory, Spotify and many others. Why not subscribe there today? That way, you never miss an episode. GrowCFO is a great place to extend your professional network. Join GrowCFO as a free member today and participate in our regular networking events and webinars. Premium members can also access our extensive training center and CFO Digital Toolkit. You can enroll in our flagship Future CFO or Finance Leader programs here. You can find out more and join today at growcfo.net

The Standards Show
Inside AI - trust, trends and standards

The Standards Show

Play Episode Listen Later Mar 13, 2026 23:40


AI is rapidly moving into mainstream use across industries, driving huge growth in computing, model development, and startup investment, while raising concerns around safety, bias, and regulation.Global AI summits have tracked this evolution, from Bletchley Park 2023 to Seoul and Paris, with the 2026 AI Impact Summit in New Delhi, India marking the first in the Global South, highlighting innovation, inclusion, governance, and global cooperation.In this episode, Matthew speaks with BSI's Tim McGarr about the AI India Impact Summit, the key drivers of global AI adoption, and why trust, governance, and real-world AI use are more important than ever.They also explore how organizations can use emerging frameworks and standards – and in particular ISO/IEC 42001 - to ensure responsible and trustworthy AI and prepare for evolving regulations.Plus, since it's The Standards Show, Tim also shares his standards journey.Find out more about the issues raised in this episode.BSI Report – Trust in AIISO/IEC 42001Get involved with standardsGet in touch with The Standards Showeducation@bsigroup.comsend a voice messageFind and follow on social mediaX @StandardsShowInstagram @thestandardsshowLinkedIn | The Standards Show

Cyber Security Happy Hour Podcast
Episode 45 Zero Trust in Action – Compliance Meets Strategy

Cyber Security Happy Hour Podcast

Play Episode Listen Later Mar 11, 2026 18:08


In this episode of Cyber Security Happy Hour, Christie breaks down how the Zero Trust security model aligns with major compliance frameworks, including PCI DSS v4.0 and ISO/IEC 27001. Zero Trust is no longer just a buzzword it is a strategic, adaptive approach built on “never trust, always verify.” But how does that fit with prescriptive or risk‑based compliance requirements? Christie explores where Zero Trust naturally strengthens compliance, where gaps emerge, and what organisations can do to bridge them. In this episode, you'll learn: How Zero Trust principles map to PCI DSS v4.0 access controls, MFA, and segmentation Why Zero Trust complements ISO 27001's risk-based ISMS approach Real-world challenges organisations face when shifting to Zero Trust Practical steps to make Zero Trust work with your compliance programmes Tools and technologies that support both Zero Trust and compliance readiness Whether you're planning a Zero Trust rollout or preparing for your next audit, this episode provides clear, actionable insights to help you navigate both worlds with confidence. Grab your drink of choice, tune in, and enjoy another round of practical cyber‑security wisdom.   Enjoy!   Need help  preparing for PCI DSS v4.0? Book a free 20‑minute consultation with our cybersecurity team at https://intexit.co.uk/pci-dss/     You can listen on:   At Intex IT Website: https://intexit.co.uk/podcast/   ITUNES: https://podcasts.apple.com/gb/podcast/cyber-security-happy-hour/id1515379723/  Do not forget to subscribe to the podcast so you never miss an episode. #podcast #CyberSecurity #InfoSec #DataProtection #PrivacyMatters #ThreatIntelligence #ZeroTrust #SecureTheFuture #CyberAware #RiskManagement #DigitalDefense #SecurityAwareness #Encryption #ITSecurity #CloudSecurity #HackerDefense #NetworkSecurity #PhishingPrevention #IdentityProtection #SecurityEducation #IncidentResponse #MalwareDefense #IoTSecurity #CyberResilience #SecureSoftware #PatchManagement #CISOInsights CyberHygiene  #CyberThreats #SecureInfrastructure  #ThreatDetection #SecurityConsulting   

Irish Tech News Audio Articles
Secure? Or just certified? Why compliance isn't the end of your security story

Irish Tech News Audio Articles

Play Episode Listen Later Mar 5, 2026 6:37


Guest post Martin Petrov, Chief Technology Officer, Payments Compliance at Integrity360 It is tempting to view payments compliance as the finish line, a signal that a business is secure. But in practice, compliance is just the starting point. It provides a baseline security level, not a digital fortress. Standards are designed to raise the floor and eliminate obvious vulnerabilities, but they cannot cover every emerging threat or nuance – such as a supplier getting breached or a shortcut taken by an engineer at 2 a.m. That is where organisations risk becoming complacent or overly literal in their interpretations. True security demands a harder question than: "Are we compliant"? It demands: "Would this stop an attacker today?" That demands understanding not just what control requirements state, but why they exist. Multi-factor authentication (MFA), for example, is not just a checkbox; it is a concept rooted in stopping unauthorised access. Compliance must be interpreted in context: against the weakest vendor, the most exposed system, the riskiest business process, and the evolving threat landscape. Too many breaches have exploited gaps that audits never covered because compliance became the ceiling, not the floor. Regional and cultural factors also play a part. In Northern Europe, payments compliance frameworks like PCI DSS are often seen as a baseline to exceed, with layered defences added beyond the minimum. In other regions, standards such as PCI DSS or ISO/IEC 27001 are treated more as a destination. Certification becomes the end goal – a badge to display, not a baseline to exceed. These differences matter because they determine whether compliance protects you or just protects your reputation. The supplier slip-up that could cost you everything One of the most urgent blind spots is the supply chain. You can harden and patch all of your own systems, mandate MFA, and lock down every endpoint. But a vendor's default service account, an abandoned test tenant, or an over-permissioned API can undermine everything. As integrations and dependencies grow, so does the potential blast radius. And while many organisations know who their suppliers are, far fewer know what access they have, how often they are reviewed, or whether they follow the same standards. Supplier risk must now be managed as rigorously as internal operations; tiered, tested, and tightly controlled. The three-body problem: when PCI DSS, GDPR, and the EU AI Act collide Then there is the pace of innovation, particularly in areas like artificial intelligence (AI). For European compliance officers, this creates a three-body problem: the EU AI Act, PCI DSS, and GDPR orbiting each other with overlapping – but misaligned – requirements. And unlike physics, there is no elegant equation to solve it. Meanwhile, global response remains inconsistent, and the tension between innovation and oversight is only going to grow. The organisations that succeed in this environment will not just meet standards; they will go further and question whether they are compliant on paper but vulnerable in practice. By treating compliance as a foundation, not a finish line, organisations will unlock new ways to stay secure and trusted. The question is, what does that really look like? What good is a lock if no one checks the door? One of the easiest traps for modern security teams is assuming that tools alone provide protection. But no matter how advanced the platform or how rigid the policy, it is people and processes that hold it all together – or let it fall apart. This is especially true in payments compliance, where new platforms and integrations emerge faster than policies can adapt. Organisations that treat compliance as a checklist often over-rely on technology, by trusting automated scans, secure settings, or third-party certifications to keep them safe. But without context and human judgement, these defences can create a false sense of security and leave the business exposed. In the b...

CERIAS Security Seminar Podcast
Danny Vukobratovich, ISO 27001 as the Engine, NIST CSF 2.0 as the Dashboard, A Practical Operating Model

CERIAS Security Seminar Podcast

Play Episode Listen Later Feb 25, 2026 63:15


Many organizations adopt security frameworks but struggle to turn them into day-to-day operations that reduce risk without slowing delivery. This talk presents a practical operating model that pairs ISO/IEC 27001 (as the certifiable management system that runs governance, risk management, internal audit, and continual improvement) with NIST Cybersecurity Framework 2.0 (as the outcome-focused "dashboard" for aligning security priorities to business objectives and communicating posture to leaders). Attendees will see how to translate business goals into CSF 2.0 current and target profiles, convert those profiles into ISO 27001 objectives and control ownership, and design "evidence by default" workflows that reduce audit fire drills. The session will include real-world design patterns (paved roads, tiered decision rights, exception handling with expiry, and control health metrics) and highlight where assurance programs often drift into "control theater." The goal is a repeatable approach that both practitioners and researchers can critique, improve, and apply. About the speaker: Danny Vukobratovich is a Sr. IT Security Analyst at Purdue University, where he manages Purdue IT's ISO program spanning ISO/IEC 27001 (information security), ISO 9001 (quality management), and ISO/IEC 20000-1 (IT service management). He also oversees Purdue IT's business continuity and disaster recovery planning, with an emphasis on building resilient, auditable operating models that support research and administrative missions. Danny's professional focus is translating risk and governance into practical mechanisms, including clear decision rights, "evidence by design," and metrics that measure control health rather than control presence. His background includes security risk assessments, incident response, monitoring and logging, identity and access management, and standards-based audits across diverse environments. Danny holds the CISSP, ISO/IEC 27001:2022 Lead Implementer, and ITIL 4 Strategic Leader certifications, and an M.S. in Cybersecurity Management.

The ITAM Review Podcast
Change Makers Podcast: Elevating ITAM - ISO Certification

The ITAM Review Podcast

Play Episode Listen Later Feb 9, 2026 23:34


In this episode, we speak with Ash Dharas (Softline Group Northern Europe) and Patrick Milas (HDI Group) about their experiences achieving ISO/IEC 19770-1 certification - these are the world's first two organisations to achieve ISO ITAM certification. Here' are two of our favourite clips from this episode: “The benefits of ITAM are much broader than people think. It is the nucleus for every other IT process. If you don't know what you have, you can't manage it. The audit process was the perfect way to get all the relevant stakeholders across the business in one room to make the case for ITAM and demonstrate its value.” - Patrick Milas, HDI Group “It is a humbling experience, but it ultimately improves the quality of your ITAM practices. It was a very enlightening journey and well worth the effort.” - Ash Dharas, Softline Group Northern Europe

The ITAM Review Podcast
Change Makers Podcast: Meet an ISOIEC 19770-1 auditor

The ITAM Review Podcast

Play Episode Listen Later Feb 9, 2026 29:27


In this episode, we speak with Yorick Heijink from Brand Compliance, the official auditor of the ISO/IEC 19770-1 Certification Scheme. If your organisation is considering certification, this is a must-listen-to episode - it provides you with great insight direct from the person who will be on-site with your team performing the audit. Yorick talks us through a typical audit process, explains what a 'management system' is, why you need management buy-in, and the importance of reading and understanding the -1 standard itself. He also shares what he likes most about being a certification auditor. Here's one of our favourite clips from the episode: “These customers are my clients, and my job is to certify them, when they are compliant. I'm not there to find non-conformities. I'm not there to break down the system. In the end, my objective is to help you. But, in my role, I have to stay objective, and I cannot give any advise, which is always the tricky part."

InfosecTrain
ISO/IEC 42001 AI Governance & Implementation Bootcamp

InfosecTrain

Play Episode Listen Later Feb 9, 2026 111:28


In this bootcamp session, Prabh Nair breaks down ISO/IEC 42001 and the practical reality of AI governance inside organizations.If you are trying to implement an AI Management System (AIMS), this session walks you through the governance principles, the clause structure, the documentation mindset, and how to run AI risk assessments and impact assessments in a way that stands up to audits. We move beyond the theory and look at how to define roles, whether you are an AI provider, producer, or customer; and how to build a Project Charter that scales.Watch the full episode on YouTube: https://www.youtube.com/watch?v=jhQRtCO_5n0

CISSP Cyber Training Podcast - CISSP Training Program
CCT 320: OT Attacks And CISSP Domain 6.4 Essentials

CISSP Cyber Training Podcast - CISSP Training Program

Play Episode Listen Later Feb 2, 2026 41:11 Transcription Available


Send us a textWhat happens when custom malware turns IoT into a springboard for OT, and gas pumps become levers for panic? We open with a timely look at Iranian-linked operations targeting PLCs and use that story to ground a full, practical tour of CISSP Domain 6.4: how to analyze scan output and generate reports that actually drive action.We break down the anatomy of a high-value vulnerability report—clean executive summaries, CVE and CVSS clarity, and the business context that separates theoretical risk from real-world impact. From there, we map a repeatable cadence for internal scans full of misconfigurations, default creds, and end-of-life software, plus a strategy to turn noisy findings into steady wins through prioritization, trend metrics, and small, fast fixes that build momentum.On the perimeter, we focus on external scans across web apps, APIs, cloud edges, and third parties. You'll hear hard-earned tactics for handling M&A exposure, vendor VPNs, misconfigured buckets, and certificate drift without breaking production. We share validation steps that avoid false positives and chaos in prod, then show how to formalize exceptions with risk assessments, compensating controls, and an auditable register that satisfies PCI DSS, HIPAA, SOX, and GDPR expectations.We close with ethical disclosure done right—timelines, ISO/IEC 29147 alignment, and when to coordinate versus publish—so you protect users and your organization without stepping into legal traps. If you're studying for the CISSP or building a vulnerability management program that survives contact with reality, this guide will help you prioritize what matters, communicate clearly, and keep improving.Enjoyed the show? Subscribe, share with a teammate, and leave a quick review so others can find it. Tell us: what metric best proves your remediation progress?Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

The Cloud Pod
336: We Were Right (Mostly), 2026: The New Prophecies

The Cloud Pod

Play Episode Listen Later Jan 6, 2026 68:15


Welcome to episode 335 of The Cloud Pod, where the forecast is always cloudy! Welcome to the first show of 2026, and it's a full house, too! Justin, Jonathan, Ryan,  and Matt are all here to reflect on 2025, plus bring you their predictions for 2026. Let's get started!  Titles we almost went with this week SQL Me Maybe: AlloyDB Gets Chatty With Your Database **OpenAI SELECT * FROM natural_language WHERE accuracy LIKE ‘100%’ **Anthropic etcd You Were Worried About Database Limits: CloudWatch Has Your Back CSV You Later: Looker Adds Drag-and-Drop Data Uploads AWS Spots an Opportunity to Manage Your Container Costs EKS Network Policies: No More IP Address Whack-a-Mole AWS Security Hub Splits: It’s Not You, It’s CSPM Spot On: ECS Finally Manages Your Cheapest Compute TOON Squad: DigitalOcean’s New Format Makes JSON Look Bloated The Price is Wrong: AWS Breaks Two Decades of Downward Pricing Tradition Show Your Work: Why AI-Generated Code Without Tests is Just Expensive Spam No More Agent Orange: Google Simplifies VM Extension Deployment AWS Discovers Prices Can Go Both Ways, Raises GPU Costs 15 Percent Sovereignty Washing: When Your European Cloud Still Answers to Uncle Sam Agent Builder Gets a Memory Upgrade: Google’s AI Finally Remembers Where It Put Its Keys Ctrl+F for the Future: A year-end Scorecard & Next-Gen Bets AI Agents, GPU Prices, and The best of the Cloud Pod 2025 Beyond the Hype: The Cloud Pods Definitive 2025 Year in Review Apocalypse Now… What? Our 2026 Forecast Follow Up  01:27 RYAN’S PREDICTIONS Prediction Status Notes Quick LLM models for individuals ACCURATE Meta-Llama-3.1-8B-Instruct, GLM-4-9B-0414, and Qwen2.5-VL-7B-Instruct—each chosen for an outstanding balance of performance and computational efficiency, making them ideal for edge AI deployment. A new AI inference application called Inferencer allows even modest Apple Mac computers to run the largest open-source LLMs. AI at the edge natively (Lambda-esque) ACCURATE Akamai launched a new Inference Cloud product for edge AI using Nvidia’s Blackwell 6000 GPUs in 17 cities. AWS IoT Greengrass with Lambda functions for edge logic. “Edge AI allows for instant decision-making where it matters most—close to the data source.” Cloud native security mesh multi-cloud UNCLEAR Service mesh technologies continue to evolve (Istio, Linkerd), but I didn’t find a breakthrough “app-to-app at the edge” security mesh product announcement in 2025. This one needs more specific evidence. Ryan Score: 2/3 02:25 MATTHEW’S PREDICTIONS Prediction Status Notes FOCUS adopted by Snowflake or Databricks ACCURATE FOCUS version 1.2 was ratified on May 29, 2025. Three new providers announced support: Alibaba Cloud, Databricks, and Grafana. Databricks officially adopted FOCUS! AI security/ethical standard (SOC or ISO) ACCURATE ISO 42001 is the first international standard outlining requirements for AI governance. Major companies achieving certification in 2025: Automation Anywhere is among the first 100 companies worldwide to earn ISO/IEC 42001:2023 certification. Anthropic also achieved ISO 42001 certification. Amazon deprecates 5+ services (WorkMail bonus) ACCURATE (no bonus) 19 services are mothballed, four are being sunset, and one is end of its supported life. Deprecated services include CodeCommit, Cloud9, S3 Select, CloudSearch, SimpleDB, Forecast, Data Pipeline, QLDB, Snowball Edge, and more. WorkMail NOT deprecated – WorkDocs was (April 2025), but WorkMail remains active. Matthew Score: 3/3 03:22 JONATHAN’S PREDICTIONS Prediction Status Notes Company claims AGI achieved ACC

Paul's Security Weekly
AI-Era AppSec: Transparency, Trust, and Risk Beyond the Firewall - Felipe Zipitria, Steve Springett, Aruneesh Salhotra, Ken Huang - ASW #363

Paul's Security Weekly

Play Episode Listen Later Dec 30, 2025 66:43


In an era dominated by AI-powered security tools and cloud-native architectures, are traditional Web Application Firewalls still relevant? Join us as we speak with Felipe Zipitria, co-leader of the OWASP Core Rule Set (CRS) project. Felipe has been at the forefront of open-source security, leading the development of one of the world's most widely deployed WAF rule sets, trusted by organizations globally to protect their web applications. Felipe explains why WAFs remain a critical layer in modern defense-in-depth strategies. We'll explore what makes OWASP CRS the go-to choice for security teams, dive into the project's current innovations, and discuss how traditional rule-based security is evolving to work alongside — not against — AI. Segment Resources: github.com/coreruleset/coreruleset coreruleset.org The future of CycloneDX is defined by modularity, API-first design, and deeper contextual insight, enabling transparency that is not just comprehensive, but actionable. At its heart is the Transparency Exchange API, which delivers a normalized, format-agnostic model for sharing SBOMs, attestations, risks, and more across the software supply chain. As genAI transforms every sector of modern business, the security community faces a question: how do we protect systems we can't fully see or understand? In this fireside chat, Aruneesh Salhotra, Project Lead for OWASP AIBOM and Co-Lead of OWASP AI Exchange, discusses two groundbreaking initiatives that are reshaping how organizations approach AI security and supply chain transparency. OWASP AI Exchange has emerged as the go-to single resource for AI security and privacy, providing over 200 pages of practical advice on protecting AI and data-centric systems from threats. Through its official liaison partnership with CEN/CENELEC, the project has contributed 70 pages to ISO/IEC 27090 and 40 pages to the EU AI Act security standard OWASP, achieving OWASP Flagship project status in March 2025. Meanwhile, the OWASP AIBOM Project is establishing a comprehensive framework to provide transparency into how AI models are built, trained, and deployed, extending OWASP's mission of making security visible to the rapidly evolving AI ecosystem. This conversation explores how these complementary initiatives are addressing real-world challenges—from prompt injection and data poisoning to model provenance and supply chain risks—while actively shaping international standards and regulatory frameworks. We'll discuss concrete achievements, lessons learned from global collaboration, and the ambitious roadmap ahead as these projects continue to mature and expand their impact across the AI security landscape. Segment Resources: https://owasp.org/www-project-aibom/ https://www.linkedin.com/posts/aruneeshsalhotra_owasp-ai-aisecurity-activity-7364649799800766465-DJGM/ https://www.youtube.com/@OWASPAIBOM https://www.youtube.com/@RobvanderVeer-ex3gj https://owaspai.org/ Agentic AI introduces unique and complex security challenges that render traditional risk management frameworks insufficient. In this keynote, Ken Huang, CEO of Distributedapps.ai and a key contributor to AI security standards, outlines a new approach to manage these emerging threats. The session will present a practical strategy that integrates the NIST AI Risk Management Framework with specialized tools to address the full lifecycle of Agentic AI. Segment Resources: aivss.owasp.org https://kenhuangus.substack.com/p/owasp-aivss-the-new-framework-for https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-363

Paul's Security Weekly TV
AI-Era AppSec: Transparency, Trust, and Risk Beyond the Firewall - Felipe Zipitria, Steve Springett, Aruneesh Salhotra, Ken Huang - ASW #363

Paul's Security Weekly TV

Play Episode Listen Later Dec 30, 2025 66:43


In an era dominated by AI-powered security tools and cloud-native architectures, are traditional Web Application Firewalls still relevant? Join us as we speak with Felipe Zipitria, co-leader of the OWASP Core Rule Set (CRS) project. Felipe has been at the forefront of open-source security, leading the development of one of the world's most widely deployed WAF rule sets, trusted by organizations globally to protect their web applications. Felipe explains why WAFs remain a critical layer in modern defense-in-depth strategies. We'll explore what makes OWASP CRS the go-to choice for security teams, dive into the project's current innovations, and discuss how traditional rule-based security is evolving to work alongside — not against — AI. Segment Resources: github.com/coreruleset/coreruleset coreruleset.org The future of CycloneDX is defined by modularity, API-first design, and deeper contextual insight, enabling transparency that is not just comprehensive, but actionable. At its heart is the Transparency Exchange API, which delivers a normalized, format-agnostic model for sharing SBOMs, attestations, risks, and more across the software supply chain. As genAI transforms every sector of modern business, the security community faces a question: how do we protect systems we can't fully see or understand? In this fireside chat, Aruneesh Salhotra, Project Lead for OWASP AIBOM and Co-Lead of OWASP AI Exchange, discusses two groundbreaking initiatives that are reshaping how organizations approach AI security and supply chain transparency. OWASP AI Exchange has emerged as the go-to single resource for AI security and privacy, providing over 200 pages of practical advice on protecting AI and data-centric systems from threats. Through its official liaison partnership with CEN/CENELEC, the project has contributed 70 pages to ISO/IEC 27090 and 40 pages to the EU AI Act security standard OWASP, achieving OWASP Flagship project status in March 2025. Meanwhile, the OWASP AIBOM Project is establishing a comprehensive framework to provide transparency into how AI models are built, trained, and deployed, extending OWASP's mission of making security visible to the rapidly evolving AI ecosystem. This conversation explores how these complementary initiatives are addressing real-world challenges—from prompt injection and data poisoning to model provenance and supply chain risks—while actively shaping international standards and regulatory frameworks. We'll discuss concrete achievements, lessons learned from global collaboration, and the ambitious roadmap ahead as these projects continue to mature and expand their impact across the AI security landscape. Segment Resources: https://owasp.org/www-project-aibom/ https://www.linkedin.com/posts/aruneeshsalhotra_owasp-ai-aisecurity-activity-7364649799800766465-DJGM/ https://www.youtube.com/@OWASPAIBOM https://www.youtube.com/@RobvanderVeer-ex3gj https://owaspai.org/ Agentic AI introduces unique and complex security challenges that render traditional risk management frameworks insufficient. In this keynote, Ken Huang, CEO of Distributedapps.ai and a key contributor to AI security standards, outlines a new approach to manage these emerging threats. The session will present a practical strategy that integrates the NIST AI Risk Management Framework with specialized tools to address the full lifecycle of Agentic AI. Segment Resources: aivss.owasp.org https://kenhuangus.substack.com/p/owasp-aivss-the-new-framework-for https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference! Show Notes: https://securityweekly.com/asw-363

Application Security Weekly (Audio)
AI-Era AppSec: Transparency, Trust, and Risk Beyond the Firewall - Felipe Zipitria, Steve Springett, Aruneesh Salhotra, Ken Huang - ASW #363

Application Security Weekly (Audio)

Play Episode Listen Later Dec 30, 2025 66:43


In an era dominated by AI-powered security tools and cloud-native architectures, are traditional Web Application Firewalls still relevant? Join us as we speak with Felipe Zipitria, co-leader of the OWASP Core Rule Set (CRS) project. Felipe has been at the forefront of open-source security, leading the development of one of the world's most widely deployed WAF rule sets, trusted by organizations globally to protect their web applications. Felipe explains why WAFs remain a critical layer in modern defense-in-depth strategies. We'll explore what makes OWASP CRS the go-to choice for security teams, dive into the project's current innovations, and discuss how traditional rule-based security is evolving to work alongside — not against — AI. Segment Resources: github.com/coreruleset/coreruleset coreruleset.org The future of CycloneDX is defined by modularity, API-first design, and deeper contextual insight, enabling transparency that is not just comprehensive, but actionable. At its heart is the Transparency Exchange API, which delivers a normalized, format-agnostic model for sharing SBOMs, attestations, risks, and more across the software supply chain. As genAI transforms every sector of modern business, the security community faces a question: how do we protect systems we can't fully see or understand? In this fireside chat, Aruneesh Salhotra, Project Lead for OWASP AIBOM and Co-Lead of OWASP AI Exchange, discusses two groundbreaking initiatives that are reshaping how organizations approach AI security and supply chain transparency. OWASP AI Exchange has emerged as the go-to single resource for AI security and privacy, providing over 200 pages of practical advice on protecting AI and data-centric systems from threats. Through its official liaison partnership with CEN/CENELEC, the project has contributed 70 pages to ISO/IEC 27090 and 40 pages to the EU AI Act security standard OWASP, achieving OWASP Flagship project status in March 2025. Meanwhile, the OWASP AIBOM Project is establishing a comprehensive framework to provide transparency into how AI models are built, trained, and deployed, extending OWASP's mission of making security visible to the rapidly evolving AI ecosystem. This conversation explores how these complementary initiatives are addressing real-world challenges—from prompt injection and data poisoning to model provenance and supply chain risks—while actively shaping international standards and regulatory frameworks. We'll discuss concrete achievements, lessons learned from global collaboration, and the ambitious roadmap ahead as these projects continue to mature and expand their impact across the AI security landscape. Segment Resources: https://owasp.org/www-project-aibom/ https://www.linkedin.com/posts/aruneeshsalhotra_owasp-ai-aisecurity-activity-7364649799800766465-DJGM/ https://www.youtube.com/@OWASPAIBOM https://www.youtube.com/@RobvanderVeer-ex3gj https://owaspai.org/ Agentic AI introduces unique and complex security challenges that render traditional risk management frameworks insufficient. In this keynote, Ken Huang, CEO of Distributedapps.ai and a key contributor to AI security standards, outlines a new approach to manage these emerging threats. The session will present a practical strategy that integrates the NIST AI Risk Management Framework with specialized tools to address the full lifecycle of Agentic AI. Segment Resources: aivss.owasp.org https://kenhuangus.substack.com/p/owasp-aivss-the-new-framework-for https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-363

Application Security Weekly (Video)
AI-Era AppSec: Transparency, Trust, and Risk Beyond the Firewall - Felipe Zipitria, Steve Springett, Aruneesh Salhotra, Ken Huang - ASW #363

Application Security Weekly (Video)

Play Episode Listen Later Dec 30, 2025 66:43


In an era dominated by AI-powered security tools and cloud-native architectures, are traditional Web Application Firewalls still relevant? Join us as we speak with Felipe Zipitria, co-leader of the OWASP Core Rule Set (CRS) project. Felipe has been at the forefront of open-source security, leading the development of one of the world's most widely deployed WAF rule sets, trusted by organizations globally to protect their web applications. Felipe explains why WAFs remain a critical layer in modern defense-in-depth strategies. We'll explore what makes OWASP CRS the go-to choice for security teams, dive into the project's current innovations, and discuss how traditional rule-based security is evolving to work alongside — not against — AI. Segment Resources: github.com/coreruleset/coreruleset coreruleset.org The future of CycloneDX is defined by modularity, API-first design, and deeper contextual insight, enabling transparency that is not just comprehensive, but actionable. At its heart is the Transparency Exchange API, which delivers a normalized, format-agnostic model for sharing SBOMs, attestations, risks, and more across the software supply chain. As genAI transforms every sector of modern business, the security community faces a question: how do we protect systems we can't fully see or understand? In this fireside chat, Aruneesh Salhotra, Project Lead for OWASP AIBOM and Co-Lead of OWASP AI Exchange, discusses two groundbreaking initiatives that are reshaping how organizations approach AI security and supply chain transparency. OWASP AI Exchange has emerged as the go-to single resource for AI security and privacy, providing over 200 pages of practical advice on protecting AI and data-centric systems from threats. Through its official liaison partnership with CEN/CENELEC, the project has contributed 70 pages to ISO/IEC 27090 and 40 pages to the EU AI Act security standard OWASP, achieving OWASP Flagship project status in March 2025. Meanwhile, the OWASP AIBOM Project is establishing a comprehensive framework to provide transparency into how AI models are built, trained, and deployed, extending OWASP's mission of making security visible to the rapidly evolving AI ecosystem. This conversation explores how these complementary initiatives are addressing real-world challenges—from prompt injection and data poisoning to model provenance and supply chain risks—while actively shaping international standards and regulatory frameworks. We'll discuss concrete achievements, lessons learned from global collaboration, and the ambitious roadmap ahead as these projects continue to mature and expand their impact across the AI security landscape. Segment Resources: https://owasp.org/www-project-aibom/ https://www.linkedin.com/posts/aruneeshsalhotra_owasp-ai-aisecurity-activity-7364649799800766465-DJGM/ https://www.youtube.com/@OWASPAIBOM https://www.youtube.com/@RobvanderVeer-ex3gj https://owaspai.org/ Agentic AI introduces unique and complex security challenges that render traditional risk management frameworks insufficient. In this keynote, Ken Huang, CEO of Distributedapps.ai and a key contributor to AI security standards, outlines a new approach to manage these emerging threats. The session will present a practical strategy that integrates the NIST AI Risk Management Framework with specialized tools to address the full lifecycle of Agentic AI. Segment Resources: aivss.owasp.org https://kenhuangus.substack.com/p/owasp-aivss-the-new-framework-for https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference! Show Notes: https://securityweekly.com/asw-363

SPOT Radio
The 5 common mistakes with medical device pouch sealers

SPOT Radio

Play Episode Listen Later Dec 4, 2025 34:42


On this episode of SPOT Radio, Charlie Webb, CPPL, breaks down five common mistakes medical device manufacturers make around equipment purchase, maintenance, and calibration. These gaps create significant process risk and are frequent root causes of failed seals in sterile barrier systems.Charlie draws on 30 years of experience in medical device packaging to explain how improper procurement choices, inconsistent maintenance schedules, and inadequate calibration practices undermine seal integrity and increase the likelihood of product recalls and patient risk. He outlines practical steps to tighten controls, improve documentation, and design validation protocols that reduce failure modes.Listen in for clear, actionable guidance on preventing seal failures, streamlining validation, and protecting patients from exposure to non‑sterile devices. Whether you manage packaging engineering, quality, or regulatory affairs, Charlie's insights will help your organisation avoid costly mistakes and strengthen your sterile barrier strategy.About Charlie Webb CPPL: Charlie Webb CPPL is the founder and President of Van der Stahl Scientific, a medical device packaging and testing machine provider and packaging testing and calibration laboratories.He is also a certified internal auditor and is the Quality Manager for Van der Stähl Scientific's demanding ISO/IEC 17025 Laboratory accreditation. Under Charlie's quality management system, his lab received the MSI Continuous Improvement Award. Charlie is a member of the IOPP Medical Device Packaging Technical Committee. He is a former co-PM in the Kiip group and voting ASTM F02 technical committee and has multiple granted and pending patents on medical device packaging machinery and pouch testers.His current patent-pending technologies include a medical device tray sealer that will integrate pouch testing within the packaging machine to provide 100% real-time seal testing. Also, in development is his patented HTIP system (human tissue isolation pouch) this disposable system is designed to help avoid packaging machine contamination.Charlie Webb CPPL Email: Charlie@vanderstahl.comwebsite:  www.vanderstahl.com

il posto delle parole
Massimiliano Bellavista "AI Compliance e Certificazione"

il posto delle parole

Play Episode Listen Later Dec 4, 2025 14:13


Massimiliano Bellavista"AI Compliance e Certificazione"La norma ISO 42001:2023 e i vantaggi della certificazione dell'AI complianceFrancoAngeli Editorewww.francoangeli.itIl volume, primo nel suo genere in Italia, si propone di guidare il lettore attraverso i processi di progettazione, implementazione, controllo e audit di un Sistema di gestione dell'Intelligenza Artificiale nel contesto aziendale. In un panorama assai complesso e in continua evoluzione come quello dell'applicazione dell'Intelligenza Artificiale ai processi organizzativi e di business, il libro offre a manager e consulenti una guida per la gestione di numerosi aspetti inerenti all'etica, alla progettazione, alla comunicazione e alla compliance in accordo con i vigenti aspetti legali e regolamentari, a cominciare dall'AI ACT.Le applicazioni dell'IA oggi spaziano dalla sanità alla finanza, dalla pubblica amministrazione alla produzione industriale, dalla mobilità urbana ai servizi educativi e culturali.Questo diffuso radicamento dell'IA solleva interrogativi cruciali in termini di responsabilità, trasparenza, sicurezza, protezione dei dati, sostenibilità e impatti sulle persone e sull'ambiente.È dunque evidente la necessità, non più rinviabile, di un quadro sistemico che consenta alle organizzazioni di gestire l'IA in modo strutturato, documentato e verificabile, creando valore, e non più come una contingente esigenza di compliance, La norma ISO/IEC 42001 rappresenta il primo tentativo compiuto, su scala globale, di costruire un Sistema di Gestione per l'Intelligenza Artificiale (AIMS). Pur collocandosi nel filone delle norme basate sulla High Level Structure (HLS), essa ne amplia significativamente l'impianto attraverso l'introduzione di strumenti specifici e innovativi. Certiquality nel 2025 ha rilasciato il primo certificato di questo tipo in Italia. Diventa un supporter di questo podcast: https://www.spreaker.com/podcast/il-posto-delle-parole--1487855/support.IL POSTO DELLE PAROLEascoltare fa pensarehttps://ilpostodelleparole.it/

Global Medical Device Podcast powered by Greenlight Guru
#432: China MedTech Compliance: Regulatory Risks, Rewards, & Strategy with Elaine Tan

Global Medical Device Podcast powered by Greenlight Guru

Play Episode Listen Later Nov 10, 2025 45:34


This episode dives into the complex and often misunderstood MedTech market in China, featuring Elaine Tan, creator of MedTech Chopsticks, who translates the nation's stringent regulatory language into actionable insights. Elaine and host Etienne Nichols discuss the substantial risks and rewards of bringing a medical device to China, highlighting the country's rapid execution, intense internal competition, and the shift from low-end manufacturing to a focus on high-level innovation. A key risk is that existing international certifications (like ISO and IEC) do not guarantee compliance, requiring local type testing and adherence to specific national standards.The conversation addresses how global medical device companies can structure their strategy amid ongoing geopolitical shifts and the "China for China" policy, which favors domestic products through initiatives like the Volume-Based Procurement (VBP). Strategies such as the dual-strategy approach—localizing low-consumable manufacturing while protecting high-technology IP through joint ventures or careful CMO/CDMO selection—are explored as pragmatic ways to secure market presence and margin. Understanding the regulatory landscape, particularly the NMPA's 2021 overhaul, is crucial for success.Finally, Elaine provides practical guidance for regulatory professionals intimidated by the market. This includes understanding the specific regulatory and clinical pathways, performing a gap analysis against Chinese standards (Product Technical Requirements or PTR), and the critical process of selecting and qualifying a local partner/agent. Elaine reveals a specific, often overlooked hurdle: the agent must possess an NMPA-approved CA (Certification Authorization) USB key to electronically submit registration files on behalf of the foreign manufacturer, a critical piece of the submission puzzle. The discussion also touches on leveraging special zones, like the Hainan Free Trade Zone, for crucial real-world data collection applicable to the Chinese population.Key Timestamps[02:40] Introduction to Elaine Tan, MedTech Chopsticks, and the show's focus on the China market.[05:05] High-level risks and rewards: complexity, lengthy registration, local testing requirements, and IP concerns.[08:08] Discussing the NMPA's 2021 regulatory overhaul and the geopolitical shift toward "China for China."[11:00] The Dual Strategy approach: balancing low-end localization with protecting high-tech IP.[14:48] Using CDMOs/CMOs for pilot projects to manage financial investment risk.[16:20] Leveraging the Hainan Free Trade Zone (Bo'ao region) for pre-market clinical data collection and urgent needs product access.[18:42] Ethological differences and their impact on clinical data justification (e.g., Pulse Oximeters).[20:17] NMPA predicate search: The importance of using the Chinese Classification Catalog to find registered, local predicate devices.[23:00] Guidance for overwhelmed regulatory professionals entering the China market: Clinical strategy and Product Technical Requirements (PTR).[25:52] Pitfalls in partner selection: The necessity of the NMPA-approved CA (Certification Authorization) USB key for submissions.[29:30] Partner qualification: Ensuring the agent can support Post-Market Surveillance (PMS) and QMS self-inspection requirements.[30:52] Final pitfall: International compliance (ISO/IEC) does not automatically ensure China...

Engineering Kiosk
#219 Technische Schulden: Bewusst aufbauen, gezielt abbauen

Engineering Kiosk

Play Episode Listen Later Oct 28, 2025 60:53


Technische Schulden: Code veröffentlichen und weiterziehen oder doch erst aufräumen?Technische Schulden fühlen sich oft nach Ballast an, können aber dein stärkster Hebel für Speed sein. Der Knackpunkt ist, sie bewusst und sichtbar einzugehen und konsequent wieder abzubauen. In dieser Episode sprechen wir darüber, wie wir technische Schulden strategisch nutzen, ohne uns langfristig festzufahren.Ward Cunningham sagt: Technische Schulden sind nicht automatisch schlechter Code. Wir ordnen ein, was wirklich als “Debt” zählt und warum Provisorien oft länger leben als geplant. Dann erweitern wir die Perspektive von der Code‑ und Architektur‑Ebene auf People und Prozesse: Knowledge Silos, fehlendes Code Review und organisatorische Entscheidungen können genauso Schulden sein wie ein any in TypeScript. Wir diskutieren sinnvolle Indikatoren wie DORA Metriken, zyklomatische Komplexität und den CRAP Index, aber auch ihre Grenzen. Warum Trends über Releases hilfreicher sind als Einzelwerte oder wie Teamskalierung die Kennzahlen beeinflusst. Dazu die Business Seite: reale Kosten, Produktivitätsverluste, Frust im Team und Fluktuation. Als Anschauung dient der Sonos App Rewrite als teures Lehrstück für akkumulierte Schulden.Wenn du wissen willst, wie du in deinem Team Technical Debt als Werkzeug nutzt, Metriken und Kultur klug kombinierst und den Business Impact sauber argumentierst, dann ist diese Episode für dich.Bonus: Wir verraten, warum Legacy allein keine Schuld ist und wie Open Source, Plattformteams und Standardisierung dir echte Zinsen sparen können.Unsere aktuellen Werbepartner findest du auf https://engineeringkiosk.dev/partnersDas schnelle Feedback zur Episode:

RIMScast
Navigating Cyber and IT Practices to Legal Safe Harbors

RIMScast

Play Episode Listen Later Oct 14, 2025 42:07


Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.   In this episode, Justin interviews Katherine Henry of Bradley, Arant, Boult, Cummings, and Harold (Hal) Weston of Georgia State University, Greenberg School of Risk Science, who are here to discuss their new professional report, “A 2025 Cybersecurity Legal Safe Harbor Overview.” Katherine and Hal take the discussion beyond the pages and delve into best cybersecurity practices, cyber insurance, and Safe Harbor laws offered by some states and possibly to be offered soon by others. They discuss frameworks and standards, and what compliance means for your organization, partly based on your state law.   Listen for advice to help you be prepared against cybercrime.   Key Takeaways: [:01] About RIMS and RIMScast. [:16] About this episode of RIMScast. We will be joined by the authors of the legislative review, “A 2025 Cybersecurity Legal Safe Harbor Overview”, Katherine Henry and Harold Weston. Katherine and Harold are also prominent members of the RIMS Public Policy Committee. [:48] Katherine and Harold are also here to talk about Cybersecurity Awareness Month and safe practices. But first…  [:53] RIMS-CRMP Prep Workshops! The next RIMS-CRMP Prep Workshops will be held on October 29th and 30th and led by John Button. [1:05] The next RIMS-CRMP-FED Virtual Workshop will be held on November 11th and 12th and led by Joseph Mayo. Links to these courses can be found through the Certifications page of RIMS.org and through this episode's show notes. [1:23] RIMS Virtual Workshops! RIMS has launched a new course, “Intro to ERM for Senior Leaders.” It will be held again on November 4th and 5th and will be led by Elise Farnham. [1:37] On November 11th and 12th, Chris Hansen will lead “Fundamentals of Insurance”. It features everything you've always wanted to know about insurance but were afraid to ask. Fear not; ask Chris Hansen! RIMS members always enjoy deep discounts on the virtual workshops! [1:56] The full schedule of virtual workshops can be found on the RIMS.org/education and RIMS.org/education/online-learning pages. A link is also in this episode's notes. [2:08] Several RIMS Webinars are being hosted this Fall. On October 16th, Zurich returns to deliver “Jury Dynamics: How Juries Shape Today's Legal Landscape”. On October 30th, Swiss Re will present “Parametric Insurance: Providing Financial Certainty in Uncertain Times”. [2:28] On November 6th, HUB will present “Geopolitical Whiplash — Building Resilient Global Risk Programs in an Unstable World”. Register at RIMS.org/Webinars. [2:40] Before we get on with the show, I wanted to let you know that this episode was recorded in the first week of October. That means we are amid a Federal Government shutdown. RIMS has produced a special report on “Key Considerations Regarding U.S. Government Shutdown.” [2:58] This is an apolitical problem. It is available in the Risk Knowledge section of RIMS.org, and a link is in this episode's show notes. Visit RIMS.org/Advocacy for more updates. [3:12] Remember to save March 18th and 19th on your calendars for the RIMS Legislative Summit 2026, which will be held in Washington, D.C. I will continue to keep you informed about that critical event. [3:24] On with the show! It's National Cybersecurity Awareness Month here in the U.S. and in many places around the world. Cyber continues to be a top risk among organizations of all sizes in the public and private sectors. [3:40] That is why I'm delighted that Katherine Henry and Harold (Hal) Weston are here to discuss their new professional report, “A 2025 Cybersecurity Legal Safe Harbor Overview”. [3:52] This report provides a general overview of expected cybersecurity measures that organizations must take to satisfy legal Safe Harbor requirements. [4:01] It summarizes state Safe Harbor laws that have been developed to ensure organizations are proactive about cybersecurity and that digital, financial, and intellectual assets are legally protected when that inevitable cyber attack occurs. [4:15] We are here to extend the dialogue. Let's get started! [4:21] Interview! Katherine Henry and Hal Weston, welcome to RIMScast! [4:41] Katherine was one of he first guests on RIMScast. Katherine is Chair of the Policyholder Insurance Coverage Practice at Bradley, Arant, Boult, Cummings. Her office is based in Washington, D.C. She works with risk managers all day on insurance issues. [5:05] Katherine has been a member of the RIMS Public Policy Committee for several years. She serves as an advisor to the Committee. [5:12] Justin thanks Katherine for her contributions to RIMS. [5:25] Hal is with Georgia State University. He has been with RIMS for a couple of decades. Hal says he and Katherine have served together on the RIMS Public Policy Committee for maybe 10 years. [5:48] Hal is a professor at Georgia State University, a Clinical Associate in the Robinson College of Business, Greenberg School of Risk Science, where he teaches risk management and insurance. Before his current role, Hal was an insurance lawyer, both regulatory and coverage. [6:05] Hal has a lot of students. He is grading exams this week. He has standards for his class. In the real world, so does a business. [6:46] Katherine and Hal met through the RIMS Public Policy Committee. They started together on some subcommittees. Now they see each other at the annual meeting and on monthly calls. [7:05] Katherine and Hal just released a legislative review during RIMS's 75th anniversary, “A 2025 Cybersecurity Legal Safe Harbor Overview”. It is available on the Risk Knowledge page of RIMS.org. [7:20] We're going to get a little bit of dialogue that extends beyond the pages. [7:31] Katherine explains Safe Harbor: When parties are potentially liable to third parties for claims, certain states have instilled Safe Harbor Laws that say, If you comply with these requirements, we'll provide you some liability protection. [7:45] Katherine recommends that you read the paper to see what the laws are in your state. The purpose of the paper is to describe some of those Safe Harbor laws, as well as all the risks. [8:04] October 14th, the date this episode is released, is World Standards Day. Hal calls that good news. Justin says the report has a correlation with the standards in the risk field. [8:43] Justin states that many states tie Safe Harbor eligibility to frameworks like NIST, the ISO/IEC 27000, and CIS Controls. [9:27] Hal says, There are several standards, and it would be up to the Chief Information Security Officer to guide a company on which framework might be most appropriate for them. There are the NIST, UL, and ISO, and they overlap quite a bit. [9:56] These are recognized standards. In some states, if a company has met this standard of cybersecurity, a lawsuit against the company for breach of its standard of care for maintaining its information systems would probably be defensible for having met a recognized standard. [10:23] Katherine adds that as risk managers, we can't make the decision about which of these external standards is the best. Many organizations have a Cybersecurity Officer responsible for this. [10:44] For smaller organizations, there are other options, including outsourcing to a vendor. Their insurance companies may have recommendations. So you're not on your own in making this decision. [11:14] Katherine says firms should definitely aim for one recognized standard. Katherine recommends you try to adhere to the highest standard. If you are global, you need to be conscious of standards in other countries. [11:46] Hal says California tends to have the highest standards for privacy and data protection. If you're a financial services company, you're subject to New York State's Department of Financial Services Cyber Regulation. [12:02] If you're operating in Europe, GDPR is going to be the guiding standard for what you should do. Hal agrees with Katherine: Any company that spans multiple states should pick the highest standard and stick to that, rather than try to implement five or 52 standards. [12:23] When you're overseas, you may not be able to just pick the highest standard; there are challenges in going from one country or region of Europe back to the U.S. If one is higher, it will probably be easier. [12:38] There are major differences between the U.S., which has little Federal protection, vs. state protection. [13:10] Katherine says if you don't have the internal infrastructure, and you can't afford that infrastructure, the best thing is to pivot to an outside vendor. There are many available, with a broad price range. Your cyber insurer may also have some vendors they already work with. [13:40] Hal would add, Don't just think about Safe Harbors. That's just a legal defense. Think about how you reduce the risk by adopting standards or hiring outside firms that will provide that kind of risk protection and IT management. [13:59] If they're doing it right, they may tell you the standards they use, and they may have additional protocols, whether or not they fall within those standards, that would also be desirable. A mid-sized firm is probably outsourcing it to begin with. [14:21] They have to be thinking about it as risk, rather than just Safe Harbor. You have to navigate to the Safe Harbor. You don't just get there. [14:31] Quick Break! RISKWORLD 2026 will be in Philadelphia, Pennsylvania, from May 3rd through the 6th. RIMS members can now lock in the 2025 rate for a full conference pass to RISKWORLD 2026 when you register by October 30th! [14:50] This also lets you enjoy earlier access to the RISKWORLD hotel block. Register by October 30th, and you will also be entered to win a $500 raffle! Do not miss out on this chance to plan and score some of these extra perks! [15:03] The members-only registration link is in this episode's show notes. If you are not yet a member, this is the time to join us! Visit RIMS.org/Membership and build your network with us here at RIMS! [15:16] The RIMS Legislative Summit 2026 is mentioned during today's episode. Be sure to mark your calendar for March 18th and 19th in Washington, D.C. Keep those dates open. [15:28] Join us in Washington, D.C., for two days of Congressional Meetings, networking, and advocating on behalf of the risk management community. Visit RIMS.org/Advocacy for more information and updates.  [15:41] Let's return to our interview with Katherine Henry and Hal Weston! [15:54] We're talking about their new paper, “A 2025 Cybersecurity Legal Safe Harbor Overview”. Katherine mentions that some businesses are regulated. They have to comply with external regulatory standards. [16:38] Other small brick-and-mortar businesses may not have any standards they have to comply with. They look for what to do to protect themselves from cyber risk, and how to tell others they are doing that. [16:54] If you can meet the standards of Safe Harbor laws, a lot of which are preventative, before a breach, you can inform your customers, “These are the protections we have for your data.” You can tell your board, “These are the steps we're taking in place.” [17:13] You can look down the requirements of the Safe Harbor law in your state or a comparable state, and see steps you can take in advance so you can say, “We are doing these things and that makes our system safer for you and protects your data.” [17:34] Hal says you don't want to have a breach, and if you do, it would be embarrassing to admit you were late applying a patch, implementing multi-factor authentication, or another security measure. By following standards of better cyber protection, you avoid those exposures. [18:07] Hal says every company has either been hacked and knows it, or has been hacked and doesn't know it. If you're attacked by a nation-state that is non-preventable, you're in good shape. [18:26] If you're attacked because you've left some ports open on your system, or other things that are usually caught in cybersecurity analyses or assessments, that's the embarrassing part. You don't want to be in that position. [18:43] Katherine says it's not just your own systems, but if you rely on vendors, you want to ensure that the vendors have the proper security systems in place so that your data, to the extent that it's transmitted to them, is not at risk. [19:07] Also, make sure that your vendors have cyber insurance and that you're an additional insured on that vendor's policy if there's any potential exposure. [19:22] Hal says If you're using a cloud provider, do you understand what the cloud provider is doing? In most cases, they will provide better security than what you could do on your own, but there have been news stories that even some of those have not been perfect. [20:22] Hal talks about the importance of encryption. It's in the state statutes and regulations. There have been news stories of companies that didn't encrypt their data on their servers or in the cloud, and didn't understand encryption, when a data breach was revealed. [20:52] Hal places multi-factor authentication up with encryption in importance. There was a case brought against a company that did not have MFA, even though it said on its application on the cyber policy that the company used it. [21:13] Hal says these are standard, basic things that no company should be missing. If you don't know that your data is encrypted, get help fast to figure that out. [21:51] Hal has also seen news stories of major companies where the Chief Technology Officer has been sued individually, either by the SEC or others, for not doing it right. [22:07] Katherine mentions there are insurance implications. If you mistakenly state you're providing some sort of protection on your insurance application that you're not providing, the insurer can rescind your coverage, so you have no coverage in place at all. [22:23] Katherine says, These are technical safeguards, but we know the human factor is one of the greatest risks in cybersecurity. Having training for everyone who has access to your computer system, virtually everyone in your organization, is very important. [22:49] Have a test with questions like, Is this a spam email or a real email? There are some vendors who can do all this for you. Statistics show that the human element is one of the most significant problems in cybersecurity protection. [23:05] Justin says it's October, Cybersecurity Awareness Month in the U.S. Last week's guest, Gwenn Cujdik, the Incident Response and Cyber Services Lead for North America at AXA XL, said the number one cyber risk is human error, like clicking the phishing link.  [23:45] Justin brings up that when he was recently on vacation, he got an email on his personal email account, “from his CEO,” asking him to handle something for them. Justin texted somebody else at RIMS, asking if they got the same email, and they hadn't. [24:14] Justin sent the suspect email to the IT director to handle. You have to be vigilant. Don't let your guard down for a second. [24:48] Katherine has received fake emails, as well. [24:51] Hal says it has happened to so many people. Messages about gift cards or the vendor having a new bank account. Call the vendor that you know and ask what this is. [25:12] Hall continues. It's important to train employees in cybersecurity, making sure that they are using a VPN when they are outside of the office, or even a VPN that's specific to your company. [25:32] Hal saw in the news recently that innocent-looking PDF files can harbor lots of malware. If you're not expecting a PDF file from somebody, don't click on that, even if you know them. Get verification. Start a new thread with the person who sent it and ask if it is a legitimate PDF. [26:08] Justin says of cybercriminals that they are smart and their tactics evolve faster than legislation. How can organizations anticipate the next generation of threats? [26:34] Katherine says, You need to have an infrastructure in your organization that does that, or you need to go to an outside vendor. You need some sort of protection, internally or externally. [27:11] Katherine says she works with CFOs all the time. If an organization isn't large enough to have a risk manager, it's a natural fit for the CFO, who handles finances, to handle insurance. When it comes to cybersecurity, a CFO needs help. [27:46] The CFO should check the cyber policy to see what support services are already there and see if there are any that are preventative, vs. after a breach. If there are not, Katherine suggests pivoting to an outside vendor. [28:07] Hal continues, This interview is for RIMS members who are risk managers and the global risk community. Risk managers don't claim to know all the risk control measures throughout a company. They rely upon the experts in the company and outside. [28:29] If the CFO is the risk manager, he or she has big gaps in expertise needed for risk management. It's the same for the General Counsel running risk management. Risk managers are known for having small staffs and working with everybody else to get the right answers. [28:55] If you're dealing with the CFO or General Counsel in those roles, they need to be even more mindful to work with the right experts for guidance. [29:09] One Final Break! As many of you know, the RIMS ERM Conference 2025 will be held on November 17th and 18th in Seattle, Washington. We recently had ERM Conference Keynote Speaker Dan Chuparkoff on the show. [29:26] He is back, just to deliver a quick message about what you can expect from his keynote on “AI and the Future of Risk.” Dan, welcome back to RIMScast! [29:37] Dan says, Greetings, RIMS members and the global risk community! I'm Dan Chuparkoff, AI expert and the CEO of Reinvention Labs. I'm delighted to be your opening keynote on November 17th at the RIMS ERM Conference 2025 in Seattle, Washington. [29:52] Artificial Intelligence is fueling the next era of work, productivity, and innovation. There are challenges in navigating anything new. This is especially true for risk management, as enterprises adapt to shifting global policies, economic swings, and a new generation of talent. [30:10] We'll have a realistic discussion about the challenges of preparing for the future of AI. To learn more about my keynote, “AI and the Future of Risk Management,”  and how AI will impact Enterprise Risk Management for you, listen to my episode of RIMScast at RIMS.org/Dan. [30:29] Be sure to register for the RIMS ERM Conference 2025, in Seattle, Washington, on November 17th and 18th, by visiting the Events page on RIMS.org. I look forward to seeing you all there. [30:40] Justin thanks Dan and looks forward to seeing him again on November 17th and hearing all about the future of AI and risk management! [30:48] Let's Conclude Our Interview about Navigating Cyber and IT Practices to Legal Safe Harbors with Katherine Henry and Hal Weston! [31:17] Katherine tells about how Safe Harbor compliance influences cyber insurance. If your organization applies for cyber insurance and you can't meet some minimum threshold that will be identified on the application, the insurer will not even offer you cyber insurance. [31:34] You need to have some cyber protections in place. That's just to procure insurance. Cyber insurance availability is growing. Your broker can bring you more insurers to quote if you can show robust safeguards. [32:05] After the breach, your insurer is supposed to step in to help you. Your insurer will be mindful of whether or not your policy application is correct and that you have all these protections in place. [32:21] The more protections you have, the quicker you might be able to shut down the breach, and the resulting damage from the breach, and that will lower the resulting cost of the claim and have less of an impact on future premiums. [32:36] If the cyber insurer just had to pay out the limits because something wasn't in place, that quote next year is not going to look so pretty. Your protections have a direct impact on both the availability and cost of coverage. [32:50] Justin mentions that the paper highlights Connecticut, Tennessee, Iowa, Ohio, Utah, and Oregon as the states with Safe Harbor laws. The Federal requirements are also listed. Katherine expects that more states will offer Safe Harbor laws as cybercrime lawsuits increase. [33:42] Hal says Oregon, Ohio, and Utah were the leaders in creating Safe Harbors. Some of the other states have followed. Safe Harbor is a statutory protection against liability claims brought by the public. [34:06] In other states, you can't point to a statute that gives protection, but you can say you complied with the highest standards in the nation, and you probably have a pretty defensible case against a claim for not having kept up with your duty to protect against a cyber attack. [34:55] Hal adds that every company is going to be sued, and the claim is that you failed to do something. If you have protected yourself with all the known best practices, as they evolve, what more is a company supposed to do? [35:18] The adversaries are nation-states; they are professional criminals, sometimes operating under the protection of nation-states, and they're using artificial intelligence to craft even more devious ways to get in. [36:19] Katherine speaks from a historical perspective. A decade ago, cyber insurance was available, but there was no appetite for it. There wasn't an understanding of the risk. [36:32] As breaches began to happen and to multiply, in large amounts of exposure, with companies looking at millions of dollars in claims, interest grew. Katherine would be surprised today if any responsible board didn't take cyber risk extremely seriously. [36:55] The board's decision now is what limits to purchase and from whom, and not, “Should we have cyber insurance at all?” Katherine doesn't think it's an issue anymore in any medium-sized company. [37:17] The risk manager should present to the board, “We benchmark. Our broker benchmarks. Companies of our size have had this type of claim, with this type of exposure, and they've purchased this amount of limits. We need to be at least in that place.” Boards will be receptive. [37:43] If they are not receptive, put on a PowerPoint with all the data that's out there about how bad the situation is. The average cost of a breach is well over $2 million. The statistics are quite alarming. A wise decision-maker will understand that you need to procure this coverage. [38:10] Katherine says, from the cybersecurity side, you procure the coverage, you protect the company, and take advantage of the Safe Harbors. All of those things come together with the preventative measures we've been talking about. [38:24] You can show your decision-makers and stakeholders that if you do all those things, comply with these Safe Harbor provisions, you're going to minimize your exposure, increase the availability of insurance, and keep your premiums down. It's a win-win package. [38:41] Justin says, It has been such a pleasure to meet you, Hal, and thank you for joining us. Katherine, it is an annual pleasure to see you. We're going to see you, most likely, at the RIM Legislative Summit, March 18th and 19th, 2026, in Washington, D.C. [39:01] Details to come, at RIMS.org/Advocacy. Katherine, you'll be there to answer questions. Katherine looks forward to the Summit. She has gone there for years. It's a great opportunity for risk managers to speak directly to decision-makers about things that are important to them. [39:42] Special thanks again to Katherine Henry and Hal Weston for joining us here today on RIMScast! Remember to download the new RIMS Legislative Review, “A 2025 Cybersecurity Legal Safe Harbor Overview”. [39:58] We are past the 30-day mark now, so the review is publicly available through the Risk Knowledge Page of RIMS.org. You can also visit RIMS.org/Advocacy for more information. In this episode's notes, I've got links to Katherine's prior RIMScast appearances. [40:18] Plug Time! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in the show notes. [40:47] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let's collaborate and help you reach them! Contact pd@rims.org for more information. [41:05] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information. [41:22] Risk Knowledge is the RIMS searchable content library that provides relevant information for today's risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more. [41:39] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management. [41:53] Justin Smulison is the Business Content Manager at RIMS. Please remember to subscribe to RIMScast on your favorite podcasting app. You can email us at Content@RIMS.org. [42:05] Practice good risk management, stay safe, and thank you again for your continuous support!   Links: RIMS Professional Report: “A 2025 Cybersecurity Legal Safe Harbor Overview” RISK PAC | RIMS Advocacy | RIMS Legislative Summit SAVE THE DATE — March 18‒19, 2026 RIMS ERM Conference 2025 — Nov. 17‒18 RISKWORLD 2026 — Members-only early registration through Oct 30! RIMS-Certified Risk Management Professional (RIMS-CRMP) The Strategic and Enterprise Risk Center RIMS Diversity Equity Inclusion Council RIMS Risk Management magazine | Contribute RIMS Now Cybersecurity Awareness Month World Standards Day — Oct 14, 2025 Upcoming RIMS Webinars: RIMS.org/Webinars “Jury Dynamics: How Juries Shape Today's Legal Landscape” | Oct. 16, 2025 | Sponsored by Zurich “Parametric Insurance: Providing Financial Certainty in Uncertain Times” | Oct. 30, 2025 | Sponsored by Swiss Re “Geopolitical Whiplash — Building Resilient Global Risk Programs in an Unstable World” | Nov. 6 | Sponsored by Hub   Upcoming RIMS-CRMP Prep Virtual Workshops: RIMS-CRMP Virtual Exam Prep — Oct. 29‒30, 2025 RIMS-CRMP-FED Exam Prep Virtual Workshop — November 11‒12 Full RIMS-CRMP Prep Course Schedule “Risk Appetite Management” | Oct 22‒23 | Instructor: Ken Baker “Intro to ERM for Senior Leaders” | Nov. 4‒5 | Instructor: Elise Farnham “Fundamentals of Insurance” | Nov. 11‒12 | Instructor: Chris Hansen “Leveraging Data and Analytics for Continuous Risk Management (Part I)” | Dec 4. See the full calendar of RIMS Virtual Workshops RIMS-CRMP Prep Workshops   Related RIMScast Episodes about Cyber and with Katherine Henry: “National Cybersecurity Awareness Month 2025 with Gwenn Cujdik” “AI Risks and Compliance with Chris Maguire” “Data Privacy and Protection with CISA Chief Privacy Officer James Burd” “Cyberrisk Trends in 2025 with Tod Eberle of Shadowserver” “Legal and Risk Trends with Kathrine Henry (2023)”   Sponsored RIMScast Episodes: “The New Reality of Risk Engineering: From Code Compliance to Resilience” | Sponsored by AXA XL (New!) “Change Management: AI's Role in Loss Control and Property Insurance” | Sponsored by Global Risk Consultants, a TÜV SÜD Company Demystifying Multinational Fronting Insurance Programs | Sponsored by Zurich “Understanding Third-Party Litigation Funding” | Sponsored by Zurich “What Risk Managers Can Learn From School Shootings” | Sponsored by Merrill Herzog “Simplifying the Challenges of OSHA Recordkeeping” | Sponsored by Medcor “Risk Management in a Changing World: A Deep Dive into AXA's 2024 Future Risks Report” | Sponsored by AXA XL “How Insurance Builds Resilience Against An Active Assailant Attack” | Sponsored by Merrill Herzog “Third-Party and Cyber Risk Management Tips” | Sponsored by Alliant “RMIS Innovation with Archer” | Sponsored by Archer “Navigating Commercial Property Risks with Captives” | Sponsored by Zurich “Breaking Down Silos: AXA XL's New Approach to Casualty Insurance” | Sponsored by AXA XL “Weathering Today's Property Claims Management Challenges” | Sponsored by AXA XL “Storm Prep 2024: The Growing Impact of Convective Storms and Hail” | Sponsored by Global Risk Consultants, a TÜV SÜD Company “Partnering Against Cyberrisk” | Sponsored by AXA XL “Harnessing the Power of Data and Analytics for Effective Risk Management” | Sponsored by Marsh “Accident Prevention — The Winning Formula For Construction and Insurance” | Sponsored by Otoos “Platinum Protection: Underwriting and Risk Engineering's Role in Protecting Commercial Properties” | Sponsored by AXA XL “Elevating RMIS — The Archer Way” | Sponsored by Archer   RIMS Publications, Content, and Links: RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community! RIMS Virtual Workshops On-Demand Webinars RIMS-Certified Risk Management Professional (RIMS-CRMP) RISK PAC | RIMS Advocacy RIMS Strategic & Enterprise Risk Center RIMS-CRMP Stories — Featuring RIMS President Kristen Peed!   RIMS Events, Education, and Services: RIMS Risk Maturity Model®   Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information.   Want to Learn More? Keep up with the podcast on RIMS.org, and listen on Spotify and Apple Podcasts.   Have a question or suggestion? Email: Content@rims.org.   Join the Conversation! Follow @RIMSorg on Facebook, Twitter, and LinkedIn.   About our guests: Katherine Henry, Partner and Chair of the Policyholder Coverage Practice, Bradley, Arant, Boult, and Cummings   Harold Weston, Clinical Associate Professor and WSIA Distinguished Chair in Risk Management and Insurance, Georgia State University College of Law Production and engineering provided by Podfly.  

Metrology Today Podcast
Metrology Today Podcast S4E7: Jane Weitzel

Metrology Today Podcast

Play Episode Listen Later Sep 17, 2025 71:17


Jane Weitzel has been working in analytical chemistry for over 40 years for pharmaceutical and mining companies.  She was elected to the United States Pharmacopeia Council of Experts as chair of the 2020-2025 General Chapters–Measurement and Data Quality Expert Committee and is a member of the 2025-2030 EC Pharmaceutical Analysis Lifecycle and Data Science. She was a member of the USP 2015-2020 Statistics Expert Committee. She has been Director of pharmaceutical Quality Control laboratories. She has experience with many different regulatory environments.   She is currently a consultant specializing in laboratory management systems, GMP testing, and ISO/IEC 17025. She is an auditor and an educator. Jane has applied Quality Systems and statistical techniques, including the evaluation and use of measurement uncertainty, in a wide variety of technical and scientific businesses. Recently she is focusing on the implementation of the new USP General Chapter 1220 Analytical Procedures Life Cycle. 

The Compliance Guy
Episode 382 - A Game Changer for AI Governance - Walter Haydock

The Compliance Guy

Play Episode Listen Later Sep 5, 2025 37:41


SummaryIn this conversation, Sean M Weiss and Walter Haydock discuss the implications of ISO IEC 42001 in the healthcare sector, focusing on AI governance, regulatory compliance, and the management of bias in AI systems. They explore the challenges faced by multi-site healthcare organizations, the importance of leadership in ethical AI use, and real-world examples of organizations implementing ISO 42001. The discussion also touches on the legislative landscape surrounding AI and the need for clear policies in healthcare AI applications.TakeawaysISO 42001 is a blueprint for managing AI risk.Bias in AI is unavoidable but can be managed.Leadership commitment is essential for effective AI governance.ISO 42001 aids in compliance with regulations like HIPAA.Multi-site healthcare systems face unique challenges in AI implementation.Ethical AI use is crucial in telemedicine applications.Real-world examples show the benefits of ISO 42001 certification.Behavioral health can greatly benefit from AI governance.Integrating ISO standards enhances overall AI governance.Legislators need to improve their understanding of AI issues.

The FIT4PRIVACY Podcast - For those who care about privacy
Where Does Digital Trust Fit into Board's Agenda with Bruno Soares and Punit Bhatia in the FIT4PRIVACY Podcast E146 S06

The FIT4PRIVACY Podcast - For those who care about privacy

Play Episode Listen Later Aug 28, 2025 28:42


Ever wondered where digital trust fits in your company's strategy? We live in a world that's buzzing with AI, cybersecurity, and digital innovation. Everywhere you look, there's a new app, a smarter tool, or a faster system. But in the middle of all this tech hype, there's one thing we often overlook—trust.In this insightful conversation, Punit discusses with Bruno about the crucial influence of technology, economy, and other external factors on business strategies. They delve into how companies navigate different environments, the role of digital transformation, and the importance of maintaining a balanced ecosystem approach.If you're a leader, strategist, privacy professional, or tech enthusiast trying to make sense of innovation, trust, and governance in today's world—this conversation is a must-watch.KEY CONVERSION00:02:02 What is the concept of digital trust? Was it trust enough?00:04:40 Can we expect digital trust in an emerging world of new technology in 10-20 years?00:09:15 Is the board convinced about the value of digital trust or are they still in compliance mode?00:13:15 How do we sell this concept of digital trust on the boards? 00:18:51 Linking concept of trust, security and privacy to the broader agenda 00:25:58 What is it that you can sell them with and how can they reach out?  ABOUT GUESTBruno Horta Soares is a seasoned executive advisor, professor, and keynote speaker with over 20 years of experience in Governance, Digital Transformation, Risk Management, and Information Security. He is the founder of GOVaaS – Governance Advisors as-a-Service and has worked with organizations across Portugal, Angola, Brazil, and Mozambique to align governance and technology for sustainable business value.Since 2015, Bruno has served as Leading Executive Senior Advisor at IDC Portugal, guiding C-level leaders in digital strategy, transformation, governance, and cybersecurity. He is also a professor at top Portuguese business schools, including NOVA SBE, Católica Lisbon, ISCTE, ISEG, and Porto Business School, teaching in Masters, MBA, and Executive programs on topics such as IT Governance, Cybersecurity, Digital Transformation, and AI for Leadership.He holds a degree in Management and Computer Science (ISCTE), an executive program in Project Management (ISLA), and numerous professional certifications: PMP®, CISA®, CGEIT®, CRISC™, ITIL®, ISO/IEC 27001 LA, and COBIT® Trainer. As a LEGO® SERIOUS PLAY® Facilitator, he brings creativity into strategy and leadership development.Bruno received the ISACA John Kuyers Award for Best Speaker in 2019 and is the founder and current President of the ISACA Lisbon Chapter. A frequent international speaker, he shares expertise on governance and digital innovation globally.ABOUT HOST Punit Bhatia is one of the leading privacy experts who works independently and has worked with professionals in over 30 countries. Punit works with business and privacy leaders to create an organization culture with high privacy awareness and compliance as a business priority. Selectively, Punit is open to mentor and coach professionals.Punit is the author of books “Be Ready for GDPR' which was rated as the best GDPR Book, “AI & Privacy – How to Find Balance”, “Intro To GDPR”, and “Be an Effective DPO”. Punit is a global speaker who has spoken at over 30 global events. Punit is the creator and host of the FIT4PRIVACY Podcast. This podcast has been featured amongst top GDPR and privacy podcasts.As a person, Punit is an avid thinker and believes in thinking, believing, and acting in line with one's value to have joy in life. He has developed the philosophy named ‘ABC for joy of life' which passionately shares. Punit is based out of Belgium, the heart of Europe.RESOURCES Websites www.fit4privacy.com,www.punitbhatia.com, https://www.linkedin.com/in/brunohsoares/ Podcast https://www.fit4privacy.com/podcast Blog https://www.fit4privacy.com/blog YouTube http://youtube.com/fit4privacy   

Technology Tap
I'm back and Security Plus Chapter 1

Technology Tap

Play Episode Listen Later Aug 20, 2025 25:33 Transcription Available


Send us a textProfessor JRod makes a triumphant return to Technology Tap after a year-long hiatus, bringing listeners up to speed on his personal journey and diving straight into Security Plus 701 fundamentals. Having completed his doctorate and subsequently focusing on his health—resulting in an impressive 50-pound weight loss—he reconnects with his audience with the same passion and expertise that made his podcast popular.The heart of this comeback episode centers on essential cybersecurity concepts, beginning with the CIA triad (confidentiality, integrity, availability) that forms the foundation of information security. Professor J-Rod expertly breaks down complex frameworks including NIST, ISO/IEC standards, and compliance-driven approaches like HIPAA and GDPR, explaining how organizations should select frameworks based on their specific industry requirements.With his trademark clear explanations, he walks listeners through the process of gap analysis—a methodical approach to identifying differences between current security postures and desired standards. The episode then transitions to a comprehensive overview of access control models, including Discretionary, Mandatory, Role-Based, Attribute-Based, and Rule-Based controls, each illustrated with practical examples that bring abstract concepts to life.What sets this episode apart is the interactive element, as Professor JRod concludes with practice questions that challenge listeners to apply their newly acquired knowledge. This practical approach bridges the gap between theory and real-world implementation, making complex security concepts accessible to professionals and students alike. Whether you're preparing for certification or simply expanding your cybersecurity knowledge, this return episode delivers valuable insights from an educator who clearly missed sharing his expertise with his audience.Support the showIf you want to help me with my research please e-mail me.Professorjrod@gmail.comIf you want to join my question/answer zoom class e-mail me at Professorjrod@gmail.comArt By Sarah/DesmondMusic by Joakim KarudLittle chacha ProductionsJuan Rodriguez can be reached atTikTok @ProfessorJrodProfessorJRod@gmail.com@Prof_JRodInstagram ProfessorJRod

Intangiblia™
Plug, Play, or Pay: The Legal Code Behind AI Interoperability

Intangiblia™

Play Episode Listen Later Aug 4, 2025 50:23 Transcription Available


The invisible legal architecture behind AI systems, either talking to each other or failing spectacularly, takes center stage in this deep dive into interoperability. Far more than technical specifications, the ability of AI models to connect and share data represents a battlefield where intellectual property rights, competition law, and global governance clash to determine who controls the digital ecosystem.Starting with IBM's mainframe antitrust case, we trace how European regulators forced a tech giant to provide third parties with technical documentation needed for maintenance. This early precedent established that when your system becomes essential infrastructure, monopolizing access raises legal red flags. The SAS v. World Programming Limited ruling further clarified that functionality, programming languages, and data formats cannot be protected by copyright, giving developers freedom to create compatible systems without infringement concerns.Patent battles reveal another dimension of interoperability politics. Cases like Huawei v. ZTE established detailed protocols for negotiating Standard Essential Patents, preventing companies from weaponizing their intellectual property to block competitors. The Microsoft v. Motorola judgment defined what "reasonable" licensing fees actually look like, protecting the principle that interoperability shouldn't bankrupt smaller players.Google's decade-long fight with Oracle over Java API copyright culminated in a Supreme Court victory validating that reimplementing interfaces for compatibility constitutes fair use, a landmark decision protecting the ability to build systems that communicate with existing platforms without permission. Meanwhile, the Oracle v. Rimini ruling reinforced that third-party software support isn't derivative copyright infringement, even when designed exclusively for another company's ecosystem.Beyond courtrooms, international frameworks increasingly shape AI interoperability standards. From UNESCO's ethics recommendation to ISO/IEC 42001 certification, from the G7 Hiroshima AI Process to regional initiatives like the African Union's Data Policy Framework, these governance mechanisms are establishing a global language for compatible, trustworthy AI development.Whether you're building AI systems, crafting policy, or simply trying to understand why your tools won't work together, these legal precedents reveal that interoperability isn't just about good coding. It's about who controls the playground, the rulebook, and ultimately, the future of AI innovation.Send us a text

Intangiblia™ en español
Conectar, Jugar o Pagar: El Código Legal detrás de la Interoperabilidad en la IA

Intangiblia™ en español

Play Episode Listen Later Aug 4, 2025 50:21 Transcription Available


Send us a textLas batallas legales por la interoperabilidad están definiendo silenciosamente el futuro de la inteligencia artificial. Mientras desarrolladores y empresas se concentran en crear sistemas cada vez más potentes, el verdadero poder radica en quién controla los estándares, protocolos y ecosistemas donde estos sistemas operan.Nuestro recorrido comienza con casos emblemáticos como IBM frente a la Comisión Europea, donde se estableció que cuando una tecnología se vuelve infraestructura crítica, sus propietarios adquieren responsabilidades especiales. El tribunal europeo en el caso SAS vs World Programming revolucionó nuestra comprensión de los límites del copyright al determinar que funcionalidades y lenguajes de programación no están protegidos, abriendo la puerta a la ingeniería inversa para compatibilidad.Las guerras de patentes esenciales para estándares también han moldeado el panorama de interoperabilidad. Desde Microsoft contra Motorola hasta la batalla entre FTC y Qualcomm, estas disputas han definido cuándo y cómo los titulares de patentes incorporadas en estándares deben licenciarlas bajo términos justos, razonables y no discriminatorios (FRAND). El caso Google vs Oracle sobre APIs estableció un precedente crucial para la reimplementación de interfaces en nuevos contextos, vital para el desarrollo de ecosistemas de IA compatibles.Más allá de los tribunales, marcos internacionales como la Recomendación de la UNESCO sobre ética en IA, el estándar ISO IEC 42001 y la Declaración de la Década Digital europea están creando una infraestructura global de gobernanza que prioriza la interoperabilidad como requisito fundamental. Estas iniciativas reconocen que la IA del futuro no solo debe ser potente, sino también compatible, transparente y capaz de funcionar a través de fronteras y plataformas.Si estás desarrollando sistemas de IA o invirtiendo en ellos, comprender estas dinámicas legales no es opcional—es estratégico. La verdadera innovación no está solo en crear la IA más avanzada, sino en construir sistemas que puedan colaborar, cumplir con estándares globales y escalar responsablemente. ¿Tu sistema de IA está preparado para este nuevo paradigma de interoperabilidad jurídica y técnica?Support the show

Cybersecurity Where You Are
Episode 146: What Security Looks Like for a Security Company

Cybersecurity Where You Are

Play Episode Listen Later Jul 30, 2025 34:01


In episode 146 of Cybersecurity Where You Are, Tony Sager is joined by Angelo Marcotullio, Chief Information Officer at the Center for Internet Security®(CIS®); and Stephanie Gass, Sr. Director of Information Security at CIS. Together, they look back on periods of transition at CIS to discuss what security looks like for a security company. Here are some highlights from our episode:00:58. Introductions with Angelo and Stephanie02:07. A pro and a con of IT consulting work04:12. The importance of soft skills in bringing the Multi-State Information Sharing and Analysis Center® into CIS06:12. Looking at security from a corporate perspective with the CIS Critical Security Controls07:08. How IT and IT security are essential to corporate strategy07:45. The use of governance to support merging three business units into an integrated security company12:04. The value of security champions in adapting to regulatory and business changes15:15. What IT and Security teams can accomplish when they work as partners17:18. The use of data to inform Board decisions and conversations around risk20:38. How getting a seat at the table helps with understanding a Board's risk appetite and communicating that out to teams25:01. How infrastructure built for growth, not the smallest business case, produced a smooth transition to work from home in March 202029:30. Advice for folks starting out in security31.28. The importance of collaboration and culture in implementing security as an organizationResourcesEpisode 144: Carrying on the MS-ISAC's Character and CultureThe CIS Security Operations Center (SOC): The Key to Growing Your SLTT's Cyber MaturityGuide to Implementation Groups (IG): CIS Critical Security Controls v8.1CIS Controls v8.1 Mapping to ISO/IEC 27001:2022CIS Controls v8.1 Mapping to SOC2CIS Controls v8.1 Mapping to NIST SP 800-171 Rev 3Reasonable CybersecurityEpisode 110: How Security Culture and Corporate Culture MeshIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

The Standards Show
Ethics, AI, and Africa

The Standards Show

Play Episode Listen Later Jun 20, 2025 37:30


In this episode, Matthew speaks with academic and philosopher Catherine Botha, Professor of Art, Culture, and Technology at the University of Johannesburg. Together, they explore whether there's a uniquely African context for AI development - and what cultural, social, and economic values should guide its deployment across the continent. They also dive into ISO/IEC 42001, asking whether this AI management systems standard is flexible and inclusive enough to reflect Africa's specific needs. Catherine also unpacks the concept of the Philosophy of AI - what it means, and why it matters - and shares her ‘standards journey', one inspired by her very savvy students.It's part conversation, part audio love letter to the stakeholder-driven standards process: grounded in transparency, consensus, and voluntarism, and - as Catherine argues - essential to delivering social justice in the age of AI.Find out more about the issues raised in this episodeISO/IEC 42001 – AI management systemsThe Standards Show | Revisiting ISO/IEC 42001Get involved with standardsGet in touch with The Standards Showeducation@bsigroup.comsend a voice messageFind and follow on social mediaX @StandardsShowInstagram @thestandardsshowLinkedIn | The Standards Show

SPOT Radio
“Sterile Summer” Patient Safety Road Trip 2025

SPOT Radio

Play Episode Listen Later May 24, 2025 15:57


On this episode of SPOT Radio, Charlie Webb, CPPL, discusses the Sterile Summer Patient Safety Road Trip 2025—an outreach initiative designed to raise awareness about sterile packaging practices and awareness. Joined by his wife, Lisa Webb, General Manager of Van der Stähl Scientific, the duo will actively support the Sterile Aware initiative, engaging medical device manufacturers by distributing awareness bracelets and posters while demonstrating advanced medical device packaging machinery.Beyond their mission to promote patient safety, Charlie and Lisa are also weaving moments of vacation and exploration into their journey, striking a balance between industry advocacy and personal adventure.Tune in to hear more about this unique road trip blending education, engagement, and a bit of summer fun!About Charlie Webb CPPL: Charlie Webb CPPL is the founder and President of Van der Stahl Scientific; a medical device packaging and testing machine provider and packaging testing and calibration laboratories.He is also a certified internal auditor and is the Quality Manager for Van der Stähl Scientific's demanding ISO/IEC 17025 Laboratory accreditation. Under Charlie's quality management system his lab received the MSI Continuous Improvement Award. Charlie is a member of the IOPP Medical Device Packaging Technical Committee, he is a former co-PM in the Kiip group and voting ASTM F02 technical committee and has multiple granted and pending patents on medical device packaging machinery and pouch testers.His current patent-pending technologies include a medical device tray sealer that will integrate pouch testing within the packaging machine to provide 100% real-time seal testing. Also, in development is his patented HTIP system (human tissue isolation pouch) this disposable system is designed to help avoid packaging machine contamination.About Lisa Webb: As the General manager of Van der Stähl Scientific she has grown the company sales by double in her 15-year tenure. Her technical acumen is impressive as there is not a packaging machine in Van der Stähl Scientific's offering that she does not know every nut and bolt and its placement.Beyond understand the medical device packaging and testing machines operation and build she also understands the ISO 11607 processes for which they are held under. Lisa also oversees many of the functions in Van der Stähl Scientific's ISO/IEC 17025 medical device pouch test and calibration laboratory. She is Kaizen trained and certified and continues to improve Van der Stähl Scientific's operation from product development to market reach.Team Email: info@vanderstahl.comRoadtrip webpage:  https://www.linkedin.com/in/missy-travis-b8588b45/Roadtrip Video: https://youtu.be/s58_ih8G7IM?si=Vglm3Nm60M5-3EmW Storyteller Hilt: https://www.storytelleroverland.com/pages/hilt 

Metrology Today Podcast
Metrology Today Podcast S4E3: Rob Knake, NIST

Metrology Today Podcast

Play Episode Listen Later Apr 30, 2025 74:08


Rob Knake is a professional specializing in quality systems, metrology, and standards development. He is actively employed with the National Institute of Standards and Technology (NIST) and involved with NCSL International, where he contributes to training, technical exchanges, and the advancement of measurement science. With expertise in ISO/IEC 17025, measurement traceability, and laboratory accreditation, Rob frequently leads seminars and workshops aimed at enhancing metrology practices. His roles encompass coaching, public speaking, and organizational leadership, focusing on improving quality systems and fostering collaboration within the metrology community. Rob's professional endeavors are highlighted through his active participation in events like the NCSL International Technical Exchange and the MSC Annual Training Symposium. His contributions have been recognized in various capacities, including hosting sessions and delivering presentations on metrology and digitalization topics. For more detailed information about Rob Knake's professional background and contributions, you can visit his LinkedIn profile.

Digital Government podcast
What leaders must know about the game of AI governance

Digital Government podcast

Play Episode Listen Later Apr 30, 2025 41:36


Artificial intelligence is moving into the mainstream of government and industry, and with it comes new responsibilities. Mapping today's AI landscape, then, means looking into the behavioural shifts it triggers, the governance frameworks it demands, and the global power dynamics it reshuffles. In this Digital Government Podcast episode we're joined by Matthew Blakemore, CEO of AI Caramba! and a leading architect behind the ISO/IEC 8183 international AI standard. Known for bridging cutting-edge innovation with public value, Blakemore has helped shape global conversations on AI data governance, ethical deployment, and public sector readiness. In preparation for his keynote at the e-Governance Conference 2025, we draw from practical frameworks and his experience advising governments and media networks to explore how to govern AI with clarity, caution, and intention. Well before algorithms outpace the institutions meant to oversee them. 

Paul's Security Weekly
ISO 42001 Certification, CIOs Struggle to Align Strategies, and CISOs Rethink Hiring - Martin Tschammer - BSW #392

Paul's Security Weekly

Play Episode Listen Later Apr 23, 2025 63:55


AI Governance, the next frontier for AI Security. But what framework should you use? ISO/IEC 42001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organizations. It is designed for entities providing or utilizing AI-based products or services, ensuring responsible development and use of AI systems. But how do you get certified? What's the process look like? Martin Tschammer, Head of Security at Synthesia, joins Business Security Weekly to share his ISO 42001 certification journey. From corporate culture to the witness audit, Martin walks us through the certification process and the benefits they have gained from the certification. If you're considering ISO 42001 certification, this interview is a must see. In the leadership and communications section, Are 2 CEOs Better Than 1? Here Are The Benefits and Drawbacks You Must Consider, CISOs rethink hiring to emphasize skills over degrees and experience, Why Clear Executive Communication Is a Silent Driver of Organizational Success, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-392

Paul's Security Weekly TV
ISO 42001 Certification, CIOs Struggle to Align Strategies, and CISOs Rethink Hiring - Martin Tschammer - BSW #392

Paul's Security Weekly TV

Play Episode Listen Later Apr 23, 2025 63:55


AI Governance, the next frontier for AI Security. But what framework should you use? ISO/IEC 42001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organizations. It is designed for entities providing or utilizing AI-based products or services, ensuring responsible development and use of AI systems. But how do you get certified? What's the process look like? Martin Tschammer, Head of Security at Synthesia, joins Business Security Weekly to share his ISO 42001 certification journey. From corporate culture to the witness audit, Martin walks us through the certification process and the benefits they have gained from the certification. If you're considering ISO 42001 certification, this interview is a must see. In the leadership and communications section, Are 2 CEOs Better Than 1? Here Are The Benefits and Drawbacks You Must Consider, CISOs rethink hiring to emphasize skills over degrees and experience, Why Clear Executive Communication Is a Silent Driver of Organizational Success, and more! Show Notes: https://securityweekly.com/bsw-392

Business Security Weekly (Audio)
ISO 42001 Certification, CIOs Struggle to Align Strategies, and CISOs Rethink Hiring - Martin Tschammer - BSW #392

Business Security Weekly (Audio)

Play Episode Listen Later Apr 23, 2025 63:55


AI Governance, the next frontier for AI Security. But what framework should you use? ISO/IEC 42001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organizations. It is designed for entities providing or utilizing AI-based products or services, ensuring responsible development and use of AI systems. But how do you get certified? What's the process look like? Martin Tschammer, Head of Security at Synthesia, joins Business Security Weekly to share his ISO 42001 certification journey. From corporate culture to the witness audit, Martin walks us through the certification process and the benefits they have gained from the certification. If you're considering ISO 42001 certification, this interview is a must see. In the leadership and communications section, Are 2 CEOs Better Than 1? Here Are The Benefits and Drawbacks You Must Consider, CISOs rethink hiring to emphasize skills over degrees and experience, Why Clear Executive Communication Is a Silent Driver of Organizational Success, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-392

The Standards Show
Revisiting ISO/IEC 42001 | AI management systems

The Standards Show

Play Episode Listen Later Apr 22, 2025 39:40


Artificial Intelligence (AI) holds immense promise to transform lives, benefit society, and support a sustainable future. But as AI advances rapidly, it's crucial to understand what AI is—and isn't—and how it can be developed and used responsibly. In this episode, Matthew welcomes back Pauline Norstrom, CEO of AI business Anekanta, to discuss ISO/IEC 42001—the AI management systems standard. Designed to help organizations maximize the benefits of AI while ensuring responsible development, the standard also helps build public trust.Pauline shares the key features of ISO/IEC 42001, its global adaptability, and its potential to bring structure to the “wild west” of AI. She also reflects on the shifts in the global AI landscape since December 2023, including major policy moves in the US, China, Europe, and the UK - and offers insights into what's next for AI and standards development.Find out more about the issues raised in this episodeISO/IEC 42001 AI and standardsGet involved with standardsGet in touch with The Standards Showeducation@bsigroup.comsend a voice messageFind and follow on social mediaX @StandardsShowInstagram @thestandardsshowLinkedIn | The Standards Show

Metrology Today Podcast
Metrology Today Podcast S4E1: Patrick Jester

Metrology Today Podcast

Play Episode Listen Later Feb 13, 2025 83:41


Patrick Jester is the visionary behind Blackthorn Consulting Group, Inc. in Baton Rouge, LA, where he delivers transformative quality management system and training solutions that convert knowledge into measurable success. As a Lead Assessor for ISO/IEC 17025 Calibration Laboratories and an ASQ Certified Quality Auditor, Patrick plays a pivotal role helping companies reach their strategic objectives. His leadership credentials include previously serving as Vice President of Quality & Corporate Compliance for a large, multiple location calibration laboratory, and as a Divisional NCSLI Vice President and contributing to various NCSLI Committees.  Patrick is the current NCSLI Board of Directors Secretary and ASQ Measurement Quality Division Chair.

Adafruit Industries
Fruit Jam RP2350B credit-card mini computer with all the fixin's

Adafruit Industries

Play Episode Listen Later Feb 3, 2025 0:19


Coming soon! We were catching up on a recent Hackaday hackchat with Eben Upton (https://hackaday.io/event/202122-raspberry-pi-hack-chat-with-eben-upton) and learned some fun facts: such as the DVI hack for the RP2040 was inspired by a device called the IchigoJam (https://www.hackster.io/news/ichigojam-combines-strawberry-and-raspberry-to-deliver-a-raspberry-pi-pico-powered-educational-micro-66aa5d2f6eec). We remember reading about this back when it was an LPC1114, now it uses an RP2040. Well, we're wrapping up the Metro RP2350 (https://www.adafruit.com/product/6003), and lately, we've been joking around that with DVI output and USB Host support via bit-banged PIO, you could sorta build a little stand-alone computer. Well, one pear-green-tea-fueled-afternoon later we tried our hand at designing a 'credit card sized' computer - that's 3.375" x 2.125", about the same size as a business card (https://hackaday.com/2024/05/07/the-2024-business-card-challenge-starts-now/) and turns out there's even a standard named for it: ISO/IEC 7810 ID-1 (https://www.iso.org/standard/70483.html). Anyhow, with the extra pins of the QFN-80 RP2350B, we're able to jam a ridonkulous amount of hardware into this shape: RP2350B dual 150MHz Cortex M33 w/ PicoProbe debug port, 16 MB Flash + 8 MB PSRAM, USB type C for bootloading/USB client, Micro SD card with SPI or SDIO, DVI output on the HSTX port, I2S stereo headphone + mono speaker via the TLV320DAC3100 (https://www.digikey.com/en/products/detail/texas-instruments/tlv320dac3100irhbt/2353656), 2-port USB type A hub for both keyboard and mouse or game controllers, chunky on-off switch, Stemma QT I2C + Stemma classic JST 3-pin, EYESPI for TFT displays, 5x NeoPixels, 3x tactile switches, and a 16-pin socket header with 10 A/D GPIO + 5V/3V/GND power pins. The PSRAM will help when we want to do things like run emulations that we need to store in fast RAM access, and it will also let us use the main SRAM as the DVI video buffer. When we get the PCBs back and assembled, what should we try running on this hardware? We're pretty sure it can run DOOM. Should that be first? :) We also need a name. Right now, we're just calling it Fruit Jam since it's inspired by the IchigoJam project.

字谈字畅
#241: 三榜定案修改单

字谈字畅

Play Episode Listen Later Oct 22, 2024 85:12


GB 18030—2022 两年三次征求意见后,于 9 月 30 日公布了《第 1 号修改单》。本期节目,我们将结合公开资料解读修改单的相关内容,管窥标准化工作幕后的曲折。 参考链接 “The Monotype Collection”,英国科学博物馆在线上展出馆藏 FontCreator 于今年 9 月首次推出 macOS 版 字谈字畅 184:十七年等一回 GB 18030—2022《信息技术 中文编码字符集》 《中华人民共和国国家标准公告 2024 年第 23 号》公告了 GB 18030—2022《第 1 号修改单》 「中文信息技术标准化」微信公众号发布 GB 18030—2022《第 1 号修改单》的内容解读 国际标准 ISO/IEC 10646:2020 《信息技术 通用编码字符集(UCS)》也于 2023 年发布了《第一号修改单》 表意文字研究组(IRG) (ISO/IEC JTC 1/SC 2/WG 2/IRG) Unicode 平面(plane) CJK 统一汉字扩充 I;Unicode 16.0 内附有该区段的字符集合及码位表 2022年《国家市场监督管理总局令第 59 号》公布了《国家标准管理办法》 Windows 11 Insider Preview Build 22635.4300 新增了 Simsun-ExtG 字体,可支持位于 Unicode 扩充 G、H、I 的 9753 个汉字 主播 Eric:字体排印研究者,译者,The Type 执行编辑 蒸鱼:设计师,The Type 编辑 欢迎与我们交流或反馈,来信请致 podcast@thetype.com​。如果你喜爱本期节目,也欢迎用支付宝向我们捐赠:hello@thetype.com​。

The Industrial Talk Podcast with Scott MacKenzie
Bill Curtis with Consortium for Information and Software Quality

The Industrial Talk Podcast with Scott MacKenzie

Play Episode Listen Later Jun 26, 2024 21:21 Transcription Available


Industrial Talk is onsite at OMG, Q1 Meeting and talking to Bill Curtis, Executive Director with the Consortium for Information and Software Quality about "ISO 5055 - Software quality standards to positively impacting industry". The conversation centered around the importance of prioritizing software quality to improve productivity and reduce costs. The speakers highlighted the significant financial costs associated with software quality issues and emphasized the need for implementing and applying software security standards in the industry. They also discussed automated source code quality measures and the importance of software quality standards and certification, with one speaker expressing a preference for free and open-source software and the other emphasizing the need for a certification exam to test developers' knowledge of ISO 5055. Action Items [ ] Update ISO/IEC 5055 to include new measures around data protection and resource sustainability. [ ] Submit annexes to ISO/IEC 5055 covering the new measures. [ ] Develop a certification exam on ISO/IEC 5055 through OMG for developers and quality assurance professionals. [ ] Connect with Bill Curtis via ACM.org or LinkedIn for more information on software quality standards and initiatives. Outline Software quality, technical debt, and cost of poor quality software. Dr. Bill Curtis, leading expert on capability maturity model, discusses software bombs and cybersecurity. Bill discusses the high cost of poor quality software, citing a report that estimates $1.5 trillion in annual costs. Bill emphasizes the importance of executive management in protecting the development team from unnecessary requirements and technical debt. Software quality issues and their costs in the billions. Bill: Technical debt costs in the 9-10 digits, with estimates reaching $175 million pounds. Bill: Quantifying technical debt is challenging, but public sources provide reasonably based estimates. Expert panel identified 75 serious weaknesses in software systems. Software security weaknesses and how to address them using static analysis technology. OMG developed a standard for software security, ISO approved it in 2021. Bill: Setting thresholds for software weaknesses in contracts with suppliers. Bill: Static analysis technology helps evaluate existing systems for security vulnerabilities. Bill: System-level weaknesses require prioritization, not just code-level fixes. Companies work with partners for security weakness identification and remediation. Software quality standards and ISO 5055. Bill discusses the importance of keeping ISO standards up-to-date, citing examples of expanded weaknesses and sustainability issues. OMG team is responsible for updating the ISO standard, relying on submitters to keep it current, and adding new annexes for data protection and resource sustainability. Bill discusses submitting additional measures to improve software quality, while Scott promotes connecting with Bill Curtis for expertise on software quality standards. If interested in being on the Industrial Talk show, simply contact us and let's have a quick conversation. Finally, get your exclusive free access to the