23 episodes

Governance, Risk, and Compliance (GRC) Academy is a training and research platform for GRC professionals, executives, and anyone else who wants to increase their knowledge in the GRC space.

GRC Academy Jacob Hill

    • Technology

    ISO 27001 Essentials with Aron Lange

    In this episode, Jacob speaks with ISO 27001 expert Aron Lange!
    Aron is the founder of the GRC Lab, and a Udemy instructor with more than 11,000 students! He is an experienced auditor for management systems based on ISO 27001, ISO 9001, ISO 27018 and ISO 22301.
    In this episode they discuss the essentials of ISO 27001, including the history of the standard and the changes in the latest revision, the significance of the organizations involved in certification, and the danger of ISO "certification paper mills."
    Here are some highlights from the episode:
    • The history of ISO 27001
    • Changes in ISO 27001:2022
    • Who are the IAF, accreditation bodies, and certification bodies?
    • The importance of hiring an IAF-affiliated certification body
    • ISO scoping
    • Maintaining an ISO certification
    • Best practices for internal audits
    Follow Aron on LinkedIn: https://www.linkedin.com/in/aronlange/
    Aron’s Udemy courses: https://www.udemy.com/user/aron-lange/
    Aron’s Website: https://www.aronlange.com/
    -----------
    Governance, Risk, and Compliance (GRC) Academy is a training and research platform!
    Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e23&utm_campaign=courses
    Need a FedRAMP authorized Password Manager?
    Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/
    See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

    • 28 min
    Why Threat Intel is Essential for Vulnerability Management with Patrick Garrity

    In this episode, Jacob speaks with cybersecurity researcher Patrick Garrity!
    Patrick Garrity is a seasoned security researcher at VulnCheck where he focuses on vulnerabilities, vulnerability exploitation and threat actors.
    In this episode they discuss the importance of integrating threat intelligence into vulnerability management using the Exploit Prediction Scoring System (EPSS) and CISA's Known Exploited Vulnerabilities (KEV) Catalog, and the changes in CVSS 4.0.
    Here are some highlights from the episode:
    • How the Exploit Prediction Scoring System (EPSS) can predict exploitation
    • How vulnerability scanners integrate EPSS
    • CISA's Known Exploited Vulnerabilities (KEV) Catalog
    • The national security implications of vulnerability management
    Follow Patrick on LinkedIn: https://www.linkedin.com/in/patrickmgarrity/
    VulnCheck Website: https://vulncheck.com/
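    The prioritization logic this episode describes, as an added example (not GRC Academy's or VulnCheck's code): scan findings are tiered by CISA KEV membership first (exploitation confirmed), then by EPSS probability (exploitation predicted), and only then by CVSS (severity with no exploitation signal). The CVE IDs, EPSS rows, KEV entries, hostnames and the 0.10 EPSS threshold are constructed placeholders and an assumed policy value; in practice the EPSS scores come from FIRST's daily CSV (which carries a leading "#" comment line) and the KEV catalog from CISA's JSON feed, whose entries use the `cveID` and `dueDate` fields.

```python
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Constructed scan findings: the CVE IDs, CVSS scores and hostnames are placeholders.
SCAN_FINDINGS = [
    {"cve": "CVE-2099-0001", "cvss": 9.8, "asset": "vpn-gw-01"},
    {"cve": "CVE-2099-0002", "cvss": 7.5, "asset": "app-web-03"},
    {"cve": "CVE-2099-0003", "cvss": 9.1, "asset": "build-srv-02"},
    {"cve": "CVE-2099-0004", "cvss": 5.3, "asset": "app-web-03"},
    {"cve": "CVE-2099-0005", "cvss": 8.8, "asset": "hr-db-01"},
]

# Constructed EPSS feed in the layout FIRST publishes (a '#' comment line, then
# cve,epss,percentile). CVE-2099-0005 is deliberately missing: newly published
# CVEs may have no EPSS score yet and must not silently drop out of the queue.
EPSS_CSV = """#model_version:example,score_date:2099-01-01
cve,epss,percentile
CVE-2099-0001,0.02100,0.88000
CVE-2099-0002,0.91000,0.99700
CVE-2099-0003,0.00300,0.41000
CVE-2099-0004,0.45000,0.97000
"""

# Constructed KEV catalog excerpt using CISA's field names (cveID, dueDate).
KEV_JSON = {"vulnerabilities": [{"cveID": "CVE-2099-0003", "dueDate": "2099-01-22"}]}


@dataclass
class Prioritized:
    cve: str
    asset: str
    tier: int          # 1 = KEV, 2 = high EPSS, 3 = high CVSS only, 4 = backlog
    epss: Optional[float]
    cvss: float
    reason: str


def parse_epss(csv_text: str) -> dict:
    """Map CVE ID -> EPSS probability, skipping the feed's leading '#' comment line."""
    lines = [ln for ln in csv_text.splitlines() if ln and not ln.startswith("#")]
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    return {row["cve"]: float(row["epss"]) for row in reader}


def kev_ids(kev_catalog: dict) -> set:
    """Set of CVE IDs present in a KEV catalog document."""
    return {entry["cveID"] for entry in kev_catalog["vulnerabilities"]}


def prioritize(findings, epss_scores, kev, epss_threshold=0.10, cvss_threshold=7.0):
    """Tier findings: exploitation evidence (KEV) beats predicted exploitation (EPSS),
    which beats severity alone (CVSS). Within a tier, sort by EPSS, then CVSS."""
    ranked = []
    for f in findings:
        cve, cvss = f["cve"], f["cvss"]
        epss = epss_scores.get(cve)  # None when the CVE is not in the feed yet
        if cve in kev:
            tier, reason = 1, "in CISA KEV: exploitation confirmed, remediate by the KEV due date"
        elif epss is not None and epss >= epss_threshold:
            tier, reason = 2, f"EPSS {epss:.3f} >= {epss_threshold}: likely to be exploited soon"
        elif cvss >= cvss_threshold:
            tier = 3
            reason = ("no EPSS score yet: triage on CVSS until scored" if epss is None
                      else f"high CVSS but EPSS {epss:.3f}: no exploitation signal")
        else:
            tier, reason = 4, "low severity and no exploitation signal"
        ranked.append(Prioritized(cve, f["asset"], tier, epss, cvss, reason))
    # Unscored CVEs sort as EPSS 0.0 inside their tier so CVSS decides their order.
    ranked.sort(key=lambda r: (r.tier, -(r.epss if r.epss is not None else 0.0), -r.cvss))
    return ranked


if __name__ == "__main__":
    queue = prioritize(SCAN_FINDINGS, parse_epss(EPSS_CSV), kev_ids(KEV_JSON))
    for r in queue:
        epss = "n/a" if r.epss is None else f"{r.epss:.3f}"
        print(f"tier {r.tier}  {r.cve}  {r.asset:<12} cvss {r.cvss:<4} epss {epss:<5} {r.reason}")
```

    With the constructed data, CVE-2099-0003 (CVSS 9.1) goes to the top because it is in KEV, and CVE-2099-0004 (CVSS 5.3, EPSS 0.45) outranks CVE-2099-0001 (CVSS 9.8, EPSS 0.021), which is the point of folding threat intelligence into the queue: severity alone would have ordered those two the other way. The CVE with no EPSS row stays visible in tier 3 rather than disappearing, so it is re-checked once the feed scores it.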
    Thanks to our sponsor Keeper Security!
    Need a FedRAMP authorized Password Manager? See how Keeper can help you comply with CMMC: https://www.keepersecurity.com/cmmc/?utm_source=grcacademy&utm_medium=display&utm_campaign=cmmc_video
    Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

    • 27 min
    The False Claims Act and The DOJ's Civil Cyber Fraud Initiative with Julie Bracker

    In this episode, Jacob speaks with attorney Julie Bracker!
    Julie is the whistleblower attorney for both the Penn State University and Georgia Tech FCA complaints. These complaints allege that the defendants misrepresented their compliance with NIST SP 800-171.
    They discuss the False Claims Act and the DOJ's Civil Cyber Fraud Initiative, and what federal contractors can do to avoid being the subject of a whistleblower complaint!
    Here are some highlights from the episode:
    • What is the False Claims Act?
    • What is the DoJ's Civil Cyber Fraud Initiative?
    • What are the risks and rewards for whistleblowers?
    • Who are the targets of the initiative?
    • Can companies blindly rely on their MSP and be safe?
    • How to quantify damages of cyber noncompliance fraud
    • DoJ Civil Cyber Fraud settled lawsuits so far
    • Georgia Tech and Penn State FCA cases
    Follow Julie on LinkedIn: https://www.linkedin.com/in/juliekeetonbracker/
    Bracker & Marcus LLP Website: https://www.fcacounsel.com/
    Penn State FCA Complaint: https://cdn.grcacademy.io/web/20240325204912/penn-state-university-false-claims-act-complaint.pdf
    Georgia Tech FCA Complaint: https://cdn.grcacademy.io/web/20240325204909/georgia-tech-university-false-claims-act-complaint.pdf
    2023 DoJ Report of FCA settlements (more than $2.68 billion): https://www.justice.gov/opa/pr/false-claims-act-settlements-and-judgments-exceed-268-billion-fiscal-year-2023

    • 40 min
    CMMC and Security Compliance in Higher Education

    In this episode, Jacob speaks with a panel of information security experts from universities about CMMC and their experience preparing for it!
    They discuss security and compliance challenges at universities, the Penn State NIST 800-171 False Claims Act lawsuit, and much more!
    Here are some highlights from the episode:
    • How universities are different from other types of organizations
    • Different compliance requirements for universities
    • Who is involved in the execution of a government contract?
    • The drivers of cybersecurity compliance at universities
    • Thoughts on the Penn State False Claims Act lawsuit
    • How to drive positive cybersecurity change at a university
    • CUI enclaves at universities
    • Areas of CMMC that need clarification
    Here are the panelists:
    • Jay Gallman - Duke University (https://www.linkedin.com/in/jay-gallman/)
    • Kolin Hodgson - Notre Dame (https://www.linkedin.com/in/kolin-hodgson-cisa-cissp-4bbb9a/)
    • Melissa Kimble - University of Maine (https://www.linkedin.com/in/melissa-kimble/)
    • Wendy Epley - University of Arizona (https://www.linkedin.com/in/wendyepley/)
    Thanks to our sponsor Keeper Security!
    Need a secure file sharing solution? Register for a webinar showing how Defense Contractors can share sensitive information using Keeper: https://grcacademy.io/ref/keeper/webinar-cmmc-file-sharing-april-2024/

    • 1 hr 15 min
    AI's Impact on Cybersecurity Risk with Dr. Raghuram Srinivas of MetricStream

    In this episode, Jacob talks to Dr. Raghuram Srinivas from MetricStream!
    They discuss the beginnings of AI, how it has evolved over time, and the risks and opportunities it presents to companies around the world!
    Raghuram is the Senior Vice President of Product Management at MetricStream. He is an AI expert and has worked in AI-focused roles at JPMorgan Chase, KPMG, and the Watson Group at IBM.
    Here are some highlights from the episode:
    • The history of AI
    • How do large language models (LLMs) work?
    • AI for GRC & GRC for AI
    • Using AI in cyber operations
    • The future of cyber risk
    Follow Ragu on LinkedIn: https://www.linkedin.com/in/raghuramsrinivas/
    MetricStream website: https://www.metricstream.com/

    • 16 min
    Zscaler on FedRAMP and Zero Trust with Patrick Perry

    In this episode, Jacob talks to Patrick Perry from Zscaler. They discuss Zscaler's experiences navigating the FedRAMP and DoD Impact Level processes as well as Zero Trust!
    Pat is a cybersecurity expert with over 20 years of experience. He is Field CTO at Zscaler, responsible for aligning Zscaler's capabilities with DoD and Intelligence Community (IC) mission sets to bring mission-focused transformation and zero trust to warfighter organizations.
    Zscaler U.S. Government Solutions enables the U.S. government and its strategic partners to securely transform their networks and applications for a mobile and cloud-first world. Zscaler's FedRAMP Moderate, FedRAMP High, and DoD IL5-authorized solutions provide fast, secure connections between users and applications, regardless of device, location, or network.
    Here are some highlights from the episode:
    • Zscaler's approach to FedRAMP, DoD Impact Levels, and CMMC
    • Shared responsibility between cloud service providers and users
    • What Zero Trust is and how it relates to CMMC
    • Zero Trust pillars
    • Thoughts on the federal approach to Zero Trust
    Follow Patrick on LinkedIn: https://www.linkedin.com/in/perrypn2019/
    Zscaler website: https://www.zscaler.com/

    • 28 min
