Ongoing maintenance and upkeep are a cornerstone of all cybersecurity regulations and frameworks. And for a good reason. The rapidly changing threat landscape that businesses and government agencies face daily necessitates an ever-vigilant approach to cybersecurity. Vulnerability scanning is an important part of compliance and security across almost every data-driven industry. Here, we’re discussing what StateRAMP… Read More
There is no substitute for a competent and impartial auditor in terms of compliance, security, and correct operations. Organizations that can assess and certify technologies and organizations are essential for ensuring accountability and standards of excellence in place, applying to systems that store sensitive data. To modify a common saying, “who watches the auditors?” That’s… Read More
StateRAMP takes several of its requirements from FedRAMP, and perhaps one of the most important requirements is continuous monitoring. Continuous monitoring ensures that systems that earned StateRAMP Authorization remain in compliance year after year, avoiding gaps in security and protecting the interest of state and local governments.
StateRAMP is now nearly two years old, and the small project is quickly becoming a mainstay in the security industry. State and local governments are looking for a solid cybersecurity framework that they can use to vet and certify cloud providers that they may work with. In this article, we’ll talk about the basics of… Read More
As we move through the requirements for PCI DSS 4.0, we’re coming up to the double digits, which means some more advanced expectations. Namely, the tenth requirement focuses on system logging and monitoring for systems containing cardholder data. The maintenance of audit logs is about more than automatically recording data about system events. Your system… Read More
The federal government leans more heavily on technology providers, including cloud computing platforms that support data storage, processing, and office application solutions. Accordingly, the question of data security is live, and the government’s response is to implement the FedRAMP authorization requirement. Like many other government programs, FedRAMP can threaten to bury the under prepared provider… Read More
In the financial industry, fraud is a natural and ever-present challenge. Digital banking and international finance have only compounded this problem, and anti-money laundering and fraud laws in the U.S. have evolved to address these issues. In modern times, the overlap of identity management, authentication, and identity assurance has led to more comprehensive forms of… Read More
In the earliest days of what could be considered cybersecurity, the primary threats were malicious programs that would operate against the wishes of the machine and its operator. These programs, referred to as viruses, served as the progenitors of what we generally refer to in modern parlance as malicious software or “malware.” Because the long… Read More
The public and private sectors have been increasingly under assault by hackers looking to take information–whether for espionage, blackmail, or profit. And while some of the past few years’ high-profile government and industrial attacks have been at the center of many cybersecurity stories, the reality is that hacks in the retail and consumer spaces have… Read More
The newest version of PCI DSS (4.0) is out, and companies are asking about the new requirements. Some of these requirements apply to PCI DSS encryption, and while there are changes, many of the standards of 3.2.1 are still the lay of the land. Learn more about PCI DSS encryption and how it’s shifting in… Read More
We’ve covered several areas regarding data privacy and security. These discussions have covered private security frameworks, government-enforced regulations, and guidelines shoring up IT security for federal and national defense agencies and contractors. Another area of security and data privacy is law enforcement. Unsurprisingly, law enforcement and other national security agencies would handle private information, and… Read More
If you’re plugged into the world of cybersecurity, then you’ve most likely come across breathless reports of new “zero-day” vulnerabilities hitting the wild. And, on the surface, these sound terrible… but do you understand what that means? A zero-day exploit is a significant, but not world-ending, security flaw affecting systems without anyone having noticed them… Read More
Protecting patient information is a crucial and necessary part of healthcare… but so is communicating effectively with patients. Considering that email continues to be the most common form of electronic communication, it stands to reason that providers meet patients where they are. However, HIPAA regulations have rather strict requirements for protecting PHI, and plain email… Read More
Securing protected health information (PHI) is one of the paramount cybersecurity concerns of many organizations, both inside and outside the healthcare industry. This information, if released to unauthorized parties, could lead to significant personal harm to patients that organizations must avoid at all costs. The Healthcare Insurance Portability and Accessibility Act (HIPAA) governs the protection… Read More
Any organization in the healthcare industry knows that cybersecurity is a critical component of doing business. So much so, in fact, that any enterprise handling protected health information (PHI) must implement and maintain strict cybersecurity and privacy controls to protect patient data from unauthorized disclosure. However, understanding that HIPAA is a requirement for operation doesn’t… Read More
Over the past few weeks, we’ve discussed what it means to consider risk as part of an overall compliance strategy. We’ve emphasized throughout that risk doesn’t have to be an abstract pursuit–it can be a comprehensive part of compliance and security that uses the realities of regulations and frameworks to drive decision-making (and vice-versa). One… Read More
We’ve discussed risk management and its complexity–what goes into it, what frameworks you can use, and how different forms of analysis and visualization can help you assess it effectively. But let’s pump the brakes a little. Have you thought about what to do about your risk profile? Do you know how to approach risk as… Read More
In the increasingly interconnected and complex world of business technology, many organizations are grappling with the challenges related to insecure integrations and agreements. The rise of technology service models, managed service providers (MSPs) and SaaS apps introduce compliance and risk management issues almost faster than businesses can keep up. Thus, a new discipline has evolved:… Read More
Risk management is quickly becoming the foundation for most security and compliance standards. And this is for good reason–complex security threats based on modern technology and the interoperability of extensive cloud-based infrastructure aren’t going to be held at bay through ad hoc implementation of technology. Risk doesn’t have to be an amorphous and ill-defined process,… Read More
SSAE 18 is a statement that sets standards for reporting on the controls and processes related to financial reporting. It comes from the American Institute of Certified Public Accountants, outlining the framework for reporting on internal controls. The SSAE 18 is designed to provide assurances that the reporting of service organizations is secure, thorough, and… Read More
Managing cybersecurity threats is a full-time job, and most cybersecurity specialists rely on shared knowledge between experts in the field to combat these threats. The Common Vulnerabilities and Exposures (CVE) database provides a starting point for this kind of knowledge, centralizing an index of known security vulnerabilities in the wild. The CVE program recently joined… Read More
Discussions about security and compliance disproportionately focus on businesses and enterprises, precisely because these organizations serve as central repositories for critical industrial or consumer information. Accordingly, regulations and best practices are often tied to securing this infrastructure, with consumers getting little to no attention. However, the reality of modern cybersecurity threats is that almost all… Read More
The federal government has strict and comprehensive regulations on how agencies handle constituents’ personal information. This is just as true for tax information. The IRS leans on established guidelines associated with federal security to dictate regulations for agencies that handle tax information and, by and large, treats that information as a sensitive and critical part… Read More
Following the continuous rage of the COVID-19 pandemic, organizations face a difficult task to secure the workload and devices of the employees scattered around the world. As a home has become the new office, it unveiled serious organizational cybersecurity gaps. Experts say that simply installing antivirus software or encrypting traffic on a company-issued MacBook is… Read More