The FedRAMP OMB has recently released a memorandum on modernizing the standard to address new realities in digital technology. This shift reflects the increasing reliance on Software-as-a-Service (SaaS) and the strategic roles of Managed Service Providers (MSPs) in the federal, as well as the impact of new technologies like artificial intelligence. This article aims to… Read More
The California Delete Act and CCPA Privacy Law
Companies and data brokers, armed with sophisticated data collection techniques, amass vast amounts of personal data, often without the explicit consent or awareness of the individuals concerned. The urgency of the matter has propelled jurisdictions worldwide to enact stringent data protection laws. This article explores a new development in privacy law: the Data Delete Act.… Read More
Implementing SOC 2 Requirements for Cloud Environments
SOC 2 compliance provides a structured approach to ensuring data security, availability, and processing integrity, among other aspects. This article will dive into the specifics of SOC 2 and its impact on cloud security, shedding light on the technical controls, best practices, and the vital role of third-party attestations in bolstering trust between service providers… Read More
CMMC 2.0 and Level 2 Maturity
CMMC 2.0, while retaining the foundational principles of its predecessor, introduces refined maturity levels, each delineating a progressive enhancement in cybersecurity practices and protocols. Transitioning from Maturity Level 1 to Level 2 is not just about adding additional requirements to an organization. It’s about committing to security strategies to protect critical Controlled Unclassified Information (CUI). … Read More
Advanced Threat Techniques: Living off the Land
In an era where cybersecurity threats continuously evolve, organizations face many challenges to secure digital assets. Among these threats, a sophisticated and stealthy approach known as Living Off the Land (LotL) attacks has emerged, leaving a minimal footprint and often evading traditional security measures. This article discusses Living Off the Land attacks, highlighting real-world case… Read More
Secure Data Sharing and Compliance Frameworks
Several prominent security frameworks and regulations have been established to guide organizations through this intricate landscape. These range from international standards like ISO/IEC 27001 to more sector-specific regulations such as HIPAA for healthcare and PCI DSS for payment data. This article delves into these pivotal frameworks and how they speak to secure data sharing between… Read More
CMMC 2.0 and Level 1 Maturity
The defense sector, responsible for safeguarding national security, is particularly vulnerable to cyber threats. As cyber-attacks become more sophisticated, there’s an urgent need for a comprehensive framework to ensure the security of sensitive data. The Cybersecurity Maturity Model Certification (CMMC) is a strategic initiative by the Department of Defense (DoD) to enhance the cybersecurity posture… Read More
What is a Data Processing Agreement in GDPR?
Central to data protection in the EU is the GDPR and its data processing regulation. One of the most challenging aspects of GDPR is adjudicating the relationships between different parties handling data for various purposes–namely, relationships between managed service providers and the various, nebulous groups of organizations that use data for their daily operations. In… Read More
What’s New in CSF 2.0?
The National Institute of Standards and Technology (NIST) has always been at the forefront of cybersecurity guidance. With the Cybersecurity Framework (CSF) 2.0 release, NIST has addressed the evolving challenges of modern cybersecurity. This article discusses some of the bigger changes in the recently released CSF 2.0, spotlighting governance and supply chain security while emphasizing… Read More
Promoting a Culture of Cybersecurity Awareness in Your Organization
The cybersecurity landscape isn’t getting any easier for any business, large or small. With high-profile cyber attacks making headlines, from ransomware attacks crippling global infrastructure to data breaches compromising millions of users’ personal information, the stakes for major corporations have never been higher. While offering unprecedented opportunities, the digital realm also presents a minefield of… Read More
What Is ISO 9001
ISO 9001 is a universally recognized standard that provides a framework for organizations to establish, implement, and refine their quality management systems. Rooted in principles that prioritize customer satisfaction, leadership involvement, and a continuous improvement ethos, ISO 9001 offers a structured approach to achieving excellence in operational processes. This article delves into the intricacies of… Read More
Security Operations Centers, MSSPs, and Outsourced Security
The Security Operations Center (SOC) is central to this defense strategy – a dedicated hub for monitoring, detecting, and responding to security incidents. But as businesses grapple with establishing their in-house SOCs or outsourcing to specialized Managed Security Service Providers (MSSPs), many considerations come into play. In this article, we discuss the complexities of these… Read More
What Role Is AI Playing in Cybersecurity in 2023?
The development of AI has been a game-changer for nearly everyone, and that fact is no different in the world of cybersecurity. New threats powered by AI are reshaping traditional attack vectors, including cryptography, prevention, and social engineering. In this article, we’re discussing how, in the so-called AI Boom of 2023, cybersecurity is being shaped… Read More
CCPA and CPRA Attestations and Audits
The California Consumer Privacy Act (CCPA) is a strict set of rules for companies in California, defining what these organizations must do to protect consumer privacy. Although the CCPA does not require formal audits, the upcoming CPRA expansion will call for these practices, particularly in consumer protection and privacy areas. As concerns about data privacy… Read More
What Is ISO 17021 and Certification of Management Systems?
The ISO/IEC 17021-1:2015 is a global guideline designed to shape how organizations that perform audits and certifications for management systems should operate. Released by the International Organization for Standardization and the International Electrotechnical Commission, this standard aims to improve the reliability and uniformity of these audits and certifications by outlining the essential requirements these organizations… Read More
What Is Proactive Cybersecurity? Preparing for Threats Before They Strike
Modern cybersecurity is about more than just reacting to threats as they emerge. Adopting proactive cybersecurity measures is not just a strategic advantage; it’s an operational necessity that can spell the difference between business as usual and breaches that erode customer trust and shareholder value. Whether you’re a cybersecurity veteran or new to the domain,… Read More
What Is Passwordless Authentication?
Passwords are our oldest form of digital security… and, in most cases, one of the weakest links in identity management and authentication. Phishing, database breaches, and poor digital hygiene have made authentication challenging for security and compliance. They have become the quintessential keys to our online kingdoms. As cyberattacks grow more sophisticated, there’s a mounting… Read More
An Introduction to PCI DSS’s Secure Software Life Cycle
Digital payments are, for the most part, the norm for commerce in the modern world. From swiping credit cards, tapping phones, or using credit card information in digital storefronts, a lot of payment information is moving through digital networks… and potentially insecure technologies. This is why credit card networks created the PCI DSS standard to… Read More
How to Determine Cybersecurity Impact Level Using FIPS 199
The Federal Information Processing Standard (FIPS) 199 provides organizations and individuals with the necessary guidance to determine a cybersecurity threat’s impact level accurately. These impact levels define the level of security a system should have to protect the data contained therein adequately. This article will take you through an overview of FIPS 199 and how… Read More
The Necessity and Challenges of Cybersecurity Program Maturity
The U.S. Department of Defense launched the Cybersecurity Maturity Model Certification (CMMC) in response to the escalating cyber threats. This initiative underscores the increasing emphasis on the maturity of cybersecurity programs as a benchmark for assessment and standardization within the Defense Industrial Base and its extensive supply chain. Yet, a surprising revelation from Infosecurity Magazine… Read More
Understanding the Difference Between HIPAA and HITRUST
Within the world of healthcare compliance and information security, there’s been increasing confusion around some terms and organizations. We’ve heard a bit about some of this confusion, specifically around HITRUST and HIPAA. Both are connected to the preservation of health information, yet they fulfill separate functions and are founded on differing principles. This article clarifies… Read More
HIPAA and the Use of Online Tracking for Marketing Purposes
Due to some recent actions against online medical providers like BetterHealth and GoodRX, the Department of Health and Human Services has released a new warning for covered entities regarding the tracking methods they use on their websites. While web tracking has become a typical technology for most businesses, it’s not a cut-and-dry proposition for healthcare… Read More
What Are the Evaluation Criteria for JAB Prioritization?
The Federal Risk and Authorization Management Program (FedRAMP) plays a pivotal role in safeguarding the security of cloud services within the U.S. federal government. An essential element of this program is the Joint Authorization Board (JAB), which is responsible for prioritizing and authorizing cloud offerings offered by cloud providers. The JAB prioritization process is a… Read More
CPAs and CISAs: Choosing the Right SOC 2 Auditor
In today’s ever-evolving digital landscape, our central concern revolves around safeguarding data security and privacy. As businesses increasingly depend on cloud services and third-party vendors to manage their data, it becomes crucial to ensure these service providers adhere to stringent security standards. A prominent standard in this domain is the Service Organization Control 2, or… Read More