Why Would a Managed Service Provider Need Managed Security?

A Managed Service Provider (MSP) provides their clients with a wide range of IT services, including network management, software support, and hardware maintenance. However, as cyber threats evolve, MSPs are increasingly expected to provide comprehensive security solutions to their clients. This can be a significant challenge, as they may need more specialized expertise, tools, and… Read More

Post-Quantum Cryptography and the Quantum Computing Cybersecurity Preparedness Act

Quantum computing has long been a theoretical idea with limited practical application. The only usable quantum computers were only available to cutting-edge researchers supported by massive corporations or government-funded universities.  As time has passed, however, these researchers have begun to make massive strides in making quantum computing realizable in a way that could impact modern… Read More

What Are NIST Principles for Trustworthy Secure Design?

In today’s interconnected world, IT system trustworthiness has become an essential cornerstone for critical infrastructure’s seamless and secure functioning. As governments, enterprises, and industrial organizations rely on complex digital systems, the trustworthiness of these systems must be measured and maintained.  The need for trust in IT systems has been magnified by the rapid adoption of… Read More

What Are Federal Information Processing Standards (FIPS)?

Federal Information Processing Standards (FIPS) are essential for federal agencies and contractors to ensure the security of sensitive information, such as classified data, personally identifiable information, and financial data.  This article will describe some of the most common FIPS security standards, their importance, and how federal agencies and contractors use them. We will also discuss… Read More

What Is the Lifecycle of an Advanced Persistent Threat? 

Advanced Persistent Threats (APTs) are some of the most dangerous and persistent cyberattacks that organizations face today. Understanding the APT lifecycle is crucial for organizations looking to protect their sensitive data and networks against these attacks.  The APT lifecycle consists of several stages: reconnaissance, initial compromise, establishing persistence, escalation of privileges, lateral movement, data exfiltration,… Read More

How Can Businesses Approach Cybersecurity in Multi-Cloud Environments?

Multi-cloud environments are becoming increasingly common. Multi-clouds leverage the flexibility of public cloud connectivity across several providers to help organizations remain scalable and flexible.  While multi-cloud offers numerous benefits, it also presents unique security challenges that must be addressed to ensure the security of applications and data hosted in the cloud.  In this article, we… Read More

ISO 31010 and Implementing Risk Assessment Techniques

We’ve previously discussed the role of risk assessment as defined by the International Organization of Standardization (ISO) 31000, and generally speaking, we’ve found that risk management is a key practice to supporting security and compliance. To better support organizations approaching risk assessment, ISO published the supplementary document, ISO/IEC 31010, “Risk assessment technique.” In this article,… Read More

Maintaining HIPAA Compliance with IoT Devices

In previous blog posts, we’ve discussed the role of technology and HIPAA (related explicitly to HITECH regulations). However, the growth of intelligent devices and the Internet of Things (IoT) has led to a sea change in how Covered Entities (CEs) and Business Associates (BAs) manage their patients. Likewise, it adds new wrinkles to how these… Read More

What are ISO 30141 and the General Characteristics of Internet of Things (IoT) Systems?

The Internet of Things (IoT) was seen as the next big thing for the consumer market. While the impact of IoT technology is still unfolding, there is no doubt that IoT devices have made a much bigger impact in the commercial space. IoT networks are changing how we handle major industrial processes, from healthcare to… Read More

What is the Structure of a SOC 2 Report?

Understanding the structure of a SOC 2 report is essential for both businesses and service providers who are thinking ahead to their audit and attestation. It will serve as the “story” of an organization’s SOC 2 journey, covering the evaluation of their adherence to the Trust Services Criteria (TSC)–security, availability, processing integrity, confidentiality, and privacy. … Read More

ISO 27701 and Conformance with Privacy Information Management (Part 4)

As previously discussed, ISO/IEC 27701 is a comprehensive international standard that provides specific privacy guidelines for organizations attempting to meet additional standards for handling PII in line with jurisdictions like GDPR. This document aligns ISO-compliant organizations with PII-focused standards by implementing Privacy Information Management Systems (PIMS). So far, we’ve covered how ISO 27701 refines ISO… Read More

What Information Is Included in a FedRAMP System Assessment Report (SAR)?

The Federal Risk and Authorization Management Program (FedRAMP) is a security assessment and authorization program for cloud services used by the federal government. It is designed to ensure that cloud services meet the federal government’s security requirements, and that sensitive government data remains protected. A critical component of the FedRAMP security authorization process is the… Read More

ISO 27701 and Conformance with Privacy Information Management (Part 3)

We’ve previously discussed ISO 27701 and how it refines two essential security standards and control libraries (ISO 27001 and ISO 27002). But, the entire purpose of ISO 27701 is to align IT systems with privacy requirements found under GDPR.  Here, we’ll discuss the third section of this document that defines additional guidelines for organizations acting… Read More

StateRAMP, Subnetworks, and Boundary Security

StateRAMP guidelines include network security standards from NIST 800-53, with specific requirements for implementing those guidelines based on the application and data processing. Implementing boundary controls is one of the more relevant and sometimes challenging aspects of compliance network security. Here, we will dig into how StateRAMP (and FedRAMP, to some extent) approach subnetworks and… Read More

ISO 27701 and Conformance with Privacy Information Management (Part 2)

The International Organization for Standardization wrote ISO 27701 to align the standards of the ISO 27001 series with privacy-based standards like GDPR and CCPA. As such, it addresses the core requirements of that standard and refines them so that organizations don’t have to fumble in the dark about adapting their existing ISO certifications to larger… Read More

ISO 27701 and Conformance with Privacy Information Management (Part 1)

Private security standards like those from the International Organization for Standardization (ISO) generally seek some alignment with major regulations so that certified organizations can effectively adapt to new and rigorous standards. Accordingly, the ISO 27701 standard seeks to refine the standard ISO cybersecurity certifications to match evolving security laws in jurisdictions like the EU.  In… Read More

StateRAMP and Personnel Security

As the old saying goes, the weakest link in any security system is the user. This isn’t an insult but rather a commentary on the impossibility of eliminating every vulnerability in a system that humans have to use daily. In terms of actually mitigating direct security threats associated with users, however, there can be no… Read More

What Is ISO 27018 and How Does it Apply to Cloud Providers?

ISO/IEC 27018 establishes commonly accepted control objectives to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for cloud providers offering public infrastructure and services. It is a critical document for these providers seeking to instill the trustworthiness of their systems in their customers and clients. Learn more about ISO… Read More

What Is StateRAMP Fast Track?

Much hay has been made about how cloud providers can take advantage of the new StateRAMP program. Only a few years into operations, there are already questions about how governments and cloud providers can leverage the requirements to bring top-tier cybersecurity to a local level. One of these questions involves the adoption of StateRAMP standards… Read More

What Is the Information Security Risk Management Process of ISO 27005?

Businesses undergoing ISO certification are probably aware of the 27000 series and its focus on comprehensive cybersecurity. What many organizations don’t know, however, is that the series itself provides guidelines for risk managers to better implement Information Security Management Systems (the core process of ISO 27001) following best risk management practices.   

What Is the Threat-Based Risk Profiling Methodology in FedRAMP?

In February 2022, the FedRAMP Program Management Office updated the rules for their threat-based profiling methodology. This little-known approach to FedRAMP risk profiling and the rating security controls serves as the program’s effort to streamline authorization and program management with industry knowledge and agile development methodologies.