What Is NIST 800-172 and Advanced Security Structures

The ongoing rise of state-sponsored Advanced Persistent Threats (APTs) has increased scrutiny of federal and state IT systems security systems. The latest version of CMMC includes a high-maturity level specifically designed to address these threats, which relies primarily on advanced security controls listed in NIST Special Publication 800-172.   

What Is A Data Privacy Impact Assessment (DPIA)?

New data security regulations include, or foreground, the role of data privacy in compliance. Many of these, like GDPR and CCPA, make data privacy a primary concern and expect businesses to meet stringent requirements about protecting the integrity of consumers’ Personally Identifiable Data (PII). One practice stemming from GDPR requirements is the Data Privacy Impact… Read More

What Does the HIPAA Security Rule Say About Mobile Computing?

With modern computing increasingly moving into a mobile paradigm of remote workers, laptops, and smart devices, the threat to security in various industries is only increasing. This is no more true than in healthcare, where HIPAA breaches related to mobile devices are becoming more common.  This article will discuss the HIPAA security rule, how it… Read More

What Is Compliance-as-a-Service and Does It Fit Your Business?

The rapidly evolving regulatory landscape has become increasingly complex and challenging for organizations to navigate. To address these complexities, the Compliance-as-a-Service (CaaS) business model has emerged as a valuable solution for organizations seeking to maintain regulatory compliance while minimizing risk.  This blog delves into the CaaS business model, exploring its key features, benefits, and limitations.… Read More

What Is Access Control?

Security frameworks and regulations will inevitably dictate that organizations have the capabilities to deny access from unauthorized users. This facet of cybersecurity is so fundamental to compliance more broadly that it’s essentially impossible to engage in proper security without considering access control. This article will discuss access controls and authorization as part of a larger… Read More

Approaching Web Application Security

One of the cornerstones of cybersecurity has been the protection of software. These applications have been installed on local machines or workstations for most of the computing history. Hackers would use different approaches to gain access to these machines using corrupted software or other means.  In modern times, the proliferation of web applications and Software-as-a-Service… Read More

Cybersecurity and Malicious Software: A History of Malware

In the earliest days of what could be considered cybersecurity, the primary threats were malicious programs that would operate against the wishes of the machine and its operator. These programs, referred to as viruses, served as the progenitors of what we generally refer to in modern parlance as malicious software or “malware.” Because the long… Read More

Three Examples of PCI DSS Non-Compliance and What You Can Learn from Them

The public and private sectors have been increasingly under assault by hackers looking to take information–whether for espionage, blackmail, or profit. And while some of the past few years’ high-profile government and industrial attacks have been at the center of many cybersecurity stories, the reality is that hacks in the retail and consumer spaces have… Read More

What is NIST 800-66?

Securing protected health information (PHI) is one of the paramount cybersecurity concerns of many organizations, both inside and outside the healthcare industry. This information, if released to unauthorized parties, could lead to significant personal harm to patients that organizations must avoid at all costs.  The Healthcare Insurance Portability and Accessibility Act (HIPAA) governs the protection… Read More

The HIPAA Security Rule and Risk Management

The Healthcare Insurance Portability and Accountability Act (HIPAA) is one of the more complex regulations in the U.S., due in no small part to the complicated and open-ended nature of the law.  What should companies do? In this case, covered organizations are turning to risk-based assessments to help them support their security approaches.  Here, we… Read More

What is IRS 1075?

The federal government has strict and comprehensive regulations on how agencies handle constituents’ personal information. This is just as true for tax information. The IRS leans on established guidelines associated with federal security to dictate regulations for agencies that handle tax information and, by and large, treats that information as a sensitive and critical part… Read More

What is SOX 404 Compliance?

Corporate compliance is a major undertaking for a few reasons–IT systems become complex, work forces grow to hundreds of individuals with different levels of access to information and public corporations must file difficult financial and security attestations annually to prevent fraud.  One of the essential forms of financial and IT compliance for publicly-traded companies in… Read More

What Does a PCI DSS Audit Look Like?

PCI compliance is a hot topic these days. While payment processing seemed like the domain of large enterprises and retailers, the expansion of cloud-based processing and online storefronts have blurred the lines between processors, merchants and secure, compliant systems.  Many organizations seek their PCI compliance certification to cover their bases with payment processing and data… Read More

What Are SOC 3 Reports?

The Service Organization Control (SOC) standard is a well-known, but often misunderstood, approach to cybersecurity. It’s not mandatory, it has several methods, and some attestations involve different types of reports and assessments.  Sometimes, the most difficult challenge is understanding the breakdown between reports. While SOC 2 is the most well-known and deployed assessment on the… Read More

Continuum Clarifies What SSAE 16 Compliance Means

When contracting with a service provider, such as a data center, it is important for companies to ensure that their provider possesses the cyber security-related certifications and compliance standards that are applicable to the company’s industry. Data centers, as well as service providers who contract with data centers, sometimes claim to be “SSAE 16” certified.… Read More