With modern computing increasingly moving into a mobile paradigm of remote workers, laptops, and smart devices, the threat to security in various industries is only increasing. This is no more true than in healthcare, where HIPAA breaches related to mobile devices are becoming more common. This article will discuss the HIPAA security rule, how it… Read More
What Is Compliance-as-a-Service and Does It Fit Your Business?
The rapidly evolving regulatory landscape has become increasingly complex and challenging for organizations to navigate. To address these complexities, the Compliance-as-a-Service (CaaS) business model has emerged as a valuable solution for organizations seeking to maintain regulatory compliance while minimizing risk. This blog delves into the CaaS business model, exploring its key features, benefits, and limitations.… Read More
What Is Access Control?
Security frameworks and regulations will inevitably dictate that organizations have the capabilities to deny access from unauthorized users. This facet of cybersecurity is so fundamental to compliance more broadly that it’s essentially impossible to engage in proper security without considering access control. This article will discuss access controls and authorization as part of a larger… Read More
Approaching Web Application Security
One of the cornerstones of cybersecurity has been the protection of software. These applications have been installed on local machines or workstations for most of the computing history. Hackers would use different approaches to gain access to these machines using corrupted software or other means. In modern times, the proliferation of web applications and Software-as-a-Service… Read More
Cybersecurity and Malicious Software: A History of Malware
In the earliest days of what could be considered cybersecurity, the primary threats were malicious programs that would operate against the wishes of the machine and its operator. These programs, referred to as viruses, served as the progenitors of what we generally refer to in modern parlance as malicious software or “malware.” Because the long… Read More
Three Examples of PCI DSS Non-Compliance and What You Can Learn from Them
The public and private sectors have been increasingly under assault by hackers looking to take information–whether for espionage, blackmail, or profit. And while some of the past few years’ high-profile government and industrial attacks have been at the center of many cybersecurity stories, the reality is that hacks in the retail and consumer spaces have… Read More
Encryption and NIST FIPS 140 (FIPS 140-2)
In April 2022, NIST stopped accepting applications for validation certificates for the FIPS 140-2 standard of security in lieu of the updated FIPS 140-3. While many companies are still waiting for their FIPS 140-2 certification (if they got their application in before the April deadline), many are now considering adopting the new 140-3 standard. But,… Read More
What is NIST 800-66?
Securing protected health information (PHI) is one of the paramount cybersecurity concerns of many organizations, both inside and outside the healthcare industry. This information, if released to unauthorized parties, could lead to significant personal harm to patients that organizations must avoid at all costs. The Healthcare Insurance Portability and Accessibility Act (HIPAA) governs the protection… Read More
The HIPAA Security Rule and Risk Management
The Healthcare Insurance Portability and Accountability Act (HIPAA) is one of the more complex regulations in the U.S., due in no small part to the complicated and open-ended nature of the law. What should companies do? In this case, covered organizations are turning to risk-based assessments to help them support their security approaches. Here, we… Read More
NIST and Digital Identity Verification
We often take digital identity for granted… We create accounts all over the Internet for various services, but rarely think about the information that sits in a server for every company we interact with. Furthermore, we rarely think about the potential for fraud related to those identities and how that potential threat impacts finance or… Read More
What is IRS 1075?
The federal government has strict and comprehensive regulations on how agencies handle constituents’ personal information. This is just as true for tax information. The IRS leans on established guidelines associated with federal security to dictate regulations for agencies that handle tax information and, by and large, treats that information as a sensitive and critical part… Read More
What is SOX 404 Compliance?
Corporate compliance is a major undertaking for a few reasons–IT systems become complex, work forces grow to hundreds of individuals with different levels of access to information and public corporations must file difficult financial and security attestations annually to prevent fraud. One of the essential forms of financial and IT compliance for publicly-traded companies in… Read More
What Does a PCI DSS Audit Look Like?
PCI compliance is a hot topic these days. While payment processing seemed like the domain of large enterprises and retailers, the expansion of cloud-based processing and online storefronts have blurred the lines between processors, merchants and secure, compliant systems. Many organizations seek their PCI compliance certification to cover their bases with payment processing and data… Read More
What Are SOC 3 Reports?
The Service Organization Control (SOC) standard is a well-known, but often misunderstood, approach to cybersecurity. It’s not mandatory, it has several methods, and some attestations involve different types of reports and assessments. Sometimes, the most difficult challenge is understanding the breakdown between reports. While SOC 2 is the most well-known and deployed assessment on the… Read More
Continuum Clarifies What SSAE 16 Compliance Means
When contracting with a service provider, such as a data center, it is important for companies to ensure that their provider possesses the cyber security-related certifications and compliance standards that are applicable to the company’s industry. Data centers, as well as service providers who contract with data centers, sometimes claim to be “SSAE 16” certified.… Read More