What is a Data Processing Agreement in GDPR?

Central to data protection in the EU is the GDPR and its data processing regulation. One of the most challenging aspects of GDPR is adjudicating the relationships between different parties handling data for various purposes–namely, relationships between managed service providers and the various, nebulous groups of organizations that use data for their daily operations.  In… Read More

What’s New in CSF 2.0?

The National Institute of Standards and Technology (NIST) has always been at the forefront of cybersecurity guidance. With the Cybersecurity Framework (CSF) 2.0 release, NIST has addressed the evolving challenges of modern cybersecurity. This article discusses some of the bigger changes in the recently released CSF 2.0, spotlighting governance and supply chain security while emphasizing… Read More

Promoting a Culture of Cybersecurity Awareness in Your Organization

The cybersecurity landscape isn’t getting any easier for any business, large or small. With high-profile cyber attacks making headlines, from ransomware attacks crippling global infrastructure to data breaches compromising millions of users’ personal information, the stakes for major corporations have never been higher. While offering unprecedented opportunities, the digital realm also presents a minefield of… Read More

What Is ISO 9001

ISO 9001 is a universally recognized standard that provides a framework for organizations to establish, implement, and refine their quality management systems. Rooted in principles that prioritize customer satisfaction, leadership involvement, and a continuous improvement ethos, ISO 9001 offers a structured approach to achieving excellence in operational processes.  This article delves into the intricacies of… Read More

Security Operations Centers, MSSPs, and Outsourced Security

The Security Operations Center (SOC) is central to this defense strategy – a dedicated hub for monitoring, detecting, and responding to security incidents. But as businesses grapple with establishing their in-house SOCs or outsourcing to specialized Managed Security Service Providers (MSSPs), many considerations come into play.  In this article, we discuss the complexities of these… Read More

What Role Is AI Playing in Cybersecurity in 2023?

The development of AI has been a game-changer for nearly everyone, and that fact is no different in the world of cybersecurity. New threats powered by AI are reshaping traditional attack vectors, including cryptography, prevention, and social engineering. In this article, we’re discussing how, in the so-called AI Boom of 2023, cybersecurity is being shaped… Read More

CCPA and CPRA Attestations and Audits

The California Consumer Privacy Act (CCPA)  is a strict set of rules for companies in California, defining what these organizations must do to protect consumer privacy. Although the CCPA does not require formal audits, the upcoming CPRA expansion will call for these practices, particularly in consumer protection and privacy areas. As concerns about data privacy… Read More

What Is ISO 17021 and Certification of Management Systems?

The ISO/IEC 17021-1:2015 is a global guideline designed to shape how organizations that perform audits and certifications for management systems should operate. Released by the International Organization for Standardization and the International Electrotechnical Commission, this standard aims to improve the reliability and uniformity of these audits and certifications by outlining the essential requirements these organizations… Read More

What Is Proactive Cybersecurity? Preparing for Threats Before They Strike

Modern cybersecurity is about more than just reacting to threats as they emerge. Adopting proactive cybersecurity measures is not just a strategic advantage; it’s an operational necessity that can spell the difference between business as usual and breaches that erode customer trust and shareholder value. Whether you’re a cybersecurity veteran or new to the domain,… Read More

What Is Passwordless Authentication?

Passwords are our oldest form of digital security… and, in most cases, one of the weakest links in identity management and authentication. Phishing, database breaches, and poor digital hygiene have made authentication challenging for security and compliance. They have become the quintessential keys to our online kingdoms. As cyberattacks grow more sophisticated, there’s a mounting… Read More

An Introduction to PCI DSS’s Secure Software Life Cycle

Digital payments are, for the most part, the norm for commerce in the modern world. From swiping credit cards, tapping phones, or using credit card information in digital storefronts, a lot of payment information is moving through digital networks… and potentially insecure technologies. This is why credit card networks created the PCI DSS standard to… Read More

How to Determine Cybersecurity Impact Level Using FIPS 199

The Federal Information Processing Standard (FIPS) 199 provides organizations and individuals with the necessary guidance to determine a cybersecurity threat’s impact level accurately. These impact levels define the level of security a system should have to protect the data contained therein adequately.  This article will take you through an overview of FIPS 199 and how… Read More

The Necessity and Challenges of Cybersecurity Program Maturity

The U.S. Department of Defense launched the Cybersecurity Maturity Model Certification (CMMC) in response to the escalating cyber threats. This initiative underscores the increasing emphasis on the maturity of cybersecurity programs as a benchmark for assessment and standardization within the Defense Industrial Base and its extensive supply chain. Yet, a surprising revelation from Infosecurity Magazine… Read More

Understanding the Difference Between HIPAA and HITRUST

Within the world of healthcare compliance and information security, there’s been increasing confusion around some terms and organizations. We’ve heard a bit about some of this confusion, specifically around HITRUST and HIPAA.  Both are connected to the preservation of health information, yet they fulfill separate functions and are founded on differing principles. This article clarifies… Read More

HIPAA and the Use of Online Tracking for Marketing Purposes

Due to some recent actions against online medical providers like BetterHealth and GoodRX, the Department of Health and Human Services has released a new warning for covered entities regarding the tracking methods they use on their websites.  While web tracking has become a typical technology for most businesses, it’s not a cut-and-dry proposition for healthcare… Read More

What Are the Evaluation Criteria for JAB Prioritization?

The Federal Risk and Authorization Management Program (FedRAMP) plays a pivotal role in safeguarding the security of cloud services within the U.S. federal government. An essential element of this program is the Joint Authorization Board (JAB), which is responsible for prioritizing and authorizing cloud offerings offered by cloud providers.  The JAB prioritization process is a… Read More

CPAs and CISAs: Choosing the Right SOC 2 Auditor

In today’s ever-evolving digital landscape, our central concern revolves around safeguarding data security and privacy. As businesses increasingly depend on cloud services and third-party vendors to manage their data, it becomes crucial to ensure these service providers adhere to stringent security standards.  A prominent standard in this domain is the Service Organization Control 2, or… Read More

What Is Advanced Encryption Standard (AES), and How Is it Related to NIST?

Our digital age is rooted in the exchange of data, and therefore security of that data. Obfuscation, or encryption, has served as the backbone of that security for decades. As threats have evolved and attackers have found new and more sophisticated ways to break encryptions, it has been up to experts to provide solutions. In… Read More

What Are Digital Signatures and How Do They Work?

In traditional document management, we have several ways to authenticate the legitimacy of information–a signature, a watermark, etc. In digital spaces, we don’t readily have these tools to use. That fact, along with the reality that any piece of information can be copied ad infinitum, made authentication a challenge that security experts needed to solve. … Read More

The Impact of Executive Order 14028 on FedRAMP

Government responses to evolving security threats have, to more or less a degree, started to incorporate advanced mitigation postures that reflect a world of networked systems and complex digital supply chains.  To address this changing landscape, the president issued Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity.” This 2021 order introduced a zero-trust… Read More

What is an Authorization Boundary for FedRAMP and StateRAMP?

Assessments for both StateRAMP and FedRAMP rely on the 3PAO’s understanding of the systems and people that will interact with a specific government agency. With this knowledge, it’s easier to determine where particular requirements begin and where they end. Across both of these frameworks, this concept is known as the “authorization boundary.”  The authorization boundary… Read More

The New FedRAMP Marketplace

On February 20th, the FedRAMP PMO announced the release of the newest design for the FedRAMP Marketplace. While this news doesn’t necessarily shake the foundations of government compliance, the Marketplace it is an essential resource for agencies looking for a trustworthy source of information regarding cloud providers. In this article, we’ll break down what kind… Read More

Ultimate Security: Data Breach Prevention in 2023

According to a recent report by IT Governance, there were over 70 data breaches in June 2023 alone–accounting for compromising over 14 million data records. Once these records are out in the open, they are often sold on the dark web. Following that, it’s just a matter of time before hackers can use this data… Read More

HIPAA and Internal Security Controls

In June 2023, the US. The Department of Health and Human Services (HHS) reached an agreement with Yakima Valley Memorial Hospital over a significant breach of privacy and security rules. Specifically, HHS found that several security guards had inappropriately accessed the private records of up to 419 patients.  This settlement demonstrated administrative and internal security… Read More