What Is CJIS Compliance?

We’ve covered several areas regarding data privacy and security. These discussions have covered private security frameworks, government-enforced regulations, and guidelines shoring up IT security for federal and national defense agencies and contractors.  Another area of security and data privacy is law enforcement. It’s perhaps unsurprising that law enforcement and other national security agencies would handle… Read More

What Are ISO 22301 and Business Continuity?

Modern security and risk frameworks often focus on a limited set of concerns–security controls, external threats, insider threats, upgrading or updating systems, etc. But, as the relationships between security, business continuity, and system reliability become more complex in our data-saturated environment, organizations must have equally robust system support in place to ensure that information remains… Read More

What Are GDPR Penalties?

Have you noticed the increasingly-complex cookie disclosure forms popping up on even the most unassuming website? These expanded forms aren’t present because digital businesses have suddenly decided informing customers about their data collection practices is an ethical imperative. Instead, these companies are most likely working with customers in both the U.S. and the EU, and… Read More

What Is a Zero-Day Exploit?

If you’re plugged into the world of cybersecurity, then you’ve most likely come across breathless reports of new “zero-day” vulnerabilities hitting the wild. And, on the surface, these sound terrible… but do you understand what that means? A zero-day exploit is a significant, but not world-ending, security flaw affecting systems without anyone having noticed them… Read More

Protected Health Information, File Sharing and Email

Protecting patient information is a crucial and necessary part of healthcare… but so is communicating effectively with patients. Considering that email continues to be the most common form of electronic communication, it stands to reason that providers meet patients where they are.  However, HIPAA regulations have rather strict requirements for protecting PHI, and plain email… Read More

OMG USB! Physical Media and Protecting PHI

Imagine this scenario: you’ve received some test results from some procedure. Those results are to be moved between institutions because you have doctors in different departments of a healthcare system.  Normally, we’d think that these institutions would electronically transmit these results through some secure channel… but then you see that your doctor has your results,… Read More

What is NIST 800-66?

Securing protected health information (PHI) is one of the paramount cybersecurity concerns of many organizations, both inside and outside the healthcare industry. This information, if released to unauthorized parties, could lead to significant personal harm to patients that organizations must avoid at all costs.  The Healthcare Insurance Portability and Accessibility Act (HIPAA) governs the protection… Read More

What Are Health Industry Cybersecurity Practices (HICP)?

Any organization in the healthcare industry knows that cybersecurity is a critical component of doing business. So much so, in fact, that any enterprise handling protected health information (PHI) must implement and maintain strict cybersecurity and privacy controls to protect patient data from unauthorized disclosure.  However, understanding that HIPAA is a requirement for operation doesn’t… Read More

What Is NIST 800-161?

With modern IT infrastructure becoming increasingly complex, intertwined systems managed through service providers and managing experts, the inevitable security problem rears its head. How can one organization, using several service providers, ensure their data security as it travels through those systems? Over the past decade, enterprise and government specialists have refined the practice of risk… Read More

Risk Maturity and the Continuum GRC IRM Platform

Over the past few weeks, we’ve discussed what it means to consider risk as part of an overall compliance strategy. We’ve emphasized throughout that risk doesn’t have to be an abstract pursuit–it can be a comprehensive part of compliance and security that uses the realities of regulations and frameworks to drive decision-making (and vice-versa).  One… Read More

What is Third-Party Risk Management?

In the increasingly interconnected and complex world of business technology, many organizations are grappling with the challenges related to insecure integrations and agreements. The rise of technology service models, managed service providers (MSPs) and SaaS apps introduce compliance and risk management issues almost faster than businesses can keep up.  Thus, a new discipline has evolved:… Read More

Why Consider Standards-Based Risk Management?

We’ve previously discussed the importance of risk management, and the challenges that come from approaching risk through large-scale frameworks. According to an abstract framework, many organizations aren’t necessarily equipped to mobilize far-ranging risk assessments.  Here, we’ll discuss a compromise to combine the best of both worlds: standards-based risk management.  

What Is Risk Management Software, and What Should You Look For?

Risk management is quickly becoming the foundation for most security and compliance standards. And this is for good reason–complex security threats based on modern technology and the interoperability of extensive cloud-based infrastructure aren’t going to be held at bay through ad hoc implementation of technology.  Risk doesn’t have to be an amorphous and ill-defined process,… Read More

What Are the Problems with Risk Management? 

In our previous article, we discussed the concept of risk management–what it is and why it’s important.  However, risk management in cybersecurity isn’t new, and many organizations are working towards normalizing risk as an approach for comprehensive cybersecurity and compliance efforts.  While this move is a good one, we also find that many organizations will… Read More

CMMC 2.0 Updates: More Contractors Expected to Require Full CMMC Certification

With the Department of Defense unveiling CMMC version 2.0 last November, many contractors breathed a sigh of relief. The relaxed assessment requirements and streamlined structure signaled a willingness from the DoD to work with assessors and contractors to find a way to promote security over Controlled Unclassified Information (CUI) without making the process harder than… Read More

The HIPAA Security Rule and Risk Management

The Healthcare Insurance Portability and Accountability Act (HIPAA) is one of the more complex regulations in the U.S., due in no small part to the complicated and open-ended nature of the law.  What should companies do? In this case, covered organizations are turning to risk-based assessments to help them support their security approaches.  Here, we… Read More

Managed Service Providers: How Secure Are Your Services?

The increasing use of cloud vendors and third-party providers has made advanced IT infrastructure and expertise available even to smaller organizations. It has also created an interconnected ecosystem of businesses, government agencies, utility firms and managed service providers (MSPs) that can potentially compromise security across multiple systems.  If you’re a managed service provider, it’s your… Read More

What is the Difference Between DFARS and CMMC?

Security and compliance are paramount in the defense industry–even for unclassified information, like Controlled Unclassified Information (CUI). The operations of these particular industries call for the utmost discretion, and all stakeholders must be on the same page.  As modern digital infrastructure makes its way into the defense supply chain, it’s equally crucial for contractors and… Read More

FedRAMP and CISA: What Is Binding Operational Directive 22-01

Managing cybersecurity threats is a full-time job, and most cybersecurity specialists rely on shared knowledge between experts in the field to combat these threats. The Common Vulnerabilities and Exposures (CVE) database provides a starting point for this kind of knowledge, centralizing an index of known security vulnerabilities in the wild.  The CVE program recently joined… Read More