The good news? PCI DSS 4.0 is out, but the adoption schedule for the new standard is quite generous. The better news? The PCI Security Council has decided to implement a tiered approach to adoption. The first will finalize when the previous version (3.2.1) is officially retired in 2024. The second, known as the “future… Read More
What Is the NISTIR 8374 Ransomware Report?
Ransomware is one of the most significant security threats and perhaps one of the most recognizable threats in modern cybersecurity. These attacks cost businesses millions of dollars and can result in the loss of massive volumes of mission-critical information that supports business operations, national infrastructure, or government agencies. As part of the Cybersecurity Framework, the National… Read More
Is Blockchain Technology Viable for Security?
Blockchain, blockchain, blockchain. It seems like you can’t throw a rock without hitting someone discussing the potential for blockchain technology. And, for the most part, this is driven by consumer interest in technologies and the potential for innovation in the web 3.0 world we live in. While the consumer market is having a so-so engagement… Read More
What Is Sampling in PCI DSS Assessment?
A significant part of any security framework is the assessment. Different frameworks require different types of assessments, from self-managed diagnostics to extensive and annual third-party audits. PCI DSS is no different, requiring annual compliance validation for all relevant systems. The nature of these assessments may vary depending on the company and are beyond the scope… Read More
PCI DSS and Customized Approach Validation
With the new PCI DSS 4.0 updates now public, payment processors and security experts are examining some of the latest changes. One of the changes we’ve noticed (and one that will most likely make a massive difference for assessments) is the inclusion of customized approaches to PCI DSS assessment. This evolution of compensating controls in… Read More
What Are Encryption Requirements for PCI DSS?
The newest version of PCI DSS (4.0) is out, and companies are asking about the new requirements. Some of these requirements apply to PCI DSS encryption, and while there are changes, many of the standards of 3.2.1 are still the lay of the land. Learn more about PCI DSS encryption and how it’s shifting in… Read More
What’s New in PCI DSS 4.0?
On March 31, 2022, the Payment Card Industry (PCI) Security Standards Council released version 4.0 of the Data Security Standard (DSS), updating what has been a long-running standard that needed some refreshing based on the newest technologies on the market. The increased focus on eCommerce and reliance on mobile devices has introduced several major security… Read More
FedRAMP vs. ISO 27001: Pursuing the Right Security
Companies attempting to navigate the complex world of private and public cybersecurity might get confused about what they should focus on. The truth is that you can’t adopt them all… but you can focus on the regulations that directly impact how you do business. Here, we’ll discuss two of the most prevalent security frameworks–FedRAMP and… Read More
What Is CJIS Compliance?
We’ve covered several areas regarding data privacy and security. These discussions have covered private security frameworks, government-enforced regulations, and guidelines shoring up IT security for federal and national defense agencies and contractors. Another area of security and data privacy is law enforcement. It’s perhaps unsurprising that law enforcement and other national security agencies would handle… Read More
What Is CJIS Compliance?
We’ve covered several areas regarding data privacy and security. These discussions have covered private security frameworks, government-enforced regulations, and guidelines shoring up IT security for federal and national defense agencies and contractors. Another area of security and data privacy is law enforcement. Unsurprisingly, law enforcement and other national security agencies would handle private information, and… Read More
What Are ISO 22301 and Business Continuity?
Modern security and risk frameworks often focus on a limited set of concerns–security controls, external threats, insider threats, upgrading or updating systems, etc. But, as the relationships between security, business continuity, and system reliability become more complex in our data-saturated environment, organizations must have equally robust system support in place to ensure that information remains… Read More
What Are GDPR Penalties?
Have you noticed the increasingly complex cookie disclosure forms popping up on even the most unassuming website? These expanded forms aren’t present because digital businesses have suddenly decided informing customers about their data collection practices is an ethical imperative. Instead, these companies are most likely working with customers in both the U.S. and the EU, and… Read More
What Is a Zero-Day Exploit?
If you’re plugged into the world of cybersecurity, then you’ve most likely come across breathless reports of new “zero-day” vulnerabilities hitting the wild. And, on the surface, these sound terrible… but do you understand what that means? A zero-day exploit is a significant, but not world-ending, security flaw affecting systems without anyone having noticed them… Read More
Protected Health Information, File Sharing and Email
Protecting patient information is a crucial and necessary part of healthcare… but so is communicating effectively with patients. Considering that email continues to be the most common form of electronic communication, it stands to reason that providers meet patients where they are. However, HIPAA regulations have rather strict requirements for protecting PHI, and plain email… Read More
What Are the Penalties for HIPAA Violations?
In October of 2015, the Excellus Health Plan suffered what was the largest HIPAA data breach of the year, with some 9.5 million patient records compromised. An investigation concluded in January 2021, stating that Excellus had five critical violations of HIPAA, including a failure to conduct risk analysis, implement sufficient network security measures and enact… Read More
OMG USB! Physical Media and Protecting PHI
Imagine this scenario: you’ve received some test results from some procedure. Those results are to be moved between institutions because you have doctors in different departments of a healthcare system. Normally, we’d think that these institutions would electronically transmit these results through some secure channel… but then you see that your doctor has your results,… Read More
What is NIST 800-66?
Securing protected health information (PHI) is one of the paramount cybersecurity concerns of many organizations, both inside and outside the healthcare industry. This information, if released to unauthorized parties, could lead to significant personal harm to patients that organizations must avoid at all costs. The Health Insurance Portability and Accountability Act (HIPAA) governs the protection… Read More
What Are Health Industry Cybersecurity Practices (HICP)?
Any organization in the healthcare industry knows that cybersecurity is a critical component of doing business. So much so, in fact, that any enterprise handling protected health information (PHI) must implement and maintain strict cybersecurity and privacy controls to protect patient data from unauthorized disclosure. However, understanding that HIPAA is a requirement for operation doesn’t… Read More
What Is NIST 800-161?
With modern IT infrastructure increasingly made up of complex, intertwined systems managed through service providers and outside experts, an inevitable security problem rears its head. How can one organization, using several service providers, ensure its data security as that data travels through those systems? Over the past decade, enterprise and government specialists have refined the practice of risk… Read More
Risk Maturity and the Continuum GRC IRM Platform
Over the past few weeks, we’ve discussed what it means to consider risk as part of an overall compliance strategy. We’ve emphasized throughout that risk doesn’t have to be an abstract pursuit–it can be a comprehensive part of compliance and security that uses the realities of regulations and frameworks to drive decision-making (and vice-versa). One… Read More
What Is a Risk Appetite Statement?
Over the past few weeks, we’ve talked quite a bit about risk: What it is. How it applies to compliance. How you can start to think about it as an aspect of your overall business strategy. In many of the cases we’ve discussed, we’ve referred to risk in terms of mitigation–how to close the gap… Read More
What Are the Four Types of Risk Management?
We’ve discussed risk management and its complexity–what goes into it, what frameworks you can use, and how different forms of analysis and visualization can help you assess it effectively. But let’s pump the brakes a little. Have you thought about what to do about your risk profile? Do you know how to approach risk as… Read More
Risk Management, Cybersecurity and Visualization
We started our series on risk management a few weeks ago by introducing the concept of risk. One of the general stereotypes about risk is that it lacks some discreteness of security compliance–it doesn’t lend itself to checklists or paint-by-numbers approaches. This is, overall, a good thing, but can prove challenging for enterprises not ready… Read More
What is Third-Party Risk Management?
In the increasingly interconnected and complex world of business technology, many organizations are grappling with the challenges related to insecure integrations and agreements. The rise of technology service models, managed service providers (MSPs) and SaaS apps introduces compliance and risk management issues almost faster than businesses can keep up. Thus, a new discipline has evolved:… Read More