What Is Proactive Cybersecurity? Preparing for Threats Before They Strike

Modern cybersecurity is about more than just reacting to threats as they emerge. Adopting proactive cybersecurity measures is not just a strategic advantage; it’s an operational necessity that can spell the difference between business as usual and breaches that erode customer trust and shareholder value. Whether you’re a cybersecurity veteran or new to the domain,… Read More

An Introduction to PCI DSS’s Secure Software Life Cycle

Digital payments are, for the most part, the norm for commerce in the modern world. From swiping credit cards, tapping phones, or using credit card information in digital storefronts, a lot of payment information is moving through digital networks… and potentially insecure technologies. This is why credit card networks created the PCI DSS standard to… Read More

HIPAA and the Use of Online Tracking for Marketing Purposes

Due to some recent actions against online medical providers like BetterHealth and GoodRX, the Department of Health and Human Services has released a new warning for covered entities regarding the tracking methods they use on their websites.  While web tracking has become a typical technology for most businesses, it’s not a cut-and-dry proposition for healthcare… Read More

The Impact of Executive Order 14028 on FedRAMP

Government responses to evolving security threats have, to more or less a degree, started to incorporate advanced mitigation postures that reflect a world of networked systems and complex digital supply chains.  To address this changing landscape, the president issued Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity.” This 2021 order introduced a zero-trust… Read More

The New FedRAMP Marketplace

On February 20th, the FedRAMP PMO announced the release of the newest design for the FedRAMP Marketplace. While this news doesn’t necessarily shake the foundations of government compliance, the Marketplace it is an essential resource for agencies looking for a trustworthy source of information regarding cloud providers. In this article, we’ll break down what kind… Read More

Are Man-in-the-Middle Attacks Still a Threat?

Man-in-the-Middle attacks, where a malicious actor secretly intercepts and possibly alters the communication between two unsuspecting parties, have significantly escalated with digital connectivity and remote work surge. While the attack method is not new, its implications have grown in magnitude in the era of widespread digital transformation. Modern businesses, from multinational corporations to small and… Read More

Common Criteria and NIST Evaluation

The Common Criteria, recognized worldwide, provides a standardized framework for evaluating the security attributes of IT products and systems. From defining security requirements to testing and verifying products against these requirements, the Common Criteria assure that the evaluation process is rigorous, repeatable, and thorough. To ensure the success of the program on a national basis,… Read More

FedRAMP High Impact Level and Unique NIST Controls

In the era of digitization, the security of cloud services, particularly those engaged with federal agencies, is paramount. The government uses the Federal Risk and Authorization Management Program (FedRAMP)–to ensure cloud services meet stringent security standards to protect federal data.  This article will dig into the intricacies of the FedRAMP High Impact Level and its… Read More

HIPAA, Security Incidents, and Reportable Events

In the interconnected world of digital health information, safeguarding Protected Health Information is paramount. Healthcare providers must legally follow the Health Insurance Portability and Accountability Act (HIPAA) to protect patient privacy and maintain trust, and this compliance includes understanding what it means to identify and deal with security incidents. Among these, the concepts of security… Read More

What Are the Proposed Rule Changes to HIPAA Coming in 2023?

In response to changes in the medical industry due to COVID-19, the Department of Health and Human Services (HHS) and Substance Abuse and Mental Health Services Administration (SAMHSA) have put forth a Notice of Proposed Rulemaking to streamline how doctors can access mental health information.  This article will discuss this rule change and why it… Read More

What Is ISO 27017 and How Does it Inform Cloud Security?

As cloud computing continues gaining popularity, organizations increasingly turn to cloud services to store and process their data. However, with this increased reliance on cloud services comes a heightened risk of data breaches and cyber attacks, making cloud security a critical concern for businesses of all sizes. To address these concerns, the International Organization for… Read More

What Is NIST Special Publication 800-115 and What Does it Say About Penetration Testing?

As technology advances, the need for effective cybersecurity measures becomes increasingly important. The necessity for regular testing, including penetration testing, has raised awareness of best practices and standards for such assessments. The National Institute of Standards and Technology (NIST) has developed comprehensive guidelines and standards to help organizations safeguard their information systems from cyber threats.… Read More

ISO 31010 and Implementing Risk Assessment Techniques

We’ve previously discussed the role of risk assessment as defined by the International Organization of Standardization (ISO) 31000, and generally speaking, we’ve found that risk management is a key practice to supporting security and compliance. To better support organizations approaching risk assessment, ISO published the supplementary document, ISO/IEC 31010, “Risk assessment technique.” In this article,… Read More

What are ISO 30141 and the General Characteristics of Internet of Things (IoT) Systems?

The Internet of Things (IoT) was seen as the next big thing for the consumer market. While the impact of IoT technology is still unfolding, there is no doubt that IoT devices have made a much bigger impact in the commercial space. IoT networks are changing how we handle major industrial processes, from healthcare to… Read More

ISO 27701 and Conformance with Privacy Information Management (Part 4)

As previously discussed, ISO/IEC 27701 is a comprehensive international standard that provides specific privacy guidelines for organizations attempting to meet additional standards for handling PII in line with jurisdictions like GDPR. This document aligns ISO-compliant organizations with PII-focused standards by implementing Privacy Information Management Systems (PIMS). So far, we’ve covered how ISO 27701 refines ISO… Read More

ISO 27701 and Conformance with Privacy Information Management (Part 3)

We’ve previously discussed ISO 27701 and how it refines two essential security standards and control libraries (ISO 27001 and ISO 27002). But, the entire purpose of ISO 27701 is to align IT systems with privacy requirements found under GDPR.  Here, we’ll discuss the third section of this document that defines additional guidelines for organizations acting… Read More

ISO 27701 and Conformance with Privacy Information Management (Part 1)

Private security standards like those from the International Organization for Standardization (ISO) generally seek some alignment with major regulations so that certified organizations can effectively adapt to new and rigorous standards. Accordingly, the ISO 27701 standard seeks to refine the standard ISO cybersecurity certifications to match evolving security laws in jurisdictions like the EU.  In… Read More

What Is ISO 27018 and How Does it Apply to Cloud Providers?

ISO/IEC 27018 establishes commonly accepted control objectives to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for cloud providers offering public infrastructure and services. It is a critical document for these providers seeking to instill the trustworthiness of their systems in their customers and clients. Learn more about ISO… Read More

What Is the Europrivacy Hybrid Certification Model?

GDPR has needed a centralized assessment and certification model for some time now. Still, with the plethora of certifications and standards covering different business contexts, there has yet to be a single approach that has risen to the top of the heap. However, the governing bodies of GDPR have authorized the new Europrivacy standard to… Read More

What Is the StateRAMP Security Snapshot?

Regarding cybersecurity and compliance, there is a massive benefit in having a deep field of providers and offerings that can serve large federal customers alongside smaller offerings that can serve the state, local, and municipal customers. It’s essential, however, to ensure that maintaining a competitive marketplace doesn’t compromise security. This means helping small or young… Read More

What Is the Authorization Boundary in FedRAMP?

When it comes to managing FedRAMP-compliant systems, it helps to understand the entirety of the system that will fall under this jurisdiction. Unfortunately, with the complexity of cloud systems being what they are, mapping out IT systems with the right granularity can provide a challenge. This is why FedRAMP guides determining an organization’s authorization boundary.