We’ve previously discussed ISO 27701 and how it refines two essential security standards and control libraries (ISO 27001 and ISO 27002). But, the entire purpose of ISO 27701 is to align IT systems with privacy requirements found under GDPR. Here, we’ll discuss the third section of this document that defines additional guidelines for organizations acting… Read More
ISO 27701 and Conformance with Privacy Information Management (Part 1)
Private security standards like those from the International Organization for Standardization (ISO) generally seek some alignment with major regulations so that certified organizations can effectively adapt to new and rigorous standards. Accordingly, the ISO 27701 standard seeks to refine the standard ISO cybersecurity certifications to match evolving security laws in jurisdictions like the EU. In… Read More
What Is ISO 27018 and How Does it Apply to Cloud Providers?
ISO/IEC 27018 establishes commonly accepted control objectives to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for cloud providers offering public infrastructure and services. It is a critical document for these providers seeking to instill the trustworthiness of their systems in their customers and clients. Learn more about ISO… Read More
What Is the Information Security Risk Management Process of ISO 27005?
Businesses undergoing ISO certification are probably aware of the 27000 series and its focus on comprehensive cybersecurity. What many organizations don’t know, however, is that the series itself provides guidelines for risk managers to better implement Information Security Management Systems (the core process of ISO 27001) following best risk management practices.
What Is the Europrivacy Hybrid Certification Model?
GDPR has needed a centralized assessment and certification model for some time now. Still, with the plethora of certifications and standards covering different business contexts, there has yet to be a single approach that has risen to the top of the heap. However, the governing bodies of GDPR have authorized the new Europrivacy standard to… Read More
GDPR Requirements for Data Disclosure and Rights of Access
There’s no doubt GDPR is shaking up the business landscape. Companies that spent time handling personal data relatively laxly are now faced with strict and comprehensive laws governing digital marketing and data use in the EU. Nowhere is this more apparent than in business disclosure and data access laws.
What is Europrivacy?
Companies inside and outside the European Union are feeling the impact of GDPR–and if you’ve noticed the glut of complex and long-winded cookie notifications, you can see why. Businesses looking to operate data processing infrastructure or collect data in the EU must comply with GDPR. To streamline the process, the EU recently approved a central… Read More
What Is the StateRAMP Security Snapshot?
Regarding cybersecurity and compliance, there is a massive benefit in having a deep field of providers and offerings that can serve large federal customers alongside smaller offerings that can serve the state, local, and municipal customers. It’s essential, however, to ensure that maintaining a competitive marketplace doesn’t compromise security. This means helping small or young… Read More
What Is the Authorization Boundary in FedRAMP?
When it comes to managing FedRAMP-compliant systems, it helps to understand the entirety of the system that will fall under this jurisdiction. Unfortunately, with the complexity of cloud systems being what they are, mapping out IT systems with the right granularity can provide a challenge. This is why FedRAMP guides determining an organization’s authorization boundary.
Cloud Architecture and FedRAMP Authorization Boundaries
Cloud computing and modern service models of software or infrastructure distribution present a problem to providers and customers alike–namely, how to properly assess and certify components in a way that considers the relationship between different modules, platforms, and apps. FedRAMP requirements define how assessors and Authorization approach different cloud offering service models to mitigate the… Read More
What Is A Vulnerability Deviation Request in StateRAMP Authorization?
When we talk about scans, tests, and authorization in the context of StateRAMP assessment, we tend to think that the process (and all its moving parts) are relatively stable and predictable. And, for the most part, this thinking is correct. However, it’s normal, and in some ways expected, to run into issues where scans and… Read More
Timeline for PCI DSS 4.0: The Twelfth Requirement, Policies, and Programs
So, after a long journey, we’ve arrived at the twelfth and final requirement for PCI DSS 4.0. Last but certainly not least, this requirement emphasizes the need for creating, documenting, and implementing organization-wide security and compliance policies.
PCI DSS 4.0 Timeline: The Eleventh Requirement and System Testing
System security is one task of many in organizations focused on compliance, one that requires continuous monitoring and diligence to ensure its success. One of the more critical aspects of compliance requirements like PCI DSS 4.0 is ongoing testing of system and network components. What does that process look like for companies in the payment… Read More
Timeline for PCI DSS 4.0: The Ninth Requirement and Physical Access Security
When thinking about cybersecurity, many stakeholders outside the industry will rarely consider the physical systems supporting digital information. And yet, almost any security framework worth its salt will have some provision for securing physical systems and environments. PCI DSS 4.0 is no different, and the ninth requirement is dedicated to just this topic. This article… Read More
Timeline for PCI DSS 4.0: The Eighth Requirement and Strong Authentication
Moving through the requirements of PCI DSS 4.0, we’re well over halfway through. During this journey, we’ve touched on cryptography, security and perimeter management, network security, authorization, and other critical security considerations. Now, we come up against the authentication and identity management problem with the eighth requirement. Authentication isn’t simply about passwords and CAPTCHAs, however.… Read More
Timeline for PCI DSS 4.0: The Seventh Requirement and System Access
As we work through the requirements of PCI DSS, we’ve run into several calls for securing data against “unauthorized users.” Operationally, this makes sense–cardholder data should be protected against use or viewing by people that don’t have a reason to do so. However, any effective IT security system must have a method to ensure that… Read More
Timeline for PCI DSS 4.0: The Sixth Requirement and Maintaining Secure Systems
Software, whether a locale installation or a web application, carries the risk of attack. While phishing and other social engineering attacks are some of the most common forms of a system breach, hackers still go for open vulnerabilities in software, whether due to bugs or misconfigured settings. That’s why the sixth requirement of the PCI… Read More
Timeline for PCI DSS 4.0: The Fifth Requirement and Malicious Software
Malware is an ever-present, if sometimes forgotten, threat to our IT systems. We tend to think that anti-malware and other security measures have effectively blocked out the threats of old worms and viruses. The real threat is against network and application security. However, hackers always look to launch malware into compromised systems to listen, learn,… Read More
Timeline for PCI DSS 4.0: The Fourth Requirement and In-Transit Encryption
As we move through the requirements of PCI DSS 4.0, we’ve reached the point where the standard specifies what it means to protect data as it moves through and outside of private and public networks. Encryption seems like a no-brainer, but in many cases, organizations have no idea how to manage their encryption approach properly.… Read More
Timeline for PCI DSS 4.0: The First Requirement and Best Practices for Network Security Controls
PCI DSS compliance is verifying that your systems, those that handle personal and cardholder information, meet all the expectations of the 12 requirements of the standard. These requirements describe security and privacy controls to protect against modern threats and vulnerabilities and call for both attention to implementing controls and maintaining long-term best practices. The best… Read More
Timeline for PCI DSS 4.0 Compliance – First Steps
As we’ve been writing, PCI DSS 4.0 is upon us. We’ve discussed some of the broader changes around the newer versions, but we have yet to dig deeper into the timeline for version 4.0. This article will discuss the preliminary steps you can take to prepare for the update. With a focus on understanding your… Read More
PCI DSS and Customized Approach Validation
With the new PCI DSS 4.0 updates now public, payment processors and security experts are examining some of the latest changes. One of the changes we’ve noticed (and one that will most likely make a massive difference for assessments) is the inclusion of customized approaches to PCI DSS assessment. This evolution of compensating controls in… Read More
What’s New in PCI DSS 4.0?
On March 31, 2022, the Payment Card Industry (PCI) Security Standards Council released version 4.0 of the Data Security Standard (DSS), updating what has been a long-running standard that needed some refreshing based on the newest technologies on the market. The increased focus on eCommerce and reliance on mobile devices has introduced several major security… Read More
FedRAMP vs. ISO 27001: Pursuing the Right Security
Companies attempting to navigate the complex world of private and public cybersecurity might get confused about what they should focus on. The truth is that you can’t adopt them all… but you can focus on the regulations that directly impact how you do business. Here, we’ll discuss two of the most prevalent security frameworks–FedRAMP and… Read More