Timeline for PCI DSS 4.0: The First Requirement and Best Practices for Network Security Controls

PCI DSS compliance is verifying that your systems, those that handle personal and cardholder information, meet all the expectations of the 12 requirements of the standard. These requirements describe security and privacy controls to protect against modern threats and vulnerabilities and call for both attention to implementing controls and maintaining long-term best practices.  The best… Read More

PCI DSS and Customized Approach Validation

With the new PCI DSS 4.0 updates now public, payment processors and security experts are examining some of the latest changes. One of the changes we’ve noticed (and one that will most likely make a massive difference for assessments) is the inclusion of customized approaches to PCI DSS assessment. This evolution of compensating controls in… Read More

What Is CJIS Compliance?

We’ve covered several areas regarding data privacy and security. These discussions have covered private security frameworks, government-enforced regulations, and guidelines shoring up IT security for federal and national defense agencies and contractors.  Another area of security and data privacy is law enforcement. Unsurprisingly, law enforcement and other national security agencies would handle private information, and… Read More

What Is CJIS Compliance?

We’ve covered several areas regarding data privacy and security. These discussions have covered private security frameworks, government-enforced regulations, and guidelines shoring up IT security for federal and national defense agencies and contractors.  Another area of security and data privacy is law enforcement. It’s perhaps unsurprising that law enforcement and other national security agencies would handle… Read More

What Are GDPR Penalties?

Have you noticed the increasingly-complex cookie disclosure forms popping up on even the most unassuming website? These expanded forms aren’t present because digital businesses have suddenly decided informing customers about their data collection practices is an ethical imperative. Instead, these companies are most likely working with customers in both the U.S. and the EU, and… Read More

What Is NIST 800-161?

With modern IT infrastructure becoming increasingly complex, intertwined systems managed through service providers and managing experts, the inevitable security problem rears its head. How can one organization, using several service providers, ensure their data security as it travels through those systems? Over the past decade, enterprise and government specialists have refined the practice of risk… Read More

Why Consider Standards-Based Risk Management?

We’ve previously discussed the importance of risk management, and the challenges that come from approaching risk through large-scale frameworks. According to an abstract framework, many organizations aren’t necessarily equipped to mobilize far-ranging risk assessments.  Here, we’ll discuss a compromise to combine the best of both worlds: standards-based risk management.  

What Are the Problems with Risk Management? 

In our previous article, we discussed the concept of risk management–what it is and why it’s important.  However, risk management in cybersecurity isn’t new, and many organizations are working towards normalizing risk as an approach for comprehensive cybersecurity and compliance efforts.  While this move is a good one, we also find that many organizations will… Read More

What Is Risk?

Part 1: Risk and Security in Modern Systems “Risk “is a term gaining real traction in any industry where cybersecurity regulations impact businesses. Many frameworks and regulations are turning to risk management as a proactive and comprehensive approach to security management. This shift can mean big changes for enterprises that aren’t generally considering risk as… Read More

What Are Carve-Out and Inclusive Auditing Methods for SOC Reporting?

SOC audits are some of the most common non-regulatory audits in the U.S. These attestations provide companies with a way to demonstrate their dedication to transparent and secure financial reporting and protecting consumer information. Accordingly, SOC reporting can become an in-depth and complicated task that is rendered even more complicated when factoring in subservice providers. … Read More

What is the Difference Between DFARS and CMMC?

Security and compliance are paramount in the defense industry–even for unclassified information, like Controlled Unclassified Information (CUI). The operations of these particular industries call for the utmost discretion, and all stakeholders must be on the same page.  As modern digital infrastructure makes its way into the defense supply chain, it’s equally crucial for contractors and… Read More

IRS 1075 and NIST | How Do NIST Guidelines Affect IRS 1075 Regulations?

The Internal Revenue Service is one of the largest and most essential federal government agencies… which means that there is a lot of opportunity for third-party contractors and managed service providers to offer products to support its mission. It also means that these contractors will be expected to adhere to security standards, specifically those outlined… Read More

What is ISO 31000?

Many enterprises are looking for ways to increase their security and to protect their interests. As the world of cybersecurity, legal risk and operational challenges become more and more complex, checklist compliance regulations just aren’t going to cut it. That’s why governments and private organizations are increasingly turning to risk management as a tool for… Read More

NIST SP 800-171 vs. 800-172: What’s the Difference?

The unveiling of CMMC 2.0 last November raised a lot of questions, but also brought a lot of relief. The streamlining of security around Controlled Unclassified Information (CUI) will help defense agencies and contractors better secure their systems without burdening them with operational overhead. This is crucial for organizations who want to support these agencies… Read More