Cloud computing and modern service models of software or infrastructure distribution present a problem to providers and customers alike–namely, how to properly assess and certify components in a way that considers the relationship between different modules, platforms, and apps. FedRAMP requirements define how assessors and Authorization approach different cloud offering service models to mitigate the… Read More
When we talk about scans, tests, and authorization in the context of StateRAMP assessment, we tend to think that the process (and all its moving parts) are relatively stable and predictable. And, for the most part, this thinking is correct. However, it’s normal, and in some ways expected, to run into issues where scans and… Read More
So, after a long journey, we’ve arrived at the twelfth and final requirement for PCI DSS 4.0. Last but certainly not least, this requirement emphasizes the need for creating, documenting, and implementing organization-wide security and compliance policies.
System security is one task of many in organizations focused on compliance, one that requires continuous monitoring and diligence to ensure its success. One of the more critical aspects of compliance requirements like PCI DSS 4.0 is ongoing testing of system and network components. What does that process look like for companies in the payment… Read More
When thinking about cybersecurity, many stakeholders outside the industry will rarely consider the physical systems supporting digital information. And yet, almost any security framework worth its salt will have some provision for securing physical systems and environments. PCI DSS 4.0 is no different, and the ninth requirement is dedicated to just this topic. This article… Read More
Moving through the requirements of PCI DSS 4.0, we’re well over halfway through. During this journey, we’ve touched on cryptography, security and perimeter management, network security, authorization, and other critical security considerations. Now, we come up against the authentication and identity management problem with the eighth requirement. Authentication isn’t simply about passwords and CAPTCHAs, however.… Read More
As we work through the requirements of PCI DSS, we’ve run into several calls for securing data against “unauthorized users.” Operationally, this makes sense–cardholder data should be protected against use or viewing by people that don’t have a reason to do so. However, any effective IT security system must have a method to ensure that… Read More
Software, whether a locale installation or a web application, carries the risk of attack. While phishing and other social engineering attacks are some of the most common forms of a system breach, hackers still go for open vulnerabilities in software, whether due to bugs or misconfigured settings. That’s why the sixth requirement of the PCI… Read More
Malware is an ever-present, if sometimes forgotten, threat to our IT systems. We tend to think that anti-malware and other security measures have effectively blocked out the threats of old worms and viruses. The real threat is against network and application security. However, hackers always look to launch malware into compromised systems to listen, learn,… Read More
As we move through the requirements of PCI DSS 4.0, we’ve reached the point where the standard specifies what it means to protect data as it moves through and outside of private and public networks. Encryption seems like a no-brainer, but in many cases, organizations have no idea how to manage their encryption approach properly.… Read More
PCI DSS compliance is verifying that your systems, those that handle personal and cardholder information, meet all the expectations of the 12 requirements of the standard. These requirements describe security and privacy controls to protect against modern threats and vulnerabilities and call for both attention to implementing controls and maintaining long-term best practices. The best… Read More
As we’ve been writing, PCI DSS 4.0 is upon us. We’ve discussed some of the broader changes around the newer versions, but we have yet to dig deeper into the timeline for version 4.0. This article will discuss the preliminary steps you can take to prepare for the update. With a focus on understanding your… Read More
With the new PCI DSS 4.0 updates now public, payment processors and security experts are examining some of the latest changes. One of the changes we’ve noticed (and one that will most likely make a massive difference for assessments) is the inclusion of customized approaches to PCI DSS assessment. This evolution of compensating controls in… Read More
On March 31, 2022, the Payment Card Industry (PCI) Security Standards Council released version 4.0 of the Data Security Standard (DSS), updating what has been a long-running standard that needed some refreshing based on the newest technologies on the market. The increased focus on eCommerce and reliance on mobile devices has introduced several major security… Read More
Companies attempting to navigate the complex world of private and public cybersecurity might get confused about what they should focus on. The truth is that you can’t adopt them all… but you can focus on the regulations that directly impact how you do business. Here, we’ll discuss two of the most prevalent security frameworks–FedRAMP and… Read More
Working with government agencies always involves some form of security, which is extremely important for handling federal data, no matter the reason. So, when enterprises want to access information from the SSA Limited Access Death Master File (LADMF), there are certain expectations for these businesses.
We’ve covered several areas regarding data privacy and security. These discussions have covered private security frameworks, government-enforced regulations, and guidelines shoring up IT security for federal and national defense agencies and contractors. Another area of security and data privacy is law enforcement. It’s perhaps unsurprising that law enforcement and other national security agencies would handle… Read More
We’ve covered several areas regarding data privacy and security. These discussions have covered private security frameworks, government-enforced regulations, and guidelines shoring up IT security for federal and national defense agencies and contractors. Another area of security and data privacy is law enforcement. Unsurprisingly, law enforcement and other national security agencies would handle private information, and… Read More
Have you noticed the increasingly-complex cookie disclosure forms popping up on even the most unassuming website? These expanded forms aren’t present because digital businesses have suddenly decided informing customers about their data collection practices is an ethical imperative. Instead, these companies are most likely working with customers in both the U.S. and the EU, and… Read More
With modern IT infrastructure becoming increasingly complex, intertwined systems managed through service providers and managing experts, the inevitable security problem rears its head. How can one organization, using several service providers, ensure their data security as it travels through those systems? Over the past decade, enterprise and government specialists have refined the practice of risk… Read More
Over the past few weeks, we’ve talked quite a bit about risk: What it is. How it applies to compliance. How you can start to think about it as an aspect of your overall business strategy. In many of the cases we’ve discussed, we’ve referred to risk in terms of mitigation–how to close the gap… Read More
We’ve previously discussed the importance of risk management, and the challenges that come from approaching risk through large-scale frameworks. According to an abstract framework, many organizations aren’t necessarily equipped to mobilize far-ranging risk assessments. Here, we’ll discuss a compromise to combine the best of both worlds: standards-based risk management.
In our previous article, we discussed the concept of risk management–what it is and why it’s important. However, risk management in cybersecurity isn’t new, and many organizations are working towards normalizing risk as an approach for comprehensive cybersecurity and compliance efforts. While this move is a good one, we also find that many organizations will… Read More
Part 1: Risk and Security in Modern Systems “Risk “is a term gaining real traction in any industry where cybersecurity regulations impact businesses. Many frameworks and regulations are turning to risk management as a proactive and comprehensive approach to security management. This shift can mean big changes for enterprises that aren’t generally considering risk as… Read More