PCI DSS compliance is verifying that your systems, those that handle personal and cardholder information, meet all the expectations of the 12 requirements of the standard. These requirements describe security and privacy controls to protect against modern threats and vulnerabilities and call for both attention to implementing controls and maintaining long-term best practices. The best…
Timeline for PCI DSS 4.0 Compliance – First Steps
As we’ve been writing, PCI DSS 4.0 is upon us. We’ve discussed some of the broader changes around the newer versions, but we have yet to dig deeper into the timeline for version 4.0. This article will discuss the preliminary steps you can take to prepare for the update. With a focus on understanding your…
PCI DSS and Customized Approach Validation
With the new PCI DSS 4.0 updates now public, payment processors and security experts are examining some of the latest changes. One of the changes we’ve noticed (and one that will most likely make a massive difference for assessments) is the inclusion of customized approaches to PCI DSS assessment. This evolution of compensating controls in…
What’s New in PCI DSS 4.0?
On March 31, 2022, the Payment Card Industry (PCI) Security Standards Council released version 4.0 of the Data Security Standard (DSS), updating what has been a long-running standard that needed some refreshing based on the newest technologies on the market. The increased focus on eCommerce and reliance on mobile devices has introduced several major security…
FedRAMP vs. ISO 27001: Pursuing the Right Security
Companies attempting to navigate the complex world of private and public cybersecurity might get confused about what they should focus on. The truth is that you can’t adopt them all… but you can focus on the regulations that directly impact how you do business. Here, we’ll discuss two of the most prevalent security frameworks–FedRAMP and…
What Is LADMF Compliance?
Working with government agencies always involves some form of security, which is extremely important for handling federal data, no matter the reason. So, when enterprises want to access information from the SSA Limited Access Death Master File (LADMF), there are certain expectations for these businesses.
What Is CJIS Compliance?
We’ve covered several areas regarding data privacy and security. These discussions have covered private security frameworks, government-enforced regulations, and guidelines shoring up IT security for federal and national defense agencies and contractors. Another area of security and data privacy is law enforcement. Unsurprisingly, law enforcement and other national security agencies would handle private information, and…
What Are GDPR Penalties?
Have you noticed the increasingly complex cookie disclosure forms popping up on even the most unassuming website? These expanded forms aren’t present because digital businesses have suddenly decided informing customers about their data collection practices is an ethical imperative. Instead, these companies are most likely working with customers in both the U.S. and the EU, and…
What Is NIST 800-161?
As modern IT infrastructure becomes increasingly complex, with intertwined systems managed through service providers and outside experts, the inevitable security problem rears its head. How can one organization, using several service providers, ensure its data security as that data travels through those systems? Over the past decade, enterprise and government specialists have refined the practice of risk…
What Is a Risk Appetite Statement?
Over the past few weeks, we’ve talked quite a bit about risk: What it is. How it applies to compliance. How you can start to think about it as an aspect of your overall business strategy. In many of the cases we’ve discussed, we’ve referred to risk in terms of mitigation–how to close the gap…
Why Consider Standards-Based Risk Management?
We’ve previously discussed the importance of risk management, and the challenges that come from approaching risk through large-scale frameworks. According to an abstract framework, many organizations aren’t necessarily equipped to mobilize far-ranging risk assessments. Here, we’ll discuss a compromise to combine the best of both worlds: standards-based risk management.
What Are the Problems with Risk Management?
In our previous article, we discussed the concept of risk management–what it is and why it’s important. However, risk management in cybersecurity isn’t new, and many organizations are working towards normalizing risk as an approach for comprehensive cybersecurity and compliance efforts. While this move is a good one, we also find that many organizations will…
What Is Risk?
Part 1: Risk and Security in Modern Systems. “Risk” is a term gaining real traction in any industry where cybersecurity regulations impact businesses. Many frameworks and regulations are turning to risk management as a proactive and comprehensive approach to security management. This shift can mean big changes for enterprises that aren’t generally considering risk as…
PCI DSS 4.0 Is Coming… What Should Businesses Expect?
After several delays and timeline shifts to accommodate vendor and auditor feedback, the Payment Card Industry Security Standards Council will release the newest version of the framework, PCI DSS 4.0. This standard, expected to launch at the end of March 2022, will fundamentally alter some key components of the framework to help support payment acceptance…
What Are Carve-Out and Inclusive Auditing Methods for SOC Reporting?
SOC audits are some of the most common non-regulatory audits in the U.S. These attestations provide companies with a way to demonstrate their dedication to transparent and secure financial reporting and protecting consumer information. Accordingly, SOC reporting can become an in-depth and complicated task that is rendered even more complicated when factoring in subservice providers…
What is the Difference Between DFARS and CMMC?
Security and compliance are paramount in the defense industry–even for unclassified information, like Controlled Unclassified Information (CUI). The operations of these particular industries call for the utmost discretion, and all stakeholders must be on the same page. As modern digital infrastructure makes its way into the defense supply chain, it’s equally crucial for contractors and…
IRS 1075 and NIST | How Do NIST Guidelines Affect IRS 1075 Regulations?
The Internal Revenue Service is one of the largest and most essential federal government agencies… which means that there is a lot of opportunity for third-party contractors and managed service providers to offer products to support its mission. It also means that these contractors will be expected to adhere to security standards, specifically those outlined…
What is SOC 1 Compliance?
Audits and compliance are just part of doing business for financial organizations. Clients and partners must know that they can trust you to manage their critical information, keep it secure, and maintain its confidentiality. Frameworks like Systems and Organization Controls, or SOC, help organizations meet these expectations in a standardized way. While SOC 2 is…
What is ISO 31000?
Many enterprises are looking for ways to increase their security and to protect their interests. As the worlds of cybersecurity, legal risk and operational challenges become more and more complex, checklist compliance regulations just aren’t going to cut it. That’s why governments and private organizations are increasingly turning to risk management as a tool for…
What Are SOC 2 Type 1 and Type 2 Reports?
SOC 2 is one of the most well-known and well-respected compliance frameworks for businesses wanting to show partners and clients that they take security seriously. With the help of expert auditors and supportive security professionals, SOC 2 can quickly become a standard part of doing business in nearly any industry. Organizations attempting to meet SOC…
NIST SP 800-171 vs. 800-172: What’s the Difference?
The unveiling of CMMC 2.0 last November raised a lot of questions, but also brought a lot of relief. The streamlining of security around Controlled Unclassified Information (CUI) will help defense agencies and contractors better secure their systems without burdening them with operational overhead. This is crucial for organizations that want to support these agencies…