When we talk about scans, tests, and authorization in the context of StateRAMP assessment, we tend to think that the process (and all its moving parts) are relatively stable and predictable. And, for the most part, this thinking is correct. However, it’s normal, and in some ways expected, to run into issues where scans and… Read More
Plagiarism isn’t new, and the proliferation of shady websites and questionable decisions from search engine giant Google has led to sinister and sometimes silly evolutions in what fraudsters can do with the theft of someone’s intellectual property. According to Plagiarism Daily, we’re seeing a new outgrowth of plagiarism creep up on us. Gone are the… Read More
Ongoing maintenance and upkeep are a cornerstone of all cybersecurity regulations and frameworks. And for a good reason. The rapidly changing threat landscape that businesses and government agencies face daily necessitates an ever-vigilant approach to cybersecurity. Vulnerability scanning is an important part of compliance and security across almost every data-driven industry. Here, we’re discussing what StateRAMP… Read More
There is no substitute for a competent and impartial auditor in terms of compliance, security, and correct operations. Organizations that can assess and certify technologies and organizations are essential for ensuring accountability and standards of excellence in place, applying to systems that store sensitive data. To modify a common saying, “who watches the auditors?” That’s… Read More
So, after a long journey, we’ve arrived at the twelfth and final requirement for PCI DSS 4.0. Last but certainly not least, this requirement emphasizes the need for creating, documenting, and implementing organization-wide security and compliance policies.
System security is one task of many in organizations focused on compliance, one that requires continuous monitoring and diligence to ensure its success. One of the more critical aspects of compliance requirements like PCI DSS 4.0 is ongoing testing of system and network components. What does that process look like for companies in the payment… Read More
StateRAMP takes several of its requirements from FedRAMP, and perhaps one of the most important requirements is continuous monitoring. Continuous monitoring ensures that systems that earned StateRAMP Authorization remain in compliance year after year, avoiding gaps in security and protecting the interest of state and local governments.
StateRAMP is now nearly two years old, and the small project is quickly becoming a mainstay in the security industry. State and local governments are looking for a solid cybersecurity framework that they can use to vet and certify cloud providers that they may work with. In this article, we’ll talk about the basics of… Read More
As we move through the requirements for PCI DSS 4.0, we’re coming up to the double digits, which means some more advanced expectations. Namely, the tenth requirement focuses on system logging and monitoring for systems containing cardholder data. The maintenance of audit logs is about more than automatically recording data about system events. Your system… Read More
When thinking about cybersecurity, many stakeholders outside the industry will rarely consider the physical systems supporting digital information. And yet, almost any security framework worth its salt will have some provision for securing physical systems and environments. PCI DSS 4.0 is no different, and the ninth requirement is dedicated to just this topic. This article… Read More
The federal government leans more heavily on technology providers, including cloud computing platforms that support data storage, processing, and office application solutions. Accordingly, the question of data security is live, and the government’s response is to implement the FedRAMP authorization requirement. Like many other government programs, FedRAMP can threaten to bury the under prepared provider… Read More
Moving through the requirements of PCI DSS 4.0, we’re well over halfway through. During this journey, we’ve touched on cryptography, security and perimeter management, network security, authorization, and other critical security considerations. Now, we come up against the authentication and identity management problem with the eighth requirement. Authentication isn’t simply about passwords and CAPTCHAs, however.… Read More
In the financial industry, fraud is a natural and ever-present challenge. Digital banking and international finance have only compounded this problem, and anti-money laundering and fraud laws in the U.S. have evolved to address these issues. In modern times, the overlap of identity management, authentication, and identity assurance has led to more comprehensive forms of… Read More
As we work through the requirements of PCI DSS, we’ve run into several calls for securing data against “unauthorized users.” Operationally, this makes sense–cardholder data should be protected against use or viewing by people that don’t have a reason to do so. However, any effective IT security system must have a method to ensure that… Read More
Security frameworks and regulations will inevitably dictate that organizations have the capabilities to deny access from unauthorized users. This facet of cybersecurity is so fundamental to compliance more broadly that it’s essentially impossible to engage in proper security without considering access control. This article will discuss access controls and authorization as part of a larger… Read More
Software, whether a locale installation or a web application, carries the risk of attack. While phishing and other social engineering attacks are some of the most common forms of a system breach, hackers still go for open vulnerabilities in software, whether due to bugs or misconfigured settings. That’s why the sixth requirement of the PCI… Read More
One of the cornerstones of cybersecurity has been the protection of software. These applications have been installed on local machines or workstations for most of the computing history. Hackers would use different approaches to gain access to these machines using corrupted software or other means. In modern times, the proliferation of web applications and Software-as-a-Service… Read More
Malware is an ever-present, if sometimes forgotten, threat to our IT systems. We tend to think that anti-malware and other security measures have effectively blocked out the threats of old worms and viruses. The real threat is against network and application security. However, hackers always look to launch malware into compromised systems to listen, learn,… Read More
In the earliest days of what could be considered cybersecurity, the primary threats were malicious programs that would operate against the wishes of the machine and its operator. These programs, referred to as viruses, served as the progenitors of what we generally refer to in modern parlance as malicious software or “malware.” Because the long… Read More
Data encryption is a crucial part of cybersecurity. The standard data states (at rest, in transit, and use) all present unique and challenging vulnerabilities that can expose that data to unauthorized parties. No vulnerability is more apparent than having that data stolen and viewed by people who shouldn’t be looking. That’s where in-transit encryption comes… Read More
As we move through the requirements of PCI DSS 4.0, we’ve reached the point where the standard specifies what it means to protect data as it moves through and outside of private and public networks. Encryption seems like a no-brainer, but in many cases, organizations have no idea how to manage their encryption approach properly.… Read More
While having only 12 requirements might make PCI DSS seem like a simple standard, each requirement is incredibly important and, if you aren’t paying attention, can specify practices you aren’t implementing. In the case of the third requirement, this could mean that you’re not actually protecting the most critical data that is in your possession–that… Read More
It’s crucial that any company handling consumer cardholder information, including card numbers, protect that information from any and every unauthorized user. The PCI Security Standards Council has determined that to promote security and usability, it’s not enough to secure a system perimeter and encrypt data. Instead, companies have to approach data obfuscation through a series… Read More
Part of managing system compliance is ensuring that each system meets a minimum standard. Beyond this relatively straightforward component of the process, almost every compliance process includes other ongoing tasks, including risk assessment and configuration management. What is configuration management, exactly? These compliance frameworks will often refer to it, but implementing a management policy is… Read More