While typically not mandatory outside financial sectors, SOC 2 is a reliable security compliance model that any organization can follow. This can be seen in its security assessments, which include a robust list of “Common Criteria,” or broad areas of focus that any secure organization should follow. The recent revision of these criteria in 2023… Read More
What Are Security Control Assessor-Validator (SCA-V) Services?
Security Control Assessor-Validator (SCA-V) services are a core part of many compliance frameworks, and any agency proposing to offer these services will often provide a common set of expertise, certifications, and knowledge to support their customers. Here, we’re covering the basics of SCA services and what you should look for when signing on with a… Read More
What Is the European Cybersecurity Certification Scheme for Cloud Services (EUCS)
The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is an initiative to establish a unified certification process for cloud services across the EU. Cloud services and associated managed services are critical to most government and business functions, and the EU follows the example of other jurisdictions in focusing explicitly on this area of cybersecurity… Read More
Endpoint Security and Modern Compliance
With all the focus on network security, SaaS compliance, and big data protection, it’s sometimes very easy to forget that the most vulnerable parts of any given system are often those tied to the user. These devices (endpoints) are where these users do most of their work and where a lack of security best practices… Read More
Understanding API Security
One of the fastest-growing security attack surfaces is the Application Programming Interface (API). These functions allow programmers to tap into distributed services like data retrieval or social media broadcasting, vastly expanding the interoperability of different software tools. Accordingly, because API access often requires connecting to or using sensitive data, this presents significant security risks. We’re… Read More
Understanding GDPR in the Financial Sector
When considering security and finance, we typically consider regulations like PCI DSS, SOX, or FINRA. But if you’re a company doing business in Europe, there’s another framework you need to consider–GDPR. This set of regulations not only governs the exchange of consumer data but also has a massive impact on how financial organizations navigate commerce… Read More
Security, Compliance, and the Decline of Third-Party Cookies
The issue of cookies and user tracking has long been an issue, but the importance of these marketing and development tools has kept them a vital part of our web experiences. However, Google announced that its popular Chrome browser would no longer support third-party cookies, and in January 2024, they began rolling out anti-cookie technology. … Read More
What Is Isolated Identity Management, and Do You Need It For Federal Compliance?
Identity management is one of the more essential aspects of cybersecurity. Attackers will regularly target Identity and Access Management (IAM) systems to find ways to secure them, and security experts must implement new countermeasures to protect against these incursions. One of these is isolated identity management. In this article, we’ll cover the practice of isolated… Read More
What Are Core Documents for StateRAMP Authorization?
StateRAMP, much like FedRAMP, includes a series of documents that the cloud provider and their 3PAO must complete before they are fully authorized. These documents align with several stages of the assessment process and provide regulating authorities with the proof they need to see that the cloud offering meets requirements. Here, we summarize the documents… Read More
Shadow IT and the Foundational Threat to Cybersecurity
Companies can only monitor some of the pieces of software that their employees use. It’s inevitable, then, that those employees will start to kludge together their solutions through personal software or freeware from the Internet. This is such a problem that Splunk recently rated shadow IT as one of the top 50 threats to cybersecurity… Read More
VPNs and Cybersecurity
It’s a fact of contemporary professional life that data, people, and secure systems are all remote, interconnected, and vulnerable to evolving security threats. The challenge is that it isn’t enough to lock everything down in areas like federal security, healthcare IT infrastructure, or other sensitive areas. The solution for the past few decades has been… Read More
What Is the Open Security Controls Assessment Language (OSCAL)?
There’s recently been a push within FedRAMP towards modernizing the framework to meet modern security challenges and better align federal security standards across agencies and technologies. Part of this push is standardizing how security controls are measured and assessed, and the most recent blog from FedRAMP mentions a new standard–OSCAL. Here, we will discuss OSCAL,… Read More
What Is IRS 4812?
Understanding IRS Publication 4812 is not just about compliance; it’s about upholding a standard of trust and integrity crucial to the IRS’s operations and the taxpayers’ confidence. This relatively new standard addresses how contractors in the federal supply chain handle data specific to the Internal Revenue Service (IRS) and its mission of maintaining the privacy… Read More
Biometric Encryption and Protecting Personal Data
With traditional passwords becoming increasingly vulnerable to breaches, the focus has shifted towards more secure and unique identifiers – our biometric data. Biometric encryption stands at the forefront of this evolution, merging individual biological traits’ uniqueness with cryptographic techniques’ robustness. This article will discuss how biometric encryption works, its applications, and challenges in the rapidly… Read More
The Role of IT Decision Makers in StateRAMP Compliance
The journey towards StateRAMP compliance is complex, with IT decision-makers at the strategic forefront. ITDMs are responsible for an organization’s infrastructure, including security and regulations, guiding their organizations through the nuances of the compliance process. While working with a framework like StateRAMP, these decision-makers will inevitably have to take leading roles in guiding company culture… Read More
Evaluating Vendors for SOC 2 Compliance
Modern enterprise relies increasingly on a complex network of vendors and service providers to handle their infrastructure. From security and cloud computing to applications and logistics, these providers will often take the most important data that the enterprise generates or processes. That’s why organizations must look at their vendors with more scrutiny. For example, getting… Read More
Implementing SOC 2 Requirements for Cloud Environments
SOC 2 compliance provides a structured approach to ensuring data security, availability, and processing integrity, among other aspects. This article will dive into the specifics of SOC 2 and its impact on cloud security, shedding light on the technical controls, best practices, and the vital role of third-party attestations in bolstering trust between service providers… Read More
Secure Data Sharing and Compliance Frameworks
Several prominent security frameworks and regulations have been established to guide organizations through this intricate landscape. These range from international standards like ISO/IEC 27001 to more sector-specific regulations such as HIPAA for healthcare and PCI DSS for payment data. This article delves into these pivotal frameworks and how they speak to secure data sharing between… Read More
What is a Data Processing Agreement in GDPR?
Central to data protection in the EU is the GDPR and its data processing regulation. One of the most challenging aspects of GDPR is adjudicating the relationships between different parties handling data for various purposes–namely, relationships between managed service providers and the various, nebulous groups of organizations that use data for their daily operations. In… Read More
What’s New in CSF 2.0?
The National Institute of Standards and Technology (NIST) has always been at the forefront of cybersecurity guidance. With the Cybersecurity Framework (CSF) 2.0 release, NIST has addressed the evolving challenges of modern cybersecurity. This article discusses some of the bigger changes in the recently released CSF 2.0, spotlighting governance and supply chain security while emphasizing… Read More
Security Operations Centers, MSSPs, and Outsourced Security
The Security Operations Center (SOC) is central to this defense strategy – a dedicated hub for monitoring, detecting, and responding to security incidents. But as businesses grapple with establishing their in-house SOCs or outsourcing to specialized Managed Security Service Providers (MSSPs), many considerations come into play. In this article, we discuss the complexities of these… Read More
CCPA and CPRA Attestations and Audits
The California Consumer Privacy Act (CCPA) is a strict set of rules for companies in California, defining what these organizations must do to protect consumer privacy. Although the CCPA does not require formal audits, the upcoming CPRA expansion will call for these practices, particularly in consumer protection and privacy areas. As concerns about data privacy… Read More
What Is Proactive Cybersecurity? Preparing for Threats Before They Strike
Modern cybersecurity is about more than just reacting to threats as they emerge. Adopting proactive cybersecurity measures is not just a strategic advantage; it’s an operational necessity that can spell the difference between business as usual and breaches that erode customer trust and shareholder value. Whether you’re a cybersecurity veteran or new to the domain,… Read More
What Is Passwordless Authentication?
Passwords are our oldest form of digital security… and, in most cases, one of the weakest links in identity management and authentication. Phishing, database breaches, and poor digital hygiene have made authentication challenging for security and compliance. They have become the quintessential keys to our online kingdoms. As cyberattacks grow more sophisticated, there’s a mounting… Read More