Over the past few weeks, we’ve discussed what it means to consider risk as part of an overall compliance strategy. We’ve emphasized throughout that risk doesn’t have to be an abstract pursuit–it can be a comprehensive part of compliance and security that uses the realities of regulations and frameworks to drive decision-making (and vice-versa). One…
What Is a Risk Appetite Statement?
Over the past few weeks, we’ve talked quite a bit about risk: What it is. How it applies to compliance. How you can start to think about it as an aspect of your overall business strategy. In many of the cases we’ve discussed, we’ve referred to risk in terms of mitigation–how to close the gap…
What Is Risk?
Part 1: Risk and Security in Modern Systems. “Risk” is a term gaining real traction in any industry where cybersecurity regulations impact businesses. Many frameworks and regulations are turning to risk management as a proactive and comprehensive approach to security management. This shift can mean big changes for enterprises that aren’t generally considering risk as…
Michael Peters, Continuum GRC: “close proximity between working and personal computing spaces has put both at risk”
Following the continuing rage of the COVID-19 pandemic, organizations face the difficult task of securing the workloads and devices of employees scattered around the world. As the home has become the new office, it has unveiled serious organizational cybersecurity gaps. Experts say that simply installing antivirus software or encrypting traffic on a company-issued MacBook is…
How E-Commerce Apps Are Putting Your Site at Risk
Article Reprint: http://www.ecommercetimes.com/story/How-E-Commerce-Apps-Are-Putting-Your-Site-at-Risk-70964.html?wlc=1286281687&wlc=1286300892 Many developers do not overlook security on purpose; it’s just that the focus is usually on features and functionality, not the nuts and bolts of building a secure software application. These technical oversights can leave a relatively easy opening for attackers to leverage. Cross-site scripting or data source injection are the most…
Certified in Risk and Information Systems Control (CRISC)
I’ve received a Certified in Risk and Information Systems Control (CRISC) certification number of 1000201. I personally believe that the CRISC will be the industry standard for risk management just as the CISSP has been for information security practitioners. I certainly recommend pursuing this certification.
The Kaiser Data Breach and the Importance of HIPAA for Vendor Relationships
Unfortunately, HIPAA data breaches are increasingly common. Kaiser Permanente, one of the largest healthcare insurance providers in the U.S., recently reported a massive exposure of millions of patient records (Protected Health Information, or PHI). This unfortunate event also serves as a learning moment for companies that may not understand how to avoid such unintended consequences.…
Streamline Compliance and Documentation with Continuum GRC AI
Automate reporting with machine learning and AI. The Necessity of Accurate Reporting in Compliance: Documentation and reports are the end product and backbone of your compliance efforts. They are how your organization demonstrates compliance with relevant regulatory and governing bodies.
CMMC and Level 2 Assessment Guidelines
Our previous articles on CMMC Level 1 certification focused on what organizations need to know when conducting self-assessments. These documents relied primarily on the fact that the contractor would do their assessments and reporting. With Level 2 certification, the game changes. Not only are nearly all assessments performed by C3PAOs, but their requirements expand nearly…
Performing Level 1 Self-Assessments Under CMMC Requirements
Our previous article discussed what it meant to scope your self-assessment while pursuing Level 1 Maturity under CMMC. This approach included identifying the boundaries of FCI-holding systems and comprehensively cataloging technology, people, and processes that play a part in that system. Here, we take the next step and cover CIO guidelines for performing your self-assessment. …
CMMC and Scoping Level 1 Self-Assessments
One of the more significant changes in the new CMMC 2.0 guidelines was the move from third-party to self-assessment at Level 1 maturity. At Level 1, contractors can perform a self-assessment rather than engage with a C3PAO, significantly reshaping their obligations and the associated costs and effort for compliance. Here, we’re covering the CIO’s guidance…
CVE-2024-3094 Utils and Vulnerabilities in Federal Linux Systems
Over the past week, a new vulnerability in the Linux operating system and the XZ compression utility has led to a new security alert and an immediate call to roll back some new updates. While this threat is a massive problem for federal IT systems relying on specific Linux distributions, it also highlights how poorly…
The New Roadmap for FedRAMP
Recently, FedRAMP announced that, per stakeholder feedback, the federal market’s needs for cloud SaaS products are not being met. A significant part of this is the program’s bottleneck. To address this issue, the Office of Management and Budget (OMB) has released a draft memo offering significant program changes, including updates to infrastructure, leadership, and authorization. …
When Should You Work with a CMMC RPO vs. a C3PAO?
CMMC is a complex undertaking. Depending on where you are in your certification journey, you could require consulting, assessment, or both. Fortunately, the CMMC program includes training and authorization for two distinct types of organizations: Registered Provider Organizations (RPOs) and Certified Third-Party Assessment Organizations (C3PAOs), each offering different services. We’re discussing these organizations and which…
The OCR HIPAA Report and Proper Breach Requirements
HIPAA is a core cybersecurity framework for patients and healthcare providers in the U.S. Unfortunately, a new report from the OCR shows an increase in significant events and a lack of resources to follow up on critical compliance issues. We’re covering some of this report and the underlying HIPAA requirements reflected in it.
The 2023 Revisions to SOC 2 Compliance
In 2023, the American Institute of CPAs (AICPA) launched a revision of its SOC 2 standard. This revision focused specifically on security issues and emphasized “points of focus” to boost SOC 2 audits’ ability to address modern security threats.
An In-Depth Guide to SOC 2 Security Common Criteria
While typically not mandatory outside financial sectors, SOC 2 is a reliable security compliance model that any organization can follow. This can be seen in its security assessments, which include a robust list of “Common Criteria,” or broad areas of focus that any secure organization should follow. The recent revision of these criteria in 2023…
What Is NIST 800-172 and Advanced Security Structures
The ongoing rise of state-sponsored Advanced Persistent Threats (APTs) has increased scrutiny of the security of federal and state IT systems. The latest version of CMMC includes a high-maturity level specifically designed to address these threats, which relies primarily on the advanced security controls listed in NIST Special Publication 800-172.
CMMC, NIST 800-172, and Advanced Persistent Threats
As organizations move up the CMMC maturity model, they do so for one reason: to prepare themselves better to protect against Advanced Persistent Threats (APTs). These threats are a significant problem in the defense supply chain, and as such, CMMC leans heavily on NIST 800-171 and 800-172 to address them. This article introduces how these…
Third-Party Vendor Security and PCI DSS
We’ve regularly written about maintaining security and compliance with third-party vendors. While vendors and managed service providers are a crucial part of digital economies, it’s up to the client businesses to ensure they work with vendors that meet their needs. Following previous discussions of third-party vendor security under standards like SOC 2 and HIPAA, we’re…
What Is Post-Quantum Cryptography and Apple’s PQ3?
The prospect of quantum computers on the horizon has shaken the cryptography world, and researchers and scientists have mounted a massive effort to build feasible Post-Quantum Cryptography (PQC). Recently, Apple has taken an enormous step forward by announcing its own PQC system, PQ3, for Apple devices. Learn more about PQC and Apple’s announcement and the…
Incident Response and the Responsibility of Your Organization for Protecting Data
As the recent Ivanti security breaches indicate, the existence of a strong and effective incident response isn’t an option but a necessity. An incident response plan (IRP) is essential to prepare an organization to respond to any security incident effectively and on time. This plan spells out processes that an organization should undergo in case…
What Is A Data Privacy Impact Assessment (DPIA)?
New data security regulations include, or foreground, the role of data privacy in compliance. Many of these, like GDPR and CCPA, make data privacy a primary concern and expect businesses to meet stringent requirements about protecting the integrity of consumers’ Personally Identifiable Information (PII). One practice stemming from GDPR requirements is the Data Privacy Impact…
What Are Security Control Assessor-Validator (SCA-V) Services?
Security Control Assessor-Validator (SCA-V) services are a core part of many compliance frameworks, and any agency proposing to offer these services will often provide a common set of expertise, certifications, and knowledge to support their customers. Here, we’re covering the basics of SCA services and what you should look for when signing on with a…