It has become increasingly important for financial institutions to adopt robust security measures to safeguard their client’s assets and personal data. To address this challenge, FINDA has established a comprehensive set of rules to enhance its member firms’ cybersecurity posture. However, there isn’t a set-in-stone framework for specific security measures. Instead, FINRA consists of obligations… Read More
What Are NIST Principles for Trustworthy Secure Design?
In today’s interconnected world, IT system trustworthiness has become an essential cornerstone for critical infrastructure’s seamless and secure functioning. As governments, enterprises, and industrial organizations rely on complex digital systems, the trustworthiness of these systems must be measured and maintained. The need for trust in IT systems has been magnified by the rapid adoption of… Read More
Cybersecurity and Malicious Software: A History of Malware
In the earliest days of what could be considered cybersecurity, the primary threats were malicious programs that would operate against the wishes of the machine and its operator. These programs, referred to as viruses, served as the progenitors of what we generally refer to in modern parlance as malicious software or “malware.” Because the long… Read More
Timeline for PCI DSS 4.0: The First Requirement and Best Practices for Network Security Controls
PCI DSS compliance is verifying that your systems, those that handle personal and cardholder information, meet all the expectations of the 12 requirements of the standard. These requirements describe security and privacy controls to protect against modern threats and vulnerabilities and call for both attention to implementing controls and maintaining long-term best practices. The best… Read More
Timeline for PCI DSS 4.0 Compliance – First Steps
As we’ve been writing, PCI DSS 4.0 is upon us. We’ve discussed some of the broader changes around the newer versions, but we have yet to dig deeper into the timeline for version 4.0. This article will discuss the preliminary steps you can take to prepare for the update. With a focus on understanding your… Read More
What Are PCI DSS Future-Dated Requirements?
The good news? PCI DSS 4.0 is out, but the adoption schedule for the new standard is quite generous. The better news? The PCI Security Council has decided to implement a tiered approach to adoption. The first will finalize when the previous version (3.2.1) is officially retired in 2024. The second, known as the “future… Read More
Is Blockchain Technology Viable for Security?
Blockchain, blockchain, blockchain. It seems like you can’t throw a rock without hitting someone discussing the potential for blockchain technology. And, for the most part, this is driven by consumer interest in technologies and the potential for innovation in the web 3.0 world we live in. While the consumer market is having a so-so engagement… Read More
What Is LADMF Compliance?
Working with government agencies always involves some form of security, which is extremely important for handling federal data, no matter the reason. So, when enterprises want to access information from the SSA Limited Access Death Master File (LADMF), there are certain expectations for these businesses.
What Is CJIS Compliance?
We’ve covered several areas regarding data privacy and security. These discussions have covered private security frameworks, government-enforced regulations, and guidelines shoring up IT security for federal and national defense agencies and contractors. Another area of security and data privacy is law enforcement. Unsurprisingly, law enforcement and other national security agencies would handle private information, and… Read More
What Is CJIS Compliance?
We’ve covered several areas regarding data privacy and security. These discussions have covered private security frameworks, government-enforced regulations, and guidelines shoring up IT security for federal and national defense agencies and contractors. Another area of security and data privacy is law enforcement. It’s perhaps unsurprising that law enforcement and other national security agencies would handle… Read More
What Are GDPR Penalties?
Have you noticed the increasingly-complex cookie disclosure forms popping up on even the most unassuming website? These expanded forms aren’t present because digital businesses have suddenly decided informing customers about their data collection practices is an ethical imperative. Instead, these companies are most likely working with customers in both the U.S. and the EU, and… Read More
Protected Health Information, File Sharing and Email
Protecting patient information is a crucial and necessary part of healthcare… but so is communicating effectively with patients. Considering that email continues to be the most common form of electronic communication, it stands to reason that providers meet patients where they are. However, HIPAA regulations have rather strict requirements for protecting PHI, and plain email… Read More
What Are the Penalties for HIPAA Violations?
In October of 2015, the Excellus Health Plan suffered what was the largest HIPAA data breach of the year, with some 9.5 million patient records compromised. An investigation concluded in January 2021, stating that Excellus had five critical violations of HIPAA, including a failure to conduct risk analysis, implement sufficient network security measures and enact… Read More
OMG USB! Physical Media and Protecting PHI
Imagine this scenario: you’ve received some test results from some procedure. Those results are to be moved between institutions because you have doctors in different departments of a healthcare system. Normally, we’d think that these institutions would electronically transmit these results through some secure channel… but then you see that your doctor has your results,… Read More
What Are the Four Types of Risk Management?
We’ve discussed risk management and its complexity–what goes into it, what frameworks you can use, and how different forms of analysis and visualization can help you assess it effectively. But let’s pump the brakes a little. Have you thought about what to do about your risk profile? Do you know how to approach risk as… Read More
Managed Service Providers: How Secure Are Your Services?
The increasing use of cloud vendors and third-party providers has made advanced IT infrastructure and expertise available even to smaller organizations. It has also created an interconnected ecosystem of businesses, government agencies, utility firms and managed service providers (MSPs) that can potentially compromise security across multiple systems. If you’re a managed service provider, it’s your… Read More
What Are Carve-Out and Inclusive Auditing Methods for SOC Reporting?
SOC audits are some of the most common non-regulatory audits in the U.S. These attestations provide companies with a way to demonstrate their dedication to transparent and secure financial reporting and protecting consumer information. Accordingly, SOC reporting can become an in-depth and complicated task that is rendered even more complicated when factoring in subservice providers. … Read More
FedRAMP and CISA: What Is Binding Operational Directive 22-01
Managing cybersecurity threats is a full-time job, and most cybersecurity specialists rely on shared knowledge between experts in the field to combat these threats. The Common Vulnerabilities and Exposures (CVE) database provides a starting point for this kind of knowledge, centralizing an index of known security vulnerabilities in the wild. The CVE program recently joined… Read More
What Does a PCI DSS Audit Look Like?
PCI compliance is a hot topic these days. While payment processing seemed like the domain of large enterprises and retailers, the expansion of cloud-based processing and online storefronts have blurred the lines between processors, merchants and secure, compliant systems. Many organizations seek their PCI compliance certification to cover their bases with payment processing and data… Read More
What Are SOC 3 Reports?
The Service Organization Control (SOC) standard is a well-known, but often misunderstood, approach to cybersecurity. It’s not mandatory, it has several methods, and some attestations involve different types of reports and assessments. Sometimes, the most difficult challenge is understanding the breakdown between reports. While SOC 2 is the most well-known and deployed assessment on the… Read More