Cybersecurity and Malicious Software: A History of Malware

In the earliest days of what could be considered cybersecurity, the primary threats were malicious programs that would operate against the wishes of the machine and its operator. These programs, referred to as viruses, served as the progenitors of what we generally refer to in modern parlance as malicious software or “malware.” Because the long… Read More

Timeline for PCI DSS 4.0: The First Requirement and Best Practices for Network Security Controls

PCI DSS compliance is verifying that your systems, those that handle personal and cardholder information, meet all the expectations of the 12 requirements of the standard. These requirements describe security and privacy controls to protect against modern threats and vulnerabilities and call for both attention to implementing controls and maintaining long-term best practices.  The best… Read More

What Is CJIS Compliance?

We’ve covered several areas regarding data privacy and security. These discussions have covered private security frameworks, government-enforced regulations, and guidelines shoring up IT security for federal and national defense agencies and contractors.  Another area of security and data privacy is law enforcement. It’s perhaps unsurprising that law enforcement and other national security agencies would handle… Read More

What Are GDPR Penalties?

Have you noticed the increasingly-complex cookie disclosure forms popping up on even the most unassuming website? These expanded forms aren’t present because digital businesses have suddenly decided informing customers about their data collection practices is an ethical imperative. Instead, these companies are most likely working with customers in both the U.S. and the EU, and… Read More

Protected Health Information, File Sharing and Email

Protecting patient information is a crucial and necessary part of healthcare… but so is communicating effectively with patients. Considering that email continues to be the most common form of electronic communication, it stands to reason that providers meet patients where they are.  However, HIPAA regulations have rather strict requirements for protecting PHI, and plain email… Read More

OMG USB! Physical Media and Protecting PHI

Imagine this scenario: you’ve received some test results from some procedure. Those results are to be moved between institutions because you have doctors in different departments of a healthcare system.  Normally, we’d think that these institutions would electronically transmit these results through some secure channel… but then you see that your doctor has your results,… Read More

Managed Service Providers: How Secure Are Your Services?

The increasing use of cloud vendors and third-party providers has made advanced IT infrastructure and expertise available even to smaller organizations. It has also created an interconnected ecosystem of businesses, government agencies, utility firms and managed service providers (MSPs) that can potentially compromise security across multiple systems.  If you’re a managed service provider, it’s your… Read More

What Are Carve-Out and Inclusive Auditing Methods for SOC Reporting?

SOC audits are some of the most common non-regulatory audits in the U.S. These attestations provide companies with a way to demonstrate their dedication to transparent and secure financial reporting and protecting consumer information. Accordingly, SOC reporting can become an in-depth and complicated task that is rendered even more complicated when factoring in subservice providers. … Read More

FedRAMP and CISA: What Is Binding Operational Directive 22-01

Managing cybersecurity threats is a full-time job, and most cybersecurity specialists rely on shared knowledge between experts in the field to combat these threats. The Common Vulnerabilities and Exposures (CVE) database provides a starting point for this kind of knowledge, centralizing an index of known security vulnerabilities in the wild.  The CVE program recently joined… Read More

What Does a PCI DSS Audit Look Like?

PCI compliance is a hot topic these days. While payment processing seemed like the domain of large enterprises and retailers, the expansion of cloud-based processing and online storefronts have blurred the lines between processors, merchants and secure, compliant systems.  Many organizations seek their PCI compliance certification to cover their bases with payment processing and data… Read More

What Are SOC 3 Reports?

The Service Organization Control (SOC) standard is a well-known, but often misunderstood, approach to cybersecurity. It’s not mandatory, it has several methods, and some attestations involve different types of reports and assessments.  Sometimes, the most difficult challenge is understanding the breakdown between reports. While SOC 2 is the most well-known and deployed assessment on the… Read More