Risk Assessment Requirements for GDPR Compliance

Cybersecurity trends are moving from checklist compliance to comprehensive, risk-driven security. This is just as true in the European Union, where data subject privacy and security requirements are strict.  Fortunately, GDPR provides significant guidance on general risk management and specific risk assessment requirements. We’ll cover those requirements here.   

What Are Risk Assessment Methodologies?

With the ever-increasing complexities of the IT and business environments, risk management has become crucially important for cybersecurity. Accordingly, risk management methodologies provide the blueprint for this anticipatory and strategic approach. They guide businesses in identifying potential threats, assessing their impact, devising effective responses, and monitoring progress.  This article will introduce some basics of risk… Read More

What Is NIST 800-161?

With modern IT infrastructure becoming increasingly complex, intertwined systems managed through service providers and managing experts, the inevitable security problem rears its head. How can one organization, using several service providers, ensure their data security as it travels through those systems? Over the past decade, enterprise and government specialists have refined the practice of risk… Read More

Risk Maturity and the Continuum GRC IRM Platform

Over the past few weeks, we’ve discussed what it means to consider risk as part of an overall compliance strategy. We’ve emphasized throughout that risk doesn’t have to be an abstract pursuit–it can be a comprehensive part of compliance and security that uses the realities of regulations and frameworks to drive decision-making (and vice-versa).  One… Read More

What Are the Problems with Risk Management? 

In our previous article, we discussed the concept of risk management–what it is and why it’s important.  However, risk management in cybersecurity isn’t new, and many organizations are working towards normalizing risk as an approach for comprehensive cybersecurity and compliance efforts.  While this move is a good one, we also find that many organizations will… Read More

Social Engineering and Enterprise Security

Discussions about security and compliance disproportionately focus on businesses and enterprises, precisely because these organizations serve as central repositories for critical industrial or consumer information. Accordingly, regulations and best practices are often tied to securing this infrastructure, with consumers getting little to no attention.  However, the reality of modern cybersecurity threats is that almost all… Read More

What is ISO 31000?

Many enterprises are looking for ways to increase their security and to protect their interests. As the world of cybersecurity, legal risk and operational challenges become more and more complex, checklist compliance regulations just aren’t going to cut it. That’s why governments and private organizations are increasingly turning to risk management as a tool for… Read More

Modern Risk Management and Compliance in 2021

Risk management and assessment is the practice of assessing an organization’s security systems against possible vulnerabilities and gaps to determine how much “risk” is acceptable as part of doing business. Factors like compliance, emerging threats and changes in technology and business operations all play an immense role in how security experts manage the risk their… Read More

What is NIST Framework for Improving Critical Infrastructure Cybersecurity?

With the more recent threats and attacks we’ve seen in both the Colonial Pipeline and SolarWinds hacks, the question of infrastructure security is firmly in the collective consciousness. With President Biden’s Executive Order focusing executive resources to beef up cybersecurity, the efforts of the government are turning towards addressing some of the gaps that have… Read More

Deploying Mobile Devices Securely For The SMB

Secure Mobile Device Deployments As we all know, mobile devices have become not an integral part of the workplace, but even in society. Therefore, the safe deployment of these devices is of paramount importance not just for individuals, but businesses and corporations, government agencies, as well as other entities. For example: Mobile devices have indeed… Read More

Preliminary Draft of NIST Privacy Framework Released

The NIST Privacy Framework will complement the popular NIST CSF Data privacy and cyber security have a symbiotic and sometimes conflicting relationship. Without robust cyber security, it is impossible to ensure data privacy, as evidenced by the Equifax hack. However, it’s fully possible for an organization to seriously violate users’ data privacy despite practicing robust… Read More

5 Tips for an Effective Cyber Incident Response Plan

A robust cyber incident response plan will minimize both damages and recovery time and ensure business continuity. Proactive measures to defend against data breaches, malware, social engineering, and other cyberattacks are crucial to enterprise cybersecurity, but there’s no such thing as a completely impenetrable system. Despite your best efforts, your company could still be hacked;… Read More

Growing Number of States Passing Insurance Data Security Laws

Insurers operating in multiple states must comply with a patchwork of state-level legislation patterned after the NAIC’s Insurance Data Security Model Law In 2017, the National Association of Insurance Commissioners (NAIC) developed the Insurance Data Security Model Law in response to a growing number of cyber incidents within the insurance industry. Similar to the NIST… Read More

Are You Ready for the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act represents a significant milestone for consumer data privacy in the U.S. Tired of the federal government dragging its feet on consumer data privacy legislation, states have started to take matters into their own hands. The biggest example is the California Consumer Privacy Act (CCPA), which takes effect on January 1,… Read More

What DoD Contractors Need to Know About the CMMC

The DoD unveiled its proposed Cybersecurity Maturity Model Certification (CMMC) to prevent supply chain attacks Cyberattacks on the U.S. government’s vast network of contractors and subcontractors pose a serious threat to national security, and the DoD is taking action. The agency tasked NIST with developing a set of guidelines addressing advanced persistent threats against contractors… Read More

How Are IT Compliance and Cyber Security Different?

IT Compliance and Cyber Security: Understanding the Differences IT compliance and cyber security are often used interchangeably, even within the cyber security and compliance fields. This is the basis for the completely incorrect and dangerous notion that achieving compliance automatically equals being secure. While there is some overlap, and the two fields complement each other,… Read More

Which FedRAMP Security Impact Level Is Right for You?

Understanding FedRAMP security impact levels and baselines You would never pay $1,000 upfront and $30/month for a security system to protect a shed containing $100 worth of lawn equipment. However, you wouldn’t hesitate to spend that much or more to protect your home and family. The same concept applies in information security. Different kinds of… Read More

Understanding the Updated SOC 2 Trust Services Criteria

Your guide to the SOC 2 Trust Services Criteria (formerly the Trust Services Principles) Outsourcing IT services to service organizations has become a normal part of doing business, even for small companies. However, there are risks to using service providers, and these continue to evolve and change. In this dynamic environment, the American Institute of… Read More

The FedRAMP Assessment Process: Tips for Writing a FedRAMP SSP

Advice for writing a successful FedRAMP SSP A FedRAMP SSP (System Security Plan) is the bedrock of a FedRAMP assessment and the primary document of the security package in which a cloud service provider (CSP) details their system architecture, data flows and authorization boundaries, and all security controls and their implementation. Keep in mind that… Read More

Docker Hub Hack Compromises Sensitive Data from 190,000 Accounts

Is Docker Hub hack a harbinger of increasing cyber attacks on cloud containers? According to an official email sent to users, hackers gained access to Docker Hub, the official repository for Docker container images, “for a brief period.” However, during that “brief period,” approximately 190,000 user accounts were compromised, containing data such as usernames, hashed… Read More

Hackers Can Use DICOM Bug to Hide Malware in Medical Images

Hackers Can Use DICOM Bug to Hide Malware in Medical Images  DICOM bug enables hackers to insert fully functioning executable code into medical images A newly discovered design flaw in DICOM, a three-decade-old medical imaging standard, could be used to deliver malware inside what appears to be an innocuous image file, a researcher from Cylera… Read More

Arizona Beverages Ransomware Attack Halts Sales for Days

Poor cybersecurity practices complicated recovery from the Arizona Beverages ransomware attack. What appears to have been a targeted ransomware attack knocked over 200 networked computers and servers offline at Arizona Beverages, one of the largest beverage suppliers in the U.S., TechCrunch reports. The attack, which the company was still struggling to recover from two weeks… Read More