Risk in general is the likelihood and the possible impact of something bad happening in the near future. A risk assessment is an introspective ...
Security Program, Risk Assessment
What's new with State Privacy Laws? There are now ten comprehensive privacy laws enacted in the United States. The new 2023 laws include those ...
In this interview with Truvantis CEO Andy Cottrell, Aaron Wheeler discusses conducting tabletop exercises and how his clients derive value. What ...
In this interview with Truvantis CEO Andy Cottrell, Jenny Hill discusses the challenges and evolution of security programs she sees across ...
The Truvantis Risk Radar welcomed the PCI Dream Team to the first stop of their 2023 book tour. Their new book is called, “The Definitive Guide ...
Penetration Testing, Security Program, Risk Assessment, Red Team
William gets to the point of what a pen test should do for your business and how to avoid costly mistakes.
As technology advances and the reliance on digital systems grows, the risk of data breaches in the health-tech sector has increased ...
CIS Controls, Security Program
Ok, so you had a data breach. What do you do next? Some experts warn that it's not a matter of 'if' but 'when' your information management ...
NOTE: PCI DSS compliance is mandated by the contracts merchants sign with the card brands (Visa, MasterCard, etc.) and the banks that ...
PCI DSS, CIS Controls, Security Program
We interviewed Rick Folkerts, Principal Security Analyst at Truvantis. Rick is a specialist in governance, risk and compliance, including data ...
Penetration Testing, Security Program, Threat Intelligence, Ransomware
In today's digital age, businesses increasingly rely on technology, making them more vulnerable to cyber-attacks. One of the most dangerous ...
PCI DSS, SOC2, CISO, vCISO, CIS Controls, Security Program, Privacy, Red Teaming
Cybersecurity and privacy risks remain among the top threats facing business organizations today. Increasingly, boards are leaning on the CISO ...
"I think this is a colossal failure in asset-liability risk management,"-Mark T. Williams, a former bank examiner for the Federal Reserve, ...
SOC2, Penetration Testing, Security Program, Privacy
HealthTech is among the most well-funded and rapidly growing industries. However, the medical sector is one of the most challenging areas for ...
SOC2, Penetration Testing, Security Program, Privacy
When it comes to cybersecurity, privacy & compliance, the road forward is often unclear. The recently amended FTC Safeguards Rule (Title 16 ...
When it comes to cybersecurity, privacy & compliance, the road forward is often unclear. A proper risk assessment is a fundamental start to ...
PCI DSS, SOC2, CIS Controls, Security Program, Privacy
Many Organizations are Finding Value in Continuous Compliance. In 2023, many organizations are considering cybersecurity and privacy as business ...
CIS Controls, Security Program
How your defense-in-depth strategy protected you from the LastPass data breach. Most of us like using password managers for the security and user ...
When it comes to a security risk assessment, it's often unclear what you'll receive. Providers use meaningless and misused buzzwords, and there ...
Penetration Testing, Security Program, Risk Assessment, Privacy, Threat Intelligence
Nowadays, the perpetrators of ransomware have gotten more clever in their methods, using complex strategies such as double extortion, in which ...
Along with the benefits of capabilities and growth, mergers and acquisitions add new risks to your attack surface. Managing M&A risk should ...
The concept of 'Zero Trust,' which essentially presumes conventional perimeter protections don't exist, has been in cybersecurity for many ...
Congratulations, product development was successful, and you have the utmost confidence in the capabilities of your new product or service. ...
Many find the holiday season exciting because they can relax, spend time with family and friends, and celebrate traditions. Additionally, most ...
In today's data-driven economy, an organization's data is its most valuable asset. The landscape of privacy regulations is vast and continuously ...
The ISO 27001 standard provides requirements for establishing, implementing, maintaining and continually improving your Information Security ...
Without a doubt, the increased frequency and intensified scale of ransomware attacks are becoming a significant issue for tens of thousands of ...
Most industry-recognized security frameworks, including HITRUST, CIS Controls and PCI DSS, stipulate penetration testing requirements as part of ...
In a corporation, the board is ultimately accountable to the shareholders for managing risks, including cybersecurity and privacy risk. ...
Everyone is aware Cybersecurity is a necessity. And regardless of how mature or lacking your current cybersecurity program is, the constantly ...
Privacy regulations boil down to protecting information. In other words, privacy is about the security of data. The various privacy rights can ...
According to the Anti-Phishing Working Group (APWG), an international coalition of counter-cybercrime responders, phishing attacks climbed to a ...
Given the complexity and cost of security, privacy and compliance efforts, a comprehensive risk management program is the best overall approach. ...
The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) is a widely recognized security framework that HITRUST developed ...
Penetration Testing, Security Program
According to The Hacker News (October 2022), researchers reported that organizations using Office 365 Message Encryption (OME), considered obsolete ...
Privacy regulations boil down to protecting information. In other words, privacy is about the security of data. In today’s data-driven economy, ...
Internet of things (IoT) devices are prevalent in our home and business lives. Embedded devices have revolutionized manufacturing, industrial, ...
SOC2, CISO, vCISO, Security Program
The California Privacy Protection Agency (CPPA) Board held a public meeting on August 24-25 at the Elihu M. Harris State Office 1515 Clay St. ...
Headlines: Experts agree remote workers and BYOD have permanently changed the threat landscape. Quantum computing is emerging as an ...
SOC2, CISO, vCISO, Security Program
Topic: The Compliance Equals Security Disconnect “Use the tools at your disposal correctly, stay current on threats, monitor your security ...
SOC2, CISO, vCISO, Security Program
You likely need a risk assessment for compliance. PCI DSS 4.0, SOC2, ISO 27001, NIST, HIPAA, and other standards require a risk assessment as a ...
In the news recently, more hijinks from our infamous foes, North Korean state-sponsored attackers; the evolving gang of thugs who brought us ...
The Payment Card Industry Data Security Standard (PCI DSS) compliance can be expensive for financial institutions and transaction processors ...
Privacy and security were historically two separate disciplines. However, over the years, the two have grown closer together. Moreover, as the ...
CISO, vCISO, Security Program, Risk Assessment, ISO27001
ISO27001 is the certifiable ISO standard that describes how to manage an Information Security Management System (ISMS) securely. 27001 is ...
SOC2, CISO, vCISO, Security Program
All organizations face the challenges of new cybersecurity and privacy laws, a sharp increase in cybersecurity litigation, and the ceaseless ...
SOC2, CISO, vCISO, Security Program
"Compliance is NOT Security" You hear this common lament from security professionals, "Compliance is not security." This remark has always ...
Penetration Testing, CIS Controls, Security Program
Independent penetration testing provides critical objective insights about vulnerabilities in organizational defenses and mitigating controls. ...
Penetration testing uses creative, blended attacks like real-world adversaries to find weaknesses in tested systems. By simulating real-world ...
Out of the box, most operating systems are configured insecurely. OS hardening minimizes an operating system's exposure to threats by properly ...
CISO, vCISO, Security Program, Privacy
The fact that each state in the U.S. seems to have specific privacy laws with no central comprehensive federal law makes it difficult to know ...
The California Privacy Protection Agency Board held a public meeting on June 8 in Oakland, CA to further the CPRA rulemaking process. The agenda ...
SOC2, HIPAA, CIS Controls, Security Program
You can achieve information security by complying with an adequate set of security policies, standards, and procedures. Of course, there is no ...
The complex legal landscape surrounding privacy, including biometrics, continues to evolve at the state level. Arduous legislation has led to ...
CISO, vCISO, Security Program, Risk Assessment, ISO27001
One of the best ways to demonstrate the suitability of your Information Security Management System (ISMS) to your organization, customers, and ...
PCI DSS, SOC2, CISO, vCISO, CIS Controls, Security Program, Privacy, Red Teaming
The Data Protection Officer (DPO) is a role required by the EU General Data Protection Regulation (GDPR). If your organization is subject to ...
Penetration Testing, Security Program, Risk Assessment
In today's interconnected world, application programming interfaces (APIs) have rapidly become predominant tools for sharing data and providing ...
Penetration Testing, Security Program, Red Team, Red Teaming
Red Teams are often confused with penetration testers due to their overlap in practices and skills, but we believe they are not the same. ...
The California Privacy Rights Act (CPRA) evolution continues with lively public debate in May, where much of the focus is on data collection and ...
CISO, vCISO, Security Program, Risk Assessment, ISO27001
The California Privacy Protection Agency (CPPA) is holding pre-rulemaking stakeholder sessions via zoom this week Wed May 4 –6. The sessions are ...
Achieving SOC 2 compliance is a competitive advantage, and many times, it is critical to make a sale. SOC 2 reports are often used throughout ...
The PCI Data Security Standard (PCI DSS) is a global standard of technical and operational requirements for merchants and service providers who ...
PCI DSS, SOC2, CISO, vCISO, CIS Controls, Security Program, Privacy, Red Teaming
Not every business can internally support the staffing and resources necessary to independently develop robust cybersecurity and privacy ...
Penetration Testing, Security Program
Purple teams are a controversial topic among cybersecurity professionals. There seems to be industry confusion regarding the definitions of ...
Penetration Testing, Security Program
Sometimes the best defense is a good offense. In cybersecurity, you need to think like real-world attackers. Security practitioners do this ...
Penetration Testing, Security Program
As the world grows more interconnected through social media and digital communications, relevant information available to attackers grows ...
Earlier this month, the Payment Card Industry Security Standards Council (PCI SSC) published the official PCI DSS version 4.0. Over the next few ...
Penetration Testing, Security Program
Wireless access points can be easy targets for a cybercriminal to breach your system. Whether installed by stealth or just innocently by shadow ...
Truvantis Forms Strategic Partnership to Address Expanding Cybersecurity Risks. Guidepost Solutions LLC, a global leader in domestic and ...
Maybe you've been asked to provide a SOC 2 report as part of the sales cycle, or you anticipate you will need SOC 2 compliance at some point. ...
According to the IBM Cost of a Data Breach Report 2021: Average data breach costs rose 10% between 2020 and 2021, from $3.86 million to $4.24 ...
During a public board meeting on February 17, 2022, the California Privacy Protection Agency (CPPA) indicated it would likely miss the July 1, ...
PCI DSS, SOC2, CISO, vCISO, CIS Controls, Security Program
Businesses must comply with a mixture of international, industry-specific and state-mandated cybersecurity regulations and require their vendors ...
Penetration Testing, Security Program
Cloud technologies enable companies to build and run scalable applications in dynamic public, private, and hybrid environments. Containers, ...
Penetration Testing, Security Program, Red Teaming
Pen testing has traditionally focused on realistic simulated attacks on your network, operating systems and applications. In today's ...
When it comes to payment cardholder data, PCI DSS has many rules about what you must and must not do when handling payment ...
The PCI Security Standards Council's redefined truncation rules are a mess.
If your company stores, processes, or transmits cardholder data, you need PCI DSS compliance. According to the Verizon 2020 Payment Security ...
Penetration Testing, Security Program, Red Teaming
Red Team vs. Penetration Test vs. Vulnerability Assessment - Seven characteristics that set these services apart and why it matters to you.
Most experts agree that the Chief Information Security Officer (CISO) role is a business necessity in today's cyber-risky environment. ...
Privacy, cybersecurity, and Compliance are distinct practices with distinct goals. The three disciplines work together to build trust and ...
A System and Organization Controls 2 (SOC 2) compliant report is an industry-recognized standard for demonstrating the efficacy of information ...
In today's cyber-risky environment, most experts agree that the role of a Chief Information Security Officer (CISO) is a business necessity. ...
Responsibility vs. Accountability for Oversight of Cybersecurity. The need to manage cybersecurity and privacy risk is generally accepted. In ...
What does SOC mean and why does it matter? How did a CPA organization come to audit information systems for cybersecurity and privacy controls? ...
Penetration Testing, Security Program, Risk Assessment, Red Teaming
Everyone knows there are threats out there hell-bent on destroying our organizations. Innovative businesses everywhere are taking a risk-based ...
The Type 2 audit measures your organization's ability to maintain security, availability, processing integrity, privacy, and confidentiality ...
SOC2, CISO, vCISO, Security Program
Disasters, heroics, funny stories, and impacts to business success Nate Hartman describes a six-month stint as an acting CISO or virtual CISO ...
SOC2, CISO, vCISO, Security Program
The SOC 2 Trust Services Criteria (TSCs) for information technology are a framework for designing, implementing and evaluating information ...
Apache Log4j Vulnerabilities vs. GRC. On December 10, Apache released details about a Log4j-core vulnerability nicknamed "Log4Shell". It is ...
Discussions about PCI DSS v4 became all the rage with the release of the first Request for Comments (RFC) back in 2019, and those discussions ...
SOC2, CISO, vCISO, Security Program
System and Organization Controls 2 (SOC 2) is sometimes known as Service Organization Controls. Maintained by the American Institute of ...
PCI DSS, Security Program, Privacy
In 2021 cybersecurity professionals faced the same vulnerabilities and attacks as decades before, just more nefarious, persistent, and ...
SOC2, CISO, vCISO, Security Program, Risk Assessment
Facing the challenges of new cybersecurity and privacy laws, a sharp increase in cybersecurity litigation, and the ceaseless evolution of ...
What's new with State Privacy Laws? CPRA applies to all data collected as of Jan 1, 2022. In 2018 California became the first US state to give ...
Penetration Testing, Security Program, Risk Assessment
Ransomware is still a major threat. In fact, the Tactics, Techniques and Procedures (TTPs) of ransomware gangs have evolved so much that it has ...
Many new data privacy laws are emerging. Businesses must continually prove privacy compliance. Review current data privacy laws and get advice ...
CISO, vCISO, Penetration Testing, HIPAA, Security Program, Risk Assessment
Data backup and recovery systems sit at the heart of your disaster recovery plan, yet organizations often disregard them when it comes to pen testing and ...
PCI DSS, CISO, vCISO, Penetration Testing, HIPAA, Security Program, Risk Assessment, Red Teaming
Scope is an important shaping tool that, when leveraged properly, can help enhance engagement outcomes during penetration testing, red team and ...
The first quarter of the year 2022 should be an exciting time for everyone working with PCI DSS. The PCI Security Standards Council is scheduled ...
The PCI DSS compliance model depends on risk assessment and mitigation. The testing instructions for PCI DSS published by the PCI Security ...
I often come across clients whose documentation is missing a policy or a procedure that PCI DSS requires. “That will never happen here” or “We ...
As a company interested or required to become PCI DSS compliant, there is a list of key controls you must have in place, and appropriate ...
Penetration Testing, Security Program, CCPA, ISO27001
Application Programming Interfaces (APIs) have changed in nature in recent years and are increasingly (and sometimes inadvertently) being made ...
PCI DSS, vCISO, Security Program
You receive a letter from your bank: “Congratulations, you just passed 2.5M credit card impressions in the last 12 months.” (Break out the ...
Tired of filling out vendor security assessment questionnaires or shared assessment SIG templates? A vCISO service could be just the right thing ...
PCI DSS, Security Program, Privacy
In the days of Solid-State Drives (SSDs), RAID10 disk arrays, databases taking snapshots of data, automated backups, and active-active data ...
SOC2, CISO, vCISO, Security Program
CSO Online, which knows plenty about what goes into ensuring security, makes a strong case for hiring a virtual Chief Information Security ...
Modern organizations must collect and store sensitive personal and payment data to process payments, compile analytics, and enable users to get ...
PCI DSS is a strong security framework. If you are a business owner, you have probably heard about the PCI DSS (Payment Card Industry Data Security ...
A number of years ago I was trying to renew my subscription to a well-known antivirus tool and found that there were 37 different URLs invoked ...
Whether or not you are a tinfoil-hat wearing paranoid, you need a strong cybersecurity posture to support sales! These days most of your ...
The PCI DSS standard ostensibly only has a few training requirements which, in my experience, most organizations do a good job of keeping up ...
CISO, vCISO, Security Program, Privacy
Small businesses, including start-ups, need a cybersecurity and privacy program, period. It is a matter of driving sales, client trust, as well ...
SOC2, HIPAA, CIS Controls, Security Program
Reasons to choose CIS Controls for your cybersecurity program. It started with a few select people in a room. It was called “Project Insight” by ...
HIPAA, Security Program, Privacy, CCPA
EU data protection and privacy requirements, currently established primarily in the General Data Protection Regulation (GDPR), generally ...
January 1, 2021 will be the one year anniversary of the California Consumer Privacy Act (CCPA) going into effect, at least in theory. Forced ...
SOC2, CISO, vCISO, Security Program
Are you looking to start your SOC 2 Audit for this year? Here is a video that will guide you through your first SOC 2 audit using 11 steps. ...
PCI DSS, vCISO, Penetration Testing, Security Program
Introduction PCI DSS requires Internal, External Penetration testing, and Segmentation testing. But these terms are not crisply defined. In ...
PCI DSS requirement 2.2.1.a says “describe how system configurations verified that only one primary function per server is implemented.”
At a client site recently I was watching a customer service rep as she performed her duties during a PCI DSS interview, and noticed that when ...
PCI DSS Requirement 12.8 dictates that any organization involved in payment card processing—including merchants, processors, acquirers, issuers, ...
Say you are interested in developing an application that runs on consumers’ devices and this application of yours will be used to accept payment ...
Security Program, Risk Assessment
If you have ever taken a course in economics, then you should know a thing or two about the law of diminishing returns. It may very well be the ...
CIS Controls, Security Program
The CIS controls are a body of best practice for information security, curated by the Center for Internet Security, regarding how organizations ...
Penetration Testing, Security Program, Risk Assessment
The case of the Marriott hack is, at once, an alarming prospect for the chain’s previous guests and an invaluable case study for any ...
The journey towards Payment Card Industry Data Security Standard (PCI DSS) compliance can seem daunting. While there are only a handful of ...
Payment cards have been around a long time, and nefarious schemes to take advantage of them have been around almost as long. Since most people ...
Becoming compliant with Payment Card Industry Data Security Standard (PCI DSS) protocols can be a time-consuming process — but it’s a ...
The California Consumer Privacy Act (CCPA) is a California state law protecting the personal information (PI) of California residents ...
For businesses that store, process, and transmit cardholder data, you know that you must comply with the Payment Card Industry Data Security ...
The GDPR mantra of security and privacy “by design and by default” reminds us that in every respect of a new product program security and ...
The PCI Security Standards compliance rules have been around since 2006. Despite more than a decade and a half of payment security protection, ...
We hope you are all safely sequestered in your homes (whether your Governor has issued an order or not), and that you’ve successfully navigated ...
PCI DSS requirement 6.4.5.1 says that change documentation must include an assessment of the impact of the change “so that all affected parties ...
Penetration Testing, CIS Controls, Security Program, Risk Assessment
In these difficult times, as many of us adapt to the disruptive new-normal of distance working, a robust information security program becomes ...
The Payment Card Industry Data Security Standard (PCI DSS) is required by contract for those handling cardholder data, whether you are a startup ...
Many companies are required to perform a security risk assessment to check off a compliance box. While this mandatory analysis can seem like a ...
Though the use of security risk assessments is widespread, often because they are mandated by compliance standards, there are a number of false ...
It’s finally time for the security risk assessment you’ve been pushing off… You may have been delaying because you believe risk assessments ...
Whether you have to perform a security risk assessment to meet compliance requirements or to improve a specific aspect of your security, such an ...
You just received the results from your security risk assessment, but now what? It’s not uncommon for companies to perform this analysis only to ...
When it comes to conducting security risk assessments, it can be difficult knowing where to get started. Even after identifying your scope and ...
You could hire a Chief Information Security Officer (CISO) to help oversee your day-to-day security activities. Or, you take the stress and ...
You’ve realized that hiring a CISO as a Service is probably your best bet for managing a better cybersecurity program. Maybe you experienced a ...
You need someone to manage your business’ security program, and while this is a necessity, you have options for how you choose to protect your ...
We’ve found that some companies resist utilizing a CISO as a Service because they ultimately aren’t sure what to expect. They’ve heard that ...
You’re busy at work, focused on meeting daily deadlines and on achieving your overall mission. But while you’re laser-focused on your day-to-day ...
Sales are complicated. You’re not just articulating the facts about your product or service, you are also navigating emotions and perception to ...
You’ve been weighing the advantages of hiring a CISO as a Service or vCISO over hiring an internal team and finally decided that a professional ...
Under mounting pressure to keep up with an ever-changing body of regulations and increased demands for transparency, The American Institute of ...
The retail industry is one of the most crucial pillars propping up the United States’ economy. Without it, approximately 42 million Americans—a ...
Choosing the correct form of encryption will always be a game with moving goalposts. Encryption algorithms and associated transport protocols ...
Pentesting the People: social engineering is an easy vulnerability. When it comes to penetration testing of an enterprise, you instantly think ...
Last month I wrote about the new PCI DSS standard version 3.2.1 and how nothing of significance had changed. Though that remains true, the ...
In May 2018, the PCI Security Standards Council, the authors of the PCI DSS standard, issued a new version of that standard - version 3.2.1. ...
vCISO, HIPAA, CIS Controls, Security Program
Outsourcing is now very common among technology companies. Sometimes a whole function, such as accounting, HR, or marketing, is delegated externally. ...
As an aspiring penetration tester, it is not always the extensive rootkits or the backdoor Metasploit exploits that you need to focus on with ...
PCI DSS, SOC2, CISO, vCISO, HIPAA, CIS Controls, Security Program
A growing trend in the world of cybersecurity is companies outsourcing some or all of their information security teams. This can be just a ...
The art of penetration testing is one that takes a lot of prior knowledge about a specific technology and system in order to really ...
Being able to quickly knock out the low-hanging-fruit vulnerabilities as a pen tester is a matter of knowing that they exist and ...
A big part of penetration testing is recon and discovery. If you cannot properly identify the network you are testing, you may be missing ...
Being able to accurately perform a pentest on a network that you are not familiar with takes both knowledge about the underlying infrastructure ...
Many companies, especially start-ups, need to maintain SOC 2 compliance but would rather not hire a full-time CISO. So who is going to make ...
QSAs have to validate the scope of a PCI assessment. It is one of the biggest areas of contention, but limiting scope is of paramount importance ...
Some organizations completely ignore important aspects of the backup recovery and validation process. This creates a significant ongoing data ...
I constantly hear that recent computer science graduates have not even been introduced to the notion of secure coding. They may have been taught ...
PCI DSS v3.2.1, section 10.4 requires all critical assets to be synchronized for time and recommends using one of the authoritative time sources ...
Everybody - Immediately: Existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place ...
Guidance from the PCI Security Standards Council (PCI SSC) suggests that there are overlooked service providers in many assessments. This begs ...