PCI DSS

What Constitutes a Primary Function for PCI DSS?

PCI DSS requirement 2.2.1.a says “describe how system configurations verified that only one primary function per server is implemented.”

PCI DSS

Timely update of Risk Assessment and Incident Response for PCI DSS

The PCI DSS compliance model depends on risk assessment and mitigation. Several places in the Report on Compliance (ROC) that a QSA compiles ...

PCI DSS

Watch those Vendor Application Change Release Notes like a Hawk!

At a client site recently I was watching a customer service rep as she performed her duties during a PCI DSS interview, and noticed that when ...

SOC2, CISO, vCISO, Security Program, Privacy

Using Cyber Security to Enable Sales

Information security and privacy programs are generally about managing risk, but they can also impact your sales team by either slowing down or ...

PCI DSS

Due Diligence for PCI DSS Vendor Selection

PCI DSS Requirement 12.8 dictates that any organization involved in payment card processing—including merchants, processors, acquirers, issuers, ...

PCI DSS

PCI DSS - Are Mobile Applications In-scope?

Say you are interested in developing an application that runs on consumers’ devices and this application of yours will be used to accept payment ...

Security Program, Risk Assessment

Diminishing Returns in Cybersecurity

If you have ever taken a course in economics, then you should know a thing or two about the law of diminishing returns. It may very well be the ...

CIS Controls, Security Program

CIS V7: What's New and What to do

The CIS controls are a body of best practice for information security, curated by the Center for Internet Security, regarding how organizations ...

Penetration Testing, Security Program, Risk Assessment

The Marriott Hack: A Cautionary Tale for Corporate Acquisitions

The case of the Marriott hack is, at once, an alarming prospect for the chain’s previous guests and an invaluable case study for any ...

PCI DSS

Your 7 Step PCI Compliance Checklist

The journey towards Payment Card Industry Data Security Standard (PCI DSS) compliance can seem daunting. While there are only a handful of ...

PCI DSS, Security Program

I never touch Cardholder Data. So PCI DSS does not apply to me - Right?

Payment cards have been around a long time, and nefarious schemes to take advantage of them have been around almost as long. Since most people ...

PCI DSS

The Best Ways to Maintain Your Organization's PCI DSS Documentation

Becoming compliant with the Payment Card Industry Data Security Standard (PCI DSS) can be a time-consuming process — but it’s a ...

Privacy, CCPA

CCPA grants consumers private right of action - What is that?

The California Consumer Privacy Act (CCPA) is a California state law protecting the personal information (PI) of California residents ...

PCI DSS

5 Reasons a Qualified Security Assessor Should Validate Your PCI DSS

For businesses that store, process, or transmit cardholder data, you know that you must comply with the Payment Card Industry Data Security ...

PCI DSS

When does PCI Compliance Start?

The GDPR mantra of security and privacy “by design and by default” reminds us that in every respect of a new product program security and ...

PCI DSS

5 Things You Should Know About PCI DSS Compliance

The PCI Security Standards compliance rules have been around since 2006. Despite more than a decade and a half of payment security protection, ...

PCI DSS

It’s More Important Than Ever to Maintain Compliance with PCI DSS

We hope you are all safely sequestered in your homes (whether your Governor has issued an order or not), and that you’ve successfully navigated ...

PCI DSS

Documenting the Impact of System Changes for PCI DSS Compliance

PCI DSS requirement 6.4.5.1 says that change documentation must include an assessment of the impact of the change “so that all affected parties ...

CISO, vCISO, Privacy, CCPA

No CCPA Enforcement Delay due to COVID-19

CA Attorney General will not delay CCPA enforcement due to COVID-19. An expansive new regulation like the California Consumer Privacy Act is ...

Penetration Testing, CIS Controls, Security Program, Risk Assessment

Coronavirus Cybersecurity Recommendations

In these difficult times, as many of us adapt to the disruptive new-normal of distance working, a robust information security program becomes ...

PCI DSS

5 Tips for Becoming PCI DSS Compliant

The Payment Card Industry Data Security Standard (PCI DSS) is required by contract for those handling cardholder data, whether you are a startup ...

Risk Assessment

How to Get the Most Out of a Security Risk Assessment

Many companies are required to perform a security risk assessment to check off a compliance box. While this mandatory analysis can seem like a ...

Risk Assessment

7 IT Security Risk Assessment Myths Debunked

Though the use of security risk assessments is widespread, often because they are mandated by compliance standards, there are a number of false ...

Risk Assessment

How to Prepare for an Information Security Risk Assessment

It’s finally time for the security risk assessment you’ve been pushing off… You may have been delaying because you believe risk assessments ...

Risk Assessment

Why You Should Invest in a Professional Security Risk Assessment

Whether you have to perform a security risk assessment to meet compliance requirements or to improve a specific aspect of your security, such an ...

Risk Assessment

How to Actually Use Your Security Risk Assessment Report

You just received the results from your security risk assessment, but now what? It’s not uncommon for companies to perform this analysis only to ...

Risk Assessment

How to Identify Your Security Risks & Develop a Plan You Can Afford

When it comes to conducting security risk assessments, it can be difficult knowing where to get started. Even after identifying your scope and ...

CISO, vCISO

The Top Benefits of Using CISO as a Service

You could hire a Chief Information Security Officer (CISO) to help oversee your day-to-day security activities. Or, you take the stress and ...

CISO, vCISO

How to Avoid Pitfalls When Hiring a CISO as a Service

You’ve realized that hiring a CISO as a Service is probably your best bet for managing a better cybersecurity program. Maybe you experienced a ...

CISO, vCISO

The Advantages of Hiring a vCISO Vendor vs. an In-House CISO

You need someone to manage your business’ security program, and while this is a necessity, you have options for how you choose to protect your ...

CISO, vCISO

What to Expect When Using a CISO as a Service

We’ve found that some companies resist utilizing a CISO as a Service because they ultimately aren’t sure what to expect. They’ve heard that ...

CISO, vCISO

5 Signs It's Time to Start Using a CISO as a Service

You’re busy at work, focused on meeting daily deadlines and on achieving your overall mission. But while you’re laser-focused on your day-to-day ...

CISO, vCISO

5 Ways vCISO Can Turbocharge Your Sales Team

Sales are complicated. You’re not just articulating the facts about your product or service, you are also navigating emotions and perception to ...

CISO, vCISO

How to Get the Most Out of a CISO as a Service

You’ve been weighing the advantages of hiring a CISO as a Service or vCISO over hiring an internal team and finally decided that a professional ...

Risk Assessment

What is a Security Risk Assessment & Why is it Important?

When it comes to security risk assessments, it’s often unclear what you’ll really receive. Providers use meaningless and misused buzzwords, and ...

SOC2, vCISO

The New SOC 2 and You: How You Should Proceed

Under mounting pressure to keep up with an ever-changing body of regulations and increased demands for transparency, The American Institute of ...

CISO, Security Program

Social Engineering in the Retail Industry

The retail industry is one of the most crucial pillars propping up the United States’ economy. Without it, approximately 42 million Americans—a ...

Security Program

WPA3 for WiFi is here! Almost.

Choosing the correct form of encryption will always be a game with moving goalposts. Encryption algorithms and associated transport protocols ...

Penetration Testing

Social Engineering Within Pentesting

Pentesting the People; social engineering is an easy vulnerability. When it comes to penetration testing of an enterprise, you instantly think ...

PCI DSS

Changes to SAQs for PCI DSS v3.2.1

Last month I wrote about the new PCI DSS standard version 3.2.1 and how nothing of significance had changed. Though that remains true, the ...

PCI DSS

What's new in PCI DSS 3.2.1

In May 2018, the PCI Security Standards Council, the authors of the PCI DSS standard, issued a new version of that standard - version 3.2.1. ...

PCI DSS, SOC2, vCISO, HIPAA, CIS Controls, Security Program

How much of your Information Security function can you safely outsource?

Outsourcing is now very common among technology companies. Sometimes a whole function, such as accounting, HR or marketing, is delegated externally. ...

Penetration Testing

Just Walk in the Front Door

As an aspiring penetration tester, it is not always the extensive rootkits or the backdoor Metasploit exploits that you need to focus on with ...

PCI DSS, SOC2, CISO, vCISO, HIPAA, CIS Controls, Security Program

7 Advantages of using a "virtual CISO" (vCISO)

A growing trend in the world of cyber security is companies outsourcing some or all of their information security teams. This can be just a ...

PCI DSS

Common Key Controls Tested in PCI DSS Assessments

As a company interested in or required to become PCI DSS compliant, you have a list of key controls you must have in place with proper auditing ...

Penetration Testing

The Secret Behind VI edit permissions

The art of penetration testing is one that takes a lot of prior knowledge about a specific technology and system in order to really ...

Penetration Testing

Hiding in plain sight: 3 Quick Checks for Low Hanging Fruit

Being able to quickly knock out the low hanging fruit vulnerabilities as a pen-tester is a matter of having a knowledge of their existence and ...

Penetration Testing

Nmap sees all things

A big part of penetration testing is recon and discovery. If you cannot properly identify the network you are testing, you may be missing ...

Penetration Testing

Top 5 free pentesting tools for quick results

Being able to accurately perform a pentest on a network that you are not familiar with takes both knowledge about the underlying infrastructure ...

SOC2

Establishing and Maintaining SOC2 Compliance

Many companies, especially start-ups, need to maintain SOC2 compliance but would rather not hire a full-time CISO. So who is going to make ...

PCI DSS

Preventing Scope Creep in PCI Compliance

QSAs have to validate the scope of a PCI assessment. It is one of the biggest areas of contention, but limiting scope is of paramount importance ...

Security Program

How Do I Reset the Master Password?

During my time in enterprise-level support, I was often asked how to reset the master password on various devices after the existing password ...

Security Program

Controls are Needed on Recoveries from Backup

Some organizations completely ignore important aspects of the backup recovery and validation process. This creates a significant ongoing data ...

PCI DSS, Security Program

Secure Coding 201: Does it Exist?

I constantly hear that recent computer science graduates have not even been introduced to the notion of secure coding. They may have been taught ...

Security Program

What Time is It?

PCI DSS v3.2.1, section 10.4 requires all critical assets to be synchronized for time and recommends using one of the authoritative time sources ...

PCI DSS

A Summary of Deadlines in PCI 3.2

Everybody - Immediately: Existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place ...

PCI DSS

Hidden Service Providers in your PCI DSS Assessment

New guidance (1/31/17) from the PCI SSC suggests that there are overlooked service providers in many assessments. This raises the question as to ...
