PCI DSS, vCISO, Security Program
You receive a letter from your bank: “Congratulations, you just passed 2.5M credit card impressions in the last 12 months.” (Break out the ...
Tired of filling out vendor security assessment questionnaires or shared assessment SIG templates? A vCISO service could be just the right thing ...
PCI DSS, Security Program, Privacy
In the days of Solid-State Disks (SSD), RAID10 disk drive arrays, databases taking snapshots of data, automated backups, and active-active data ...
SOC2, CISO, vCISO, Security Program
CSO Online, which knows plenty about what goes into ensuring security, makes a strong case for hiring a virtual Chief Information Security ...
Modern organizations must collect and store sensitive personal and payment data to process payments, compile analytics, and enable users to get ...
PCI is a strong security Framework. If you are a business owner, you have probably heard about the PCI DSS (Payment Card Industry Data Security ...
A number of years ago I was trying to renew my subscription to a well-known antivirus tool and found that there were 37 different URLs invoked ...
Whether or not you are a tinfoil-hat wearing paranoid, you need a strong cybersecurity posture to support sales! These days most of your ...
The PCI DSS standard ostensibly only has a few training requirements which, in my experience, most organizations do a good job of keeping up ...
CISO, vCISO, Security Program, Privacy
Small businesses, including start-ups, need a cybersecurity and privacy program, period. It is a matter of driving sales, client trust, as well ...
SOC2, HIPAA, CIS Controls, Security Program
Reasons to choose CIS Controls for your cyber security program: It started with a few select people in a room. It was called “Project Insight” ...
HIPAA, Security Program, Privacy, CCPA
EU data protection and privacy requirements, currently established primarily in the General Data Protection Regulation (GDPR), generally ...
January 1, 2021 will be the one-year anniversary of the California Consumer Privacy Act (CCPA) going into effect, at least in theory. Forced ...
SOC2, CISO, vCISO, Security Program
Are you looking to start your SOC 2 Audit for this year? Here is a video that will guide you through your first SOC 2 audit using 11 steps. ...
PCI DSS, vCISO, Penetration Testing, Security Program
Introduction: PCI DSS requires internal penetration testing, external penetration testing, and segmentation testing. But these terms are not crisply defined. In ...
PCI DSS requirement 2.2.1.a says “describe how system configurations verified that only one primary function per server is implemented.”
The PCI DSS compliance model depends on risk assessment and mitigation. Several places in the Report on Compliance (ROC) that a QSA compiles ...
At a client site recently I was watching a customer service rep as she performed her duties during a PCI DSS interview, and noticed that when ...
PCI DSS Requirement 12.8 dictates that any organization involved in payment card processing—including merchants, processors, acquirers, issuers, ...
Say you are developing an application that runs on consumers’ devices, and this application will be used to accept payment ...
Security Program, Risk Assessment
If you have ever taken a course in economics, then you should know a thing or two about the law of diminishing returns. It may very well be the ...
CIS Controls, Security Program
The CIS Controls are a body of best practice for information security, curated by the Center for Internet Security, regarding how organizations ...
Penetration Testing, Security Program, Risk Assessment
The case of the Marriott hack is, at once, an alarming prospect for the chain’s previous guests and an invaluable case study for any ...
The journey towards payment card industry data security standard (PCI DSS) compliance can seem daunting. While there are only a handful of ...
Payment cards have been around a long time, and nefarious schemes to take advantage of them have been around almost as long. Since most people ...
Becoming compliant with payment card industry data security standard (PCI DSS) protocols can be a time-consuming process — but it’s a ...
The California Consumer Privacy Act (CCPA) is a California state law protecting the personal information (PI) of California residents ...
For businesses that store, process, and transmit cardholder data, you know that you must comply with the Payment Card Industry Data Security ...
The GDPR mantra of security and privacy “by design and by default” reminds us that in every respect of a new product program security and ...
The PCI Security Standards compliance rules have been around since 2006. Despite more than a decade and a half of payment security protection, ...
We hope you are all safely sequestered in your homes (whether your Governor has issued an order or not), and that you’ve successfully navigated ...
PCI DSS requirement 6.4.5.1 says that change documentation must include an assessment of the impact of the change “so that all affected parties ...
Penetration Testing, CIS Controls, Security Program, Risk Assessment
In these difficult times, as many of us adapt to the disruptive new-normal of distance working, a robust information security program becomes ...
The Payment Card Industry Data Security Standard (PCI DSS) is required by contract for those handling cardholder data, whether you are a startup ...
Many companies are required to perform a security risk assessment to check off a compliance box. While this mandatory analysis can seem like a ...
Though the use of security risk assessments is widespread, often because they are mandated by compliance standards, there are a number of false ...
It’s finally time for the security risk assessment you’ve been pushing off… You may have been delaying because you believe risk assessments ...
Whether you have to perform a security risk assessment to meet compliance requirements or to improve a specific aspect of your security, such an ...
You just received the results from your security risk assessment, but now what? It’s not uncommon for companies to perform this analysis only to ...
When it comes to conducting security risk assessments, it can be difficult knowing where to get started. Even after identifying your scope and ...
You could hire a Chief Information Security Officer (CISO) to help oversee your day-to-day security activities. Or, you take the stress and ...
You’ve realized that hiring a CISO as a Service is probably your best bet for managing a better cybersecurity program. Maybe you experienced a ...
You need someone to manage your business’ security program, and while this is a necessity, you have options for how you choose to protect your ...
We’ve found that some companies resist utilizing a CISO as a Service because they ultimately aren’t sure what to expect. They’ve heard that ...
You’re busy at work, focused on meeting daily deadlines and on achieving your overall mission. But while you’re laser-focused on your day-to-day ...
Sales are complicated. You’re not just articulating the facts about your product or service, you are also navigating emotions and perception to ...
You’ve been weighing the advantages of hiring a CISO as a Service or vCISO over hiring an internal team and finally decided that a professional ...
When it comes to security risk assessments, it’s often unclear what you’ll really receive. Providers use meaningless and misused buzzwords, and ...
Under mounting pressure to keep up with an ever-changing body of regulations and increased demands for transparency, The American Institute of ...
The retail industry is one of the most crucial pillars propping up the United States’ economy. Without it, approximately 42 million Americans—a ...
Choosing the correct form of encryption will always be a game with moving goalposts. Encryption algorithms and associated transport protocols ...
Pentesting the People; social engineering is an easy vulnerability. When it comes to penetration testing of an enterprise, you instantly think ...
Last month I wrote about the new PCI DSS standard version 3.2.1 and how nothing of significance had changed. Though that remains true, the ...
In May 2018, the PCI Security Standards Council, the authors of the PCI DSS standard, issued a new version of that standard - version 3.2.1. ...
vCISO, HIPAA, CIS Controls, Security Program
Outsourcing is now very common among technology companies. Sometimes a whole function is delegated externally, such as accounting, HR, or marketing. ...
As an aspiring penetration tester, it is not always the extensive rootkits or the backdoor Metasploit exploits that you need to focus on with ...
PCI DSS, SOC2, CISO, vCISO, HIPAA, CIS Controls, Security Program
A growing trend in the world of cyber security is companies outsourcing some or all of their information security teams. This can be just a ...
As a company interested or required to become PCI DSS compliant, you have a list of key controls you must have in place with proper assessments ...
The art of penetration testing is one that takes a lot of fore-learned knowledge about a specific technology and system in order to really ...
Being able to quickly knock out the low hanging fruit vulnerabilities as a pen-tester is a matter of having a knowledge of their existence and ...
A big part of penetration testing is recon and discovery. If you cannot properly identify the network you are testing, you may be missing ...
Being able to accurately perform a pentest on a network that you are not familiar with takes both knowledge about the underlying infrastructure ...
Many companies, especially start-ups, need to maintain a SOC 2 report but would rather not hire a full-time CISO. So who is going to make ...
QSAs have to validate the scope of a PCI assessment. It is one of the biggest areas of contention, but limiting scope is of paramount importance ...
During my time in enterprise-level support, I was often asked how to reset the master password on various devices after the existing password ...
Some organizations completely ignore important aspects of the backup recovery and validation process. This creates a significant ongoing data ...
I constantly hear that recent computer science graduates have not even been introduced to the notion of secure coding. They may have been taught ...
PCI DSS v3.2.1, section 10.4 requires all critical assets to be synchronized for time and recommends using one of the authoritative time sources ...
Everybody - Immediately: Existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place ...
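A migration plan is only as good as the evidence that SSL and early TLS are actually switched off on every in-scope endpoint. The probe below is an added example, not code from this post or from the PCI SSC: it attempts a handshake at each protocol version the local `ssl` module can speak and classifies what the server accepted. It assumes (as a reading of the PCI SSC migration guidance, not a quotation of it) that "SSL and early TLS" means SSLv2/SSLv3 and TLS 1.0, and it flags TLS 1.1 only as deprecated; the `probe`, `classify` and `report` helpers are names chosen for this example.

```python
"""Probe a TLS endpoint for accepted protocol versions and flag SSL/early TLS.

Added example; not code from the original post. Assumptions: PCI SSC's
"SSL and early TLS" is taken to mean SSLv2/SSLv3 and TLS 1.0; TLS 1.1 is
flagged as deprecated (per NIST SP 800-52r2) rather than as a hard failure.
"""
import socket
import ssl
import sys

# Versions probed, oldest first. SSLv2 cannot be negotiated by the ssl module.
PROBE_VERSIONS = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

# Classification buckets (assumption, see module docstring).
MUST_MIGRATE = {"SSLv2", "SSLv3", "TLSv1"}
DEPRECATED = {"TLSv1_1"}


def _context_for(version):
    """Build a client context that will negotiate exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # testing protocol support, not server identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.options &= ~ssl.OP_NO_SSLv3   # Python sets this by default; clear it so SSLv3 can be tried
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Modern OpenSSL refuses legacy protocols at its default security level;
    # security level 0 re-enables them for the purpose of this probe only.
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return {version_name: status}; status is 'accepted', 'rejected' or 'unprobeable...'."""
    results = {}
    for version in PROBE_VERSIONS:
        try:
            ctx = _context_for(version)
        except (ValueError, ssl.SSLError):
            # Local OpenSSL was built without this protocol; cannot test it from here.
            results[version.name] = "unprobeable (not supported by local OpenSSL)"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[version.name] = "accepted"
        except ssl.SSLError as exc:
            if exc.reason == "NO_PROTOCOLS_AVAILABLE":
                # The client side could not offer this version at all.
                results[version.name] = "unprobeable (not supported by local OpenSSL)"
            else:
                results[version.name] = "rejected"   # server refused the handshake at this version
        except OSError as exc:
            results[version.name] = f"unprobeable ({exc})"
    return results


def classify(accepted):
    """Map a set of accepted TLSVersion names to migration findings.

    Returns a list of (version, finding) tuples; an empty list means the
    server accepted no SSL/early TLS and nothing deprecated.
    """
    findings = []
    for name in sorted(accepted):
        if name in MUST_MIGRATE:
            findings.append((name, "fail: SSL/early TLS must be disabled"))
        elif name in DEPRECATED:
            findings.append((name, "warn: deprecated, plan migration to TLS 1.2+"))
    return findings


def report(host, port=443):
    """Probe a host and return (raw results, findings)."""
    results = probe(host, port)
    accepted = {name for name, status in results.items() if status == "accepted"}
    return results, classify(accepted)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    res, findings = report(target)
    for name, status in res.items():
        print(f"{name:8s} {status}")
    for name, finding in findings:
        print(f"{name}: {finding}")
```

Run it as `python probe_tls.py payments.example.internal` from a host that can reach the endpoint; an "unprobeable" row means the local OpenSSL build cannot speak that version, so a second scanner (or a build with legacy protocols enabled) is needed before you can claim the version is off. Keep the raw `probe` output with the migration plan as evidence for the QSA.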
Guidance from the PCI Security Standards Council (PCI SSC) suggests that there are overlooked service providers in many assessments. This begs ...