Privacy, CCPA

Changes to CCPA for 2021

January 1, 2021 will be the one year anniversary of the California Consumer Privacy Act (CCPA) going into effect, at least in theory. Forced into existence through privacy activism and the threat of a state ballot initiative, it remains the first comprehensive statute in the US

Read More

SOC2, CISO, vCISO, Security Program

11 Steps to Achieve SOC 2 Compliance

11 Steps to Getting Through Your First SOC 2 Audit Your customers have probably asked for your SOC 2 report, or it may be required to seal the deal on a new customer or contract. If you spend a lot of time answering security related questionnaires,

Read More

PCI DSS, vCISO, Penetration Testing, Security Program

What is “Internal Penetration testing” for PCI DSS requirement 11.3

Introduction PCI DSS requires Internal, External Penetration testing, and Segmentation testing. But these terms are not crisply defined. In fact, “internal” is used elsewhere in the standard (for example internal vulnerability scanning) where it

Read More

PCI DSS

What Constitutes a Primary Function for PCI DSS?

PCI DSS requirement 2.2.1.a says “describe how system configurations verified that only one primary function per server is implemented.”

Read More

PCI DSS

Timely update of Risk Assessment and Incident Response for PCI DSS

The PCI DSS compliance model depends on risk assessment and mitigation. Several places in the Report on Compliance (ROC), that a QSA compiles, ...

Read More

PCI DSS

Watch those Vendor Application Change Release Notes like a Hawk!

At a client site recently I was watching a customer service rep as she performed her duties during a PCI DSS interview, and noticed that when ...

Read More

SOC2, CISO, vCISO, Security Program, Privacy

Using Cyber Security to Enable Sales

Information security and privacy programs are generally about managing risk, but they can also impact your sales team by either slowing down or ...

Read More

PCI DSS

Due Diligence for PCI DSS Vendor Selection

PCI DSS Requirement 12.8 dictates that any organization involved in payment card processing—including merchants, processors, acquirers, issuers, ...

Read More

PCI DSS

PCI DSS - Are Mobile Applications In-scope?

Say you are interested in developing an application that runs on consumers’ devices and this application of yours will be used to accept payment ...

Read More

Security Program, Risk Assessment

Diminishing Returns in Cybersecurity

If you have ever taken a course in economics, then you should know a thing or two about the law of diminishing returns. It may very well be the ...

Read More