SOC2, vCISO

SOC 2 and Other Security Compliance Merit Badges

Whether or not you are a tinfoil-hat wearing paranoid, you need a strong cybersecurity posture to support sales! These days most of your customers will ask you to demonstrate your security profile in one form or another. The fact is that most, if not all your customers now want

Read More

PCI DSS

PCI DSS Training Requirements

The PCI DSS standard ostensibly only has a few training requirements which, in my experience, most organizations do a good job of keeping up with. However, there are some not-so-obvious teams which get regularly overlooked with regard to training.

Read More

CISO, vCISO, Security Program, Privacy

How to Achieve Cyber Security Peace of Mind for your Small Business

Small businesses, including start-ups, need a cybersecurity and privacy program, period. It is a matter of driving sales, client trust, as well as ensuring financial, employee, and other data integrity over the whole business, to manage risk. The

Read More

SOC2, HIPAA, CIS Controls, Security Program

Reasons to choose CIS Controls for Cyber Security

Reasons to choose CIS Controls for your cyber security program  It started with a few select people in a room. It was called “Project Insight” by the NSA and DOD and its mission was simple, get some of the best cybersecurity minds into a room, and

Read More

HIPAA, Security Program, Privacy, CCPA

Does Privacy Shield's downfall signal the end of US-EU data transfers?

EU data protection and privacy requirements, currently established primarily in the General Data Protection Regulation (GDPR), generally restrict personal data transfers to a third country except where “where the [European] Commission has decided

Read More

Privacy, CCPA

Changes to CCPA for 2021

January 1, 2021 will be the one year anniversary of the California Consumer Privacy Act (CCPA) going into effect, at least in theory. Forced into existence through privacy activism and the threat of a state ballot initiative, it remains the first

Read More

SOC2, CISO, vCISO, Security Program

(Video) 11 Steps to Achieve SOC 2 Compliance

Are you looking to start your SOC 2 Audit for this year? Here is a video that will guide you through your first SOC 2 audit using 11 steps.  Overview Your customers have probably asked for your SOC 2 report, or it may be required to seal the deal on

Read More

PCI DSS, vCISO, Penetration Testing, Security Program

What is “Internal Penetration testing” for PCI DSS requirement 11.3

Introduction PCI DSS requires Internal, External Penetration testing, and Segmentation testing. But these terms are not crisply defined. In fact, “internal” is used elsewhere in the standard (for example internal vulnerability scanning) where it

Read More

PCI DSS

What Constitutes a Primary Function for PCI DSS?

PCI DSS requirement 2.2.1.a says “describe how system configurations verified that only one primary function per server is implemented.”

Read More

PCI DSS

Timely update of Risk Assessment and Incident Response for PCI DSS

The PCI DSS compliance model depends on risk assessment and mitigation. Several places in the Report on Compliance (ROC), that a QSA compiles, have questions about when the Risk Assessment, and its corollary, the Incident Response Plan, were last

Read More