FedRAMP Low, Moderate, High: Understanding Security Baseline Levels

Written by
FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a federal program that ensures that the proper level of information security is in place when U.S. government agencies access cloud products and cloud services.  FedRAMP standardizes the approach to security assessment, authorization, and continuous monitoring of cloud service providers (CSPs). FedRAMP grants authorizations to CSPs at three impact levels: low, medium, and high.  These levels refer to the intensity of a potential impact that may occur if an information system is jeopardized. Here’s a quick summary of each level, with detailed sections below: Low impact risk: Encompasses data intended for public use. Any loss of data wouldn’t compromise an agency’s mission, safety, finances, or reputation. Moderate impact risk: Mainly includes…

Sox Management Review Controls

Written by

The Sarbanes-Oxley Act of 2002 (SOX) designates management review controls (MRCs) as one of the required internal controls. MRCs are the reviews of key financial information conducted by a company’s management to assess its reasonableness and accuracy. They are a key aspect of a public company’s internal control over financial reporting (ICFR).  Examples of these SOX management reviews include:      Review of reconciliations     Review of journal entries     Trigger events     The work supporting an estimate     Budget to actual variances  Management review controls are more complex than other controls since they require the examination of combined results as opposed to individual transactions. They involve comparisons of recorded amounts with associated projections based on…

Tags: ,
Categorized in:

Introducing ZenGRC + ZenConnect

Written by
ZenConnect

A Connected Information Security Ecosystem  At Reciprocity, our mission has always been to simplify the way your organization manages risk and compliance, and to encourage transparency and trusted relationships with your key stakeholders.  With ZenGRC, we delivered the industry’s best GRC solution and simplified a traditionally complicated tool to make it easy for CISOs, CROs and CCOs to manage their organization’s information security.  Today, we are excited to announce our next massive milestone: ZenConnect.  ZenGRC + ZenConnect is the first and only integrated GRC solution that fosters a continuous flow of information between the systems, applications and people that are core to your business. It enables out-of-the-box connections to the tools you have in your tech stack to empower a…

ZenGage #AMA Series with Dr. Maxine Henry on the CCPA

Written by

The nation’s most stringent data protection law (so far), the California Consumer Privacy Act of 2018 takes effect Jan. 1, 2020— and it’s generating a lot of buzz. Businesses from coast to coast are girding themselves for sweeping changes in how they collect, share, and protect California residents’ personal information. With the deadline for compliance right around the corner, GRC professionals have a lot of work to do.   ZenGage, the new Slack community for information security and GRC professionals, recently hosted CCPA expert Dr. Maxine Henry, in its first #AMA (Ask Me Anything) live Slack chat series. In this candid discussion, Dr. Henry answers a broad range of questions, starting with the rights that the CCPA grants to California residents,…

Preparing for an ISO 27001 and 27002 Audit

Written by
Preparing for an ISO 27001 and 27002 Audit

Preparing for an ISO 27001 and 27002 Audit Getting your certification for ISO 27001 is a complex and time-consuming endeavor. But for many organizations, it’s worth the effort. That’s because ISO 27001 is the international standard for Information Security Management System (ISMS). Being able to say you’re “ISO 27001 certified” tells stakeholders that your organization is serious about protecting the security and privacy of their information. Stakeholders include your current and future clients, business partners, suppliers, and customers. In this day and age, that’s no small claim. And in fact, ISO 27001 certification is a must for many enterprises that do business with you. Mere ISO 27001 compliance isn’t always enough. To become certified as ISO compliant, you must pass…

Tags: , , ,
Categorized in:

Which PCI SAQ Do I Need?

Written by

Which PCI SAQ Do I Need? Which of the nine Payment Card Industry Data Security Standard (PCI DSS) Self-Assessment Questionnaires (SAQs) your organization needs to fill out and submit depends on several factors:     How you process credit-card transactions. Do you outsource these transactions to a third party to process, or do it yourself?     What type of payment processing machine or terminal you use for credit and debit card transactions.     Whether you accept payments in-store from customers with a physical card or phone-pay application, or are strictly e-commerce only.   What is an SAQ, and what is it for?  PCI DSS Self-Assessment Questionnaires (SAQs) are tools provided by the PCI Security Standards Council (PCI SSC)…

How to Become PCI DSS Certified

Written by

How to Become PCI DSS Certified The short answer to the question of achieving PCI DSS certification is: you can’t. There is no certificate attesting to Payment Card Industry Data Security Standard (PCI DSS) compliance. There is, however, a way your organization can stand apart as being especially committed to credit card security. Instead of submitting the self-assessment questionnaire (SAQ) and Attestation of Compliance to your acquiring bank, you may choose to pass an on-site audit by a PCI Security Standards Council-certified Qualified Security Assessor (QSA) or your own Internal Security Assessor, and have them file a Report on Compliance (ROC). The difference between these two alternatives is vast. With an SAQ and AOC, your enterprise is assessing itself. An…

PCI DSS: Testing Controls and Gathering Evidence

Written by

PCI DSS: Testing Controls and Gathering Evidence Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is not easy to achieve. Quite the opposite, in fact: A 2017 Verizon report stated that 80 percent of companies fail their PCI DSS assessments, and only 29 percent of those that pass are still compliant after one year. PCI DSS compliance, like information security as a whole, is not a one-and-done process but ongoing. To succeed, your enterprise must be vigilant. And comply you must, if your organization wants to do business. Penalties for non-compliance can be high—even crippling— but never fear. With planning and preparation, you can obtain that coveted Report on Compliance (ROC) or Attestation of Compliance (AOC) with relative…

Understanding the PCI Levels of Compliance

Written by

Understanding the PCI Levels of Compliance While every merchant and service provider that processes, stores, or transmits credit card data must comply with the Payment Card Industry Data Security Standard (PCI DSS), not all must travel the same path to PCI compliance. The amount of risk an organization faces depends on a variety of factors. Recognizing these differences, the PCI Security Standards Council developed four compliance levels for merchants and two for service providers. The level an enterprise belongs depends upon:     How many credit card transactions it processes in a year, and      Whether it has suffered a breach or cyberattack resulting in compromise of credit card or cardholder data. The entities with the most stringent and…

Tags: , ,
Categorized in:

What Is a PCI Audit?

Written by

What is a PCI Audit? A PCI audit examines the security of your organization’s credit-card processing system from beginning to end.  During this process, a Qualified Security Assessor (QSA) or your own Internal Security Assessor will determine the effectiveness of your organization’s information security controls. To pass the test, your payment network must meet as many as 281 criteria spelled out in the Payment Card Industry Data Security Standard, or PCI DSS, with which all merchants and their service providers must comply. To demonstrate PCI compliance, your organization must do one of two things:     Have an on-site audit by a Qualified Security Assessor (QSA) or Internal Security Assessor, or     Fill out a PCI DSS self-assessment questionnaire,…

Tags: , ,
Categorized in: