Top 5 Predictions for InfoSec GRC in 2020

Published 01/08/2020

January 1 ushers in a new year, a new decade, and new challenges, as well as new dimensions and a re-ordering of existing challenges. Reciprocity’s Team of GRC Experts share likely developments, trends to watch out for, and how your organization can navigate Information Security, Risk, and Compliance in 2020. With foresight, an organization can proactively take steps to address the challenges of the future. Our expert panel explores what’s coming:

1. Risk-based, Layered Approaches Eclipse One-dimensional Efforts

“Risk Management and Risk Assurance will overshadow other approaches to GRC as organizations satisfy operational needs” – Gerard Scheitlin, Founder of RISQ Management

“While the requirements on information security, privacy, and compliance will only continue to expand and tighten, organizations are realizing that it…

Business Continuity Checklist for Planning and Implementation

Published 12/31/2019

Having a comprehensive business continuity plan (BCP) in place will help ensure that your business doesn’t suffer downtime in the event of a disaster, which may include natural disasters such as floods, fires, and weather-related events, as well as cyberattacks. If you’re not prepared, these disasters can have catastrophic consequences for your business, including loss of productivity, loss of revenue, and damage to your reputation and your relationships with your customers. A business continuity plan describes all the risks that can affect normal operations. Business continuity planning is important because it helps ensure that your employees and your assets are protected and that your company can continue operating no matter what disasters you may face. However, a BCP is different from a disaster recovery plan, which centers on the recovery of your IT…


How Much Does It Cost to Become PCI Compliant?

Published 12/26/2019

How much does it cost to become compliant with the Payment Card Industry Data Security Standard (PCI DSS)? It is challenging to put an exact figure on becoming PCI compliant. Exact dollar amounts are hard to predict because the cost depends on the size of the organization, whether it is eligible for the PCI Self-Assessment Questionnaire (PCI SAQ), and the way it handles and stores customer information. The good news is that an organization can look at the typical requirements for becoming PCI compliant and reverse engineer what the costs might look like. PCI uses merchant levels to determine risk and ascertain the appropriate level of security for each business. Specifically, merchant levels determine the…


Top Risk Management Issues Facing Higher Education

Published 12/24/2019

Institutions of higher education (IHEs) are besieged by risk, especially cybersecurity and information security risk. Risk management for these institutions is critical but also extremely challenging, like trying to juggle balls and lighted torches all at once. Colleges and universities are worlds in themselves, providing not only classroom learning but health care, living quarters, meals, athletics, entertainment, research opportunities, and more to students, faculty, and staff. To pull it off, higher education institutions must collect a lot of personal data such as health records, financial information, scholastic records, and insurance information. These are the details that enable colleges to meet the needs of so many people every day. But possessing all this data makes every college and state university an…

Cybersecurity Audit Checklist

Published 12/19/2019

Today’s network and data security environments are complex and diverse. There are hundreds of pieces to a security system, and all of those pieces need to be looked at individually and as a whole to make sure they are not only working properly for your organization, but also safe and not posing a security threat to your company, your data, or the data of your customers. Risk management and risk assessments are important parts of this process. Data loss and data breaches are detrimental to your organization and can make or break a company, especially if a breach causes other organizations to lose confidence in your ability to keep your data and theirs secure. For this reason, it is absolutely critical for you to…

HIPAA and Social Media: What You Need to Know

Published 12/17/2019

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law before the rollout of major social media sites such as Facebook, Twitter, and Instagram. As such, there are no HIPAA rules written specifically for social media. However, some HIPAA rules and standards do apply to the use of social media by health care organizations and their workers. Because of that, each health care organization must implement a HIPAA social media policy to decrease the risk of HIPAA violations. The HIPAA Privacy Rule forbids the use of protected health information on social media networks. Protected health information includes text, videos, and images about specific patients that can enable others to identify them. Health care providers can only use…


PCI Certification vs. Compliance: What Is the Difference?

Published 12/12/2019

Organizations are often left wondering what the difference is between a certification granted by representatives of the Payment Card Industry (PCI) and achieving compliance. The Payment Card Industry Data Security Standard (PCI DSS) defines a framework for protecting cardholder data. The framework was developed by the Payment Card Industry Security Standards Council (PCI SSC) and enables organizations to assess how well they are protecting cardholder data, training staff, and conducting PCI DSS audits. The PCI Security Standards Council enables organizations to become PCI DSS compliant. Accepting payment cards like Visa, Mastercard, American Express, Discover, and JCB is critical to a merchant’s ability to transact business. Cash and checks are becoming rarer in brick-and-mortar companies, and all…

Key Takeaways from the CCPA Audit Webinar with Dr. Maxine Henry

Published 12/06/2019

Dr. Maxine Henry, one of Reciprocity’s renowned GRC experts, led a webinar on the California Consumer Protection Act (CCPA). This sweeping legislation creates data privacy rights for covered consumers, which means it also imposes obligations on businesses to safeguard personal information. Ahead of its implementation on January 1, 2020, Dr. Henry discussed how to prepare.

Who Will CCPA Impact?

CCPA protects California residents, recognizing all natural persons in the state as consumers. Even companies not headquartered in California, perhaps without a physical presence in California, will be subject to CCPA, because California residents are among their customers. CCPA imposes obligations on for-profit enterprises meeting any of these criteria:

- Annual gross revenues over $25 million;
- Handles, buys, shares, or sells personal…


The Differences Between SOX 302 and 404 Requirements

Published 12/05/2019

The Sarbanes-Oxley Act of 2002 (SOX) is a law that imposes regulations on publicly traded companies and accounting firms. SOX was created to improve the accuracy and reliability of corporate disclosures in financial statements and to protect investors from fraudulent accounting practices. While the act consists of eleven titles, many of the SOX requirements live within Section 302 and Section 404. These SOX compliance activities include the identification and testing of internal controls over the financial reporting process. They also require the submission of specific financial certifications in quarterly and annual reports to the United States Securities and Exchange Commission (SEC). Although these Sarbanes-Oxley sections are interrelated, there are differences between their specific requirements as well.

SOX Section 302…


How to Map PCI DSS to the NIST Cybersecurity Framework

Published 12/03/2019

Organizations face an increasing number of compliance metrics. Risk management is of paramount importance and is feeding the need for governance. PCI DSS and the NIST CSF are two frameworks that help enhance data security and manage risk. Often, it is confusion about where to start that prevents businesses from taking action at all. To prevent analysis paralysis, it is important first to understand what PCI DSS and the NIST CSF do, how they relate to each other, and how they differ.

What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was created to standardize how all organizations that accept, process, transmit, and store credit card information do so securely. The requirements mandated by…
