ZenGage #AMA Series with Dr. Maxine Henry on the CCPA

Written by

ZenGage, the new Slack community for information security and GRC professionals, recently hosted CCPA expert Dr. Maxine Henry, in its first #AMA (Ask Me Anything) live Slack chat series. The nation’s most stringent data protection law (so far), the California Consumer Privacy Act of 2018 takes effect Jan. 1, 2020— and it’s generating a lot of buzz. Businesses from coast to coast are girding themselves for sweeping changes in how they collect, share, and protect California residents’ personal information. With the deadline for compliance right around the corner, GRC professionals have a lot of work to do.   In this candid discussion, Dr. Henry answers a broad range of questions, starting with the rights that the CCPA grants to California residents,…

Preparing for an ISO 27001 and 27002 Audit

Written by
Preparing for an ISO 27001 and 27002 Audit

Preparing for an ISO 27001 and 27002 Audit Getting your certification for ISO 27001 is a complex and time-consuming endeavor. But for many organizations, it’s worth the effort. That’s because ISO 27001 is the international standard for Information Security Management System (ISMS). Being able to say you’re “ISO 27001 certified” tells stakeholders that your organization is serious about protecting the security and privacy of their information. Stakeholders include your current and future clients, business partners, suppliers, and customers. In this day and age, that’s no small claim. And in fact, ISO 27001 certification is a must for many enterprises that do business with you. Mere ISO 27001 compliance isn’t always enough. To become certified as ISO compliant, you must pass…

Tags: , , ,
Categorized in:

Which PCI SAQ Do I Need?

Written by

Which PCI SAQ Do I Need? Which of the nine Payment Card Industry Data Security Standard (PCI DSS) Self-Assessment Questionnaires (SAQs) your organization needs to fill out and submit depends on several factors:     How you process credit-card transactions. Do you outsource these transactions to a third party to process, or do it yourself?     What type of payment processing machine or terminal you use for credit and debit card transactions.     Whether you accept payments in-store from customers with a physical card or phone-pay application, or are strictly e-commerce only.   What is an SAQ, and what is it for?  PCI DSS Self-Assessment Questionnaires (SAQs) are tools provided by the PCI Security Standards Council (PCI SSC)…

How to Become PCI DSS Certified

Written by

How to Become PCI DSS Certified The short answer to the question of achieving PCI DSS certification is: you can’t. There is no certificate attesting to Payment Card Industry Data Security Standard (PCI DSS) compliance. There is, however, a way your organization can stand apart as being especially committed to credit card security. Instead of submitting the self-assessment questionnaire (SAQ) and Attestation of Compliance to your acquiring bank, you may choose to pass an on-site audit by a PCI Security Standards Council-certified Qualified Security Assessor (QSA) or your own Internal Security Assessor, and have them file a Report on Compliance (ROC). The difference between these two alternatives is vast. With an SAQ and AOC, your enterprise is assessing itself. An…

PCI DSS: Testing Controls and Gathering Evidence

Written by

PCI DSS: Testing Controls and Gathering Evidence Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is not easy to achieve. Quite the opposite, in fact: A 2017 Verizon report stated that 80 percent of companies fail their PCI DSS assessments, and only 29 percent of those that pass are still compliant after one year. PCI DSS compliance, like information security as a whole, is not a one-and-done process but ongoing. To succeed, your enterprise must be vigilant. And comply you must, if your organization wants to do business. Penalties for non-compliance can be high—even crippling— but never fear. With planning and preparation, you can obtain that coveted Report on Compliance (ROC) or Attestation of Compliance (AOC) with relative…

Understanding the PCI Levels of Compliance

Written by

Understanding the PCI Levels of Compliance While every merchant and service provider that processes, stores, or transmits credit card data must comply with the Payment Card Industry Data Security Standard (PCI DSS), not all must travel the same path to PCI compliance. The amount of risk an organization faces depends on a variety of factors. Recognizing these differences, the PCI Security Standards Council developed four compliance levels for merchants and two for service providers. The level an enterprise belongs depends upon:     How many credit card transactions it processes in a year, and      Whether it has suffered a breach or cyberattack resulting in compromise of credit card or cardholder data. The entities with the most stringent and…

Tags: , ,
Categorized in:

What Is a PCI Audit?

Written by

What is a PCI Audit? A PCI audit examines the security of your organization’s credit-card processing system from beginning to end.  During this process, a Qualified Security Assessor (QSA) or your own Internal Security Assessor will determine the effectiveness of your organization’s information security controls. To pass the test, your payment network must meet as many as 281 criteria spelled out in the Payment Card Industry Data Security Standard, or PCI DSS, with which all merchants and their service providers must comply. To demonstrate PCI compliance, your organization must do one of two things:     Have an on-site audit by a Qualified Security Assessor (QSA) or Internal Security Assessor, or     Fill out a PCI DSS self-assessment questionnaire,…

Tags: , ,
Categorized in:

How To Minimize The Scope of Your PCI DSS Audit

Written by

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) and its 281 directives can be a time-consuming hassle. Fortunately, there are ways to minimize your PCI DSS scope, saving time and resources for your organization and auditor, and ratcheting down your stress levels. Larger organizations—those processing more than 1 million credit-card transactions annually—may need two years to reach initial PCI DSS compliance. Then, to stay compliant, they often must expend ample resources monitoring their systems and security and keeping it all up to date. For those who fail, the penalties can be crippling. Even smaller merchants and internet service providers (ISP) may require a year’s work to reach PCI compliance. That’s because this data security framework, mandatory for…

Tags: , ,
Categorized in:

Applying Big Data to Risk Management

Written by

The era of Big Data is here. Information now exceeds fantastic proportions, globally measured in zettabytes (each zettabyte is a billion terabytes) and growing at an exponential rate that defies comprehension. According to the IDC, global data is expected to grow from 23 Zettabytes (ZB) in 2017 to 175 ZB by 2025. And depending on your industry and specific organization, you likely have plentiful external and internal data sources readily available for mining, applying predictive analytics and creating viable projections. Leveraging data allows companies the ability to improve income streams, more effectively direct operations and enhance the customer experience. Overall your organizational health improves dramatically when data is accurately assessed. But big data also is a powerful – and vital–tool…

How to Manage Technological Risks?

Written by

In all sectors, technology has become a vital aspect of operations and has transformed the workplace, but that dependence on technologies also poses a threat to organizational wellbeing. Data breaches, system failures, malicious attacks–as well as natural disasters that impact technologies–can wreak havoc on company reputations, regulatory compliance and fiscal health. In some cases, the damage from these events is irreversible or long-term. A proactive strategy to mitigate tech risks are foundational aspects of operations. Your company needs such a plan that prevents, responds and continuously monitors for these risks. Monitoring and Managing Risks in Technology The adage, “An ounce of prevention is worth a pound of cure,” is entirely applicable to monitoring and managing tech risks. A whole-organization system…