Understanding the Consequences of Failing PCI Compliance

Published 03/10/2020

The Payment Card Industry Data Security Standard (PCI DSS) does a great job of outlining how an organization should go about protecting cardholder data. Most organizations take the best practices from the PCI council and implement a strong information security strategy bent on enforcing PCI standards, compliance requirements, and vulnerability management.  What happens when an organization doesn’t follow the rules as they should or they suffer a data breach because of negligence? The organization loses credibility and suffers a reputational loss, which has an unmeasurable impact on the bottom line. The organization may no longer accept credit cards, significantly impacting its ability to sell products and services. The organization may have to pay fines, strengthen its information security, and have…

6 Reasons Why You Need SOC 2 Compliance

Published 03/05/2020

System and Organization Controls for Service Organizations 2 (SOC 2) compliance isn’t mandatory. No industry requires a SOC 2 report. Nor is SOC 2 compliance law or regulation. But your service organization ought to consider investing in the technical audit required for a SOC 2 report. Not only do many companies expect SOC 2 compliance from their service providers, but having a SOC 2 report attesting to compliance benefits your service organization in other ways, too. Here are six reasons to obtain a SOC 2 compliance report: Customer demand. Protecting customer data from unauthorized access and theft is a priority for your clients, so without a SOC 2 attestation (or SOC 3,…

The Best Ways to Maintain PCI Compliance

Published 03/03/2020

Congratulations, you have achieved PCI compliance!  Now comes the hard part, staying compliant. Remember, it was a great deal of work to get your environment where it needed to be for the Payment Card Industry Data Security Standard (PCI DSS). Organizations spend a fair amount of money getting systems, networks, and people exactly where they need to be for cardholder data protection.  The PCI Data Security Standard is not something that you complete once and you’re good forever. Instead, maintaining PCI compliance takes an ongoing commitment of people, process and technology. There are three things that organizations can do to stay compliant: dedicate the necessary resources to keep the information security program current, assess/test the information security environment perpetually, and…

Inherent Risk vs. Control Risk: What’s the Difference?

Published 02/27/2020

Inherent risk and control risk are two of the three parts of the audit risk model, which auditors use to determine the overall risk of an audit. Inherent risk is the risk of a material misstatement in a company’s financial statements without considering internal controls.  Control risk is the chance of a material misstatement in a company’s financial statements because there aren’t any relevant internal controls to mitigate a particular risk or the internal controls in place malfunctioned.  There is a distinct difference between inherent risk and control risk. The inherent risk stems from the nature of the business transaction or operation without the implementation of internal controls to mitigate the risk. Control risk arises because an organization doesn’t have…

CCPA Compliance Checklist

Published 02/25/2020

If your organization has a presence in California or does business with California residents, then it probably needs to comply with the California Consumer Privacy Act (CCPA). CCPA compliance is no easy task, but never fear: using this checklist and our CCPA audit guide can help smooth the way. The first step toward compliance is knowing the law: Know if you qualify. Enacted in 2018, the CCPA takes effect Jan. 1, 2020, and mandates that certain for-profit businesses in California or doing business with Californians meet its requirements. Is yours one of them? Does your enterprise: Have annual gross revenues of more than $25 million; or Buy, receive, sell, or share personal information of 50,000 or more California consumers,…

Proactive vs Reactive Risk Management Strategies

Published 02/20/2020

For decision making, “reactive” tends to be frowned upon in the business world. “Proactive” is the preferred mode and has been pretty much since the word was coined (in 1933). “Proactivity,” says Wikipedia, refers to “anticipatory, change-oriented and self-initiated behavior in situations.” In risk management and elsewhere, “proactive risk management” entails addressing problems before they start: in case fire fighting becomes necessary, an extinguisher needs to go here. But what if the extinguisher doesn’t work? You have a backup: a contingency plan.  Reactivity, on the other hand, involves action in response to something. A fire breaks out; you grab one of the fire extinguishers called for in the proactive risk management plan.  A “proactive vs. reactive” debate pitting one approach…

Why You Need a Vendor Risk Management Policy

Published 02/18/2020

A formal, written vendor or third-party risk management policy is the first step in developing your vendor risk management program, and essential to that program’s success.  Vendor risk management encompasses third-party risks as well as that of your vendors’ vendors — fourth-party risks — and is an important component of any cybersecurity program. A vendor risk management policy spells out the identified risks your organization faces in its use of third-party vendors, and the controls in place to minimize those risks. Think of it as a sort of road map to the success of your third-party risk management program.  Having a vendor management program is more important today than ever before. The digital age has brought about a dramatic increase…

ZenGRC at RSAC 2020

Published 02/13/2020

Experience ZenGRC Live at RSAC 2020, Feb 24-28 | Moscone Center, San Francisco, Booth #3332, South Expo Hall. Join Reciprocity’s team of GRC Experts and Product Specialists at the RSA Conference, the largest IT Security and cybersecurity trade show. Join us at our Booth (#3332) to experience ZenGRC, the leading infosec risk and compliance platform. With ZenGRC you can: Simplify audit & compliance management; Save time & reduce manual effort; Operationalize risk management; Boost ROI. See for yourself why ZenGRC is consistently rated an industry leader on G2 and Capterra! Three ways to engage with us at RSAC: Meet us in the Exhibit Hall | Booth #3332, South Expo Hall. Consult with a GRC Expert | Schedule an…

CCPA Exemptions: The California Consumer Privacy Act and the Gramm-Leach-Bliley Act

Published 02/13/2020

A change is coming for privacy protection. Are you ready? For the past twenty years, most financial services businesses fell under the requirements of the Gramm-Leach-Bliley Act (GLB Act or GLBA). This law federally governed the collection and disclosure of customers’ personal financial information. However, on January 1st, 2020, a new privacy rule—the California Consumer Privacy Act (CCPA)—is going into effect. Although a state law, it may significantly enhance data protection requirements in the U.S. Does your business fall under this new Rule? Compliance with the GLBA does not mean your business won’t have to adhere to the CCPA. The CCPA does not exempt financial institutions or companies that provide financial services, but there are limited exemptions for certain types…

Best Practices in Cyber Supply Chain Risk Management

Published 02/11/2020

Cyber supply chain risk management touches all aspects of a business. Supply chain risk management (SCRM) is not solely the responsibility of cybersecurity, but instead a partnership between sourcing, vendor management, cybersecurity, and transportation. The National Institute of Standards and Technology (NIST) released a set of best practices for cyber supply chain risk management in 2016. The best practices are vital for an organization and offer high-level advice on mitigating malware, performing risk assessments, securing information systems, and leveraging an information security program. Like all management programs, SCRM should be looked at as a lifecycle containing a clear set of security practices focused on the supply chain and supply chain management. Cyber Supply Chain Principles and Supply Chain Risks According…
