July Blog Round-Up: P2PE Version 2.0, FedRAMP Developments and The Tainted Legacy of Legacy Systems

Latest in PCI

PCI Update Paves Way for Expanding Point-to-Point Encryption (P2PE)

Key Takeaway: This past month the PCI Security Standards Council released P2PE version 2.0, its latest step toward broader adoption of point-to-point encryption. By making the P2PE implementation requirements more flexible, the Council aims to make it easier for merchants to deploy the technology. P2PE encrypts cardholder data at the point of interaction, so clear-text account data never passes through the merchant's own systems; that both shrinks the merchant's PCI DSS scope and limits what an attacker who gets onto the merchant network can capture.

FedRAMP Wrap-Up

FedRAMP Releases Framework for Cloud Security Assessments

Key Takeaway: This past month, FedRAMP released the "FedRAMP Penetration Test Guidance." The document lays out the rigorous penetration testing that cloud service providers must go through before being authorized for government use. A…

Changes Are Coming For The Trust Services Principles And Criteria – Are You Ready?

This post was originally published on BARR Assurance and Advisory, Inc. In late 2014, the American Institute of Certified Public Accountants updated the criteria for the Trust Services Principles related to security, availability, processing integrity, and confidentiality (most commonly reported on using SOC 2 and SOC 3). Soon there will be even more updates, as proposed in the recent exposure draft. The AICPA's planned revisions aim to further clarify the criteria and eliminate redundancy while reflecting how much change is occurring in the technology and business environments. These changes may initially look like a lot of added work on your end, but they are necessary improvements that will make your life easier once they take effect in spring 2016. What exactly is changing? The…

The Changing Risk Management Landscape

This post was originally published on TechSling. Security breaches in every industry are all over the news these days, and companies are becoming more mindful of the need for compliance and risk management. As a result, they're putting their cloud service providers under a microscope. But the business world is changing. The fixed-cost model is fading as subscription-based services thrive. Speed and system availability are essential to a successful business, and these qualities take precedence over fancy, complex features. Customers are evolving as well. If you don't know what I'm talking about, shut down a teenager's Twitter handle for a few minutes. The teenager of the '90s was OK with waiting an hour for a song to download on…

ZenGRC has new audit functionality and redesigned emails!

In ZenGRC version 1.95.1.2, we've re-imagined the audit module with deeper, more practical functionality.

Keep track of test plans

You can now assess controls against their test plan, and create both requests and issues from those assessments. When creating or updating a control, you'll notice a new stock attribute called Test Plan. This field matters because it is pulled into the control assessment in the Audit module when you are ready to create an audit.

Remediate test plan results

If you open the Audit module and the LHN (left-hand navigation), you'll notice two new objects:

- Control assessments
- Issues

Control assessments can be generated in an audit from the in-scope controls that are mapped to any given program. "In-scope controls"…

5 Things to Know as You Prepare for a Compliance Audit

This post was originally published on SmartDataCollective. For most cloud service providers, a compliance audit is, at best, a necessary evil: the root canal of the business world. Like a root canal, it can be a painful process that you regret about halfway through, even if you know it's good for you. But just as you can avoid root canals with proper dental hygiene and regular checkups, the pain of compliance audits can be avoided with proper preparation. You need to see compliance audits as an integral part of your company culture that helps maintain standards for each internal control, rather than as an annual nuisance that…

Sourcing Responsibility to Vendors Could Be Your Biggest Mistake

This post was originally published on SCORE. In a recent survey, the Institute of Internal Auditors Research Foundation found that third-party vendors play an important role in about two-thirds of businesses across the country. For small businesses especially, this business practice has become the norm, and for good reason. Vendors can cut costs and increase the efficiency of your company significantly, giving you the freedom to focus on what you do best at the lowest possible cost. Still, this trend comes with its own set of drawbacks. In particular, companies have begun to confuse the outsourcing of business processes with the outsourcing of responsibility. As a result, they’ve created massive security vulnerabilities. In fact, the same IIA survey found that third-party…

5 Steps to Build Processes that Safeguard your Most Sensitive Data

This post was originally published on SMB CEO. It seems like major corporate data breaches have become all too common. In fact, they've become so common that you might have become immune to such news. If you own or run a small business, you might think protecting sensitive data is not something you have to worry about. But you'd be surprised by the amount of information you collect and need to protect. From credit card numbers and addresses to phone numbers and financial and medical information, it starts to add up pretty quickly. That's why you need to establish processes for handling sensitive information. Of course, creating solid processes for handling data is common in the corporate world, but oftentimes,…

The Rise of GRC is caused by the Rise of the Cloud

The new generation of companies (like Twitter and Uber) go from zero dollars to billions in five years, not 50. Enterprise software startups land bigger deals, faster, because they are more agile than they were 20 years ago and they deliver their offerings via the cloud. All of them are getting hit with risk and compliance issues much earlier in the life of their companies. Why? 20 years ago, when a vendor sold software, it handed the customer a CD, and nobody cared about the state of the vendor's internal controls. Things were easy; nobody cared much about compliance. But 10-15 years ago the cloud started to rise. The world shifted to subscription models and logins, and suddenly enterprise customers started to care about…

Selecting the Right Service Organization Control Report for Outsourced Operations

This post was originally published on BusinessTips.com. Joe from the marketing department could lose his documents if your outsourced infrastructure isn't secure. That might not seem like the end of the world (unless you're Joe), but if a bank's website goes down, the bank loses money. To help protect you from this situation, the American Institute of CPAs established Service Organization Control (SOC) reports. While addressing these requirements can be tedious, the reports ensure that service organizations are keeping a close eye on businesses' information. They provide a standardized way to evaluate and report on internal controls at service organizations. But understanding which SOC report is best for your business can be complicated if you're not fully informed. Increased Outsourcing…

ZenGRC has a new dashboard, custom attributes, and more!

ZenGRC’s latest release comes with several new feature updates:

- New look and feel with the quick-start dashboard. The new dashboard shows workflow status, my tasks and my requests, and lets you create and search for objects easily.
- New left-hand navigation: click the menu button (three lines) to expand or hide it.
- Custom attributes for any object: open the Admin dashboard to add custom fields to any object type. To import controls with custom attributes, add the attribute title as a new column in the import template.
- Object filter: need to sort through hundreds of objects? Type in a keyword to narrow down the list.
- Show/hide horizontal navigation menu button (found near the top right of the screen):…
