Category: News

August Standards Updates: FedRAMP Seeks Help, HIPAA Concerns, ISO “Landmark” and NIST Developments

Published 09/02/2015

FedRAMP Needs Feds to Help Refine High Impact Baseline The standards set forth by the High Impact Baseline will allow commercial cloud service providers to host sensitive information in their systems. Considering the potential that this Baseline has to shape the FedRAMP program going forward, officials are working hard to ensure that they get the standard right. After receiving public comments on their draft of the High Impact Baseline, FedRAMP is looking for help from federal employees to revise the standards set forth. FedRAMP plans to create “The Tiger Team,” which will consist of federal IT managers who can facilitate and oversee the revision process and prepare a final draft of the Baseline, which is scheduled to be finished prior…


August News Round-Up: The Ashley Madison Breach, Car-Hacking and Industry Updates

Published 08/26/2015

Get Your Affairs In Order: The Ashley Madison Breach Ashley Madison hackers made good on their initial threat from July this past week, releasing a downloadable database containing the following:
- 33 million accounts with user information, including names, street addresses and phone numbers
- 36 million email addresses
- 9.6 million documented transactions
- 10 GB of compressed data
Regardless of the morality of Ashley Madison’s services, this was an illegal hack of a website whose business depends on the security and confidentiality of user information. The Ashley Madison story is particularly terrifying because it offers a glimpse of how damaging security breaches can be now as more personal user information moves online. Sensitive information, when shared publicly, hits far closer to home…


Humans: Data Security Strategy’s Worst Enemy

Published 08/19/2015

This post was originally published on Small Business Computing.  Every organization requires some form of management; otherwise, it would be called a disorganization and business success would be elusive at best. It’s management’s job to establish roles and responsibilities for employees—especially when it comes to information security. Sixty percent of hackers can breach an organization’s system defenses within minutes. Risks and security incidents used to be managed on a case-by-case basis, but that’s no longer a viable option. The number of security incidents increased by 48 percent from 2013 to 2014, and notable companies including Adobe, eBay, Target, and The Home Depot were among the victims. But data breaches don’t affect only big-name brands; small businesses are also at risk. It’s time to wake…

Improve Security and Compliance with SAML

Published 08/12/2015

If your business operates with cloud-based applications, chances are you have heard of SAML. Despite being around since 2002, SAML is just now becoming a buzzword in the cloud security space. As businesses look to protect their data in the cloud, many are scrambling to understand what security benefits SAML has to offer them. What is SAML, and why is it vital for your compliance objectives going forward? Hopefully over the next few paragraphs we can answer these questions for you.

What Is SAML?

SAML, or Security Assertion Markup Language, is an XML-based, platform-neutral standard for exchanging authentication and authorization statements (assertions) between an identity provider and a service provider, so that a single login can be trusted across otherwise separate systems. One of the most important features offered by…
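To make the "assertions" in the definition above concrete, here is an added example (not code from the original post) of the checks a service provider applies to the Conditions and SubjectConfirmation of a SAML 2.0 assertion once the XML signature has been verified. The sample assertion, the issuer, audience and ACS URLs, and the request ID are all constructed for illustration; signature verification itself is assumed to have been done beforehand by a proper XML-DSig library and is not shown.

```python
"""Added example: claim checks a SAML service provider performs on a
received assertion. Not from the original post. The assertion below and
every URL/ID in it are constructed for illustration."""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample assertion (illustrative values, placeholder signature).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_abc123" Version="2.0"
    IssueInstant="2015-08-12T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2015-08-12T10:05:00Z"
          Recipient="https://sp.example.com/saml/acs" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2015-08-12T09:59:00Z" NotOnOrAfter="2015-08-12T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_utc(stamp):
    """Parse a SAML 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, expected_acs,
                       expected_request_id, now, clock_skew=timedelta(seconds=60)):
    """Return a list of failures (empty list means accept).

    Assumes the enveloped XML signature was already verified by an
    XML-DSig library; this only checks the claims the signature covers.
    """
    root = ET.fromstring(xml_text)
    errors = []

    # Issuer must be the IdP we federated with, and the assertion must be signed.
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or (issuer.text or "").strip() != expected_issuer:
        errors.append("issuer mismatch")
    if root.find("ds:Signature", NS) is None:
        errors.append("assertion is unsigned")

    # Validity window and audience restriction (who the assertion is for).
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("no Conditions element")
    else:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now + clock_skew < parse_utc(not_before):
            errors.append("assertion not yet valid")
        if not_on_or_after and now - clock_skew >= parse_utc(not_on_or_after):
            errors.append("assertion expired")
        audiences = [(a.text or "").strip()
                     for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            errors.append("audience mismatch")

    # Bearer confirmation: delivered to our ACS, answering our request, still fresh.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != expected_acs:
            errors.append("recipient mismatch")
        if scd.get("InResponseTo") != expected_request_id:
            errors.append("InResponseTo mismatch")
        bearer_expiry = scd.get("NotOnOrAfter")
        if bearer_expiry and now - clock_skew >= parse_utc(bearer_expiry):
            errors.append("bearer confirmation expired")
    return errors


if __name__ == "__main__":
    for when in ("2015-08-12T10:01:00Z", "2015-08-12T10:07:00Z"):
        print(when, validate_assertion(
            SAMPLE_ASSERTION, "https://idp.example.com/metadata",
            "https://sp.example.com/metadata", "https://sp.example.com/saml/acs",
            "_req42", parse_utc(when)))
```

The InResponseTo and NotOnOrAfter checks are what stop a captured assertion from being replayed or presented to a different application; the audience check is what stops an assertion issued for one service provider from being accepted by another. In production these checks sit behind signature verification from a vetted library, never in front of it.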


July Blog Round-Up: P2PE Version 2.0, FedRAMP Developments and The Tainted Legacy of Legacy Systems

Published 07/27/2015

Latest in PCI

PCI Update Paves Way For Expanding Point-to-Point Encryption (P2PE)

Key Takeaway: Starting this past month, the PCI Security Standards Council introduced P2PE Version 2.0, which is the latest step by the PCI towards expanding point-to-point encryption. By drafting more flexible P2PE implementation standards, the PCI aims to facilitate the adoption of this technology by merchants. P2PE enables merchants to encrypt cardholder data at the point of sale, which is vital for protection against hackers.

FedRAMP Wrap-Up

FedRAMP Releases Framework for Cloud Security Assessments

Key Takeaway: This past month, FedRAMP released the “FedRAMP Penetration Test Guidance.” This document lays out the rigorous testing that cloud service providers must go through before being approved for government use. A…


Changes Are Coming For The Trust Services Principles And Criteria – Are You Ready?

Published 07/14/2015

This post was originally published on BARR Assurance and Advisory, Inc. In late 2014, the American Institute of Certified Public Accountants updated the criteria for the Trust Services Principles related to security, availability, processing integrity, and confidentiality (most commonly reported out using SOC 2 and SOC 3). Soon, there will be even more updates as proposed in the recent exposure draft. The AICPA’s planned revisions will look to further clarify the criteria and eliminate redundancy while reflecting how much change is occurring in the technology and business environments. These changes may initially seem like a lot of added work on your end, but they are necessary improvements that will actually make your life easier once they go into effect in spring 2016. What exactly is changing? The…


The Changing Risk Management Landscape

Published 07/06/2015

This post was originally published on TechSling. Security breaches in every industry are all over the news these days, and companies are becoming more mindful of the need for compliance and risk management. As a result, they’re putting their cloud service providers under a microscope. But the business world is changing. The fixed cost model is fading as subscription-based services thrive. Speed and system availability are necessary to a successful business, and these qualities take precedence over fancy, complex features. Customers are evolving as well. If you don’t know what I’m talking about, shut down a teenager’s Twitter handle for a few minutes. The teenager of the ’90s was OK with waiting an hour for a song to download on…


5 Things to Know as You Prepare for a Compliance Audit

Published 06/08/2015

This post was originally published on SmartDataCollective. For most cloud service providers, a compliance audit is, at best, a necessary evil — the root canal of the business world. Like a root canal, it can be a painful process that you regret about halfway through, even if you know it’s good for you. But just as you can avoid root canals with proper dental hygiene and regular checkups, the pain of compliance audits can be avoided with proper preparation. You need to see compliance audits as an integral part of your company culture that help maintain standards over each internal control, rather than as an annual nuisance that…


Sourcing Responsibility to Vendors Could Be Your Biggest Mistake

Published 05/25/2015

This post was originally published on SCORE. In a recent survey, the Institute of Internal Auditors Research Foundation found that third-party vendors play an important role in about two-thirds of businesses across the country. For small businesses especially, this business practice has become the norm, and for good reason. Vendors can cut costs and increase the efficiency of your company significantly, giving you the freedom to focus on what you do best at the lowest possible cost. Still, this trend comes with its own set of drawbacks. In particular, companies have begun to confuse the outsourcing of business processes with the outsourcing of responsibility. As a result, they’ve created massive security vulnerabilities. In fact, the same IIA survey found that third-party…


5 Steps to Build Processes that Safeguard your Most Sensitive Data

Published 05/18/2015

This post was originally posted on SMB CEO. It seems like major corporate data breaches have become all too common. In fact, they’ve become so common that you might have become immune to such news. If you own or run a small business, you might think protecting sensitive data is not something you have to worry about. But you’d be surprised by the amount of information you collect and need to protect. From credit card numbers and addresses to phone numbers and financial and medical information, it starts to add up pretty quickly. That’s why you need to establish processes for handling sensitive information. Of course, creating solid processes for handling data is common in the corporate world, but oftentimes,…