
Asking Vendors the Right Questions

How is your company managing the security of your vendors? According to the 2018 Ponemon Institute Data Risk in the Third-Party Ecosystem study: 59% of companies have experienced a data breach caused by one of their vendors or third parties. Do you know how much is at stake if one of your vendors or fourth parties is breached? Security questionnaires are opportunities [...]

A Red Teamer’s Trip to the Doctor

The things that go through a security professional’s head during a regular doctor's visit, why they matter to the healthcare industry, and why they should matter to you. Healthcare organizations are the stewards of troves of very private and personal information. This makes them high-value targets of all sorts of attacks from malicious parties. Additionally, national regulations such as HIPAA call [...]

April 13th, 2020 | Penetration Testing, Regulatory Compliance | 1 Comment

Performing Effective User Access Reviews

Correcting mistakes that arise in the day-to-day management of access control. Organizations can take many steps to manage access, such as adopting documented registration and de-registration processes, maintaining a list of service accounts, and segmenting networks. While all are effective ways of managing access, they occasionally fail. For example, a step may be missed in the on-boarding process. A [...]

Craftsmanship in Music and Compliance

If you’ve been on stage for a speech or performing arts, you know stage fright is real. Businesses can get nervous when they hear the word "audit" in the same way musicians can get nervous before a performance. However, there is one great way to alleviate that fear: preparation. If your business prepares well, you will see the fruits of that [...]

Planning, Executing and Learning from Tabletop Exercises

Throughout the process of maturing your governance and compliance environment, you have likely encountered the need for conducting an annual or quarterly preparedness exercise, commonly referred to as a “tabletop exercise”. These exercises are required for compliance with numerous standards, including ISO 27001/22301, GDPR, and SOC 2 just to name a few. While the focus of each tabletop may change, the [...]

ISO 27701 Privacy Framework Could be the GDPR Certification We’ve Been Waiting For

Faced with regulatory penalties, an avalanche of due diligence questionnaires, and stringent contractual clauses, companies of all sizes have been impacted by GDPR. To date, most companies have tackled GDPR with sheer effort, investing billions of dollars toward compliance with little or no assurance their efforts have paid off. As a result, business leaders are left wondering "Are we compliant?" and [...]

SEC Issues New Cybersecurity Guidance: What you need to know

On February 21, 2018, the SEC issued new guidance on cybersecurity disclosures for public companies. As an “interpretive release,” the new guidance interprets existing laws. In this case, the SEC has clarified the statutes that may affect reporting of cybersecurity risks and incidents. The guidance also addresses various costs and consequences of cybersecurity that should be considered when preparing disclosures. The [...]