Compliance
Compliance with corporate, government and industry standards and regulations is critical to meet business goals, reduce risk, maintain trust and avoid fines. Get advice on audit planning and management; laws, standards and regulations; and how to comply with GDPR, PCI DSS, HIPAA and more.
Top Stories
-
Feature
11 Apr 2024
7 principles of the GDPR explained
The GDPR's seven data protection principles on the lawful processing of data are directly influencing the way businesses collect, store, erase and monetize personal information.
-
Feature
11 Apr 2024
AI and GDPR: How is AI being regulated?
Amid data privacy issues spawned by proliferating AI and generative AI applications, GDPR provisions need some updating to provide businesses with more specific AI guidelines.
-
Tip
04 Apr 2024
Data protection vs. data backup: How are they different?
They might be viewed as separate functions, but data backup should be part of an overall data protection strategy to thwart ransomware and comply with stringent privacy laws.
-
Tip
03 Apr 2024
How to conduct a data privacy audit, step by step
The vital importance of a data privacy audit can't be underestimated in today's climate of proliferating customer data, more stringent regulations and sophisticated cyber threats.
-
Feature
01 Apr 2024
6 business benefits of data protection and GDPR compliance
Complying with GDPR and avoiding severe fines is a primary goal of businesses, but the data governing principles and security tools to achieve compliance yield systemic benefits.
-
Definition
27 Mar 2024
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is legislation that updated and unified data privacy laws across the European Union (EU).
-
Opinion
26 Mar 2024
Top 6 data security posture management use cases
Data security posture management is a top 10 security issue for 2024, according to research. Check out the top six use cases for DSPM and weigh in on other possibilities.
-
Tip
22 Mar 2024
Data protection impact assessment template and tips
Conducting a data protection impact assessment is key to evaluating potential risk factors that could pose a serious threat to individuals and their personal information.
-
Tip
20 Mar 2024
U.S. data privacy protection laws: 2024 guide
Concerns about how personal data is processed and stored are leading to the passage of new privacy regulations that govern how companies handle consumer data.
-
Feature
11 Mar 2024
Understanding the basics of Windows 365 Government
Windows 365 Government isn't available to all Microsoft customers, but organizations such as governments and privileged contractors can benefit from this specialized offering.
-
Definition
08 Mar 2024
electronic protected health information (ePHI)
Electronic protected health information (ePHI) is protected health information that is produced, saved, transferred or received in an electronic form.
-
Feature
04 Mar 2024
Infosec pros weigh in on proposed ransomware payment bans
Whether for or against a payment ban, security professionals are concerned regulations could negatively affect victims and result in fewer incident disclosures.
-
Definition
04 Mar 2024
cloud audit
A cloud audit is an assessment of a cloud computing environment and its services, based on a specific set of controls and best practices.
-
Tip
21 Feb 2024
AI and compliance: Which rules exist today, and what's next?
The AI regulatory landscape is still racing to catch up with the fast pace of industry and technological developments, but a few key themes are starting to emerge for businesses.
-
Definition
15 Feb 2024
operational risk
Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business operations.
-
Definition
13 Feb 2024
risk reporting
Risk reporting is a method of identifying risks tied to or potentially impacting an organization's business processes.
-
News
06 Feb 2024
Google: Spyware vendors are driving zero-day exploitation
Google's Threat Analysis Group urged further government action against commercial surveillance vendors that let customers abuse spyware products with impunity.
-
Definition
02 Feb 2024
communications security (COMSEC)
Communications security (COMSEC) is the prevention of unauthorized access to telecommunications traffic or to any written information that is transmitted or transferred.
-
Feature
30 Jan 2024
7 benefits of Microsoft SharePoint
SharePoint offers a central repository where users can store and collaborate on business content. The tool's benefits include improved efficiency, scalability and compliance.
-
News
29 Jan 2024
Citizen Lab details ongoing battle against spyware vendors
At the SANS Cyber Threat Intelligence Summit, Citizen Lab researcher Bill Marczak discusses spyware proliferation from commercial vendors such as NSO Group, Cytrox and Quadream.
-
Tip
29 Jan 2024
Cybersecurity skills gap: Why it exists and how to address it
The cybersecurity skills shortage is putting enterprises at risk. Worse, it shows no sign of abating. Here is why it's happening and what employers can do to mitigate the problem.
-
News
18 Jan 2024
Chainalysis observes decrease in cryptocurrency crime in 2023
During 2023, Chainalysis tracked a decrease in the total value and volume of illicit cryptocurrency transactions. But it is unclear if the downward trend will continue.
-
Definition
18 Jan 2024
information assurance (IA)
Information assurance (IA) is the practice of protecting physical and digital information and the systems that support the information.
-
Feature
17 Jan 2024
CISOs on alert following SEC charges against SolarWinds
The Securities and Exchange Commission announced charges against SolarWinds and its CISO in October, but will it help improve transparency or simply scare infosec executives?
-
News
16 Jan 2024
FCC adopts lead generation rules to protect consumer privacy
The new rules aim to protect consumers from scam communications perpetuated by robocalls and robotexts and give consumers the ability to choose which companies can contact them.
-
Feature
21 Dec 2023
The top 4 content management trends in 2024
Content management trends like generative AI, compliance, workflow automation and cloud deployment can help organizations automate processes and support remote work.
-
Feature
30 Nov 2023
Records vs. document management: What's the difference?
Records and document management both help organizations share and use files, but these strategies have different goals, information, processes and systems.
-
Tip
17 Nov 2023
SBOM formats compared: CycloneDX vs. SPDX vs. SWID Tags
Organizations can choose between three SBOM formats: CycloneDX, SPDX and SWID Tags. Learn more about them to determine which fits your organization best.
-
Definition
14 Nov 2023
cardholder data environment (CDE)
A cardholder data environment (CDE) is a computer system or networked group of IT systems that processes, stores or transmits cardholder data or sensitive payment authentication data.
-
News
09 Nov 2023
SolarWinds fires back at SEC over fraud charges
SolarWinds said the SEC's lawsuit contains several 'false claims,' including allegations about how Russian nation-state hackers first got inside the company's network.
-
Opinion
08 Nov 2023
Research points to 5 ways to improve cybersecurity culture
Respondents to a new Enterprise Strategy Group/ISSA survey offered five key points on how to strengthen an organization's cybersecurity culture.
-
Podcast
01 Nov 2023
Risk & Repeat: Breaking down SEC charges against SolarWinds
This episode covers the SEC charges against SolarWinds and CISO Timothy Brown for allegedly hiding known cybersecurity risks prior to the 2020 supply chain attack it suffered.
-
News
31 Oct 2023
SEC charges SolarWinds for security failures, fraud
The SEC accused SolarWinds and CISO Timothy Brown of hiding known cybersecurity risks that were further highlighted by the supply chain attack revealed in 2020.
-
Tip
31 Oct 2023
How to use Managed Google Play with Microsoft Intune
IT teams can connect their Managed Google Play accounts to Intune to get the best of both management tools. Integrate the two for easier Android Enterprise enrollment and more.
-
Definition
30 Oct 2023
ISO 27002 (International Organization for Standardization 27002)
The ISO 27002 standard is a collection of information security management guidelines that are intended to help an organization implement, maintain and improve its information security management.
-
Definition
30 Oct 2023
privacy impact assessment (PIA)
A privacy impact assessment (PIA) is a method for identifying and assessing privacy risks throughout the development lifecycle of a program or system.
-
Definition
27 Oct 2023
compliance officer
Compliance officers are employees tasked with ensuring a company follows its internal rules and best-practice policies while always complying with applicable external laws and government regulations.
-
Tip
27 Oct 2023
Top 12 IT security frameworks and standards explained
Several IT security frameworks and cybersecurity standards are available to help protect company data. Here's advice for choosing the right ones for your organization.
-
Tip
26 Oct 2023
How to create a company password policy, with template
Use these guidelines and our free template to ensure your company's password policy sets the ground rules for strong and effective password creation and use.
-
Definition
24 Oct 2023
SSAE 16
The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of auditing standards and guidance on using the standards, published by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), for redefining and updating how service companies report on compliance controls.
-
Definition
17 Oct 2023
speculative risk
Speculative risk is a type of risk that the risk-taker takes on voluntarily and that will result in some degree of profit or loss.
-
Tip
17 Oct 2023
How to conduct a cyber-resilience assessment
It's a good cyber-hygiene practice to periodically review your organization's cybersecurity plans and procedures. Use this checklist to guide your cyber-resilience assessment.
-
Answer
13 Oct 2023
What are the most important email security protocols?
Email was designed without security considerations. Email security protocols, including SMTPS, SPF and S/MIME, add mechanisms to keep messaging safe from threats.
-
Definition
12 Oct 2023
chief risk officer (CRO)
The chief risk officer (CRO) is the corporate executive tasked with assessing and mitigating significant competitive, regulatory and technological threats to an enterprise's capital and earnings.
-
Feature
10 Oct 2023
Security posture management a huge challenge for IT pros
Enterprise Strategy Group's John Oltsik explains why executing security hygiene and posture management at scale remains an uphill battle for organizations, despite automation.
-
Tip
10 Oct 2023
Security log management and logging best practices
Learn how to conduct security log management that provides visibility into IT infrastructure activities and traffic, improves troubleshooting and prevents service disruptions.
-
Tip
06 Oct 2023
Collaboration security and governance must be proactive
Even as companies deploy more collaboration tools, they aren't keeping pace with effective governance strategies for these tools and their generated content.
-
Tip
06 Oct 2023
Is Android fragmentation still a problem for IT teams?
Android fragmentation has been a significant challenge for enterprise IT managing the OS. Find out how to manage fragmentation in the Android operating system.
-
Definition
04 Oct 2023
compliance as a service (CaaS)
Compliance as a service (CaaS) is a cloud service that specifies how a managed service provider (MSP) helps an organization meet its regulatory compliance mandates.
-
Definition
02 Oct 2023
ISO 31000 Risk Management
The ISO 31000 Risk Management framework is an international standard that provides organizations with guidelines and principles for risk management.
-
Definition
21 Sep 2023
governance, risk and compliance (GRC)
Governance, risk and compliance (GRC) refers to an organization's strategy for handling the interdependencies among the following three components: corporate governance policies, enterprise risk management programs, and regulatory and company compliance.
-
Definition
19 Sep 2023
total risk
Total risk is an assessment that identifies all the risk factors associated with pursuing a specific course of action.
-
Definition
12 Sep 2023
risk avoidance
Risk avoidance is the elimination of hazards, activities and exposures that can negatively affect an organization and its assets.
-
Definition
11 Sep 2023
What is risk management and why is it important?
Risk management is the process of identifying, assessing and controlling threats to an organization's capital, earnings and operations.
-
Definition
08 Sep 2023
pure risk
Pure risk refers to risks that are beyond human control and result in a loss or no loss with no possibility of financial gain.
-
Definition
08 Sep 2023
risk exposure
Risk exposure is the quantified potential loss from business activities currently underway or planned.
-
Definition
08 Sep 2023
risk profile
A risk profile is a quantitative analysis of the types of threats an organization, asset, project or individual faces.
-
Definition
08 Sep 2023
residual risk
Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made.
-
Definition
08 Sep 2023
risk map (risk heat map)
A risk map (risk heat map) is a data visualization tool for communicating specific risks an organization faces.
-
Guest Post
30 Aug 2023
SEC cyber attack regulations prompt 10 questions for CISOs
New SEC regulations governing the disclosure of cyber attacks by public companies lead to 10 questions board members should ask their CISOs about managing cyber-risk.
-
Tip
16 Aug 2023
6 open source GRC tools compliance professionals should know
Organizations must meet a variety of regulatory compliance requirements today. Here's a look at six open source GRC tools and related resources that might help.
-
News
10 Aug 2023
Kemba Walden: We need to secure open source software
During her Black Hat USA 2023 keynote, the acting national cyber director said the White House wants to develop realistic policies to improve the security of open source software.
-
Tip
08 Aug 2023
5 steps to ensure HIPAA compliance on mobile devices
IT must implement several measures to comply with HIPAA, and mobile devices can add further complexity to this process. Follow these important steps for mobile HIPAA compliance.
-
Definition
03 Aug 2023
SOC 2 (System and Organization Controls 2)
SOC 2 (System and Organization Controls 2), pronounced "sock two," is a voluntary compliance standard for ensuring that service providers properly manage and protect the sensitive data in their care.
-
Feature
01 Aug 2023
Infosec experts divided on SEC four-day reporting rule
Professionals in the cybersecurity industry voiced both concern and praise for new incident disclosure rules that allow companies four days to report a "material" cyber attack.
-
Definition
01 Aug 2023
Computer Fraud and Abuse Act (CFAA)
The Computer Fraud and Abuse Act (CFAA) of 1986 is United States legislation that imposes criminal penalties on individuals who intentionally access a protected computer without proper authorization or whose access exceeds their authorization.
-
Definition
28 Jul 2023
compliance audit
A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines.
-
Tip
25 Jul 2023
5 steps to approach BYOD compliance policies
It can be difficult to ensure BYOD endpoints are compliant because IT can't configure them before they ship to users. Admins must enforce specific policies to make up for this.
-
Tip
13 Jul 2023
The role of Mac file and folder encryption for businesses
IT administrators can enable the Mac FileVault utility across business files and data to provide an extra layer of security and meet compliance standards.
-
Definition
12 Jul 2023
data protection impact assessment (DPIA)
A data protection impact assessment (DPIA) is a process designed to help organizations determine how data processing systems, procedures or technologies affect individuals' privacy and eliminate any risks that might violate compliance.
-
News
10 Jul 2023
Genesys Cloud CX gets FedRAMP certified for government use
The CX vendor obtained Moderate Impact level authorization for its Genesys Cloud CX platform, bolstering security and safeguarding internal operations for U.S. government users.
-
Definition
06 Jul 2023
cloud security architecture
Cloud security architecture is a security strategy designed around securing an organization's data and applications in the cloud.
-
Definition
27 Jun 2023
Occupational Safety and Health Administration (OSHA)
The Occupational Safety and Health Administration (OSHA) is responsible for protecting worker health and safety in the United States.
-
Definition
19 Jun 2023
PCI DSS (Payment Card Industry Data Security Standard)
The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.
-
Tutorial
16 Jun 2023
Guard information in cloud with a data classification policy
The cloud's need for special data classification attention arises from a combination of risk factors. With proper care, classification and compliance can limit these risks.
-
Tip
13 Jun 2023
How to address mobile compliance in a business setting
When organizations plan for compliance and data security, they need to consider mobile devices due to their proliferation in a business setting and how easy it is to lose them.
-
Tip
08 Jun 2023
How to secure blockchain: 10 best practices
Blockchain has huge potential in the enterprise, but remember all emerging technologies come with their own risks. Consider these 10 best practices for securing blockchain.
-
Podcast
25 May 2023
Risk & Repeat: A troubling trend of poor breach disclosures
This Risk & Repeat episode covers three data breach disclosures from Dish Network, Gentex Corporation and Clarke County Hospital and the troubling trends that connect all three.
-
Feature
12 May 2023
Security experts share cloud auditing best practices
A cloud audit allows organizations to assess cloud vendor performance. Auditing experts Shinesa Cambric and Michael Ratemo talk about the role of compliance in auditing.
-
News
12 May 2023
Experts question San Bernardino's $1.1M ransom payment
While no public safety services were compromised in the ransomware attack on San Bernardino County's Sheriff's Department, the government opted to pay $1.1 million to threat actors.
-
Definition
12 May 2023
Generally Accepted Recordkeeping Principles (the Principles)
Generally Accepted Recordkeeping Principles is a framework for managing records in a way that supports an organization's immediate and future regulatory, legal, risk mitigation, environmental and operational requirements.
-
Definition
09 May 2023
standardization
Standardization is the process of developing, promoting and possibly mandating standards-based and compatible technologies and processes within an industry.
-
Podcast
09 May 2023
Risk & Repeat: Ex-Uber CSO Joe Sullivan sentenced
This podcast episode covers the sentencing of former Uber CSO Joe Sullivan over the 2016 breach cover-up, and what it means for other security executives and the industry at large.
-
News
05 May 2023
Former Uber CSO Joe Sullivan avoids jail for breach cover-up
A U.S. district judge sentenced former Uber security chief Joe Sullivan to three years of probation and 200 hours of community service for his role in the 2016 breach cover-up.
-
News
04 May 2023
Cybersecurity execs ponder software liability implementation
Reactions to the Biden Administration's push for legislation enforcing software liability were mostly positive, but questions remain regarding implementation.
-
Definition
01 May 2023
compliance framework
A compliance framework is a structured set of guidelines that details an organization's processes for maintaining accordance with established regulations, specifications or legislation.
-
Opinion
25 Apr 2023
Cloud-native security metrics for CISOs
Author and chief risk officer Rich Seiersen talks about the challenges of securing cloud-native applications and how to use metrics to improve their effectiveness.
-
News
25 Apr 2023
DOJ's Monaco addresses 'misperception' of Joe Sullivan case
In her RSA Conference keynote, Deputy Attorney General Lisa Monaco was asked if the prosecution of former Uber CSO Joe Sullivan damaged trust with the private sector.
-
Tip
19 Apr 2023
How to prepare for a cybersecurity audit
Organizations should conduct regular cybersecurity audits to determine if their networks and other assets are properly protected, as well as if they meet compliance mandates.
-
Definition
31 Mar 2023
PCI DSS 12 requirements
The PCI DSS 12 requirements are a set of security controls businesses must implement to protect credit card data and comply with the Payment Card Industry Data Security Standard (PCI DSS).
-
Definition
30 Mar 2023
cardholder data (CD)
Cardholder data (CD) is any personally identifiable information (PII) associated with a person who has a credit or debit card.
-
Definition
30 Mar 2023
PCI DSS merchant levels
Payment Card Industry Data Security Standard (PCI DSS) merchant levels rank merchants based on their number of transactions per year to outline compliance verification requirements.
-
Feature
20 Mar 2023
Techno-nationalism explained: What you need to know
Techno-nationalism changes the way providers do business and the way users interact with tech.
-
Definition
08 Mar 2023
FACTA (Fair and Accurate Credit Transactions Act)
FACTA (Fair and Accurate Credit Transactions Act) is an amendment to FCRA (Fair Credit Reporting Act) that was added, primarily, to protect consumers from identity theft.
-
News
02 Mar 2023
New National Cybersecurity Strategy takes aim at ransomware
The Biden-Harris administration's 39-page National Cybersecurity Strategy covers multiple areas, including disrupting ransomware operations and addressing vulnerable software.
-
Definition
16 Feb 2023
E-Sign Act (Electronic Signatures in Global and National Commerce Act)
The E-Sign Act (Electronic Signatures in Global and National Commerce Act) is a U.S. federal law that specifies that, in the United States, the use of an electronic signature (e-signature) is as legally valid as a traditional signature written in ink on paper.
-
Definition
15 Feb 2023
personally identifiable information (PII)
Personally identifiable information (PII) is any data that could potentially identify a specific individual.
-
Definition
14 Feb 2023
social media policy
A social media policy is a corporate code of conduct that provides guidelines for employees who post content on the internet either as part of their job or as a private person.
-
Definition
08 Feb 2023
SOC 3 (System and Organization Controls 3)
A System and Organization Controls 3 (SOC 3) report outlines information related to a service organization's internal controls for security, availability, processing integrity, confidentiality and privacy.
-
Definition
07 Feb 2023
tokenization
Tokenization is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.
-
Definition
03 Feb 2023
audit program (audit plan)
An audit program, also called an audit plan, is an action plan that documents what procedures an auditor will follow to validate that an organization is in conformance with compliance regulations.
-
Tip
25 Jan 2023
Centralized services as a hedge against shadow IT's escalation
Proliferation of cloud, AI and integration tools has increased the deployment security risks of shadow IT and the need to centralize business functions and share support services.