PCI Requirement 12.6 – Implement a Formal Security Awareness Program to Make All Personnel Aware of the CHD Data Security Policy and Procedures

by Randy Bartels / April 5, 2023

Developing a Security Awareness Program

PCI Requirement 12.6 requires that your organization implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures. Without compliance with this requirement, how would your program even work properly? If personnel are not educated and aware of their security responsibilities, security safeguards and processes that you’ve worked hard to develop and implement may become ineffective…

PCI Requirement 12.5.5 – Monitor and Control All Access to Data

by Randy Bartels / April 5, 2023

Someone to Monitor and Control All Access to Data

PCI Requirement 12.5.5 states, “Monitor and control all access to data.” Really, this is the whole point of PCI compliance, isn’t it? Without someone formally responsible for monitoring and giving access to cardholder data, that data does not have the protection it needs. Throughout the PCI DSS, it talks about key management, data custodians, and giving access based on a…

Data Center Physical Security Recommendations with Auditor Insights

by Mike Wise / June 15, 2023

Why is Data Center Physical Security Important?

As we see more and more headlines of breaches, the focus on intruders accessing critical data has been heightened. What is the goal of those intruders? To access critical data stored by organizations. This brings data centers into focus because the ultimate nexus of that critical data is in the data center. One of the top responsibility areas for data centers falls into…

Auditor Insights: Vulnerability Assessments vs. Penetration Testing

by Sean Rosado / April 5, 2023

Confusion About Vulnerability Assessments and Penetration Testing

In my work as a penetration tester, I work with clients who are attempting to meet security and compliance objectives through penetration tests, vulnerability assessments, and other information security-related exercises. What I’ve seen time and time again is organizations that are confused about the difference between vulnerability assessments and penetration testing. I’m passionate about educating our clients on security exercises and determining what…

Auditor Insights: Compliance from the Start

by Shannon Lane / October 11, 2023

Why Don’t Organizations Start with Compliance?

At its core, business is a function of time, vision, service, and money. What do we provide? How do we intend to provide it? What takes precedence - the opportunity now or the infrastructure to support things tomorrow? How do we do what we do in a way that makes sense with the resources we have? I’ve found that compliance tends to be one…