by
Sarah Harvey / June 14, 2023
One of the most frequent questions that our Information Security Specialists are asked when engaging in a HITRUST CSF assessment with a client for the first time is, “What is the purpose of narrowing the scope of the engagement?” This is a great question and the answer is simple: everything that you do in a HITRUST CSF assessment is about your scope. The larger your scope is, the more complex…
by
Sarah Harvey / December 16, 2022
How do you ensure you’ve identified security vulnerabilities before a hacker has? In today’s threat landscape, it’s crucial for organizations to take cybersecurity seriously and create a prevention strategy. We know that organizations today face extremely threatening cybersecurity risks. We know you need validation of your security methods. We know you need someone to uncover the risks and security vulnerabilities that you don’t know about. That’s why we offer quality…
by
Sarah Harvey / June 14, 2023
Microsoft’s Password Guidance recommends that passwords be set to never expire. Microsoft argues, “Password expiration policies do more harm than good, because these policies drive users to very predictable passwords composed of sequential words and numbers which are closely related to each other.” NIST’s guidance suggests, “Verifiers should not require memorized secrets [passwords] to be changed arbitrarily. However, verifiers shall force a change if there is evidence of compromise of the…
by
Randy Bartels / April 5, 2023
Documenting Your Review Process The final requirement in PCI Requirement 12 works in conjunction with PCI Requirement 12.11. PCI Requirement 12.11.1 mandates organizations to maintain documentation of a quarterly review process, which should include documenting results of the reviews and review/sign-off of results by personnel assigned responsibility for the PCI DSS compliance program. Why are PCI Requirement 12.11 and PCI Requirement 12.11.1 listed separately? The PCI DSS explains, “The…
by
Randy Bartels / April 5, 2023
Reviewing Your Personnel If you are a service provider, your organization must comply with PCI Requirement 12.11. It requires that you perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. These reviews must cover the following processes: Daily log reviews Firewall rule-set reviews Applying configuration standards to new systems Responding to security alerts Change management processes The PCI DSS explains, “Regularly confirming that…
