Who’s Enforcing GDPR?

by Sarah Harvey / December 16, 2022

The Information Commissioner's Office (ICO) enforces the GDPR as of May 25, 2018. There’s no doubt that GDPR has brought its fair share of challenges into the world of data privacy. GDPR was specifically designed to impact businesses across the globe, not just European Union Member States. Its ultimate goal, though, is to reduce regulatory differences in order to make data protection laws more consistent and make businesses more transparent.…

How to Scope a HITRUST Engagement

by Sarah Harvey / June 14, 2023

One of the most frequent questions that our Information Security Specialists are asked when engaging in a HITRUST CSF assessment with a client for the first time is, “What is the purpose of narrowing the scope of the engagement?” This is a great question and the answer is simple: everything that you do in a HITRUST CSF assessment is about your scope. The larger your scope is, the more complex…

Components of a Quality Penetration Test

by Sarah Harvey / December 16, 2022

How do you ensure you’ve identified security vulnerabilities before a hacker has? In today’s threat landscape, it’s crucial for organizations to take cybersecurity seriously and create a prevention strategy. We know that organizations today face extremely threatening cybersecurity risks. We know you need validation of your security methods. We know you need someone to uncover the risks and security vulnerabilities that you don’t know about. That’s why we offer quality…

Password Expiration Policy and Best Practices

by Sarah Harvey / June 14, 2023

Microsoft’s Password Guidance recommends that passwords be set to never expire. Microsoft argues, “Password expiration policies do more harm than good, because these policies drive users to very predictable passwords composed of sequential words and numbers which are closely related to each other.” NIST’s guidance suggests, “Verifiers should not require memorized secrets [passwords] to be changed arbitrarily. However, verifiers shall force a change if there is evidence of compromise of the…

PCI Requirement 12.11.1 – Additional Requirement for Service Providers Only: Maintain Documentation of Quarterly Review Process

by Randy Bartels / April 5, 2023

Documenting Your Review Process

The final requirement in PCI Requirement 12 works in conjunction with PCI Requirement 12.11. PCI Requirement 12.11.1 requires organizations to maintain documentation of a quarterly review process, which should include documenting the results of the reviews and the review/sign-off of results by personnel assigned responsibility for the PCI DSS compliance program. Why are PCI Requirement 12.11 and PCI Requirement 12.11.1 listed separately? The PCI DSS explains, “The…