GDPR Readiness: Are You a Data Controller or Data Processor?

by Sarah Harvey / July 12, 2023

GDPR Roles - Where Does Your Organization Start?

The most common questions we’re hearing related to GDPR have to do with roles – what role does my organization play? Are we a data controller or data processor? Joint controller? Controller-processor? Where should we start in our journey towards GDPR compliance? This can be a confusing aspect of compliance, but GDPR requirements depend on roles, so determining what role your organization…

How Can a SOC 2 Bring Value to Your SaaS?

by Sarah Harvey / June 14, 2023

No one wants to work with an at-risk SaaS provider. If someone is looking to use your services, they want to know how secure your SaaS solution actually is. You may think you have a secure SaaS solution, but does an auditor? Does a hacker? Let’s look at how a SOC 2 audit could bring value to your organization’s reputation, marketing initiatives, and competitive advantage. What is a SOC 2?…

HITRUST Update: HITRUST CSF v9.1 Release

by Sarah Harvey / December 20, 2022

HITRUST’s Continual Effort to Evolve

As more and more organizations look to the HITRUST CSF® as a way to ensure security and compliance, HITRUST continually updates the framework to incorporate evolving regulations and standards. What's new in HITRUST CSF v9.1, HITRUST's latest release? HITRUST CSF v9.1 includes changes based on community feedback as well as two major updates: support of GDPR and 23 NY CRR 500 requirements. The incorporation of…

Overdue on New PCI Penetration Testing Requirements? What You Need to Know About PCI Requirement 11.3.4.1

by Sarah Harvey / December 20, 2022

What are PCI Penetration Testing Requirements?

Nine new PCI DSS v3.2 requirements turned from best practices to requirements on February 1, 2018. One requirement in particular, PCI Requirement 11.3.4.1, outlines new PCI penetration testing requirements and caused confusion among many service providers. PCI Requirement 11.3.4.1 states: “If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes…

SOC 2 Reporting Update: 2017 Trust Services Criteria

by Sarah Harvey / December 20, 2022

SOC 2 Compliance: Reporting Changes

You may have recently noticed some changes in SOC 2 reporting, like the inclusion of an internal control framework and a change from “Trust Services Principles” to “Trust Services Criteria.” Why the changes? The AICPA’s Assurance Services Executive Committee (ASEC) recently issued a SOC 2 reporting update that includes a new set of 2017 Trust Services Criteria, which will provide integration with the 2013 COSO…