What is GDPR Personal Data and Who is a GDPR Data Subject?

by Sarah Harvey / December 16, 2022

Two of the most frequent questions asked about GDPR, especially from non-EU-based organizations, are: What is GDPR personal data? Who is a GDPR data subject? If you’ve been asking these questions but can’t seem to find a clear answer, you are not alone. The answer to these questions can determine whether or not GDPR applies to your organization and to what extent it applies. Let's take a closer look at…

PCI Requirement 11.6 – Ensure Security Policies and Procedures for Security Monitoring and Testing are Documented, in Use, and Known to All Affected Parties

by Randy Bartels / December 16, 2022

Implement Policies and Procedures

PCI Requirement 11 states, “Regularly test security systems and processes.” Complying with PCI Requirement 11 is critical to ensuring that you’ve adequately secured your systems. For this requirement, we’ve discussed how to test your systems and processes, which includes vulnerability scanning, penetration testing, change-detection, and more. But, as we’ve learned, it’s not enough just to learn and talk about these things. All policies, procedures, and…

PCI Requirement 11.5.1 – Implement a Process to Respond to Any Alerts Generated by the Change-Detection Solution

by Randy Bartels / December 16, 2022

Responding to Alerts

PCI Requirement 11.5.1 works in tandem with PCI Requirement 11.5. When your change-detection mechanism gives you an alert, you must have a process in place to respond to it. PCI Requirement 11.5.1 states, “Implement a process to respond to any alerts generated by the change-detection solution.” During the assessment process, your staff will be interviewed to ensure that all alerts are investigated and resolved. Keeping in…

PCI Requirement 11.5 – Deploy a Change-Detection Mechanism to Alert Personnel to Unauthorized Modification of Critical System Files, Configuration Files, or Content Files

by Randy Bartels / December 16, 2022

Change-Detection Mechanisms

If change-detection mechanisms are not implemented properly, a malicious individual could take advantage and could add, remove, or alter configuration file contents, operating system programs, or application executables. This is why PCI Requirement 11.5 says, “Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.” During…

PCI Requirement 11.4 – Use Intrusion-Detection and/or Intrusion-Prevention Techniques to Detect and/or Prevent Intrusions into the Network

by Randy Bartels / December 16, 2022

Detecting and Preventing Intrusion

Has your organization implemented intrusion-detection and/or intrusion-prevention techniques? PCI Requirement 11.4 requires that organizations implement the following:

- Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network.
- Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment.
- Alert personnel to suspected compromises.
- Keep all intrusion-detection and prevention engines, baselines, and…