Common Gaps in Vendor Compliance Management

by Sarah Harvey / June 13, 2023

Effective Vendor Risk Management

An effective risk management strategy includes a defined process for assessing and monitoring vendor compliance. Some vendors go to great lengths to secure their services and processes, but others may leave you to pay the consequences. Vendors need to prove what they are doing to reduce risk to you and your customers. You're putting a great deal of control into the vendors' hands, so managing vendor…

What is GDPR Personal Data and Who is a GDPR Data Subject?

by Sarah Harvey / December 16, 2022

Two of the most frequent questions asked about GDPR, especially from non-EU-based organizations, are: What is GDPR personal data? Who is a GDPR data subject? If you’ve been asking these questions but can’t seem to find a clear answer, you are not alone. The answer to these questions can determine whether or not GDPR applies to your organization and to what extent it applies. Let's take a closer look at…

PCI Requirement 11.6 – Ensure Security Policies and Procedures for Security Monitoring and Testing are Documented, in Use, and Known to All Affected Parties

by Randy Bartels / December 16, 2022

Implement Policies and Procedures

PCI Requirement 11 states, "Regularly test security systems and processes." Complying with PCI Requirement 11 is critical to ensuring that you've adequately secured your systems. For this requirement, we've discussed how to test your systems and processes, which includes vulnerability scanning, penetration testing, change-detection, and more. But, as we've learned, it's not enough just to learn and talk about these things. All policies, procedures, and…

PCI Requirement 11.5.1 – Implement a Process to Respond to Any Alerts Generated by the Change-Detection Solution

by Randy Bartels / December 16, 2022

Responding to Alerts

PCI Requirement 11.5.1 works in tandem with PCI Requirement 11.5. When your change-detection mechanism gives you an alert, you must have a process in place to respond to it. PCI Requirement 11.5.1 states, "Implement a process to respond to any alerts generated by the change-detection solution." During the assessment process, your staff will be interviewed to ensure that all alerts are investigated and resolved. Keeping in…

PCI Requirement 11.5 – Deploy a Change-Detection Mechanism to Alert Personnel to Unauthorized Modification of Critical System Files, Configuration Files, or Content Files

by Randy Bartels / December 16, 2022

Change-Detection Mechanisms

If change-detection mechanisms are not implemented properly, a malicious individual could take advantage and could add, remove, or alter configuration file contents, operating system programs, or application executables. This is why PCI Requirement 11.5 says, "Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly." During…
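The following is an added example, not code from the original posts or from any PCI DSS guidance: a minimal change-detection mechanism of the kind Requirement 11.5 describes, with each finding recorded in a form that the Requirement 11.5.1 response process can investigate. It builds a SHA-256 baseline of a monitored file set, then compares the current state against that baseline and reports files that were added, removed, or modified (content hash, size, or permission bits). The monitored paths, the `baseline.json` name, and the sample files are assumptions constructed for the demo.

```python
"""Minimal file-change detection (file integrity monitoring).

Added illustration for PCI DSS Requirement 11.5 / 11.5.1. All paths, file
contents and the baseline file name below are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, monitored: list[str]) -> dict:
    """Record hash, size and permission bits for each monitored file that exists.

    Permission bits are included so that a chmod on an unchanged binary is
    still reported as a modification.
    """
    baseline = {}
    for rel in monitored:
        p = root / rel
        if p.is_file():
            st = p.stat()
            baseline[rel] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def save_baseline(path: Path, baseline: dict) -> None:
    # In production the baseline must be protected from the same attacker
    # (store it off-host or sign it); here it is written locally for the demo.
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(root: Path, monitored: list[str], baseline: dict) -> list[dict]:
    """Return one alert per added, removed or modified monitored file.

    Each alert carries the evidence an investigator needs (old and new hash),
    which is what the 11.5.1 response process acts on.
    """
    current = build_baseline(root, monitored)
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None:
            alerts.append({"file": rel, "change": "added", "sha256_after": after["sha256"]})
        elif after is None:
            alerts.append({"file": rel, "change": "removed", "sha256_before": before["sha256"]})
        elif before != after:
            alerts.append({
                "file": rel,
                "change": "modified",
                "sha256_before": before["sha256"],
                "sha256_after": after["sha256"],
            })
    return alerts


def demo() -> tuple[list[dict], list[dict]]:
    """Constructed scenario: baseline, verify unchanged, tamper, verify again."""
    monitored = ["etc/app.conf", "bin/payment-svc", "etc/cron.d/backup"]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc/app.conf").write_text("db_host=10.0.0.5\ntls=required\n")
        (root / "bin/payment-svc").write_bytes(b"\x7fELF constructed placeholder binary")
        baseline_file = root / "baseline.json"
        save_baseline(baseline_file, build_baseline(root, monitored))
        clean = compare(root, monitored, load_baseline(baseline_file))

        # Simulated unauthorized changes: config altered, executable removed,
        # new cron entry dropped in.
        (root / "etc/app.conf").write_text("db_host=10.0.0.5\ntls=off\n")
        (root / "bin/payment-svc").unlink()
        (root / "etc/cron.d").mkdir()
        (root / "etc/cron.d/backup").write_text("* * * * * root /tmp/x\n")
        tampered = compare(root, monitored, load_baseline(baseline_file))
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("alerts before tampering:", before)
    print("alerts after tampering:", json.dumps(after, indent=2))
```

Run the comparison on a schedule (the requirement's floor is weekly; daily or more is common) and feed each alert into the ticketing or SIEM workflow your 11.5.1 process defines, so that every finding is visibly investigated and closed.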