What is Threat and Vulnerability, and How Does it Relate to Risk?

by Sarah Harvey / February 7, 2023

Vulnerability x Threat = Risk. In order to understand risk, we must first understand the definition of threat and vulnerability. A business risk results from significant conditions, events, circumstances, actions, or inactions that could adversely affect your company’s ability to achieve its objectives and execute strategies. Risk is a condition that results when vulnerabilities and threats act upon critical assets. In information security, we like to use the formula “Vulnerability…

5 Ways to Defend Your Business From Cyber Threats

by Sarah Harvey / April 12, 2023

As cyber threats continue to be a major concern for business owners, not having a cybersecurity strategy in place is no longer an option. You must be prepared to defend your business from cyber threats and be proactive with your cybersecurity prevention strategies. Here are 5 easy ways to defend your business from cyber threats. 1. Know Your Risks. As auditors, we frequently talk about risk assessment and risk management…

PCI Requirement 6.7 – Ensure Policies and Procedures for Developing and Maintaining Secure Systems and Applications Are Documented, in Use, and Known to all Affected Parties

by Randy Bartels / February 7, 2023

Documentation Requirements. PCI Requirement 6 pairs with PCI Requirement 5 to satisfy vulnerability management program expectations. PCI Requirement 6 states, “Develop and maintain secure systems and applications.” The purpose of this requirement is to build a process for securely managing the software within your environment. For this requirement, we’ve discussed the 18 sub-requirements and topics such as how to securely develop applications, common coding vulnerabilities, and how to ensure your…

PCI Requirement 6.6 – Address New Threats and Vulnerabilities on an Ongoing Basis for Public-Facing Web Applications

by Randy Bartels / February 7, 2023

Address New Threats and Vulnerabilities for Web Applications. PCI Requirement 6.6 states, “For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.” You can comply with PCI Requirement 6.6 through two methods: by reviewing public-facing web applications via manual or automated application vulnerability security assessment, at least annually and after any changes, or by installing an automated technical…

PCI Requirement 6.5.9 – Cross-Site Request Forgery

by Randy Bartels / February 7, 2023

What is Cross-Site Request Forgery? PCI Requirement 6.5.9 states that your organization’s applications are protected from cross-site request forgery (CSRF). PCI Requirement 6.5.9 applies to all of your organization’s web applications, internal application interfaces, and external application interfaces. Web applications, the PCI DSS states, have unique security risks as well as relative ease and occurrence of compromise. OWASP describes a CSRF as a type of attack that forces an end-user…