If you’re thinking about embarking on your HITRUST Common Security Framework (CSF) certification process, you’re probably wondering how much it’ll set you back. It’s an important consideration and, frankly, may force a decision not to certify your organization’s security controls against the HITRUST CSF. I think it’s critical to make the case for an informed […]
Depending on who you talk to, the definition of a HITRUST “Gap Assessment” may sound very different. That’s because the HITRUST CSF nomenclature departs slightly from common security parlance. That’s a good thing, in my opinion, because the HITRUST CSF is exacting with pre- and post-certification process requirements. In this article, we’ll dig into what
If you’re a company that needs to comply with the General Data Protection Regulation (GDPR), you’re probably wondering whether or not you need to run penetration tests. Penetration testing that assesses and evaluates corporate infrastructure is a critical part of any security program, but is it needed by law to protect personal data from a data
Many people wonder: does an SSAE 18 SOC 2 assessment require a penetration test? The answer is a resounding “no.” That being said, there are many good reasons to conduct regular penetration testing. Coordinating that testing with other audit functions promotes economies of scale and may even help with responses to those audits. (NOTE: If
Most startups only consider SOC 2 certification after a request from a new or potential new client. At that point there’s a decision to make: Will the time and money spent on attaining SOC 2 certification be worth the revenue it creates in new business? Having worked as a CISO across multiple industries, I’ve managed
Navigating the SOC audit process can be daunting. There are a few options for audits and while the standards are consistent among auditors, each auditor has their own unique style for conducting the audit. In this article, I’m going to break down the primary distinctions between a SOC 2 Type 1 vs Type 2 audit.
A SOC 2 readiness assessment, like other kinds of readiness assessments, highlights an organization’s ability to succeed in an assessment against a framework baseline. Readiness assessments are particularly helpful in driving cost savings for assessments, but take time and effort to conduct. In this article, I’ll outline what a SOC 2 readiness assessment is and
SOC 2 certifications are a must for many businesses in 2023 and a nice-to-have for many others. It’s become a de facto measure of economic and cybersecurity health because of the quality and extent of the review, and the easy snapshot it provides into organizational, financial, and cybersecurity health. Unfortunately, working out your organization’s potential SOC
Chances are you found this page because you’re a small business owner who heard about PCI compliance. Maybe you were notified by a bank or payment processor that you need to be compliant, or you read somewhere that similar businesses to yours have had to be compliant. In either scenario, you probably weren’t expecting it,
It’s common for companies with gaps in their PCI DSS compliance to wonder “How bad could it really be?” Knowing the possible extent of fines for non-compliance, and being able to put dollar values on the risk, can help convince board members or executives to allocate the appropriate budget to your firm’s PCI compliance efforts.