Reading Time: 3 minutes

Vulnerability scanning and penetration testing are both testing methods that can be used to identify security vulnerabilities, but these testing methods each offer different benefits and are suitable for different applications. A penetration tester might run a scan during testing, but not vice versa. It’s a common misconception that the value offered by each of these methods is comparable or interchangeable. This summary explains the differences.

What is a vulnerability scan?

A vulnerability scanner is a program that checks your services for weak versions or weak configurations based on known signatures. In some cases, the scanner also checks if a weak version could be exploited. The scanner operates externally and scans the system according to this pattern:

  • Identify service
  • Identify service-version
  • Check DB for known vulnerabilities based on the version
  • Run the script that checks the vulnerability

The scanner generates a report that includes a generic description of the vulnerability and a generic security recommendation. If something disrupts the flow of this pattern, the remaining steps are not executed. For example, if the service version were tampered with to show a non-standard format, no vulnerabilities would be evaluated because none would match a version stored in the DB.
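The four-step pattern above, and the way one disrupted step empties the report, as an added Python example (not the page's code): a toy scanner with a constructed two-entry vulnerability DB. The service names, banners, ids and descriptions are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample vulnerability DB: service -> list of records.
# Versions up to and including max_version are treated as affected.
# Names, ids and descriptions are invented, not real advisories.
VULN_DB = {
    "ExampleFTP": [
        {"max_version": (2, 3, 4), "id": "EX-0001",
         "desc": "anonymous write enabled by default before 2.3.5"},
    ],
    "ExampleHTTP": [
        {"max_version": (1, 9, 0), "id": "EX-0002",
         "desc": "directory listing enabled by default before 1.9.1"},
    ],
}

# Steps 1 and 2 rely entirely on the banner having the expected shape.
BANNER_RE = re.compile(r"^(?P<service>[A-Za-z]+)/(?P<version>\d+\.\d+\.\d+)\b")


@dataclass
class Finding:
    service: str
    version: str
    vuln_id: str
    description: str                   # generic text straight from the DB
    exploit_confirmed: Optional[bool]  # None means no check script was run


def identify_service(banner: str) -> Optional[Tuple[str, str]]:
    """Steps 1-2: pull the service name and version out of the banner."""
    m = BANNER_RE.match(banner)
    if m is None:
        return None
    return m.group("service"), m.group("version")


def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def lookup_known_vulns(service: str, version: str) -> List[dict]:
    """Step 3: match the parsed version against the DB."""
    parsed = parse_version(version)
    return [rec for rec in VULN_DB.get(service, []) if parsed <= rec["max_version"]]


def scan_banner(banner: str,
                checks: Optional[Dict[str, Callable[[], bool]]] = None) -> List[Finding]:
    """Run the four-step pattern. If any step yields nothing, the rest never runs."""
    ident = identify_service(banner)
    if ident is None:
        # Non-standard banner: the flow stops here and the report is empty,
        # even though the service behind it may be exactly as vulnerable.
        return []
    service, version = ident
    findings = []
    for rec in lookup_known_vulns(service, version):
        # Step 4: run the per-vulnerability check script when one exists.
        check = (checks or {}).get(rec["id"])
        confirmed = check() if check is not None else None
        findings.append(Finding(service, version, rec["id"], rec["desc"], confirmed))
    return findings


if __name__ == "__main__":
    for banner in ("ExampleFTP/2.3.1 ready",
                   "ExampleFTP build 2.3.1 (hardened)",  # same version, rewritten banner
                   "ExampleHTTP/1.9.2"):
        print(banner, "->", scan_banner(banner))
```

The second banner describes the same vulnerable version as the first, but because step 2 fails to parse it, steps 3 and 4 never run and the report says nothing.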

What is a penetration test?

A penetration test is a system test that simulates a hacker attempting to get into your system or server. The only difference is that the tester has no ill intentions and will generate a detailed report of their findings afterwards. The report will include an explanation of each vulnerability in the context of the business. The point of penetration testing is to identify and locate vulnerabilities and provide a proof of concept (POC).

Key Differences

Understanding Logical Procedures

A scanner cannot understand undescribed processes, so it could overlook problematic but logical manipulations, like an e-commerce store allowing users to bypass the payment process to submit a purchase without paying. A penetration tester or “pentester” can identify these logical manipulations and save the client from potentially severe losses.

Understanding Impact

A scanner can recognize the face value of a vulnerability but not the potential impact it can have on the business. For example, if a scanner found a web page that contains customer contact information, it might mark it as a low or medium vulnerability because there are exposed email addresses. A pentester would understand that this information could be the target of malicious intent because it can be sold to competitors, which would put the business at risk of losing clientele.

Detailed Report

A scanner report includes generic descriptions of the vulnerabilities it identifies and generic recommendations for alleviating them. This can present a problem when the client cannot follow a recommendation because it is not aligned with their needs, and the description is not specific or detailed enough for the client to work out an alternative solution independently. A pentester report provides a dedicated description of each vulnerability with recommendations customized to the client’s needs. It may also offer alternative suggestions when the primary recommendation would interfere with those needs. The pentester’s report will also include a POC. Scanners rarely provide a POC and tend to produce more false positives, which can waste resources.

Value

The scanner is easy to operate, faster than a human, and covers significantly more ground, but yields generic results. A pentest requires a kickoff and scope definition but yields more detailed, dependable, and applicable results. The price of a vulnerability scan and of a penetration test will both depend on the service provider. In most cases, the scanner is the cheaper option, and there are also free scanners available. Again, the results achieved by the scanner are not as valuable as those of a penetration test, so businesses should consider the value relative to the cost.

Summary

A vulnerability scan can be a valuable tool for covering a broad area with shallow testing. It’s “an inch deep but a mile wide.” Penetration testing can be as deep and thorough as you need it to be but has lower coverage because of its human nature. However, a penetration tester is a skilled professional who can target the most crucial aspects of your system.

Secure Development Lifecycle

How to Incorporate Secure Practices Without Choking Development

The Secure Development Lifecycle is a process that can reduce the occurrence of security-related bugs and increase reliability and privacy. SDL integrates security and privacy considerations into every phase of development, resulting in highly secure software that meets compliance requirements.

It starts with security requirements as part of the outline of the client’s needs. A risk assessment and threat model are then completed, followed by secure coding, automated testing, and manual code review. Penetration testing is performed before the threat model is repeated. When all vulnerabilities are addressed, the application can be uploaded to production by a separate team, and ongoing monitoring can begin.

Benefits and ROI: Is SDL worth it?

Yes, SDL increases overall ROI. On the surface, incorporating SDL seems disruptive and more costly than your existing development process, but it prevents security-related bugs and change requests in the later stages, where they are far more complicated and expensive to deal with. Implementing security in the requirements and design stages identifies security issues and bugs and allows the team to address them while progressing through development. It’s a far more efficient process and saves money overall.

All Security Controls in SDL

These are the security controls that are possible to incorporate as part of the secure development lifecycle, but they are not all necessarily recommended as the most efficient means of optimizing security, hitting release deadlines, and maximizing ROI. Following this list are our recommendations for integrating SDL as part of an Agile environment without choking the development process.

Security Requirements and Design

A list of requirements should be assembled before the creation of a high-level design (HLD). These requirements will reflect the needs of the business. All security needs should be added to this list by the CISO as well. Include legal obligations for privacy and security. This ensures that the security needs are understood and considered from the very beginning. Ongoing requirements like secure coding practices and input validation do not need to be added to the list. A solution with embedded authentication should have requirements such as:

  • Credentials should be sent encrypted
  • Two-factor authentication (2FA) should be embedded
  • Password reset should not use the same channel as the 2FA
  • User account should be temporarily locked after ten consecutive failed attempts
  • Authentication should not be federated with any service unless approved by the CISO
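The fourth requirement above, carried into code as an added example (not from the page or any project it describes): a lockout policy that counts consecutive failed attempts per account and rejects every attempt, valid credentials included, until the lock expires. The 15-minute lock duration is an assumption; the page only says "temporarily".

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

MAX_CONSECUTIVE_FAILURES = 10   # the number stated in the requirement
LOCK_SECONDS = 15 * 60          # assumption: the page does not say how long "temporarily" is


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means never locked


class LockoutPolicy:
    """Tracks consecutive failed logins per account and applies a temporary lock.

    The caller verifies the credentials and passes the result; the policy
    enforces the lock regardless of whether the credentials were valid.
    `clock` is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        return self._clock() < self._state(user).locked_until

    def failures(self, user: str) -> int:
        return self._state(user).consecutive_failures

    def record_attempt(self, user: str, credentials_valid: bool) -> str:
        """Apply one login attempt; returns 'ok', 'failed' or 'locked'."""
        st = self._state(user)
        now = self._clock()
        if now < st.locked_until:
            # Attempts during the lock are rejected and do not extend it,
            # so an attacker cannot keep a legitimate user locked out forever.
            return "locked"
        if st.locked_until:
            # A previous lock has expired: start counting afresh.
            st.consecutive_failures = 0
            st.locked_until = 0.0
        if credentials_valid:
            st.consecutive_failures = 0   # "consecutive": one success resets the count
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            st.locked_until = now + LOCK_SECONDS
            return "locked"
        return "failed"


if __name__ == "__main__":
    policy = LockoutPolicy()
    for _ in range(MAX_CONSECUTIVE_FAILURES):
        last = policy.record_attempt("demo-user", False)
    print("after ten failures:", last, "| locked:", policy.is_locked("demo-user"))
```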

Risk Assessment & Threat Modeling

Once the HLD is complete, conduct risk assessment and threat modeling to map weaknesses and security gaps. This will identify and mitigate risks before they breach your acceptance level. All risks that are mapped in this phase and their countermeasure controls should be documented for verification in later development.

Secure Coding

Secure coding practices are relevant to anything that the development team produces. It’s an ongoing effort to verify that the development code practices and developer knowledge are appropriately aligned with the company’s security goals and targets. Secure coding can be taught or reestablished in training, workshops, or online solutions.

QA & Security Tests

Security testing begins when coding is almost finished, during the QA/testing phase. Running automated testing tools before manual code review speeds up the process by getting most issues and errors out of the way. Then manual review can be conducted to ensure the strength and integrity of the code.

Static Application Security Testing (SAST)

Automation in code review not only accelerates the process but can also detect gaps that would otherwise be overlooked. An automated SAST tool can quickly reveal common and in-depth security holes for fast remediation by developers. The best SAST supports most of the languages used in the code that’s being tested.

Dependencies Weak Version Detection

Another aspect of code review that can be automated is the detection of weak dependency versions used by the code. As with SAST, these tools are often categorized by the coding language and the repository. The tool used should be compatible with the applications being diagnosed.

Dynamic Application Security Testing (DAST)

DAST tests the application after uploading it to a staging server. It’s the closest value you’ll get to an automated penetration test, apart from conducting actual penetration testing.

Code Approvals

Once all issues raised during automated testing are resolved, the code should be reviewed by a developer who was not involved in writing the code. This review is meant to identify any weak coding, back doors, and insecure configurations and verify that the code’s logic is solid. There are many online security training options for secure code review.

Penetration Test (PT)

Penetration testing tells you how resilient your application will be against a malicious attacker so you can minimize the risk of actual damage. This phase tests the final product for vulnerabilities that could be exploited by simulating various cyberattacks and is often considered the final security maturity test before releasing to production.

Risk Assessment & Threat Modeling

When all other testing and review stages are complete, the risk assessment and threat modeling should be repeated. This helps devs verify that all findings from the initial assessment have been remediated and that no other threats have been created during the different stages of development.

Uploading to Production

DevOps or IT should be responsible for the upload to production. This prevents the creation of new security concerns from the development team having access to too many assets. A developer with admin access to a production server could bypass the security controls and upload their own code.

Monitoring

Once a service is uploaded and online, ongoing monitoring will help minimize and prevent attacks. Your team can identify attacks in real-time and avoid damage by maintaining log collection, monitoring illicit behavior, and sending alerts based on anomaly detection.

SDL for Agile Workflow

Implementing that entire process in an Agile workflow is likely to choke the process, slowing development and preventing timely delivery. This adjusted version of the SDL list provides the best ROI and security value with minimum weight and overhead on the development process.

Security Requirements

Making security requirements part of your pre-HLD requirements list doesn’t add much cost or time and is crucial to the success of the process. Without this step, the dev team is much more likely to miss legal security obligations and stakeholder requirements. We recommend keeping this step as part of your Agile SDL.

It is also worth considering running threat modeling on core-design or otherwise impactful changes; since this is not a standard operation in an Agile workflow, it often doesn’t get its own stage.

Secure Coding

Secure coding should be part of your developers’ training and should not change the development process from its existing format. This step is considered a benefit to the developers and should not be left out of your SDL process.

QA & Security Tests

Automated Testing

The automated testing processes SAST, dependencies weak version detection, and DAST have very little manual activity required and are light on overhead to the development process when appropriately implemented. Keeping these processes as part of your Agile SDL offers significant benefits over cost.

Code Approval

Manual code review and approval are critical and essential because all security tests were automated up to this point. While automated processes are efficient at identifying some mistakes, some logical mistakes in the code are not likely to be found until the manual review.

Periodic Penetration Testing

Penetration testing should be conducted annually and after any significant changes instead of running it for every version. If your risk appetite is low, you can run small penetration tests on specific scopes throughout the year. These tests will focus on changes to the application since the last test. Time should be reserved for developers to address vulnerabilities as soon as possible after each penetration test.

Upload to Production

Uploading to production has to be done anyway, so it should be done securely. The development team that wrote the code should not be involved in the upload to production because this grants too much access to a single team.

Monitoring

Attacks will happen regardless of the security measures you implement during development. Ongoing monitoring identifies attacks and enables you to respond at an early stage. Without monitoring, you may learn about attacks only after critical damage is done.

Ransomware Incident Response

When your network is breached by malicious behavior, the extent of the damage you sustain will depend on your immediate detection and response. To optimize the protection of your data, your reputation, and your company, you should establish a set of policies and procedures for malicious breaches like ransomware. These policies and procedures are known as an incident response plan (IRP).

What is ransomware?

Ransomware is malware that is used to ransom data. Malicious software is used to access data and hold it hostage. The cybercriminals will then demand payment in exchange for a decryption key or password or they will offer the data to competitors for a price. In some cases, attackers will threaten to release the data to the public if they don’t receive payment.

How can you prevent ransomware?

Cybercrime is making technological leaps as fast as or faster than many legitimate businesses. There are steps you can take to reduce the risk of a malware incident in your network, but it’s equally as important to create an IRP because there are no 100% guarantees against cybercrime. By taking proactive measures and creating an IRP, you can minimize the damage done by breach incidents.

Back Up Your Data

The easiest defense against a standard ransomware attack is to keep updated backups that will allow you to access your data. Your backup strategy should be carefully planned with consideration to your budget and storage space, speed of data accumulation or changes, and the advanced nature of ransomware viruses.

How often should you back up your data?

Backing up your data too frequently will increase the cost and storage requirements, but not backing up frequently enough will leave you with outdated and largely useless data in the event of a ransomware attack.

How long should you keep backups?

Some ransomware viruses are programmed to lie dormant for extended periods. The goal is to be copied into a data backup and remain undetected until your clean backups have been deleted. If this happens, your data and your backups will both be corrupted. Backups should be kept for a minimum of two months, and longer if storage space allows.

Annual Test Restoration

Practice restoring your data from a backup at least once a year. This practice will allow you to identify any issues in your data backup and restoration procedures and verify that everything will work as expected in the event of a real malware incident.

User Permission Audit

Access to files is governed by user permissions. By regularly auditing and limiting permissions as much as possible, you can minimize the impact of ransomware attacks. When malware gains control of a user in your network, the data it can corrupt is limited to what that user’s permissions allow it to read and write.

Monitoring

Active monitoring will alert you to cybersecurity incidents in real time, allowing you to react and limit the blast radius. You can set alerts for certain behaviors, such as more than 30 files being opened and edited in less than a minute. Behaviors like this require investigation, which can begin as soon as your monitoring solution makes you aware of them. That solution should be connected to the security control agents, such as antivirus, anomaly detection, the internet gateway, and firewalls.

Incident Response Procedures and Practices

An incident response plan accelerates the response time of your IT team and reduces the impact of breach events. During a cybersecurity incident, there will be no delay in assigning tasks and leadership. Defense and reparation can be executed immediately based on established guidelines.

Dealing with Hackers

Paying a ransom does not guarantee access to your data. In some cases when access is restored, hackers have been known to discreetly retain control of a network to repeat the attack in the future, now that it’s marked as a paying customer. When attackers utilize more than one of the following extortion options, it’s known as “double extortion”.

  • Encrypting all files
  • Retaining network control
  • Creating a backdoor
  • Releasing/selling data

Your board may decide to negotiate with the attackers. For this course of action, it is recommended to use an experienced and professional service provider that specializes in negotiation with cybercriminals. By negotiating with attackers, you can:

  • Identify your security vulnerabilities
  • Reduce ransom demands
  • Extend the deadline for payment
  • Profile the attacker to learn their probable next steps
  • Discover the full extent of the breach
  • Make a deal for essential data

Dealing with Ransomware

Your first move should be to contact the incident response team. Your in-house IT team may or may not have the necessary skills. In some countries, the government offers these services in cooperation with service providers to the best of their ability. Until the incident response team takes over, there are steps you can take to reduce the damage and stop the spread of malware.

Identify the Point of Infection

For any action to run on a computer, it needs a PC, process, and user. Find out which computer is running the malware and then identify the user and the infected process. This information can help the incident response team solve the issue faster.

Start with the breach notification. Identify the source and review the changes that were made to files in that location, as well as the permissions given to that user. To make this step easier, your monitoring system should log the date, IP, user, action, and parameters of:

  • Login
  • Read file
  • Write file
  • Delete file

Isolate the Infected Computer

Use firewall rules to restrict outgoing and incoming access to the infected computer. Deny all traffic to and from the infected computer until it is verified as virus-free. Keep in mind that any login information, including IT login, could be captured and the credentials could be used to attack other networks.

Apply the same restrictions to the user and the process. Disable the user and manually mark the process hash signature as suspicious on the corporate AV so it will be blocked on any other corporate network. Malware often names the infected process as a legitimate operating system process, so blocking it by name can cause workflow disruption.

Monitor for Similar Activity

Focused monitoring flags specific security events that are typical to the malware, such as opening certain files or heavy loads of communication. Monitoring for similar activities can help detect lateral movement and malicious activity running on other machines.

Document the Event

Keep a detailed log of the event, the team’s response, and tasks completed. This will help to inform the incident response team, formalize a report, and prove due diligence to authorities.

Consider the Health of Your Backups

During a crisis, do not delete any backups. Keep in mind that the most recent backups could be infected. Identify your most recent clean backup before taking any action to restore your data from a backup.

Practice Your Incident Response Plan

Test and practice your IRP at least once a year to identify any gaps that could cause a delay during a real ransomware event. Annual practice improves your posture against malware by ensuring your procedures, response teams, backups, and monitoring are practical and functional when you need them.

Critical Data Breach Notifications

Some data breaches require that you notify authorities and customers within a specified period. Not reporting could cause increased fines and sanctions on your organization. There should also be a plan to notify employees who can provide any relevant information to help with defense and response. Prepare contact information for applicable parties ahead of time and define the criteria that would require notification. Regulations that require notifications include:

  • GDPR
  • PCI-DSS
  • HIPAA
  • CCPA
  • SEC
  • NYDFS
  • SHIELD
  • SOC2

Business Continuation Plan (BCP)

A BCP will enable your organization to return to regular operations more quickly and minimize the impact of a data breach. If you don’t have a BCP, make one that can be implemented concurrently with your IRP.

How to Follow Up a Ransomware Incident

When the breach is contained and operations have been restored, review your security posture and identify opportunities for improvement that could prevent future incidents. Some appropriate actions include:

  • Revise IRP
  • Risk Assessment
  • Design Review
  • Penetration Testing
  • Phishing Simulation
  • Vulnerability Assessment

The Importance of Supply Chain Risk Assessment and How to Get Started

When it comes to consequences, it does not matter much if a data breach was caused by weaknesses in your own cybersecurity or that of a third-party service provider. Whether it is your mistake or theirs, you will be hit with fines, seriously bad publicity, and a devastating loss of clients. As the world nearly completed the transition to digital commerce over the past year, supply chain attacks have jumped 430%. Vendor security is more important now than ever. Do you know which data your vendors have access to and whether their cybersecurity is adequate? Most compliance programs include vendor risk management and due diligence, but if you don’t plan on securing the benefits of ISO 27001 or SOC2, you should consider your vendor and service provider security carefully.

Here are just three of many examples.

Target Corporation 2013

Target was ordered to pay an $18.5 million settlement for putting 41 million customer payment accounts at risk. Attackers hacked the retail giant’s computer gateway server with credentials stolen from a third-party service provider and installed malware to capture names, contact information, credit card information, and other sensitive data.

Ticketmaster 2018

Ticketmaster was accused of failing to assess the risks of a third-party chatbot on its payment page, as was required by PCI-DSS standards, even though the chatbot was not meant to process payments. The event ticket company found malware within a customer function that had access to names, contact info, and payment info. They were fined roughly $1.7 million in just the UK, but the malware was found on Ticketmaster sites around the world.

SolarWinds 2020

SolarWinds is a software development company that was using a third-party service provider to update its Orion product. Hackers used password guessing, password spraying, and unsecured admin credentials to sneak malware into an update and gain access to the sensitive data of not only several Fortune 500 companies, but also various institutions of the United States government, including the Pentagon, the Department of Homeland Security, the National Nuclear Security Administration, the Department of Energy, and the State Department. Private companies that were affected included Microsoft, Intel, Cisco, and Deloitte. The attack went undetected for months until a cybersecurity firm detected their own hacking tools had been accessed and stolen, presenting another cause for concern. Though investigations are ongoing, Russia has been blamed for the attack and SolarWinds’ shares have plummeted.

How to Determine and Reduce Vendor Risk

Once you become aware of the potential threat posed by inadequacies in your vendor and service provider security, you will probably be anxious to identify and resolve weaknesses in your supply chain. You can outsource your supply chain risk management and security due diligence to experienced professionals, or you can take the following steps on your own.

Mapping

You might be surprised by the number of service providers and vendors you use but are not aware of. Create a complete map of them all by inquiring with each division and team. Document your list in a database where you can store additional details about each one as you obtain them. Consider using one of the platforms out there that can assist and automate the due diligence process for you. These platforms will provide great visibility, dashboards, and reporting capabilities.

Risk Assessment

Some of your vendors might not have any access to sensitive data, but some could have direct access to your environment. The risk they present to your business depends on the data they receive and how they receive it. Determining the risk of each vendor will help you determine which controls you should implement.

Implementation

One method of ensuring implementation of the appropriate cybersecurity measures is to send out a questionnaire for the vendor to complete. This method is appropriate for vendors who present lower risk and who do not require a significant level of control. Another method is to send an auditor to collect information and evidence of the existing controls and security measures. This method is appropriate for vendors who require higher levels of security because they pose a greater potential risk to your business. After you assess the existing cybersecurity, discuss any gaps you discover and follow up with your vendors as needed with questionnaires and evidence collection.

Summary

Part of taking care of your own cybersecurity is verifying that of your vendors and service providers. Begin by mapping them, then determine the severity of the risk they present, and ensure the implementation of appropriate cybersecurity controls using questionnaires and auditors. If you do not have the necessary resources to map, assess, and ensure implementation of your vendor security, consider outsourcing your supply chain security risk management and due diligence to GRSee Consulting for a turnkey solution based on your business needs and risk appetite.

And what are the benefits of having one?

The budget needed to keep a qualified, full-time CISO is beyond what a lot of startups can afford. Security should definitely be a high priority, but it’s not cost-effective to take money out of development, marketing, and sales, to pay for a single role to be filled. In addition to the steep salary, an in-house CISO will require a sizable budget to achieve the points on his or her agenda. Overall, even if you can find a proven CISO who’s available, the costs are simply too high. vCISO services give you immediate access to elite cybersecurity professionals who can bring your business what it needs at a dramatically reduced cost.

What is a vCISO?

A virtual Chief Information Security Officer (vCISO) is a team or individual with high-level cybersecurity expertise that you can procure to design and support your security programs. The vCISO works with your existing security management structure to achieve measurable improvements in your security posture, which you can then leverage in attracting new leads and closing new deals.

What does a vCISO do?

An experienced vCISO will start with an analysis of your existing security system. This evaluation identifies weaknesses in the system and gives the vCISO a foundation to start from. From there, the vCISO will work with your management and technical teams to address cybersecurity challenges and achieve compliance. If existing practices are outdated or ineffective, your vCISO will direct your in-house information security teams and engage with executive management to set new privacy and security policies and standards. He or she will also carry out risk assessments to determine the strength of your operational security.

What does a vCISO not do?

A vCISO is not a cybersecurity program manager. They do not implement and execute your cybersecurity system or any of its functions. Your vCISO is a top-tier cybersecurity professional who is engaged to assess your cybersecurity system and design solutions for any inadequacies that might be making your business or your clients vulnerable, inhibiting business growth, or preventing compliance.

The Benefits of vCISO

The primary and most obvious benefit of working with a vCISO is the unbeatable expertise you’ll be able to leverage to increase the value of your company with better cybersecurity and certified compliance. Security is too important to be managed as a secondary role by the CTO or VP R&D. Your clients and prospects expect a higher level of prioritization for your security procedures and programs. Independent cybersecurity experts are familiar with the challenges of managing information security across a wide range of sectors and industries.

Cost-Effectiveness

The ability to carry out assessments, analyses, and communication remotely dramatically reduces the cost of CISO services compared to hiring and training an in-house CISO. The average salary of a CISO in the U.S. is $229,480 with benefits. Avoiding that expense enables you to optimize your cybersecurity program while making a decent return via increased leads and sales.

Faster Results

The experience and expertise of your vCISO enable him or her to get familiar with your system more quickly and begin directing improvements to your programs and procedures much faster than could be achieved with in-house team training. The speed of vCISO services improves ROI through reduced startup times and reduced time to compliance.

Increase Team Value

Your teams will work closely with your vCISO, facilitating the sharing of knowledge and experience that will continue to provide value to your company long after your vCISO service arrangement ends. Your vCISO can also identify weaknesses within your team where more training might be needed. Throughout your service arrangement with your vCISO, your in-house team will have additional time to spend on other tasks.

Is vCISO right for your business?

If you’re a startup without an in-house, specialized cybersecurity team, an established business that struggles to obtain or maintain security compliance certifications, or if you need to be able to prove to your clients and prospects that you take security seriously, a vCISO could be the best solution for optimizing your security practices. Engage a vCISO service if you require security, but you don’t have either the time or the money to establish professional-level cybersecurity programs and practices on your own.

Industries That Commonly Utilize vCISO

Any business that deals with client or customer information should have a level of cybersecurity that is adequate for the type of information. A vCISO can help you determine the appropriate strength of your security and the path to achieving and maintaining that strength, along with any certifications required in your industry.

  • Tech
  • Marketing
  • Insurance
  • Retail
  • Finance
  • Healthcare
  • Manufacturing

A company processing the data of millions of customers is required to keep it protected and safe in order to keep its reputation unharmed. There are also a lot of transactions and data transfers that happen between organizations, whether between different offices of the same company or with outsourcing partners. In terms of GDPR/ISO 27701, these are controllers or processors of personally identifiable data. When such large transfers of data happen, data privacy becomes very important. Just having robust controls for data security doesn’t cut it anymore. While data security protects customers from possible hacking attacks, data privacy deals with how the company processes customer data; it’s about data being used only for legitimate purposes, and this is what most customers are concerned about these days.

One of the burning questions that GRSee Consulting gets from our partners these days is whether there is a certification that will prove to external and internal stakeholders that they have effective privacy controls. Look no further: ISO 27701 is as close as you can get to GDPR compliance.

What is ISO 27701?

ISO 27701 was developed by the ISO technical committee in consultation with 25 external bodies, including the European Data Protection Board (EDPB). ISO 27701 specifies requirements for establishing a privacy information management system (PIMS) and adds privacy-specific requirements, controls, and control objectives on top of the ISO 27001 requirements and controls. It is an extension to ISO/IEC 27001 that enhances and improves the existing Information Security Management System.

Much like other ISO standards, ISO 27701 divides its content by clause, of which Clauses 5–8 set out the additional requirements and amendments to be applied to ISO 27001.

ISO 27701 requires that the organization recognizes its privacy-specific requirements within its context. Additionally, control guidance for the Privacy Information Management System is set out in ISO 27002, which organizations need to comply with. ISO 27701 also describes Annex A controls that are specific to privacy for the purposes of personally identifiable information (PII) controllers and processors. These controls address many of the critical areas of data protection and privacy that are not accounted for by the controls provided in ISO 27001.

It is important to mention here that though ISO 27701 is a complete framework for implementing a privacy management system in the organization, it needs to be implemented along with ISO 27001 as certification can only be obtained under ISO 27001.


How do ISO 27001 and ISO 27701 work together?

ISO 27001 and ISO 27701 go hand in hand. They work together and ISO 27701 cannot be implemented if ISO 27001 is not implemented beforehand. So, if you want ISO 27701 and establish a Privacy Information Management System, you need to also establish an Information Security Management System.

For any company to be ISO 27701 certified, it must have an ISO 27001 system in place.

ISO 27701 and GDPR

Implementing ISO 27701 can help you align with GDPR and other privacy laws and regulations. GDPR provides consumers with a number of rights with the sole aim of giving consumers more control over their personal information. GDPR focuses on the processing of personal data by controllers and processors and defines a set of rules for that processing. Similarly, ISO 27701 also makes PII controllers (those who determine the purposes and methods of processing personal data) and PII processors (those who process the data) responsible for implementing controls. While GDPR is quite exhaustive, it doesn’t include any information or guidance on how to implement the rights of individuals and the associated principles. ISO 27701 along with ISO 27001 provides the much-needed guidance here. ISO 27701 is a set of best practices focused solely on the privacy of information, giving practical advice on how the requirements of GDPR or similar privacy regulations can be met. So, implementing ISO 27701 and getting certified to it will ensure that you are meeting most of the requirements of GDPR.

To summarize, GDPR and other privacy laws require organizations to implement multiple measures and controls in order to assure their customers’ privacy, but do not provide guidance on how to do so. ISO 27701 provides organizations with guidance on how to develop their PIMS and the relevant processes and controls. Also, where companies not only process a large amount of personally identifiable data but also collaborate and process data on behalf of each other, ISO 27701 helps them gain assurance about each other’s privacy controls.

Implementing ISO 27701 along with ISO 27001 ensures that the risk related to security and data breaches is reduced. It also demonstrates to your customers that your company has effective systems in place to protect the data of customers and other stakeholders and that the privacy of their data will not be compromised. This increases the trust quotient of your organization, and customers will be more willing to do business with you.

So, how should you start? If you already have ISO 27001 you are one step closer to ensuring privacy. Check your current status with ISO 27701 by performing a gap analysis and understand what you need to do in order to comply with the latest standards.


Privacy is the new buzzword. People have become increasingly aware of privacy rights in the last few years and expect businesses to protect their personal data. It is becoming increasingly important for leaders to ensure that data protection is built into their company’s products and services. They need to be proactive in complying with various data protection laws; failing to do so can lead to hefty fines, a negative public image, and eventually a huge loss of money.

According to Gartner, 10% of the population is currently covered by modern privacy laws, a figure expected to increase to 65% by 2023. GDPR (General Data Protection Regulation), introduced in 2016, is one of the most comprehensive data protection laws and aims to provide data protection to European Union citizens. Other countries have also introduced data protection laws, and their number is constantly increasing. Given the need to comply with various laws and the huge penalties involved, more and more organizations are considering a comprehensive privacy program that can adapt well to various privacy regulations. The requirements of cybersecurity and privacy laws overlap at many points, and organizations can leverage their current cybersecurity posture to enhance their privacy.

Leveraging the ISO 27001 Framework

One of the best-known and most widely used cybersecurity standards implemented in organizations is ISO 27001. The standard presents a framework for cybersecurity management for all businesses, large and small. ISO 27001 applies various information security processes in the organization, and these can help in managing GDPR-related requirements with ease.

By implementing the ISO 27001 with privacy in mind you can benefit and save the effort of meeting privacy requirements presented by different laws. Many of the privacy laws and ISO 27001 have similar if not identical requirements, such as risk assessment/privacy risk analysis, written procedures, asset mapping, classification, etc.


By defining the right assets as part of the ISO efforts you will gain both information security and achieve privacy compliance. Some examples of how GDPR and ISO 27001 are similar and how the ISO framework can be leveraged to meet GDPR requirements:

  • Technical and Organizational measures: Article 24 of the GDPR specifies that organizations shall adhere to codes of conduct and have technical and organizational measures to demonstrate that processing is performed in accordance with GDPR. ISO 27001 can be used as a component to demonstrate compliance with this requirement of GDPR.
  • Vendor management: GDPR Article 28 requires that the processors shall implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the Regulation. ISO 27001 Annex A.15 specifies the requirements that an organization shall meet to protect the organization’s assets that are accessible to or affected by the vendors. The vendor management framework of ISO 27001 can be leveraged to meet this requirement of GDPR.
  • Security of Processing: GDPR Article 32 requires that the organizations implement technical and organizational measures that ensure a level of data security appropriate for the level of risk presented by processing personal data. The ISO 27001 requirements overlap with the requirements of GDPR Article 32 at a lot of places. An effective Information Security Management System (ISMS) created based on the requirements of ISO 27001 can be leveraged to meet all the requirements of this article.
  • Breach notification: GDPR Articles 33-34 require that the organization inform the supervisory authority and the data subject of any data breach. ISO 27001 A.16 requires that a consistent and effective approach to the lifecycle of incidents, events, and weaknesses is followed. If you set up incident management processes in your organization as per ISO 27001, you can easily handle the requirements of GDPR Articles 33-34.
  • Record Keeping: GDPR Article 30 requires that the organization shall maintain a record of processing activities under its responsibility. ISO 27001 A.8 requires that the organization identifies information assets in scope for the management system and defines appropriate protection responsibilities. With this goal in mind, the records should show why and how the data is being processed.

In addition, the ISO organization has introduced ISO 27701 which is a Privacy Information Management System (PIMS). ISO 27701 is not a standard by itself but an accredited extension to the existing information security standard ISO 27001. ISO 27701 is designed to cover privacy laws and regulations around the world. Complying with ISO 27701 can support your organization in meeting the regulatory requirements and manage privacy risks related to Personally Identifiable Information (PII).

So if you start your ISO 27001/27701 journey with privacy compliance in mind, you will meet some of the requirements of the new privacy laws. This will save you a lot of effort and your organization will be more than ready whenever a new privacy law is introduced and with a little tweaking, you will be good to go.

When starting your ISO 27001 project or renewing it, think not just about security but also about privacy. Define assets that contain PII (personally identifiable information) as assets to protect. For those of you who already have ISO 27001, make sure to check the latest privacy standard, ISO 27701, for privacy information management; it can be implemented as an extension to your current ISO 27001.

Get in touch with GRSee Consulting regarding ISO 27001 and ISO 27701 projects.


How to Incorporate Cybersecurity into Your Framework

When you strike upon a viable idea for a business, Cybersecurity might be the last thing on your mind. Even in industries like healthcare and eCommerce where cybersecurity is a vital component, it’s often addressed on the backend. The problem with that approach is that it forces your security team to work retroactively through your architecture to incorporate security as part of your basic infrastructure, like tearing out your home’s foundation to lay plumbing, and it hinders your ability to lay the groundwork for success in each stage of business growth. Often in the early phases of planning and development, startups don’t have the budget to bring in a CISO, so it’s important to familiarize yourself with basic security milestones that you should be hitting in each phase. The following framework was developed by Head of Growth at Qualaroo and GrowthHackers, Morgan Brown, and we’ve outlined the cybersecurity phases that correspond with each stage. While frameworks like this provide invaluable guidance, it’s important to remember that there will be variations and you should be able to adjust your focus depending on what your business needs at any point in your trajectory.

Developing Your Solution

The first and invariably most important factor in startup success is whether your product or service solves a problem, so the first step in your business plan should be to develop your solution. Define a target user and conduct interviews to discuss the problem and their existing solutions. Create a blueprint for your MVP (see phase two) and iterate your solution as you gather more information until you have a solid product that’s ready for testing. During this phase, start researching cybersecurity as it will apply to your business. Learn the standards that will be required for your solution to fully meet the needs of your target users. Study best practices and privacy regulations for your application. Gathering this information now will enable you to incorporate the necessary measures into your business plan.

Minimum Viable Product (MVP)

You’ve developed your solution and your target user, so now you need to test it and identify any weaknesses or areas of opportunity. Because it’s still so early, it’s not a good idea to invest everything you have into launching and testing at this stage. That’s what the MVP is for. Test your problem/solution fit with as little investment as possible. Discover which channels are the most responsive and measure retention to get a good idea of your solution’s potential. This is where you’ll need to start designing your cybersecurity and privacy structure. Gather specific requirements from your internal and external stakeholders and start shaping your security around those needs. This structure will be a key part of your product, so it needs to be designed early enough to include in your MVP testing.

Check Your Market

Once your product gains some exposure, start surveying users. Measure your retention rate and get a net promoter score (How likely are you to recommend us?). This information will tell you if you’re testing your product in the right market. Brown suggests including language, channel, and funnel optimization in this stage as well. What style of communication does your target market respond best to? What channels are the most responsive? What works for your users and what needs to be changed? By this time, your startup should be gaining a solid footing. Perform penetration tests and risk assessments to confirm the reliability of your security structure and determine what aspects need to be improved. Ensure you’re surpassing all relevant compliance requirements, standards, and regulations, as well as your stakeholders’ expectations. Being borderline is risky and can result in delayed sales cycles. Bring in a vCISO or a CISO to manage and improve security throughout your system. Optimizing your security before you attempt to scale is crucial to achieving the highest possible returns.

Scaling Your Business

When you’re in the right market with a solution that works and security that your stakeholders and customers can rely on, it’s time to maximize your strong points. Pour resources into the channels that perform well. Develop detailed playbooks and bring in specialists with extensive knowledge and experience for each channel. Prepare for channel saturation by grooming less successful channels for future growth. As your business grows, stay aware of evolving security needs. Maintain compliance and be open to new security feature requests and rising standards in your industry. A growing startup needs to be able to show dedication to maintaining high-level cybersecurity practices to continue attracting your audience.

Reaching Maturity

At this stage, you might have reached saturation in your primary channels and begun to level off in your growth chart, but a startup is never actually finished growing. The top companies in the world are still investing in new growth plans. Actively seek out expansion and acquisition opportunities at home and overseas. Look for products that serve the same audience you have now or consider architectural innovations that will connect a new market to your solution. Continue to manage and improve your cybersecurity to maintain a competitive edge that drives sales. Prepare for the possibility of mergers and acquisitions by completing cybersecurity due diligence. Review your posture, consider the current landscape, and identify the laws and regulations that might interest a company into which you’ll merge.

Conclusion

Again, this framework is a flexible guide that will have to be modified to fit the needs of your unique startup, but it can help develop a complete business plan and budget that includes cybersecurity as an essential part of your infrastructure.

If you’re still unsure of how to navigate the security of your business or if your time would be better spent managing the more front-of-house aspects, contact a compliance consultant who can get your startup up to snuff quickly and cost-effectively.


You achieved your PCI-DSS compliance! Great!
But now you need to maintain it, which is why we created this checklist.
Follow it and stay compliant.


Visa Suspensions, Exemptions, and Remedies for Affected Businesses

On April 22, President Trump signed Proclamation 10014, suspending the entry of aliens who weren’t already in possession of a valid visa or travel document, unless those aliens were seeking entry to perform medical services that would lessen the effects of COVID-19. The proclamation was designed to alleviate the economic crisis that developed as a result of the pandemic. It was originally set to expire after 60 days but was extended through the end of 2020 by Presidential Proclamation 10052.

This decision caught a lot of American startups off guard, stalling productivity and forcing them to abandon their foreign talent and begin costly and time-consuming recruiting processes. Despite the Proclamations’ intentions, the loss of these businesses presents its own threat to the U.S. economy.

Which Visas Are Suspended?

Several visa categories are affected by the suspension. The following are three of the most common visa categories that will no longer be processed until the restrictions are lifted, which is optimistically expected sometime in 2021. Any applications or petitions submitted for these categories in the meantime will be reviewed for exempting circumstances and denied if none are proven in the initial application.

H

The H-1B visa is for specialized foreign workers who perform functions that the employer cannot have filled in the U.S. This visa is most often used by the tech industry. Employers who are looking to hire nonagricultural seasonal workers would normally petition for H-2B visas. The suspension restricts these visas, as well as the H-4, which is for the immediate family of H-1B holders.

L

Upper-level management and specialized workers who wish to transfer to the U.S. branch of their current company could previously do so with an L-1 visa. The L-1 visa will now be restricted along with the L-2 for immediate family.

J

Cultural exchange programs will no longer be able to get J-1 visas for interns, trainees, teachers, camp counselors, au pairs, and summer work travelers due to restrictions on the J-1 visa. Immediate family is also affected by the J-2 visa restriction.


Who is exempt?

Spouses and children of U.S. citizens may still apply for an immigrant visa sponsored by your citizen family member. Foreign workers in the food and agriculture industries are exempt from the proclamation, as are any immigrants or nonimmigrants petitioning for the purposes of serving national interest. Other more exclusive nonimmigrant categories are also exempt, such as the O visa for persons of extraordinary ability or achievement. Specifically mentioned in the petition are medical professionals and researchers whose service in the U.S. will aid in the alleviation of the effects of COVID-19.

Exempting circumstances for the visas affected by the proclamation include the inevitability of a financial crisis in the event the foreign worker is not allowed to transfer, assuming the position cannot be filled by a current U.S. resident, and travel that is requested by the U.S. government to satisfy obligations.

In some cases, the wage being paid to the applicant must exceed the prevailing wage for that position by at least 15% in order to qualify. Exemptions may also be made for travelers who are needed to provide care for U.S. citizen minors. If a national interest exemption is granted to an applicant, his or her family may also be granted their related visas.

GRSee Consulting E1 Program

Another category of nonimmigrant visa that is exempt from the suspension is the E1 Trader’s Treaty Visa. This visa allows the applicant to enter the U.S. to conduct business involved in international trade. It may also cover immediate family members. Once approved and present in the United States, the spouse of the applicant may work, as well.

GRSee Consulting operates under the U.S. Trader’s Treaty to offer outsourcing services to companies that need to relocate their existing employees to the United States but are inhibited by Proclamation 10014. We work with startup companies that hope to save all the time and money that would otherwise be spent on extensive recruiting to fill positions affected by the suspension. In certain circumstances, we’re also able to bring our own staff onsite to fill a permanent position.

How to Secure the Talent You Need

Don’t let the visa freeze damage your business during an already difficult time. If the talent you need to support your startup is located outside the United States, save your resources by letting us handle your employee relocation. Contact GRSee to discuss the needs of your company and find out how we can help you survive the effects of COVID-19 and related legislation.

Intro

The latest relocation freeze by the American government caught a lot of startups unprepared. Many startups bring talent from abroad over different relocation visas.

This means many startup employees have to leave the States, leaving their positions unmanned or forcing organizations to start a recruiting process that is costly and time-consuming.

Body

GRSee Consulting offers its E1 program and can save you a lot of money and time.

Describe current visa programs.

Under the recent Trump proclamation, many work visas such as L Visas, H-1B/H-2B and J Visa were suspended for the time being. However, GRSee Consulting operates in the US under the trader’s treaty and a part of the E-1 program. We now offer outsourcing services to our select customers who want to relocate their employees to the US.

Mention that we are working with a lot of startup companies and that, as a trusted advisor, we can sometimes bring our own staff onsite to fill a permanent position for our customers.

Conclusion + CTA

Don’t let the current visa freeze stop your business; let us take care of your relocated employees and save you time and money.


The primary objective of a CISO is to bring value to the organization, keep it secure, and execute their planned roadmap. 70% of all large organizations use a CISO for better security management.

In fact, the job of a CISO proved to be the second highest paying technical job last year. Such a high-caliber role basically means that a CISO is likely to find themselves overburdened with phone calls, dozens if not hundreds of emails, Facebook friend requests, LinkedIn requests, and the like. In the process, they become unavailable to potential vendors. So how do you break through that wall and engage with a CISO? Let’s try to clear the fog.

What is so Difficult about Engaging with a CISO?

More often than not, you will notice a strong dissonance between a CISO and potential vendors. But why is it so difficult to engage with a CISO? And why are most security officers displeased by the way potential vendors approach them?

I think the primary reason for this dissonance would boil down to social media. This is one of the most popular mediums for people to grow their network and interact with other people. In this regard, CISOs also garner a lot of popularity and build their image, voluntarily or involuntarily, on social media. While this is actually a great place to network, social media platforms are also known to create a lot of noise.

Facebook alone has two and a half billion active members. In effect, sometimes it becomes very difficult for CISOs to deal with this unnecessary clutter on social media.

And the larger vendors are actually aware of this scenario and about how difficult it is for CISOs to filter through all the social media attention to extract useful information and notice them. Thus, more and more vendors tend to spend a lot of money on advertisements on social media, in order to be noticed and to increase their visibility. In effect, the only players that gain from this arrangement are the social media platforms.

However, you would have to agree that CISOs ultimately need good vendors in order to fulfill their internal goals, appease the external auditors, as well as the business partners and customers. Essentially, there have been some stable mediums to get in touch with CISOs, pitch for services, and engage with them.

So how do CISOs Actually Come Together with Vendors?

Come to think of it; it is not that difficult to reach a CISO if you have the right channel of approach or communication. Most CISOs I have spoken with personally have actually voted for the following four approaches to engage with them.

1. Trust

One of the most important deciding factors for CISOs for choosing a potential vendor is based on trust. CISOs will always be more likely to engage with someone they know through another source or who has been referred to them.

This pre-establishes a sense of trust and brings in an environment of comfort. In effect, when somebody refers you, you know the CISO already knows a bit about you and how you operate. This makes it easier to engage with them.

Also, another useful tip is that you should never try to sell on the first meeting with the CISO. Let this meeting only be limited to building a connection and trust!

2. Network

Networking within the community actually increases your visibility and, thus, the chances of being noticed by the CISOs. It would do you a world of good if you could attend some industry events or even volunteer or sponsor them.

This helps build and grow your professional network and, in turn, your image. CISOs once again will be more familiar with your image and name, and it will be easier to engage with them.


3. Seeking out thought leaders in their fields

The key to engaging with CISOs is engaging with thought leaders first. Industry thought leaders are rather important and useful. If you have been in the industry for long enough, you will have a decent network and idea of who to reach out to.

When the security officers notice your reputation with the thought leaders in the fields, it makes their job of vendor selection a lot easier. It clears the road ahead of you, and you can engage with them more smoothly.

4. Actively engaging with a team member seeking out your solution

Mature CISOs always take it upon themselves to research the market and align their security needs with business goals. Said CISOs are likely to assign a team member with the task of researching those much coveted products or services. Identifying these individuals and exploring a potential fit would be a great first step.


What not to do to engage with a CISO?

  1. Don’t randomly call up a CISO you have wanted to work with. It adds no value to your portfolio and will lead you nowhere.
  2. Don’t only invest huge amounts of money on advertisements and social media image building operations. Instead, use the same money in creating value for your customers and thus yourself.
  3. To be honest, stay as far away from sleazy sales techniques and ideas as possible. They do not add value; instead, they can harm your image.
  4. Don’t jump to a business directly. Give your CISO some time to build their trust in you and ensure that you have a cooperative working relationship.


Bottom Line

The process of engaging with a CISO is slow but fruitful. It is best not to rush this process. Instead, create an image and a portfolio that supports it, and have a strong contact base.

So, you’re a CISO. This means you probably get dozens of emails a day, a bunch of phone calls, and LinkedIn connection requests followed up by an immediate pitch, when all you want to do is carry out your well-thought-out roadmap, bring value to the business, and keep your organization secure and your employees happy.

With me so far?

So why is there such a dissonance between a CISO and potential vendors? Why are most CISOs appalled by the different ways and means through which they are approached by vendors?

I blame social media for this. On one hand, all these fast-growing platforms give us greater visibility than ever before and global connectivity. On the other hand, they produce so much noise. It’s hard to deal with, really. Some platforms are more prone to noise and clutter than others, but all ‘suffer’ from the same disease. Big vendors know that, and they quickly realize that in order to have their voice heard above the crowd they need to throw big bucks into ads to increase visibility. Really, it’s a zero-sum game with one winner: the platform itself, whether that’s LinkedIn, Facebook or Google depending on your sector. They are the main beneficiary, while all the players in this game fight for scraps.

At the end of the day, CISOs do need vendors to be able to execute their own roadmap, achieve their internal goals and satisfy external auditors, business partners and customers.

So how do CISOs actually come together with vendors?

I’ve spoken to a lot of CISOs about this specific question, and I was able to boil it down to the following:

  1. Trust
  2. Network
  3. Seeking out thought leaders in their fields
  4. Actively assigning a team member to hunt down a specific product or service

So where does that leave all those service providers?

Not to sound too corny, but I think the answer really lies in front of you.

Let’s talk a bit about what not to do:

  1. Don’t cold call CISOs. It will not get you anywhere
  2. Be smart with your time and with your money. Invest it in creating value
  3. Sleazy sales techniques are usually frowned upon
  4. Not always though. Some big players are investing top dollars in ‘perks’ that sometimes work
  5. Don’t treat your typical CISO as a walking wallet – it shows and it’s not attractive
  6. Get to know the person and see that you click

Granted, all these ‘insights’ or self-beliefs are not scalable. But this is what I have so far.

Share your thoughts below…


Technological Differences That Affect Compliance

Setting up PCI within a container environment presents unique challenges. The following QSA-reviewed solutions can help navigate those challenges to achieve PCI compliance. These solutions aim to address the most common issues. Every scenario is potentially unique and it’s important to consult with your Qualified Security Assessor before implementing any of our recommendations.

Fundamental Differences

PCI requirements and guidelines generally focus on legacy infrastructure. Container services do not have specific guidelines that dictate how to build a PCI compliant application within a container environment. These environments have characteristics not found in standard infrastructure, such as dynamic expansion and shrinking, sharing a hosting environment, temporary storage, and short uptime.

The infrastructure requirements for compliance include but are not limited to:

  • Build and Maintain a Secure Network
  • Protect Card Holder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Network
  • Maintain an Information Security Policy

Key Discussion Topics

  • Container Segmentation

Orchestrated container environments are more dynamic, so standard auditing for IP-based rules is not enough.

  • Dynamic Hosting

Environments where any pod can be started on any node may pull other machines into the PCI scope.

  • Container Scanning

External resources require security testing. Otherwise, frameworks and services might hold known vulnerabilities within the environment.

  • Log Collection

PCI requires you to maintain a full audit trail of user interactions with the service, even after the container is gone.

Container Segmentation

Containers can create a false sense of segmentation: they are isolated from each other at the virtualization layer, but not necessarily at the network layer. Container orchestration tends to work in a similar way to NAT, where port assignment is predetermined, which can undermine segmentation. By default, pods on the same host may communicate with each other, and any service on the hosting server may communicate with any pod on that host.

Orchestrated environments offer great flexibility, but PCI segmentation rules place strict limits on what communication is allowed into the environment. This false segmentation gives an attacker access to the entire network interface once they have compromised a pod on the network or a service on the hosting machine. The general rule of thumb is to block everything that has no business justification.
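One way to apply that rule of thumb at the network layer is a default-deny NetworkPolicy in the cardholder-data namespace with narrow explicit allows. This is an added example, not the article's own configuration; the namespace, pod labels and ports are constructed placeholders, and enforcement assumes a CNI plugin that implements NetworkPolicy (such as Calico or Cilium).

```yaml
# Added example (not from the original article). Namespace "cde", the app
# labels and the ports are constructed placeholders. Without a CNI plugin that
# enforces NetworkPolicy these objects are accepted by the API server but have
# no effect, so verify enforcement on the cluster before relying on them.
---
# 1. Default deny: selects every pod in the namespace and lists no rules, so all
#    ingress and egress is dropped, including traffic from pods on the same node.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: cde
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# 2. Explicit allow with a business justification: only the payment frontend
#    may reach the payment API, and only on its TLS port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-payment-api
  namespace: cde
spec:
  podSelector:
    matchLabels:
      app: payment-api
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: payment-frontend
      ports:
        - protocol: TCP
          port: 8443
---
# 3. Egress the API genuinely needs: cluster DNS and the cardholder database.
#    Everything else (including the internet) stays blocked by policy 1.
#    The kube-system namespace label below is set automatically on Kubernetes
#    1.21+; the kube-dns pod label is the usual CoreDNS label (assumption).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-payment-api-egress
  namespace: cde
spec:
  podSelector:
    matchLabels:
      app: payment-api
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:
        - podSelector:
            matchLabels:
              app: cardholder-db
      ports:
        - protocol: TCP
          port: 5432
```

Each allow rule should map to a documented business justification; anything not listed is denied by the first policy, which is the evidence a QSA will look for when reviewing segmentation.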

Micro-Segmentation

One way to work around the container segmentation issue is to use micro-segmentation and pin pods to nodes. This can be done with nodeSelector, a field in the PodSpec that specifies a map of key-value pairs. For a pod to be eligible to run on a node, the node must carry each of the indicated key-value pairs as labels. This limits where the pods can run, so you can designate certain nodes to handle PCI data without fear of unrelated pods being scheduled alongside them.

Dynamic Hosting

By default, any pod can communicate with any other pod on the same node, which aggregates more machines into the PCI scope. These defaults break segmentation between environments, and external pods can put other, more sensitive pods at risk.

Isolation Via Label Selectors

Limiting all PCI pods to the same node and preventing other pods from being loaded in that node can eliminate the dynamic hosting issue. This can be done in several ways, but most of them rely on label selectors.

nodeSelector

NodeSelector is a field of PodSpec. It specifies a map of key-value pairs. For a pod to be eligible to run on a node, the node must have each of the indicated key-value pairs as labels. It can have additional labels as well. The most common usage is one key-value pair.

nodeRestriction

NodeRestriction is an admission plugin that prevents kubelets from setting or modifying node labels with the node-restriction.kubernetes.io/ prefix. A label under that prefix therefore cannot be added or changed by the node’s own kubelet, which makes it a trustworthy basis for constraining pods to nodes with particular labels. The affinity/anti-affinity feature greatly expands the types of constraints you can express.

nodeName

NodeName is the simplest form of node selection constraint but is not typically used because of its limitations. When this field of PodSpec is non-empty, the scheduler ignores the pod, and the kubelet running on the named node tries to run the pod. If nodeName is provided in the PodSpec, it takes precedence over the above methods for node selection.

Taint

Node affinity is a property of pods that attracts them to a set of nodes, either as a preference or a hard requirement. Taints are the opposite. They allow a node to repel a set of pods. Tolerations are applied to pods and allow but do not require the pods to schedule onto nodes with matching taints. Taints and tolerations work together to ensure pods are not scheduled onto inappropriate nodes. When one or more taints are applied to a node, it indicates that the node should not accept any pods that do not tolerate the taints.
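The label, taint and pod-side constraints described in this section, combined in one Deployment. This is an added example rather than the article's own manifest; the node name, label key and value, taint, image and namespace are constructed placeholders.

```yaml
# Added example (not from the original article). Pins the pods of one workload
# to nodes reserved for the cardholder data environment (CDE) and keeps every
# other pod off those nodes. Node name, label, taint and image are placeholders.
#
# One-time preparation per CDE node (cluster-admin credentials):
#   kubectl label nodes cde-node-1 node-restriction.kubernetes.io/pci-scope=cde
#   kubectl taint nodes cde-node-1 pci-scope=cde:NoSchedule
#
# The label uses the node-restriction.kubernetes.io/ prefix so that, with the
# NodeRestriction admission plugin enabled on the API server
# (--enable-admission-plugins=NodeRestriction), a node's own kubelet cannot
# relabel itself into or out of PCI scope. The taint repels every pod that
# does not tolerate it, so unrelated workloads cannot drift onto the node.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payment-api
  namespace: cde
spec:
  replicas: 2
  selector:
    matchLabels:
      app: payment-api
  template:
    metadata:
      labels:
        app: payment-api
    spec:
      # nodeSelector: hard requirement, the node must carry this exact label.
      nodeSelector:
        node-restriction.kubernetes.io/pci-scope: cde
      # Toleration for the NoSchedule taint placed on the CDE nodes. Without
      # it the scheduler would refuse the node even though the label matches.
      tolerations:
        - key: pci-scope
          operator: Equal
          value: cde
          effect: NoSchedule
      # Node affinity expresses the same constraint in the more flexible form
      # (operators such as In/NotIn/Exists); when both are present a node must
      # satisfy nodeSelector and the required affinity terms.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-restriction.kubernetes.io/pci-scope
                    operator: In
                    values: ["cde"]
      containers:
        - name: payment-api
          image: registry.example.com/payment-api:1.4.2   # placeholder image
          ports:
            - containerPort: 8443
```

Leave nodeName unset: it bypasses the scheduler and the constraints above, which is why the article describes it as rarely used.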

Container scanning

Embedding foreign code or services into your service can expose your product to high-impact attacks such as injection of malicious code. This is one reason code review and automated security testing are mandatory in most security standards. The product owner is responsible for all aspects of the published product, including third-party libraries. PCI requires automated application vulnerability assessment tools or methods, such as image scanning solutions and static code analysis.

Running code review is useless if the reviewer is not trained in secure coding practices. Therefore, it is required that developers are trained in secure coding practices based on industry best practices, such as OWASP TOP 10, so they can identify vulnerabilities in foreign code embedded into a product. Platforms like Secure Code Warrior provide user-friendly interfaces and gamification of the training to keep developers engaged.

Static Code Analysis and Other Scanning Solutions
Additional Image Security Tools

Log Collection

Logs collected locally on the pod are deleted once the pod is destroyed, so collecting logs over longer periods is problematic given the short uptime of containers. PCI requires you to store full audit trails of user and service activity for at least one year, because it can take that long for an attack to be identified, and in such a case you would need those logs to trace attacker activity. PCI also requires monitoring for and identifying attacks in real time, so an external, long-term log service is essential.

Designated Log Storage

Some popular container-oriented services designed for storage and parsing of large quantities of data include:

  • Kibana
  • Graylog
  • Splunk
  • ElasticSearch
  • Falco

While dedicated SIEM/log collection services like Graylog or Kibana are harder to set up than general data aggregation services like Splunk or Elasticsearch, parsing log data is usually easier on the SIEM services.

Hooks

Orchestration platforms offer hooks into the container lifecycle. Using hooks, such as the preStop hook in k8s, at the end of the container lifecycle allows a container to export its generated logs into safe, non-volatile storage. Before utilizing this solution, consider certain edge cases like orchestration platform crashes that would prevent the hooks from being executed.
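A preStop hook that flushes a container's local logs to durable storage before the container goes away, as an added example (not the article's own manifest). The image, log directory and PersistentVolumeClaim are constructed placeholders.

```yaml
# Added example (not from the original article). The preStop hook copies the
# container's local log directory to a long-retention volume before the
# container is stopped. Image, paths and claim name are placeholders.
#
# Edge cases the article warns about, and how this manifest handles them:
#  - The hook only runs on an orderly termination (kubectl delete, rollout,
#    eviction). It does not run if the node or kubelet crashes or the
#    container is already dead, so a node-level log shipper (e.g. a DaemonSet)
#    must remain the primary path; the hook is only a final flush.
#  - The hook must finish within terminationGracePeriodSeconds, otherwise the
#    container is killed mid-copy; size the grace period for the log volume.
apiVersion: v1
kind: Pod
metadata:
  name: payment-api
  namespace: cde
  labels:
    app: payment-api
spec:
  # Time budget for preStop plus the application's own shutdown.
  terminationGracePeriodSeconds: 60
  containers:
    - name: payment-api
      image: registry.example.com/payment-api:1.4.2   # placeholder image
      volumeMounts:
        - name: app-logs
          mountPath: /var/log/payment-api     # where the app writes its audit log
        - name: audit-archive
          mountPath: /mnt/audit-archive       # durable, shared, long-retention
      lifecycle:
        preStop:
          exec:
            command:
              - /bin/sh
              - -c
              - |
                # Archive the local logs under a name that identifies the pod
                # ($HOSTNAME is the pod name inside the container) and the time
                # of termination, so traces survive after the pod is gone.
                ts=$(date -u +%Y%m%dT%H%M%SZ)
                mkdir -p /mnt/audit-archive
                tar -czf "/mnt/audit-archive/${HOSTNAME}-${ts}.tar.gz" \
                    -C /var/log/payment-api .
  volumes:
    - name: app-logs
      emptyDir: {}                           # local, lost with the pod
    - name: audit-archive
      persistentVolumeClaim:
        claimName: audit-archive              # placeholder PVC backed by durable storage
```

Whatever lands in the archive volume still has to be ingested into the central log store with the one-year retention the section above describes; the hook only prevents the gap between the pod's death and the shipper's last read.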

Your Thoughts and Solutions

We welcome your feedback, opinions, and ideas. Let us know if you disagree or have used better solutions and architectures for your PCI in a container environment.

Reading Time: 2 minutes

With our growing dependence on digital platforms, sharing our personal data like name, phone number, email, address, credit card numbers have become a norm. We provide all our details when we buy something through Amazon, subscribe to a newsletter on a website, buy a new telephone connection or generally surf the internet. The need for the protection of our personal data is felt more than ever and every country is now coming out with laws to protect personal data of individuals.

The California Consumer Privacy Act (CCPA), the Texas Privacy Protection Act (TXPPA) and the General Data Protection Regulation (GDPR) are some such laws that companies need to comply with. Since they have many overlapping requirements, they create a lot of confusion for companies. All of them are primarily data privacy laws aimed at protecting consumers’ personal data, and all of them grant consumers a number of rights that give them more control over their personal information. These laws share many similar rules but also have certain key differences, which should be understood well to help companies comply with them.

Here we compare the 3 laws to help you understand each of these on different aspects:

GDPR protects the rights of data subjects, defined as “an identified or identifiable natural person”, while CCPA takes a broader view of the data to be protected: its definition extends to a household, device or business and is not confined to the data of an individual. TXPPA also extends to households, but this is not yet clearly defined.

Key Takeaways

TXPPA and CCPA apply only to businesses that meet certain thresholds, while GDPR applies to all companies that process EU citizens’ data.

Under CCPA, employees are temporarily excluded from most of the Act’s protections, except in two areas: (i) providing notice at the point of collection, and (ii) notification of a data breach caused by a business’s failure to protect employee data. GDPR applies to all natural persons, including employees, suppliers, customers, etc. TXPPA is yet to provide clarity in this area.

While most of the rights are broadly similar across the three laws, there are some differences that need to be understood in detail. For example, the right of deletion in CCPA is less stringent than in GDPR: a business can always claim fulfilment of a contract or a legal obligation. Overall, GDPR is more comprehensive than CCPA and TXPPA.

Reading Time: 4 minutes

A general dictionary meaning of the term compliance is known to many of us. It simply means to abide by the rules and regulations laid down by the authorities, law, or maybe a governing body. The broad meaning of good compliance remains the same, even if we associate it with business.

Therefore, compliance in the business sector ensures that the company works responsibly and in accordance with the laws.

In this article, we will explore compliance in detail and why it plays an important role in running a business. Now, the question that arises here is, why is compliance mandatory to a business?

Importance Of Good Compliance

According to a report from Globalscape and Ponemon Institute, program certifications helped businesses save $820,000 on average.

●     To avoid any criminal charges

No business would ever want to face court trials or be held responsible for violating the law. This is where compliance plays a crucial role and proves advantageous. Compliance specifies all the guidelines that a business must follow to carry out its operations, covering internal policies, procedures, and federal and state laws.

Workflows such as how to manage inventory, customers and staff, limitations on advertisements and negotiations, employees’ salaries, the terms and conditions of buying and selling, and safety rules should all comply with industry standards. With good compliance in place and enforced, the company detects and prevents violations of the law, which in turn saves it from fines and lawsuits.

●     Developing a positive reputation

A company’s success largely depends on its reputation and the public image. Compliance ensures that the company maintains a positive image and demonstrates maturity, which boosts customers’ trust and loyalty. These satisfied clients return to buy your services and products as they find them trustworthy.

●     Enhanced productivity

Good compliance means that businesses don’t need to convince each relevant stakeholder that their security framework actually works. This, in turn, makes the overall process much more productive and efficient.

Starting Early Is The Key

Many companies don’t invest in a compliance program from the initial phase; they wait for their setup to grow. During this phase, either severe disruptions take place, or they reach a stage where implementing the changes becomes a tedious affair. Organizations should gradually start working on their compliance program from the early stage, so that even if they are found guilty of a compliance violation, they have the necessary documentation in hand to produce before the law. Otherwise, they end up bearing huge fines with a spoilt brand reputation in hand.

Another big reason to start soon is that B2B customers expect their partners to have an efficient compliance program. Thus, if your company doesn’t pay any heed to data privacy, compliance with regulations, and security, you end up losing a major part of the market. This includes all the organizations that manage sensitive data like hospitals, government, big companies, etc.

Depending upon your business type, your company will have to be CCPA, DFS, SHIELD Act, PCI DSS, SOC 2, ISO 27001, and GDPR compliant.

How To Get Started?

The organization’s compliance program depends on its assets, sector, target market, and geolocation. Thus, there might be a slight variation in the compliance program of different companies. However, some ideas and strategies remain universal and can work as building blocks for your business’s compliance program too.

Here is how to get started!

Keep it pragmatic

This is similar to a situation where a newly recruited employee is handed hundreds of documents to read and sign. The person doesn’t even bother to read them and simply signs. By not ensuring that the person has read all the details and understood the processes, you are putting your organization at risk. Likewise, understanding the kind of data that your company holds is of utmost importance.

Involve key stakeholders

Your stakeholders should consider the compliance program as a priority; only then will the team pay importance to it. The stakeholders include Executive leaders, CISO, Privacy Officer, Marketing, Legal, and IT team. The same should be discussed regularly, and the business decisions must be taken accordingly. The sales team will give more insights about the compliance requirements demanded by your clients.

Prioritize the tasks, first things first

At first, the compliance program may seem aspirational and easy. To find out where to start, draft an organized approach. The first step is to analyze the type of data your organization holds and, accordingly, decide on the most relevant framework for your business. Check your competitors’ compliance strategies and how they are addressing them. Don’t forget to analyze your customers’ demands. Since compliance is an ongoing process, regular feedback from the sales team and the legal team will further help in defining a good compliance approach. Don’t impose too many regulations at once: trying to understand all the policies and procedures at the beginning might leave you puzzled.

Hire a vCISO

It is very difficult to find a reliable CISO. Even if you find one, they ask for a seven-figure salary, which is not feasible if your business is in its early stages. This is where a Virtual CISO comes in handy.

Seeking help from vCISO experts will enable you to save a lot of money and time. They will help you to get your compliance faster and in a cost-effective manner.

Final Thoughts

In conclusion, many big companies, as well as start-ups, are investing their resources in defining their compliance needs and program. If you are not sure how to make your business compliant, you can seek assistance from a vCISO and save thousands of dollars every year by getting the right guidance.

Compliance is a must if you want to take your business to new heights. Take the help from a vCISO to discover beforehand when the first compliance requirement will be and what it will be about with respect to your business.

Do you have anything to share with us regarding good compliance? Please let us know in the comments section below.

Reading Time: 3 minutes

The California Consumer Privacy Act (CCPA), enacted on Jan. 1, 2020, is a new privacy law created to protect the privacy rights of Californian citizens. The Act, as we described in our article – (link to the first article), restricts how companies collect and use consumer data. It requires companies to build in mechanisms that ensure CCPA requirements are met, which includes establishing methods of interaction with the customer and internally building mechanisms to handle requests from the end-user. Some of the key mechanisms that you need to establish in the organization to interface with the end-user are:

  • The organization shall put in place methods to provide end-users with information on their data upon request. The systems shall allow end-users to see what personal data the organization has, to make requests to understand how their information and data are managed, to exercise rights over its sale, and to request removal of all or part of the data. The organization shall, at a minimum, provide a toll-free number and a web portal to enable end-users to exercise their rights.
  • The information requested by the end-user shall be delivered within 45 days, and no charges shall be levied for this service.
  • The organization shall verify the customer before disclosing information.
  • The information shall cover the 12-month period preceding the request.
  • Companies also need to train their employees on CCPA and non-discrimination policy, in particular, to ensure they understand the CCPA principles and ‘Right to equal services and prices’ is followed.

Gap Analysis and Remediation

Compliance with CCPA can look like a few simple steps, especially if you only consider the mechanisms needed for interaction with the end-user, and most companies focus solely on these. However, a lot of effort is required on your internal data to ensure the customer is given the right information and all their requests are fulfilled. The first step towards this is creating a database of customers that records who within the company uses the data, the purpose for which it is collected, and what rights are granted on it.

A detailed gap analysis shall be conducted by the organization to understand the consumer data that is collected and used. The steps that you need to take to conduct a gap analysis are:

  • Data and Process Mapping and dataflow analysis: This requires an organization to understand their data and process mapping, data sources and how the data flows.
  • Creating a compliance program (and relevant tasks for alignment): Planning for the compliance program and listing all the tasks required to meet the CCPA requirements would be the next step.
  • Reviewing the current consent mechanism in place: The organization needs to review the consent mechanisms and understand what processing right the current consent mechanism grants.
  • Reviewing the data access mechanisms: Next, an organization needs to understand how the data is accessed and who accesses and uses it.
  • Creating data elements inventory: Next, create a data elements table to define the purpose of data, who uses the data, rights granted on the data, etc.
  • Reviewing the identification mechanism: upon receiving a data access request by a consumer, the organization must put in place an identification mechanism ensuring that the consumer is identified.

Once gap analysis identifies key data elements, the next step required is remediation. This will include:

  • Review of existing policies: Conduct a review of Third-party agreements, Privacy Policies, Privacy Notices, data breach incidence policy, etc against the CCPA requirements
  • Create relevant policies and procedures: Update existing policies to comply with CCPA or draft new policies
  • Training and Awareness Program: Run a training and awareness program within the organization for employees to clearly understand CCPA requirements and the changes done to procedures/new procedures created
  • Privacy by design: Build privacy into the engineering process. This means privacy and data protection is handled at each step including internal projects, software or product development, IT systems, etc. for each personal data that is processed by the organization.
  • Perform PIA (Privacy Risk Assessment): Carry out a risk assessment on the company’s processes to determine how these processes may compromise or impact the privacy of personally identifiable information (PII) the company collects or uses.
  • Review/create an opt-out mechanism: a basic right of all consumers protected under the CCPA is the right to opt-out of any service and mailing list.

CCPA compliance may seem like an enormous task, but with the right guidance and experienced consultants it can be done quickly and with ease. Companies need to start complying with the CCPA requirements to avoid unnecessary penalties and financial losses in future. Act now and begin your CCPA compliance journey.

Reading Time: 3 minutes

The fintech market is growing at a rapid rate, but fintech companies also face several challenges and risks because of their high dependence on technology. Security issues and data privacy are among the top concerns that fintech startups need to address, both to gain the trust of businesses and consumers and to improve their own processes. A single data breach may lead to huge fines imposed by payment card issuers or to lawsuits. This could damage a fintech’s reputation and, in the long run, reduce sales. With growing cyber security concerns, improving security posture becomes a necessity for a fintech company.

Many organizations try to improve their security posture by creating their own frameworks instead of adopting a leading standard as a baseline. They end up reinventing the wheel and struggle to maintain their compliance level. And if they do decide to use an industry standard, they have difficulty choosing the right one. With a myriad of industry standards such as ISO 27001, SOC 2, FedRAMP, HITRUST, CSA and PCI DSS, choosing the one that suits their needs and caters to their specific requirements becomes a difficult decision. PCI DSS can be a good starting point and can serve as a baseline from which to improve your security posture.

ISO 27001 Vs SOC 2 Vs PCI-DSS

Let’s understand the key features of these standards to help you make an informed decision. ISO 27001 focuses on the development of an Information Security Management System (ISMS) which is a set of policies and procedures to help manage an organization’s sensitive data systematically. To ensure compliance, ISO 27001 requires that you conduct risk assessments, determine the security controls required and review the effectiveness of the controls applied on a regular basis.

SOC2, on the other hand, focuses on the internal controls connected to the operating environment of a company. The controls are related to any combination of Availability, Security, Confidentiality, Processing Integrity, or Privacy. The standard covers basic static security practices.

Payment Card Industry Data Security Standard (PCI DSS) is a standard that is defined by industry groups and is suitable for any company that stores, processes, and transmits credit card information. PCI DSS has 6 main goals, broken down into 12 requirements that need to be achieved in order to obtain the PCI DSS compliant certification. The standard gives a practical set of best practices for fintech companies, is more technical in nature and caters specifically to the data security of credit card information stored, processed or transmitted.

With the exception of BCP/DRP and possibly forensic investigation, PCI DSS pretty much touches on all security domains, from how to manage your network security, security patches, cardholder data security, encryption at rest and in transit, vulnerability management, antivirus/anti-malware deployment and all the way to Secure Software Development lifecycle, access control, audit trail, security testing, physical security as well as policies and procedures you should have in place.

Another advantage of PCI DSS is the flexibility it offers. If you elect to adopt PCI DSS, you are not bound to implement its full extent. The number of requirements that apply to your business depends on how you have set up your environment: the total volume of transactions, what the CDE (cardholder data environment) looks like, and how many payment card numbers your company stores, processes, or transmits. Minimizing the number of such instances therefore makes the standard simpler to comply with.

Here is a small checklist which will help you to decide. Go for:

  • PCI DSS, if you’re looking to adopt a highly technical standard and would like to incorporate all the best practices relevant to credit card information security. This will also help you gain the trust of your customer and business partners.
  • ISO 27001, if you’re looking for creating a complete information security management system. It offers a generic set of requirements which you are free to interpret and apply and is applicable to any organization.
  • SOC 2, if you’re looking for reporting to your customers and business partners where you are in terms of basic security principles and criteria.

SUMMARY

Though there are many standards and frameworks, PCI DSS might be the best choice to implement actual technical guidelines relevant to Fintech startups. It can serve as a baseline standard with which you can start your information security journey and later on, complement it with an information security management system and detailed risk assessments that ISO 27001 offers. SOC 2 would be a good starting point to demonstrate some kind of basic security posture for your customers but lacks the technical depth that PCI DSS offers.

GRSee Consulting is the first Qualified Security Assessor (QSA) company in the world to certify a fully AWS-hosted environment to PCI-DSS. Call us now and get your PCI-DSS certification.

Reading Time: 3 minutes

In the world of technology and cloud computing, cybersecurity measures become an essential component of any organization. It requires firms to stay alert and be prepared if any data breach occurs. In this regard, the ISO 27001 certification and SOC2 compliance report are key indicators of the company’s cybersecurity readiness.

Both of these compliances have similar requirements. But why exactly do you need these reports? How can these reports benefit you? Let us find out.

Shows maturity

Cybersecurity maturity becomes an important component of data security measures while dealing with a huge amount of client data. It helps to improve the company’s preventive measures against any security breach. It further helps in planning and readiness to deal with secure data if it gets breached.

A survey of 267 security operations practitioners was conducted as part of the Cyentia Institute Research Report. Only 20% of the practitioners said that their company had mature security models. A SOC2 report and an ISO 27001 certification are useful in fulfilling the company’s cybersecurity maturity goals.

These reports and audits essentially help the firm be better prepared to deal with such cybersecurity threats and mismanagement of important data.

Actual security

With an ISO 27001 certification, the organization’s data is protected, covered by restricted access and does not end up in unauthorized hands. With a SOC 2 audit report, you are assured that potential breaches would be highlighted to the organization before they make any significant impact on client data, and that the firm is well equipped to handle such breaches.

With these certifications, you receive actual data security that effectively protects company data and customer information from breaches or malicious activities with better-managed cybersecurity practices.

This increased business reliance provides better partner confidence and helps come up with risk assessment and management strategies. In effect, both these measures make the firm stronger in cybersecurity.

Peace of mind

An ISO 27001 certification or a SOC2 report indeed improves your brand image and reputation. But more importantly, such audit compliance gives you peace of mind that you have lowered the risk of potential data breaches and other threats.

Competitive advantage

One of the primary benefits of adopting ISO 27001/SOC2 is the competitive advantage it gives a vendor over other vendors.

When pitching for a new client, having a SOC2 report audit, for instance, gives you an edge over the other competitors. This eventually proves to be useful for your business.

Overcome long sales cycles

While trying to break into the market of new clients, it is always an advantage to have secure cybersecurity practices that indicate their data will remain safe. But claiming that the practices are secure and foolproof is not sufficient, and the client will always want to check the report and certification before doing business with you.

This additional process simply leads to longer sales cycles, which translates to longer periods between following up a lead and converting it. Having a SOC2 report or ISO27001 audit performed in advance could save you this time and wrap up the deal in a shorter sales cycle. Of course, this also improves your credibility in front of the customer.

Cheaper than a data breach

According to the 2020 Cost of Data Breach Report, the average cost associated with a data breach is estimated at $3.86 million. And this cost is on the rise with each passing year. This could adversely impact your business and hurt your finances.

On the other hand, planning and budgeting for the SOC2 audit and ISO27001 audit in advance would prove to be cheaper, while giving you peace of mind. For instance, a SOC2 audit or ISO 27001 implementation could cost the company thousands of dollars. 

If planned and budgeted in advance, these costs could be dealt with more easily by the organization. This is much cheaper than going through a data breach and their related recovery costs.

The ISO 27001 certification and SOC2 report are both effective proofs of your organization’s cybersecurity measures and readiness. They become market differentiators that act as an advantage with clients. These certifications and reports also open doors to industry-specific opportunities such as managed services, banking, and financial services and the like. It is indeed a big advantage to be SOC2 compliant or ISO 27001 certified.

Both of these reports can save time and money by helping the organization stay prepared ahead of time. Since the two compliance frameworks have overlapping requirements, you could run a combined project that takes care of both.

GRSee Consulting is well equipped to handle SOC 2 compliance and ISO 27001 certification projects and could help you fulfill the combined requirement. Contact us to know more and take care of your cybersecurity measures with ease.

Reading Time: 3 minutes

There are a few different ways to approach the California Consumer Privacy Act (CCPA), which comes into effect on January 1, 2020. As we’ve discussed before, the ISO 27001 standard can be a great springboard to CCPA compliance. If you’ve already gone through the ISO compliance process, that might be your best starting point. Europe’s GDPR is similarly suitable as a platform to build off of towards CCPA compliance.

Whichever approach is most helpful for you to tackle the CCPA, there can be no doubt that the time to get started is now. The CCPA may not be law just yet, but it’s never too early to prepare for the inevitable and waiting could come at significant cost in last-minute effort or even fines for failure to comply. Here are several steps you can take now on the road to compliance which, coincidentally, are integral parts of a full, professional compliance process.

Review and make notes

It may sound basic, but before we get into more technical steps and considerations, take a few moments to read up on exactly what the CCPA is and what it requires of you. As you read, make some notes for yourself to look back on for reference. Is there a part of the legislation you don’t understand? Write it down. Parts of the CCPA require that you take stock of processes and behavior within your own organization that you may not have enough information about yourself. Jot them down so you can look into them further. If you have any serious legal or security concerns after this step, consult with compliance experts for some guidance.

Map consumer data

Now to the juicy stuff. A professional compliance process will begin with a proper gap analysis and risk assessment, designed to find the specific points that are lacking for CCPA compliance. Even if you lack the technical or practical knowledge to perform this process properly yourself, you’ll want to cover a few activities that will make the risk assessment, and compliance as a whole, far easier.
The first is to map consumer data and understand how that data moves within your organization. What information is or has been collected by your organization? What methods do you use to collect it and how is it stored? What security measures have you put in place to keep it secure? Is that data shared or sold to other organizations? With your focus on providing a good service or product, these are questions you might not know the answer to. Now is the time to answer them and note them down.


Review privacy disclosures

Once you have a better idea of where and how consumer data flows within your organization, the CCPA stipulates that consumers themselves must be informed of your data practices at or before the point of collection. Update your privacy disclosures to reflect what you’ve learned and start to plan out the best ways to put them in front of consumers. Don’t forget to add a link to these documents on your website’s homepage.

Strategize for consumer requests

According to the CCPA, consumers have the right to make various requests regarding their data that you have to be ready to follow up on. They may ask to see what data of theirs you have stored and how it’s used. They can also request that their data be deleted and opt out of the sale of their personal information. Consider how best to facilitate such requests and have some ideas ready before you consult with compliance experts.

Inform the whole organization

While just preparing for the CCPA, you may not be able to tell your employees exactly what changes are going to be made as part of the compliance effort, but you should at least be able to tell them that certain changes are on the way. Once compliance is enacted, these workers will need to be aware of what’s required of them to uphold the law, and it’s best if that doesn’t come as a surprise.

Increase security measures

The CCPA puts the impetus for data protection on the organizations that collect and store it. Review your organization’s security measures and consider how they might be increased. The legislation does not stipulate specific security measures but does say these must be “reasonable.” The better you are able to protect consumer data, the less likely it is that you will find yourself in legal hot water.

The key to being prepared for the CCPA is awareness – awareness of what the law requires and awareness of your own organization. Compliance may be a legal matter first and foremost, but it is also a matter of organizational culture and mentality, calling on you to put the protection of your consumers high on your list of priorities. The CCPA and your entire organization should be looked at through this lens so that you are ready for compliance.


Well, it’s happening. After the introduction of the GDPR in Europe, it was only a matter of time before some jurisdiction in the U.S. took up the cause of data protection and privacy. That came in the form of the CCPA in California, which in turn, was expected to lead to data legislation in the other 50 states. Now, the first of these expected attempts is here, with Texas, the second most populous state in the U.S. after California.

Like the CCPA and GDPR, the Texas Consumer Privacy Act (TXCPA) is all about creating a basic layer of regulation around the use of data that empowers consumers and gives them some control over the information they generate and that companies profit from. In fact, the TXCPA is very similar indeed to the CCPA, with a few general differences that we’ll mention here:

  • It hasn’t been passed yet – The TXCPA is still just a bill at this stage, which means there could be changes made between now and when it would come into force on September 1, 2020. It could technically be scrapped altogether, but overall trends suggest that data regulation will make it through in one form or another.
  • Texas legislation is split into two bills – The TXCPA is actually just one part of the data regulations that Texas is considering, with the Texas Privacy Protection Act (TXPPA) being the other. In many areas, the two bills overlap and repeat one another but together they cover many of the same principles as the CCPA, including transparency clauses regarding the use of data and gaining consent from consumers to process their data.
  • The scope of the TXCPA is different – As legislation from Texas, the TXCPA and TXPPA target businesses of a certain size (measured in profits and the number of consumers they process data from) that operate in Texas. Many, but not all of the businesses that are included in the scope of this legislation will be the same ones that had to handle CCPA, and possibly also GDPR compliance, due to the often global nature of data-driven businesses. 

How you should prepare

At this stage, before the passing of these bills into law, full-on, certified compliance isn’t possible. But you can start preparing your organization rather than leaving it for later. We suggest you read up on the CCPA to understand the overall concept and get an idea of what will be required of you.

But beyond informing yourself, you can start to take some meaningful action – action that will no doubt benefit your organization regardless of the TXCPA. First and foremost, you should adopt ISO 27001 as a baseline framework for how your organization handles data. Though not a government-mandated regulation in most areas, ISO 27001 is an industry standard and, as we’ve discussed before, has served many California companies as a great base to build on to achieve CCPA compliance.

Similarly, approaching the TXCPA through the lens of ISO 27001 will put your organization ahead of the curve no matter what changes are or are not made to these bills as they currently stand.

If you do embark on a readiness project, consulting with compliance experts is the best way to go. The first step is performing a risk assessment and gap analysis for your organization to determine exactly where and in what ways you might fall short of what’s expected from the TXCPA. Experts can help guide you through that process and make sure you’re on the ball and getting it done right.

Even more important, a dedicated compliance team can start to help you address the technical aspects of the TXCPA rather than focusing on documentation alone.


With the California Consumer Privacy Act (CCPA) about to come into force on January 1, 2020, it’s time for all liable organizations to hit the gas on compliance. If you haven’t started yet, you should be aware that failure to comply could result in financial penalties in the form of damages paid to consumers and/or fines paid to the state.

Luckily, a fair number of organizations in California that fall under the scope of the CCPA have already encountered something like it in Europe’s General Data Protection Regulation (GDPR). In fact, the GDPR is in many ways a parent legislation to the CCPA, heavily influencing its drafting and development.

For organizations that are already GDPR compliant, that means a simpler, quicker and cheaper road to CCPA compliance. But be careful: the GDPR and CCPA are not identical by any means. You absolutely must dedicate some time, energy and resources to understanding the CCPA and bringing your organization into compliance with its stipulations.

But what are they exactly? If you’re already GDPR compliant, what’s left to do? Let’s discuss three key differences in these regulations and how they impact the actions you’ll have to take to become CCPA compliant:

  1. Scope

One of the most obvious differences is which organizations these regulations target and which consumers they are meant to protect. The GDPR applies to any and all organizations (be they based in the EU or abroad) that process the data of Europeans. The CCPA targets only for-profit, California-based businesses and Californian consumers. This is why businesses like yours can be expected to comply with both sets of regulations.

And what does this mean for what’s required of you? You will have to map your data and processes regarding Californian consumers. You already did it for the GDPR, and the mapping required in Europe is usually similar if not identical to that required for the CCPA. Now you just need to follow the same process in California, creating a map of what’s being saved where and the processes involved.

  2. Privacy policies

California law already requires that companies maintain written privacy policies. The GDPR does as well, but gets detailed about how such policies should look and how they should be made available to consumers. The CCPA doesn’t include such strict stipulations, but does require that you issue an update to your privacy policies at least once every 12 months. Generally speaking, the privacy policy you established to meet the needs of the GDPR will fulfill the requirements of the CCPA as well. Now you need to put a protocol in place to review and update it every year.

  3. Opt-in/opt-out

While both pieces of legislation aim to put more power in the hands of consumers when it comes to the data they generate online, they do it in slightly different ways. The GDPR requires that consumers knowingly opt in to having their personal data collected and used, whereas the CCPA requires that consumers have the option to opt out of these activities.

That means taking the opt-in mechanism you established for European consumers and applying it with small adjustments to meet the opt-out nature of the CCPA to your Californian consumers.

Generally speaking, the GDPR is more ambitious than the CCPA, creating a situation in which many aspects of GDPR compliance will more than fulfill the stipulations of the CCPA. However, there are several small differences, like those detailed above, that require action on your part. Luckily, as we can see in cases where differences exist, being GDPR compliant will be a huge advantage as you approach the CCPA.

Whatever the case may be, your first step towards CCPA compliance should be the performance of a gap analysis and defining precisely in what ways your organization needs to adjust to the CCPA. The best way forward is always to consult with compliance experts to avoid mistakes and give yourself some valuable peace of mind.


Enforcement of the California Consumer Privacy Act (CCPA) is just around the corner, coming into effect on January 1, 2020. Compliance with this important piece of legislation is becoming ever more urgent as this deadline nears. If you haven’t already made plans to bring your organization into compliance with the law, now is the time to get started.

Luckily, you may not have to start entirely from scratch. While the CCPA is an entirely new initiative for California and the first of its kind in the U.S. designed to protect consumers against data misuse and privacy violations, many of its stipulations are not entirely foreign in their substance to businesses that handle consumer data.

That’s because the vast majority of businesses that handle consumer data have already encountered ISO 27001, an industry standard dealing with information security. Though not required by law, many customers and even some investors expect to see that an organization is compliant with ISO 27001 to trust in its ability to conduct itself in a secure manner.

So, what does ISO 27001 have to do with the CCPA? Surely the new legislation is closer to Europe’s GDPR, the data security legislation that inspired the CCPA? The short answer is yes, the CCPA is similar to the GDPR in many respects although even there, compliance with one does not equal compliance with the other.

What’s more, the GDPR is only relevant to businesses that handle the data of European citizens. Companies operating out of California, where the CCPA will come into force, have not necessarily encountered the GDPR. Instead, these companies can look to ISO 27001 as a platform to build on and achieve CCPA compliance. And if you aren’t ISO 27001 compliant already, this is your chance to kill two birds with one stone and get CCPA compliance done at the same time.

It’s important to note that being compliant with ISO 27001 absolutely does not mean you are already CCPA compliant. But there is enough of an overlap to make ISO 27001 a solid base from which to progress towards CCPA compliance. Here are some examples of this helpful overlap:

  • Privacy policy – If you’re already ISO 27001 compliant, a small update to your publicly-available security policies is all that’s necessary. If not, you’ll need to write them from scratch, and writing them to follow CCPA requirements is hardly any extra work.
  • Processes and procedures – The CCPA requires proof that a number of processes are in place in your company. How do you prove that these processes have been established? By putting them in writing as formal procedures that can be taught to new employees and repeated throughout the company. Luckily, ISO 27001 requires a set of written procedures that closely, though not perfectly, match the CCPA-required processes. This is true of important items like information security policy, third-party/vendor information security and HR procedures. Take note, however, that while ISO 27001 gives you a solid base for proving some processes, the CCPA requires others that are not a part of ISO 27001 at all.
  • Inventory and classification – ISO 27001 requires that you take a full inventory of your assets and classify the information you gather. Though not specifically required by ISO 27001, you can define all PII as data assets to meet one important clause of the CCPA.

By approaching the CCPA through the lens of ISO 27001, you can save your organization valuable time and effort that you might otherwise spend on achieving compliance with each individually. As such, the systematic process used to achieve ISO 27001 compliance can be applied to the CCPA.


You need to be GDPR compliant, but it doesn’t have to be overwhelming or confusing. Here are the 10 steps you’ll have to go through to get there.

For any extra assistance, you are welcome to book a free consultation call with our team. We will be happy to help.


Nearly two years since its introduction, businesses are growing accustomed to the European Union’s General Data Protection Regulation (GDPR), a piece of legislation that puts power back in the hands of consumers when it comes to how their own data is used and who has it. Compliance with the GDPR may have seemed like a nuisance to begin with, but everyone has quickly seen that the penalties for failing to comply are too heavy to ignore and GDPR compliant businesses earn greater trust from consumers anyway.

It’s a little bit of extra work, but well worth it. The success of the GDPR and the recognition that the questions surrounding the use of data cannot go unanswered any longer have driven other jurisdictions towards relevant regulation as well – most notably California, the world’s third-largest economy and author of the California Consumer Privacy Act (CCPA).

But the CCPA isn’t a carbon copy of the GDPR. The world’s leader in the data industry has its own ideas of how to start addressing the topic of data use and privacy. As with the GDPR however, businesses are going to find that the CCPA is not a regulation to ignore or take lightly. So, before it comes into effect on January 1, 2020, what are the differences between the two and what do businesses need to know about the CCPA?

Who needs to be CCPA compliant?

Europe’s GDPR is generally considered to be broader and more ambitious in scope than the CCPA – a characteristic that can be seen in stipulations regarding which businesses must comply. The GDPR applies equally to all businesses, European or otherwise, that process the data of EU citizens. African, Australian, Asian and American businesses must all comply with the GDPR if they intend to process and profit from the data of Europeans.

The CCPA, on the other hand, applies strictly to California-based businesses, and only to businesses earning more than $25 million annually or those whose primary business is the sale of personal information. Even if none of these apply to you, the CCPA should still be followed closely, as it impacts and relates to future data regulation.

What CCPA means for the future

The CCPA’s impact on the future of data regulation could be significant, in fact. While it may not be as robust as the GDPR, the CCPA is seen by many as just the first step in regulated data protection, meant to introduce California and the U.S. as a whole to a workable framework to address the urgent issue of data usage and protection.

The same way the general outline of the GDPR has influenced the CCPA, the CCPA is expected to impact legislators throughout the U.S. and possibly even abroad as data protection becomes an ever-more immediate concern. The CCPA, which goes into effect on January 1, 2020, specifically addresses American concerns over cases like that of Facebook and Cambridge Analytica while the GDPR, which came into force in 2018, took a broader stance in trying to foresee future issues that may arise as well.

The price of non-compliance

One of the biggest differences between the two pieces of legislation is how they allot penalties for non-compliance and violations. Under the GDPR, businesses may be fined as much as 4% of annual global turnover or 20 million euros (whichever is greater). Sanctions may also be applied to a company under the GDPR simply for being at risk of a breach or behaving irresponsibly.

The CCPA, on the other hand, mandates fines per violation, up to $7,500 for each. The total cost of penalties is limited only by the number of violations discovered and, while still subject to change before enforcement in 2020, there is currently no threat of sanctions for non-compliance. Notably, violations are only considered violations at the point of breach, which proponents of the GDPR model believe is too late.

Consumer rights

Finally, the CCPA and GDPR differ on some of the specifics regarding the rights granted to, and protected for consumers. For example, while the GDPR requires that consumers opt-in to allowing their data to be stored and/or sold, the CCPA instead requires that companies give consumers the ability to opt-out.

There is one important similarity between the GDPR and CCPA that should be mentioned: both directly address encryption. Though both regulations keep most stipulations broad to allow for some flexibility and changing technologies, both feature articles with technical stipulations for responsible encryption of data, meant to reduce the likelihood of data being compromised even in the event of a breach.

Such specific requirements addressing technical aspects of security highlight the importance and urgency of adopting more rigorous security practices across the entire data industry. After all, regulations like the GDPR and CCPA are not only important to keeping your business out of trouble, they are crucial to creating a healthy data ecosystem backed by good practices and security.


When the topic of online privacy comes up, one of the most common arguments you’ll still hear is, “I’ve got nothing to hide, so it doesn’t matter to me who has my data or files.” While this kind of statement has always been problematic, there are new developments that reveal this kind of thinking as downright dangerous for the future.

According to a report in The Financial Times, an Israeli security company called NSO has the key to break into popular cloud storage services like iCloud, OneDrive and Google Drive. Even more concerning, the report claims that NSO is advertising and possibly selling this knowledge to governments around the world as part of its Pegasus software.

The company has directly denied marketing or providing the ability to crack encryption on cloud services, but it said nothing about having the technical capability itself. According to The Financial Times, the Pegasus software has been identified installed on devices beyond the internal scope and boundaries of NSO. If true, NSO has either sold or given away its software while lying about it, or the software was somehow stolen. Both scenarios are cause for serious concern.

For proponents of the “I have nothing to hide” mentality, this may not sound too alarming at first glance. As long as these technological tools are going to responsible governments and not malicious cyber criminals, it’s only criminals that have something to fear, right?

At first, perhaps. But this case gives rise to several considerable worries:

  • How long will the ability to breach the cloud remain in the hands of government alone?
  • What governments is this ability being sold to?
  • What happens when new leaders emerge in a rapidly evolving political situation with new ideas about how to use this technology?

In the end, if one person or institution can access everything on the cloud, then anyone can with a bit of time and effort. To those who don’t mind if your government sees what you’ve stored on the cloud, we say this: it doesn’t matter what you as an individual have there, it matters what everyone as a collective has stored there.

Governments with the ability to access all your files and documents are unlikely to use them against you as an individual unless you’re directly involved in criminal proceedings. But the fact that governments seem to be in the market for such technology suggests that at least some of them want the capability of quietly gathering and storing data on entire populations that can be used in all kinds of nefarious ways. You may not notice it right away if your government has access to the information you’ve stored on the cloud, but it doesn’t bode well for the future as digital dictatorships become an increasingly realistic possibility.

But it’s not all doom and gloom – not yet, at least. Google told Inc.com that they have not thus far found any evidence that their cloud services have been compromised. While it’s unclear exactly how NSO might have technically succeeded in breaking encryption for cloud services, it is known that they would have to have root access to your device to break into your cloud storage, which makes it highly unlikely your cloud storage could be penetrated without physical access to your device (e.g. if it were confiscated by police or an intelligence agency).

But that may not be the case forever, and there are larger issues to consider. Companies who gather and control big data may not always have your privacy in mind when they sell it to third parties, but they are subject to the law and the forces of the free market. The forces restraining government are often far more tenuous.


Headed out on vacation this summer? If you haven’t made it yet, you still have some time. Grab your passport, wrangle the kids into the car for a road trip or just head to the beach for a few days to soak in some sun – but not without taking the necessary precautions. Travelers insurance is always handy, sunscreen will protect your skin in the long run and it’s a good idea to know what number to dial to reach the police in whatever country you’re traveling to.

It’s common sense to take these steps to protect yourself, right? Then it should also be common sense to protect yourself in cyberspace this summer. After all, when we travel and have new experiences, our guard is down and our thoughts are on other things, which is the perfect opportunity for a hacker to compromise your online presence, just like a pickpocket trying to get your wallet. Here are a few tips and things you should be aware of in order to reduce your vulnerability.

1. Fake Wi-Fi

Fake news may be all the rage these days, but did you know there is fake Wi-Fi as well? Especially while traveling, you’re likely to connect to every free Wi-Fi access point you can: at airports, cafes or other places of business. Generally speaking, these places do offer legitimate internet connections to their customers and, without password protection, to anyone in the vicinity. But malicious players are well aware, and they’ve thought of ways to take advantage.

Data thieves sometimes set up fake Wi-Fi access points under names similar to nearby businesses and known access points so that users might trust it and log on, believing it to be the proper connection. While browsing with these Wi-Fi connections however, criminals can intercept any data that passes between your device and your social media accounts or even your bank. More sophisticated attacks can even trick your device into automatically connecting, believing it to be a recognized Wi-Fi connection.

Protect yourself by asking the business for the name of their Wi-Fi SSID or installing VPN software onto your device for encrypted connections.

2. Password protection

How many passwords do you have to remember in order to access your online accounts? 10? 50? Maybe more? Whatever your number, most people use at least dozens of different websites that require unique passwords to login. That’s why many people also use the same password for everything, but that means hackers who get your password for one site can then access them all.

Protect yourself by using a password vault so you only need to remember one strong password, using 3-4 different passwords for different kinds of sites and apps, changing your passwords every few weeks and using two-factor authentication whenever and wherever you can.

3. Don’t be the phish

If you’re going fishing this summer, you want to catch fish, not be caught like one – and that means being aware of what’s in your inbox. Attackers try to induce you to open malicious emails with alarming subject lines, or by sending you messages from a friend’s compromised account.

Protect yourself by being on the lookout for suspicious elements in emails. Don’t open emails from unknown individuals you weren’t expecting to receive and watch out for links that may appear to be from well-known domains at first glance like amaz0n.com.
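The look-alike check described above, as an added example that is not part of the original post: it folds digit-for-letter substitutions (the amaz0n.com pattern), catches a trusted name reused as the leading labels of another domain, and flags one-character typos, all against a constructed allow-list of trusted domains.

```python
"""Look-alike domain check for sender addresses and links in an email body.

Added example; TRUSTED_DOMAINS and the sample message are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation trusts (assumption for the example).
TRUSTED_DOMAINS = {"amazon.com", "paypal.com", "example-bank.com"}

# Digits and symbols commonly substituted for letters in look-alike names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                             "5": "s", "7": "t", "8": "b", "@": "a", "$": "s"})


def normalize(domain: str) -> str:
    """Lower-case and fold confusable characters so that amaz0n.com -> amazon.com."""
    d = domain.lower().strip(".")
    d = d.replace("rn", "m").replace("vv", "w")  # two-letter visual look-alikes
    return d.translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the usual dynamic-programming row update."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one host name."""
    d = domain.lower().strip(".")
    # Exact match or a genuine subdomain such as mail.amazon.com.
    if d in trusted or any(d.endswith("." + t) for t in trusted):
        return "trusted"
    norm = normalize(d)
    for t in trusted:
        if d.startswith(t + "."):        # amazon.com.verify-order.test
            return "lookalike"
        if norm == normalize(t):          # amaz0n.com, paypa1.com
            return "lookalike"
        if edit_distance(d, t) <= 1:     # amazn.com, amazon.co
            return "lookalike"
    return "unknown"


def scan_message(sender: str, body: str):
    """Classify the sender's domain and the host of every http(s) link in the body."""
    results = []
    sender_domain = sender.rsplit("@", 1)[-1].strip("<> ")
    results.append((sender_domain, classify_domain(sender_domain)))
    for url in re.findall(r"""https?://[^\s<>"']+""", body):
        host = urlsplit(url).hostname or ""
        results.append((host, classify_domain(host)))
    return results


# Constructed sample message: spoofed sender, one bait link, one genuine link.
SAMPLE_SENDER = "Amazon Support <noreply@amaz0n.com>"
SAMPLE_BODY = ("Your order is on hold. Confirm at https://amazon.com.verify-order.test/login "
               "or visit https://www.amazon.com/orders for details.")

if __name__ == "__main__":
    for host, verdict in scan_message(SAMPLE_SENDER, SAMPLE_BODY):
        print(f"{verdict:9} {host}")
```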

4. Don’t post just to post

Social media is an amazing tool, but it can also make you vulnerable to dedicated and determined attackers. Avoid posting about your vacation until you get back so others won’t see you’re away and might be vulnerable to attack or even real-life home invasion. Posting personal information on social media could also give ammunition to attackers sending out phishing emails.

Protect yourself by simply being mindful of what you post.


Malware attacks are growing more and more numerous. They find most success against those with little protection, but they are also overwhelming endpoint security measures using various methods that are always evolving and improving, just like endpoint security measures themselves.

Learning how to challenge this growing threat means understanding what attackers are actually doing and how. Here are 6 ways attackers are using malware to bypass or otherwise overcome endpoint protection security.

1. Script-based attacks

Typical endpoint protection security defends against breaches primarily when new files are introduced into a system, like when new software is installed. Script-based attacks, however (also known as “fileless” attacks), make use of existing software like PowerShell and other system components, circumventing this crucial point of security. These kinds of attacks have a higher success rate than almost any other, and are among the most difficult to spot. The key is to identify uncommon operations being executed by common applications.
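One concrete form of "uncommon operations by common applications" is a document handler or mail client spawning a script host; the detector below, an added example not taken from the original article, flags such parent-child pairs in process-creation events and then follows the flagged process's descendants by PID. The log format is a constructed Sysmon-like record, so adapt the regex to your own EDR's fields.

```python
"""Flag document applications that spawn script hosts, and the processes those hosts spawn.

Added example; the log format and sample events are constructed for illustration.
"""
import re

EVENT_RE = re.compile(
    r"ts=(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
    r"image=(?P<image>\S+) parent=(?P<parent>\S+) user=(?P<user>\S+)"
)

# Constructed sample events: a normal mail/document workflow, a user-launched shell,
# a service child, and a macro-style chain winword.exe -> powershell.exe -> regsvr32.exe.
SAMPLE_LOG = """\
ts=2024-03-01T09:12:03Z pid=3100 ppid=900 image=outlook.exe parent=explorer.exe user=alice
ts=2024-03-01T09:14:27Z pid=3980 ppid=3100 image=winword.exe parent=outlook.exe user=alice
ts=2024-03-01T09:14:41Z pid=4412 ppid=3980 image=powershell.exe parent=winword.exe user=alice
ts=2024-03-01T09:14:42Z pid=4420 ppid=4412 image=regsvr32.exe parent=powershell.exe user=alice
ts=2024-03-01T09:20:10Z pid=5010 ppid=900 image=powershell.exe parent=explorer.exe user=bob
ts=2024-03-01T09:25:55Z pid=5200 ppid=600 image=svchost.exe parent=services.exe user=SYSTEM
ts=2024-03-01T09:30:02Z pid=6100 ppid=6000 image=mshta.exe parent=excel.exe user=carol
"""

# Document handlers and mail clients that have no ordinary reason to launch a script engine.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Script engines and system utilities that fileless attacks commonly run.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "cmd.exe"}


def parse_events(text: str):
    """Parse one record per line; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def suspicious_chains(events):
    """Return findings for document apps spawning script hosts and for every descendant
    of a flagged process (tracked by PID, so a shell the user opened is not confused
    with one a macro opened)."""
    findings = []
    flagged_pids = set()
    for e in events:
        image, parent = e["image"].lower(), e["parent"].lower()
        if parent in DOCUMENT_APPS and image in SCRIPT_HOSTS:
            reason = f"{parent} spawned script host {image}"
        elif e["ppid"] in flagged_pids:
            reason = f"descendant of flagged pid {e['ppid']}"
        else:
            continue
        flagged_pids.add(e["pid"])
        findings.append({"ts": e["ts"], "user": e["user"], "pid": e["pid"],
                         "image": image, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in suspicious_chains(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']} {f['user']:6} pid={f['pid']} {f['image']}: {f['reason']}")
```

bob's explorer.exe-launched powershell.exe is deliberately not flagged: the rule keys on the unusual parent, not on the script host itself, which keeps the alert rate tolerable on machines where administrators use PowerShell daily.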

2. Hosting malicious sites on popular infrastructure

Phishing attacks have always relied on deception for success, and one of the best tricks (and one of the simplest) used by attackers is to host malware on infrastructure that people tend to trust or that can’t be blacklisted by traditional security methods at all. Google Cloud is one such example, and attackers are even using platforms like GitHub for their nefarious purposes. Command-and-control servers can also be hosted on these legitimate platforms, even benefiting from their built-in encryption features. Just like with script-based attacks, defense in this case means being able to spot unusual activity. Here, it is usually masked as normal communication but happens at unusual times.

3. Poisoning legitimate applications and utilities

Successful breaches, if they go undetected, can often lead to further threats. Attackers who manage to gain access to a business, for example, can then access all the third-party apps and tools used by employees, installing backdoors and other malicious code there. Open-source code is especially vulnerable to this, since attackers can hide nefarious code within legitimate bug fixes or software improvements that get reviewed and accepted.

4. Sandbox evasion

Think your sandbox keeps you safe? Well, it certainly helps, but a decent hacker can find a way around this protection as well. Malware can be engineered to be quite dynamic, only activating outside the sandbox or when interacting with a real person, for example. Any delay in detonation within the sandbox can also be a liability, allowing malware to spread elsewhere before it’s destroyed.

5. Unpatched vulnerabilities

Sometimes, it’s just hard to keep up. Much of cybersecurity requires ongoing care and attention in the form of software patches and updates that include fixes to vulnerabilities. But not everybody is on top of their patches, and the result is countless machines operating on unpatched software that includes all the old vulnerabilities. Malware doesn’t need to bypass something that isn’t there – it can shoot straight and get direct access.

6. Taking down the security agents

There are a lot of endpoint security agents out there. Most machines are protected from multiple sources. But, unfortunately, even the security agents meant to protect can be taken down. Each agent may cover and protect a different area, but they also often overlap with one another in an inefficient manner. What’s more, any security agents installed on an already compromised machine can be taken down from within. If patches and updates to these agents aren’t constantly being installed, there is a window of opportunity for the right attacker at the right time.

Hackers and attackers are working hard to be at the top of their game. We have to do the same, and that starts by looking at the 6 potential risk areas above.


Everyone has been talking about artificial intelligence since the mid-90s, if not earlier, but AI is only just now starting to develop as a breakthrough technology with foundations in reality. While it’s only now coming onto the scene in a significant way, it’s already safe to compare AI to the internet and smartphones in terms of its transformative potential.

AI has potential applications and uses in just about every industry and activity you can think of. With time, we may even find ourselves having complex relationships with AI. But let’s not get ahead of ourselves. For now, we’ll settle for making basic AI tools work for us.

In the cybersecurity industry, putting AI to work represents a cosmic leap forward in digital safety – at least in theory. Some cybersecurity AI tools are already in use and they’re only getting more sophisticated with time. AI could represent a quantum leap for the good guys in the arms race against hackers, allowing for tighter security provided by fewer personnel.

Smart firewalls

The most obvious advancement that AI offers to cybersecurity experts that could be prevalent in the near future is smart firewalls. These important defenses currently require manual management, but AI-enhanced firewalls bring things to a whole other level, removing a significant amount of human input from the equation.

By giving firewalls machine learning, much of the routine event monitoring and first-line response currently handled by humans could be automated. This reduces the need for constant attention from a trained analyst and cuts down on human error, though it does not eliminate error: a model is only as good as the traffic it was trained on, and its mistakes are machine errors rather than human ones.

These firewalls could recognize threats more reliably and much faster than humans by learning the patterns of normal web requests and blocking the ones that deviate from them automatically. And it’s not just firewalls; the same principle could be applied to cybersecurity in a number of different ways, ushering in a new era of security that attackers would find harder to get around. Harder, not impossible: attackers probe and adapt to classifiers just as they do to signatures, so the models need retraining as traffic changes and a human review of what gets blocked.

AI could also put experts an extra step ahead by giving them unprecedented information on cyber threats and how they originate. In fact, the technology to accomplish this is already in existence. Bots and other AI tools are already scanning publicly-available data online and analyzing it in meaningful ways. This will surely be adapted for use in cybersecurity in the near future.

No need for passwords

Though slightly more futuristic, AI may soon make passwords obsolete altogether. Passwords are one of the main ways users are able to protect their information online today, but they are cumbersome, annoying and often vulnerable to attack, exposing entire systems to the right (or wrong) cyber threat.

Various forms of AI could be brought together to identify users in better ways. Passwords are like the key to your house: anyone who has it can get in, and a copied key works as well as the original. Facial recognition, fingerprints and speech analysis could provide a more convenient and, in many cases, more secure way to access your accounts and information online. Biometrics have a weakness of their own, however: unlike a password, a fingerprint or face cannot be changed if the stored template leaks, so they work best as one factor alongside something the user holds rather than as a drop-in replacement for passwords.

Similar tools could build a baseline of your normal activity online and send an alert whenever there is a serious deviation from it that may indicate a threat, such as a login from a new country followed by a bulk download. In short, AI promises that you’ll need to be less alert than today and yet you’ll still be more secure.
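The two ideas above, recognising patterns in web requests and alerting on a serious deviation from regular behaviour, come down to the same thing: a baseline of what normal looks like and a score for how far a new observation sits from it. The added Python example below (not the page’s code, and not a product) does exactly that with plain statistics over constructed log lines in the common combined-log format; the client addresses, paths and threshold are assumptions for the illustration.

```python
"""Baseline-and-deviation scoring over constructed web-server log lines.
Added illustration; the traffic below is generated for the example."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Combined-log-format line, e.g.
# 10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
PATHS = ["/", "/index.html", "/about", "/login", "/api/items"]


def make_lines(ip, minute, n, status=200, error_first=False, paths=PATHS):
    """Construct n log lines for one client within one minute (sample data, not real traffic)."""
    lines = []
    for i in range(n):
        st = 404 if (error_first and i == 0) else status
        lines.append(f'{ip} - - [01/Jan/2024:10:{minute:02d}:{i:02d} +0000] '
                     f'"GET {paths[i % len(paths)]} HTTP/1.1" {st} 512')
    return lines


def features(lines):
    """Per (client, minute) window: request count, error ratio, distinct paths."""
    windows = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed lines are skipped rather than scored
        minute = m.group("ts")[:17]  # '01/Jan/2024:10:00' -> one-minute bucket
        windows[(m.group("ip"), minute)].append((m.group("path"), int(m.group("status"))))
    out = {}
    for key, reqs in windows.items():
        errors = sum(1 for _, s in reqs if s >= 400)
        out[key] = {"count": len(reqs),
                    "error_ratio": errors / len(reqs),
                    "distinct_paths": len({p for p, _ in reqs})}
    return out


def fit_baseline(train_feats):
    """Mean and standard deviation of each feature over known-good windows."""
    base = {}
    for name in ("count", "error_ratio", "distinct_paths"):
        vals = [f[name] for f in train_feats.values()]
        base[name] = (mean(vals), pstdev(vals) or 1e-9)  # guard zero variance
    return base


def score(feat, base):
    """z-score of each feature against the baseline."""
    return {n: (feat[n] - mu) / sd for n, (mu, sd) in base.items()}


def anomalies(test_lines, base, threshold=3.0):
    """Return {(ip, minute): [features beyond threshold]} for deviating windows."""
    flagged = {}
    for key, feat in features(test_lines).items():
        hits = [n for n, z in score(feat, base).items() if abs(z) > threshold]
        if hits:
            flagged[key] = hits
    return flagged


# Constructed training traffic: three clients, five quiet minutes each,
# one client that gets the occasional 404.
TRAIN = []
for ip, counts, err in (("10.0.0.5", [4, 5, 6, 5, 4], False),
                        ("10.0.0.6", [5, 5, 4, 6, 5], True),
                        ("10.0.0.7", [6, 4, 5, 5, 6], False)):
    for minute, n in enumerate(counts):
        TRAIN += make_lines(ip, minute, n, error_first=err)
BASELINE = fit_baseline(features(TRAIN))

# Constructed test traffic: one normal client and one that sprays forty
# distinct admin paths in a minute, getting 404 on all of them.
TEST = make_lines("10.0.0.5", 10, 5)
TEST += make_lines("203.0.113.9", 10, 40, status=404,
                   paths=[f"/admin{i}" for i in range(40)])

if __name__ == "__main__":
    print(anomalies(TEST, BASELINE))
```

A z-score threshold of 3 is a deliberately blunt instrument; real deployments need baselines per endpoint or client population, retraining as traffic changes, and a human look at what the model blocks, since the attacker can also adapt to the model.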

The biggest challenge of AI technology is cost. Small businesses and organizations are the prime target for cyberattacks today because hackers know they are the least likely to have robust defenses in place. They are also the least likely to be able to afford advanced AI solutions. In time, the technology is likely to become cheaper and more accessible, but until then, smaller businesses focused on growth and survival in a competitive global market may be left behind.

Is AI the future of cybersecurity? Almost certainly. AI is set to transform the world in countless ways and cybersecurity is no exception. The road to get there may not be smooth, however, and traditional solutions are going to be a commonplace necessity for many entities for years to come.

Reading Time: 2 minutes

Healthcare is perhaps the industry most vulnerable to cyber threats at this time. The value of medical records on the black market has painted a large target on healthcare infrastructure; several factors unique to the industry make effective cybersecurity particularly challenging; and the consequences of a cyberattack are more serious in healthcare than anywhere else.

Unless significant action is taken, it does not appear that this situation will be rectified anytime soon. And yet, like everything else, cyber threats are always evolving and changing. While the healthcare system is likely to remain at risk in the near future, the type of risks it faces are in flux. Anybody trying to help tackle these serious issues should be keeping their eyes on these cybersecurity trends currently changing the nature of the threats to healthcare.

A lack of boundaries between personal and business activity

Doctors and other practitioners are increasingly, and understandably, succumbing to pressure to use every tool available at work, even personal ones. Tablets, smartphones and laptops from home are being brought into the workplace and connected to the networks and systems there. On one hand, this can save clinics and hospitals the cost of providing devices and can even make practitioners more efficient at their jobs, but the price is a much larger attack surface: every unmanaged device that connects is a potential entry point to the sensitive data on whatever systems it reaches.

What’s more, personal email accounts are being used for work-related tasks and vice versa. This mixture of activity makes it increasingly difficult to keep everything secured, and healthcare employees are often entirely unaware of the risks and how to mitigate them.

Even better phishing attacks

Phishing attacks are on the rise and they’re getting more and more sophisticated, fed by your everyday activity online. In the same way companies like Facebook and Google are able to show you targeted advertisements based on your searches and other online activity, phishing attacks are using the same principle to become more and more targeted.

The result is that they can often outsmart email spam filters and convince the untrained eye to open them. These increasingly effective phishing attacks are hitting the healthcare industry as well, where workers often aren’t trained to spot sophisticated attacks and are distracted by other complex tasks at work.

More stolen identities

Identity theft has always been a serious concern in cyberspace, but it has only gotten worse as more information is collected and attackers adopt more sophisticated tools to access personal data. The healthcare industry is bearing the brunt of this trend as well, since medical records are worth far more on the black market than social security numbers and credit card numbers.

Part of the solution to these troubling trends is increased education and awareness, so that practitioners and other healthcare workers are more likely to spot an attempted attack and report it. But they also can’t be expected to spend their days preventing cyberattacks when they need to focus on their real specialty: saving lives. The industry must invest in better tools, experts and developing new systems and methods of cybersecurity that can protect critical healthcare infrastructure.

Reading Time: 3 minutes

The healthcare industry is struggling, and not just with high costs or a shortage of practitioners. Healthcare has a cybersecurity problem. Reports and studies indicate that the healthcare industry is currently bearing the brunt of ransomware attacks while U.S. authorities in 2017 stated that cybersecurity in healthcare was in “critical condition.”

While cyberthreats to national power grids, financial institutions and even individual businesses are certainly troublesome and dangerous, the vulnerabilities in healthcare don’t just result in financial loss or political fallout; they could even result in the death of patients. So why aren’t things getting better? The constant small-scale attacks on healthcare systems that are usually prevented may go unnoticed, but there have also been several high-profile cases that have stressed the need for improvement, so what’s the holdup?

Well, just as the consequences of poor cybersecurity in healthcare are unique, so too are the challenges that must be overcome to make improvements. Here are some of the key risks and problems that have to be tackled:

  • Privacy vs. Safety – It’s not that healthcare institutions don’t have cybersecurity measures in place, many of them do. But, more often than not, they’re only focusing on half of the problem. Strict regulations on the privacy of patient data have many institutions implementing robust systems of defense to keep personal data safe. The same cannot be said for protecting the connected devices and networks in clinics themselves that help doctors treat patients. Regulation in this area is lax and/or vague, partly because of some of the other challenges in this list.
  • Everything is connected – Modern medicine relies on a countless number of separate, yet connected, medical devices. Did you know that even pacemakers can be hacked? This proliferation of connected but non-unified devices makes it difficult for clinics and hospitals to keep everything updated with the latest security measures or to monitor everything for signs of an attack. What’s more, medical devices are expensive, so even compromised devices are not easily replaceable. And what happens if an outdated or compromised device is the only possible tool available to save a life?
  • Focused on the patients – All practitioners are highly trained, but not in cybersecurity, which they often see as an administrative issue. They specialize in patient care and generally rely on others to give them the tools they need to work. Why does that matter? Because even hospitals with robust cybersecurity measures in place rely on doctors to update devices and spot suspicious activity, and all too often practitioners aren’t trained in either of these skills.
  • Personal devices – More and more doctors and nurses are being encouraged to bring their own personal devices to work as necessary. That includes personal smartphones, tablets, computers and other devices. This lowers administrative costs for the hospital and can make practitioners more flexible in their work, but every unsecured device that connects to any larger network is a vulnerable point, one that often isn’t accounted for.
  • Black market economics – Medical records sell for big bucks on the black market, painting a huge target on healthcare institutions. While these may sell for $50 apiece, a social security number or credit card number may only be worth $1. A hacker with money on the mind and a buyer is going to hit a poorly-guarded medical facility for data before trying anywhere else.

Finally, the industry needs to acknowledge the consequences of inaction. The worst-case scenario sees a massive attack taking down computers and devices at multiple hospitals at the same time, disrupting urgent operations or leading to mistaken, potentially fatal, diagnoses. But even what may seem to be a relatively minor attack could be disastrous. Even if an attack manages to simply disrupt the workflow in a clinic or hospital for a few hours, statistics show that death rates increase during that time period, the same way they increase when a marathon stops traffic and cuts down response time.

Many institutions have some form of protection in place. But an increased investment in training staff by cybersecurity experts will help guide institutions down a safer and more secure path. The only other option is an insecure future.

Reading Time: 2 minutes

The power of big data is evident today in a wide range of industries and businesses, but nowhere are the implications bigger than in healthcare. After all, the healthcare industry isn’t primarily about profit, it’s about something far more important: saving lives. And big data is making healthcare providers far more efficient at doing just that.

Coupled with developing technology, big data is one critical factor that appears set to give the world better healthcare than we could have ever dreamed of just a few decades ago. Healthcare data not only helps track diseases and treatment, it can also help individuals track specific health conditions. Provided with such data, individuals may soon be able to anticipate certain illnesses before even experiencing any symptoms.

Good news, right? Of course. This tech boom in healthcare will inevitably result in longer, healthier lives for more people. But, as with other industries, this increasing dependency on tech has one vulnerability: cyberthreats.

There are few other industries that present such big targets to hackers and even governments. Healthcare data generally includes important and/or useful information about a population that could be used in countless nefarious ways. The WannaCry cyberattack on the UK’s healthcare system in 2017 wound up costing the government there roughly 92 million pounds. Perhaps worst of all, the attack temporarily shut down thousands of computers and healthcare facilities that depend on technological tools to treat patients.

This high-profile attack showed what’s at stake in healthcare cybersecurity. The NHS was running outdated and unpatched systems and generally was not practicing the highest levels of caution. While businesses in other industries are driven to maintain a high standard of security by the threat of lost profits, the stakes for healthcare providers are much higher – life and death, in fact.

But it’s not just high-profile attacks like WannaCry that are threatening the healthcare industry. In 2017, it was found that the healthcare industry bore the brunt of ransomware attacks – a full 34% of them. Indeed, it seems that healthcare is one of the industries currently most vulnerable to cyberthreats, and where the consequences are the most serious.

We’ll discuss how to rectify this trend in more detail in other posts. But, needless to say, healthcare companies and national systems must continuously invest in updating technologically and regularly testing their own defenses for vulnerabilities that could be exploited. Yes, malicious attackers are getting more and more sophisticated, but there’s no reason the good guys can’t stay one step ahead, especially with lives on the line.

Reading Time: 3 minutes

Everyday in the life of a startup is a hectic one. There’s just so much to do that a lot gets forgotten. If you’ve started a business before, you’re probably familiar at least with the long list of tasks ahead of you. Someone with less experience, however, may not even be aware of some things that need to be dealt with.

One common mistake is starting aggressive fundraising before ensuring compliance with important standards and regulations in your industry. At these early stages of your business, it’s easy to put off compliance or even see it as a nuisance eating up your time, but it really should be higher up on your list of priorities.

What is compliance?

Every business is legally bound by any number of government regulations that stipulate best practice in a given industry. These regulations are often meant to protect consumers and foster confidence. Then there are industry standards, which generally aren’t legally binding, but are critical for any growing business nonetheless.

The mistake often comes in thinking it’ll be easy to stay on the good side of these standards and regulations. It isn’t. Compliance with these documents often requires technical and legal expertise to understand complex clauses and cover all your bases. But the work that goes into compliance is well worth it. Sometimes a minor mistake could cause a major problem.

Why compliance is important early on

Another common mistake is imagining that compliance is best dealt with later in development, when you’ve got more resources to spare and start trying to reach a larger audience, which makes you more visible and more vulnerable. But running a business is often like riding a bike: you have to master the fundamentals before trying to do flips or riding without hands.

Compliance is crucial for investors. True, you might still be able to raise some funds with nothing more than a great concept and quality product, but crossing your T’s and dotting your I’s with compliance shows that you have more than just a fancy idea – you’ve also got a functioning responsible organization on your hands that investors can trust their money with.

In fact, many investors are likely to ask you point blank whether you comply with a few of the most important standards and regulations, like ISO 27001 and PCI DSS. Non-compliance in these areas could cost you important sources of funding. If you’re selling your small startup, on the other hand, buyers are going to expect you to have done your due diligence and to meet certain cybersecurity standards.

What’s more, the perception that your business is more vulnerable the larger it gets isn’t entirely true. Yes, there are more eyes on you and you become a bigger target for lawsuits, cyber attacks and all the other things standards and regulations aim to prevent, but you’re also more likely to have the reserves to weather such a storm as a larger business entity.

Small businesses are the most vulnerable technologically and everybody knows it, making you an easy target. Small businesses are also the most vulnerable financially, meaning that one bit of trouble could be the end.

Standards and regulations are meant to protect you from all of that, acting as a secure foundation for you to grow without constantly worrying about cyber vulnerabilities and legal trouble. Wouldn’t you rather have that out of the way early on (preferably before fundraising)?

Reading Time: 3 minutes

We tend to put off preventative measures whenever possible. Even when we know better, we often put ourselves in reactionary position against threats rather than taking a proactive, grab-life-by-the-horns approach. As an entrepreneur, it’s easy to understand how this happens: You’re swamped with other projects critical to your development and you’re probably trying to save cash where you can, waiting to take on some issues until they just can’t be put off any longer.

But when it comes to cybersecurity, that point may already be too late. If you adopt a reactionary stance to cyberthreats, you’re likely to find yourself in hot water with nothing to shield you from the consequences. Whatever plans you had in mind moving forward must then be sidelined as you try to weather the storm.

So, why let things get so out of hand? The vast majority of cyberthreats can be stopped before they begin simply by investing in cybersecurity services before you find yourself targeted in any way. Here are some of the different disasters that can be prevented by tackling cybersecurity early on:

Infrastructure damage

The most obvious is damage to the foundation of your business: its infrastructure. This could be an attack on your website, the destruction of important databases or even a virus that manages to corrupt all the computers in your workplace. This kind of cyber disaster essentially stops your development cold and forces you to take a 90-degree turn.

What went wrong? What is the extent of the damage? Can your hard work be recovered or will you have to spend time putting it all back together again? These are all questions you frantically ask yourself as it becomes abundantly clear that putting off any serious cybersecurity measures has cost you too much in your most precious commodity: time.

Financial damage

But cyberattacks and damages cost you in another significant way: your cash flow. The most important thing for any growing business is its bottom line – that’s why it’s called the bottom line. Cyberthreats not only incur costs to repair whatever damage was done; there is also mitigation to think about, those desperate attempts to minimize damage when damage has already been done.

On top of it all, any cyberattack causes significant disruption to your business operations, which inevitably has a direct impact on your sales and clientele. The question then becomes: for how long? If operations are disrupted for only a day or two, you’re one of the lucky ones.

Reputational damage

In today’s market, much rides on being perceived as a dependable and secure business. The general public is more wary than ever of companies mishandling their data, and most business clients will choose to work with the most reliable companies and products over less secure alternatives.

People across the globe are becoming exceedingly dependent on certain technologies and services, making it crucial that those technologies and services are safe. Being hit in an attack, even once, can have a detrimental impact on your reputation. This impact gets even worse if it becomes clear that you could have done more to prevent the attack, including cybersecurity measures and complying with safety standards and regulations.

Legal damage

In cases where your business wasn’t the only entity to suffer damage, or you’re found to be non-compliant with safety standards and regulations, you could find yourself in deep legal trouble on top of everything else. This may include expensive lawsuits or even government intervention in some instances.

Out of all these disasters, the legal one is perhaps the most feared by entrepreneurs, as it eats up resources for an indefinite period of time. Legal proceedings could take several months to reach a conclusion in the best of circumstances. Often, a cyberattack will result in all of the disasters listed above to one degree or another. The key to mitigating this risk is not reaction, but preemption.

Reading Time: 3 minutes

Information security is a top priority for anyone dealing with any kind of data these days. The general public has become more aware of this issue with public cases of attacks like that on Target in 2013 and privacy is valued by internet users more than ever. There are many ways to build up your security and protect the data under your control, but that security should begin with becoming ISO 27001 compliant.

ISO 27001 details the best business practices and system structures to guarantee you a solid level of information security, which can of course be expanded upon as your organization sees fit. Not only does this recognized industry standard give you solid footing in the security arena, it helps you build a trustworthy reputation and keeps you competitive against other companies that may or may not be offering the same level of security.

What is it?

ISO 27001 is a security standard published by the International Organization for Standardization (ISO), headquartered in Geneva. As the world’s largest developer of voluntary international standards, the organization counts the national standards bodies of 163 countries as members, has established over 20,000 standards and was one of the first organizations granted general consultative status with the UN Economic and Social Council.

While ISO 27001 is not binding or legally required of anybody, its globally recognized status gives it weight and legitimacy among businesses and institutions across member nations. The standard unifies various security controls used by different companies and organizations into one comprehensive framework that represents the best of these practices in one package. Specifically, ISO 27001 requires management to establish and maintain an information security management system (ISMS): a rigorous risk assessment, the selection and implementation of security controls to treat the risks identified, and ongoing review of both.

Why it matters

To put it lightly, you don’t want to be caught unprepared on the security front. Damages and cleanup from any significant breach can be enough to drag you down and hold you back while depressing trust and investment in your project. One sure way to guarantee that you’re on the right track is to become ISO 27001 compliant.

Especially in the business-to-business environment, and even with investors, you may be asked whether you are ISO 27001 compliant. These clients and investors want to know they can trust you to protect your own business and to take seriously the data you’re entrusted with. Becoming compliant usually means hiring experts to lead you through the process.

How to become compliant

These experts first examine current operations to find out what’s missing before constructing a comprehensive plan to move forward. The different points of this plan can vary greatly from company to company as each presents its own challenges depending on the relevant product and company culture.

Depending on the size of the company, full compliance may take 4-5 months to achieve and require 70-100 hours of investment from you and some of your employees, including senior managers, HR, IT, your CISO and CFO. Even if you employ an expert internally who can make sure you follow the stipulations of ISO 27001 in practice, an external, accredited certification body must perform an audit before you can hold a certificate; without that audit you are self-assessed, which carries far less weight with clients and investors.

Once you’re compliant, the future is yours! You can move forward with confidence that others can trust you and that you actually are in fact well protected.

Reading Time: 3 minutes

Depending on the size of your business and the product or service you provide, there are several kinds of regulations and standards you want to be in complete compliance with to both protect and guide your growth. Many of these will differ from business to business, but one of the most common standards that companies need to take into consideration is PCI DSS.

If your company stores, processes or transmits credit card information (common activities for any business using data to its advantage), compliance with PCI DSS borders on being an absolute necessity. In fact, it truly is a necessity required by law in some jurisdictions, making it a solid bridge between standard and regulation.

What is it?

But what is PCI DSS? For new entrepreneurs in particular, these kinds of technical hurdles can feel slightly overwhelming. And, after all, you have a grand vision you’re trying to implement for your product – one that probably has nothing to do with PCI DSS compliance. But whether you planned for it or not, PCI DSS is one of the “minor” details you have to take care of to turn your vision into a reality. So, here we go.

PCI DSS, or Payment Card Industry Data Security Standard, was created when Visa, MasterCard, American Express, Discover and JCB merged their separate security programs into one standard for the entire industry, in order to reduce credit card fraud. Version 1.0 was released in December 2004; in 2006 the five brands established the PCI SSC (Payment Card Industry Security Standards Council) to maintain and develop the standard.

Their efforts to establish a safer environment for credit card users were successful and took hold quickly. These days, compliance or non-compliance with PCI DSS has become a commonly cited indicator of how safe it is for a company to process card transactions.

Why it matters

Depending on your business and clientele, there’s a good chance that most of your customers won’t be investigating whether or not you’re PCI DSS compliant before making a purchase with you, but that’s trusting to chance – a chance that’s best not to take. Part of PCI DSS compliance is about maintaining a reputation for safety, especially as the general public becomes ever more aware of the consequences and implications of data security failures. All it takes is the right (or in this case wrong) person to discover that you aren’t compliant with this common industry standard to start throwing doubt on your organization.

This could impact not only your customer base, but your business partnerships as well, and believe or not, that’s not even the biggest reason PCI DSS compliance matters. What happens when (knock on wood) data is compromised and it is revealed that your business wasn’t protecting itself properly? What happens is big lawsuits and expensive legal proceedings that are nothing more than a barrier to your progress and growth towards your vision.

Compliance with a standard like PCI DSS has a positive impetus as well. Not only can you prevent calamity this way, you can build trust, keep yourself protected, maintain your competitiveness with others that are compliant and even let it guide some of your decisions. PCI DSS doesn’t only protect credit card users; it can also be seen as a group of best practices that you’d be smart to follow anyway.

How to become compliant

Another best practice is to consult compliance experts, usually from a Qualified Security Assessor (QSA) company approved by the PCI SSC, who can guide you through a thorough process to achieving compliance. PCI DSS includes 350 separate requirements that need to be met. Each one can be a challenge to one business or another, and compliance experts are in the best position to help you figure out the ins and outs of each.

The process of making your operations compliant is methodical and professional, including a comprehensive risk assessment and penetration tests before ending with a full PCI audit. While time and investment depend greatly on the size of a company, the full process may take roughly 6-8 months and require the availability of your information security officer and your infrastructure and application staff.

In the end, you validate compliance according to one of four merchant levels, defined by the number of card transactions you process annually. The level sets how you validate rather than what you must do: Level 1 merchants need an on-site assessment by a QSA and a Report on Compliance, while smaller merchants typically validate with a Self-Assessment Questionnaire (SAQ), with the exact requirement set by your acquiring bank.

You’re doing the right thing by educating yourself on the topic of PCI DSS compliance. It’s not something you want to go without, and you don’t need to. There’s a clear and established path to compliance that will make your business stronger and more resilient. All that’s left is to get started.

Reading Time: 2 minutes

Every company is different, and therefore has different needs when it comes to compliance. What do you need to comply with and what’s the best way to do it? That mostly depends on what industry you’re in, what kind of product or service you offer and even to some degree the character of your business.

Having said that, there are two established standards that almost every business should know something about. Ideally, you shouldn’t only be aware of them, you should be certified in both to form a foundation of trust for the work you do. We’re talking of course about ISO 27001 and PCI DSS.

ISO 27001

Ever wondered how customers, clients and government bodies could judge how well you protect the information entrusted to your business? In this day and age, confidence that you can do so is crucial. Your employees need to know that their personal information is kept safe; if you store any kind of private data from your customers, they need to feel confident that it won’t be stolen or given away; and in some cases, government needs some way of gauging whether or not you’re following recognized best practices.

ISO 27001 is the neon sign indicating to all these parties that you can be trusted to keep data safe by following industry standards accepted across the board as the fundamentals to information security. On a more practical level, compliance with ISO 27001 means consciously maintaining a data protection system informed by comprehensive risk assessment and reviewing management structure and behavior to facilitate security.

PCI DSS

It’s a mouthful, but PCI DSS (Payment Card Industry Data Security Standard) is critical to any operation that stores, processes or transmits credit card information. Originally designed to reduce credit card fraud, PCI DSS has grown in importance to become an indicator of how safe it is for your company to perform credit card transactions. In some jurisdictions, compliance with PCI DSS is even required by law.

Similar to ISO 27001, PCI DSS stresses data protection in particular, since customers making card payments must trust you with their card details in the process. Network segmentation and firewalls, strong encryption of cardholder data in storage and in transit, tight access control and logging, and other practical steps are all detailed in the clauses of PCI DSS.

Complying with these kinds of standards might seem like a lot of extra effort at first glance, but in reality you’re doing yourself a favor as much as you’re doing one for your customers. Demonstrating the security of your company by meeting these two standards in particular can protect you from lawsuits and government intervention, but it can also prevent costly attacks on your business and make sure your growth can go unhindered by all kinds of negative external influences. ISO 27001 and PCI DSS protect you as much as they protect everyone else.


A high level of competition in an ever-more globalized economy makes it tough for a business to stand out from the crowd and establish itself as an industry player. You have to be creative with marketing and management, and be backed up by an honestly great product. But before you can even begin to think about rising above the noise, you need a foundation to stand on.

Compliance is that foundation, meant to bring your operations in line with regulations and standards that solidify your reputation as a trustworthy brand and free you up to focus on growing your business instead of doing damage control. Simply put, compliance is that process of reviewing your business operations and then making sure they fulfill various legal conditions and industry best practices.

Regulations

Every business needs to deal with some, if not a lot of, regulation – and it’s easy to get frustrated. Of course you don’t want your customers, the environment or your own business to be unprotected, but regulations can slow down your progress towards realizing your goals and dreams, especially if you don’t fully understand them.

And no one would blame you for not having a good grasp on regulation; there are dozens you’re expected to comply with at once and each one is complicated in its own way. We also shouldn’t be too quick to judge legislators and regulators, however – it’s tough to translate the ideals and theory behind regulation into a practical framework that offers protection while also giving you the flexibility to succeed.

The consequences of failing to meet regulations, however, are not something you ever want to deal with. Lawsuits, fines, longer sales cycles and profit loss are just a few of the problems that could result – and catch you quite by surprise – if you aren’t keeping regulations in mind. Dealing with these kinds of issues repeatedly could be a death-blow for a business. To make matters worse, regulations are occasionally updated and changed while new ones emerge regularly, requiring that you be on the ball and adapt along with them.

Standards

On the less legally-binding side of things, you want your business to meet industry standards and best practices like ISO 27001 and PCI DSS. But, if this isn’t a legal requirement, what’s the benefit of achieving compliance with standards like these?

Think of it this way: You are interviewing candidates for a new position in your company. One of them says he studied a relevant topic in university, but can’t produce a diploma. Do you trust him? Probably less than if you were able to hold that diploma in your hands.

But meeting industry standards is even more important, since they tell clients and potential business partners that you are conducting business in a responsible, safe and trustworthy manner. Do you want to maintain and grow those relationships? Then it’s best to get familiar with the relevant standards and practices.

But regulations and standards don’t just keep you out of trouble, they often outline the best way forward for your business to keep you solvent and growing. Instead of seeing regulations and standards as a drag, use them as a framework – guidelines to show you the way forward when you aren’t so sure of yourself.

Now you face the dilemma of how best to achieve compliance. How do you keep up with all the changes and finer points that you might misunderstand or miss altogether? Well, the answer is that you can’t shoulder all the responsibility yourself. If you want to protect yourself from disruption and use regulations and standards as a helpful tool to your own development, you need to include experts who know the ins and outs and can help you review your business to achieve full compliance. From there, you can only go up!


We all like to prepare for things. Good research and preparation can help us understand what’s coming, making us that much better decision makers. You could even say that this process involves a bit of risk assessment itself, since we need to identify the inherent risks of an unknown situation and reduce the risk by learning more about it. But how do you know what to expect from cybersecurity risk assessment? Well, let us help you minimize the risk of the unknown with these 6 things that will help you understand exactly what you’re getting yourself into.

1. Risk assessment is the first step to protecting you in cyberspace

First of all, what is risk assessment exactly and how does it fit into the framework of a cybersecurity solution? Well, risk assessment is the launch pad – the first square on the board game that will bring smart, efficient security to your cyber presence. Before figuring out how to achieve greater security, you need to draw a map of the current situation.
What security measures are already in place? What are the most important elements of your cyber presence that must be secured no matter what? Where are risks most likely to come from and how high is the risk they pose? These are all questions that risk assessment aims to answer to start you on your journey.

2. Risk assessment is a methodical process

And it’s conducted by experts, who are called experts for a reason. Risk to your business is not assessed on the hunch or whim of someone who knows a bit about computers. Instead, these professionals follow a methodical process of protocols, lists, numbers and diligent consideration based on experience.

3. Risk assessment is guided by well-known standards and practices

Cybersecurity is too important to trust everyone to approach it however they want, and businesses like yours need to have confidence that risk assessment is being conducted in the most responsible manner possible. That’s why it’s best to adhere to industry standards and practices. Not only do these frameworks help guide and define the boundaries of an effective cybersecurity process, they also signal to you that the best practices are being used.

Standards like ISO 31010 and ISO 27005 are a good place to start. To meet these two important standards, cybersecurity organizations must manage their affairs following certain good practice guidelines and follow a series of steps in every risk assessment process.

4. Risk assessment is mostly based on interviews

Cybersecurity isn’t about going out with guns blazing and taking on hackers like you might see in a modern spy flick. Before diving into exciting technical elements like penetration testing, everything starts with risk assessment, and that means interviews. The majority of the risk assessment process is focused on speaking to key individuals in your company, each of whom may hold a piece of the puzzle that makes up your current security status.

Gathering this information is crucial to obtaining an overview of the situation and getting leads on what may have been overlooked.

5. Risk assessment is not a side project

These kinds of interviews may seem somewhat intimidating for some employees, but risk assessment isn’t a passive process to be sidelined. You need to make a conscious effort to get your entire team on board, especially by informing everyone of the project and its purposes so they feel comfortable sharing and collaborating.

And just as you need to make this special effort with your employees, the entire risk assessment process requires that you take it seriously. That may mean investing time, resources and attention, but trust us, it’s worth it.

6. Risk assessment doesn’t protect you on its own

Risk assessment is crucial to your protection in cyberspace, but this process won’t get the job done all on its own. When you embark on a journey, you first need to draw up a map (risk assessment). Without it, you could get lost. But you also have the entire journey to travel! So, it’s time to plan ahead. Now that you have a good idea of what risk assessment can do for you, start thinking about what comes after – like penetration testing.


We assess risks all the time in our daily lives. Is that knife sharp enough to cut me? Is my child safe with the babysitter? Are there cars coming, or can I cross the street? Most of these decisions can be made automatically, instinctually without too much conscious thought going into them. And yet, our brains are going through a methodical process, whether we’re aware of it or not.

Things like cybersecurity aren’t quite so intuitive. That’s why experts have a conscious, methodical framework – or a kind of protocol if you’d prefer – for how to go about risk assessment in cyberspace. The goal is to come out the other end of risk assessment with a clear map that highlights the most likely incoming threats, who and/or what they might target and how best to counter them. Here’s how it works:

1. Defining the scope of the project

First things first, and the first thing in risk assessment is to get the lay of the land. Risk assessment experts need to get to know your business and what’s most important to you while laying the groundwork for the rest of their work. Someone has to draw a map first before it can be used.

This process begins with interviewing key personnel, including your chief information security officer (if you have one) and department managers if necessary. Next up is defining critical assets, or establishing which networks, processes or databases are most important to your security and stability. Budget may affect the number of assets you’re able to target, but regardless, setting clear priorities will help clarify the process and keep everyone on track. A similar set of priorities is then assigned to critical business processes as well.

2. Identifying threats and vulnerabilities

Next, experts consider what threats and vulnerabilities might be putting the identified critical assets at risk. Again, key members of your team are interviewed to get a more in-depth understanding of the security issues surrounding the assets. Then the maps come out. Threats and vulnerabilities are mapped out for a comprehensive overview of the existing security situation.

Then any existing security controls are accounted for, and threats that are consequently deemed irrelevant are removed from the map.

3. Analyzing current controls

Experts then take a closer look at those same security controls in an effort to understand the safeguards you have in place. But that’s not all. The second part of analyzing established controls is analyzing the potential consequences in a situation in which they fail.

This careful thought process is important to calculate risk and understand what’s at stake. Experts look at figures like asset value and the impact on your business of the processes that need to be protected while considering potential scenarios in which damage could be caused.

4. Calculate the risks and report

Finally, it’s time to take everything that’s been learned and calculate the real risk to the assets defined in step 1. What are the worst scenarios that absolutely must be prevented? How likely are those scenarios to occur? But most importantly, this phase answers the crucial question: How can that likelihood be decreased? What steps can be taken to grant a greater level of security?

Critically, this is all gathered in a final report that sums up the findings and records the situation for future reference. But the process doesn’t end here. Risk assessment only gives experts a roadmap to move forward with to provide you with comprehensive security.
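The four phases above can be made concrete with a small risk register. The following is an added example, not GRSee’s own method and not a table taken from ISO 27005: assets are scoped with a business value (step 1), threat scenarios are listed against them (step 2), existing controls are credited for the likelihood they remove (step 3), and residual risk is scored and ranked so the report can say which scenarios still need treatment (step 4). The 1–5 scales, the threshold of 8 and the sample assets, scenarios and controls are all constructed for illustration.

```python
"""Added example: a minimal risk register following the scope -> threats ->
controls -> calculate phases. The scoring scales and sample data below are
constructed for illustration and are not ISO 27005's own tables."""
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Asset:
    """Step 1: an in-scope asset with its business value (1 minor .. 5 critical)."""
    name: str
    value: int


@dataclass(frozen=True)
class Control:
    """Step 3: an existing safeguard and how many likelihood points it removes."""
    name: str
    likelihood_reduction: int


@dataclass
class Threat:
    """Step 2: a scenario against an asset, with likelihood before controls (1 rare .. 5 almost certain)."""
    asset: Asset
    scenario: str
    likelihood: int
    controls: List[Control] = field(default_factory=list)

    def residual_likelihood(self) -> int:
        # Controls lower likelihood, but a scenario never drops below "rare".
        reduction = sum(c.likelihood_reduction for c in self.controls)
        return max(1, self.likelihood - reduction)

    def inherent_risk(self) -> int:
        # Risk with no controls credited: likelihood x business value.
        return self.likelihood * self.asset.value

    def residual_risk(self) -> int:
        # Risk after existing controls are accounted for.
        return self.residual_likelihood() * self.asset.value


def risk_level(score: int) -> str:
    """Map a 1..25 score onto the qualitative bands used in the report (constructed bands)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_register(threats: List[Threat], treat_threshold: int = 8) -> list:
    """Step 4: rank scenarios by residual risk; anything at or above the
    threshold is flagged for treatment (i.e. its likelihood must be decreased)."""
    rows = []
    for t in threats:
        residual = t.residual_risk()
        rows.append({
            "asset": t.asset.name,
            "scenario": t.scenario,
            "inherent": t.inherent_risk(),
            "residual": residual,
            "level": risk_level(residual),
            "treat": residual >= treat_threshold,
        })
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


# Constructed sample scope: two assets, three scenarios, a few existing controls.
CUSTOMER_DB = Asset("customer database", 5)
MARKETING_SITE = Asset("marketing website", 2)

SAMPLE_THREATS = [
    Threat(CUSTOMER_DB, "credential theft via phishing", 4,
           [Control("MFA on all accounts", 2)]),
    Threat(CUSTOMER_DB, "unpatched database server exploited", 3,
           [Control("monthly patching", 1),
            Control("database not reachable from the internet", 2)]),
    Threat(MARKETING_SITE, "defacement via CMS vulnerability", 4, []),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_THREATS):
        flag = "TREAT" if row["treat"] else "accept"
        print(f"{row['residual']:>3} {row['level']:<6} {flag:<6} "
              f"{row['asset']}: {row['scenario']} (inherent {row['inherent']})")
```

Run as a script it prints the ranked register: the phishing scenario stays medium even with MFA credited because the asset is critical, the database exploit drops to low once both of its controls are counted, and the untreated defacement scenario lands exactly on the treatment threshold. The same structure answers the step 4 question of how likelihood can be decreased: adding a `Control` to a scenario and re-running shows the new residual score.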


Lots of activities in life are risky. Everything from driving to investing in a startup involves some form of risk, but as the saying goes: No pain, no gain. The trick is learning to mitigate – or manage – these risks to reduce the chances of disaster. We can mitigate risks by training and educating ourselves to avoid mistakes and carefully analyzing a situation before diving in head first.
The very first step to protecting ourselves against the potential harm of any kind is to undergo the process of risk assessment. For tasks like driving and even investing, risk assessment is often performed instinctually, but in the cyber world, risk assessment requires a clear and methodical sense of purpose.

Assessing cyber risks

Risk assessment as part of cybersecurity is all about identifying what kinds of threats a business is most likely to face and where they might come from. This comprehensive process provides a snapshot of the current status of a company’s information security, risk maps and common threats, and serves multiple purposes:

  • Helps security experts get familiar with an organization and its structure
  • Provides a basic platform of knowledge that informs future security strategies
  • Gives the gift of efficiency, so a business doesn’t blindly spend on security measures that may not be the most urgent or necessary

How do cyber experts know what to look for during the risk assessment process? Like most other fields and industries, cybersecurity has its standards and protocols that help everyone know where they stand. During risk assessment, experts look first at ISO 31010 and ISO 27005 to make sure they’ve covered all their bases. Then they can get creative and dive in deeper if necessary.

Understanding what threats you face or are most likely to face enhances your ability to manage the risks inherent to operating a business that’s connected to cyberspace. We do the same thing when getting a driver’s license: getting to know the basic functions of a car and where the blind spots in the mirrors are.

Why it matters

Obviously, it’s always a smart move to manage risk. But for cybersecurity, it’s never been more crucial. Taking the step of consulting with security experts and performing risk assessment can make the difference between unhindered progress and a crippling attack that puts your business out of commission and in survival mode.

As competition online reaches fever pitch, the stakes are higher than ever. Those with malicious intent are developing more sophisticated ways to cause disruption and, as high-profile cases in the media attest to, new kinds of threats are emerging all the time. Risk assessment is all about not being caught off guard. So keep your gloves up and keep yourself protected using all the means at your disposal.


When you want to take the safety of your networks into your own hands, you need to look for “cyberservices”. But what does that actually mean? Expectations can ruin relationships and set you up for failure, but knowing what to expect can let you know exactly what you’re getting yourself into. So, what can you expect to get as a part of these “cyberservices”?

Cyberservices vs. Cybersecurity

It’s easy to think that cyberservices and cybersecurity are synonymous. They are in fact closely intertwined, but not quite the same thing. Cybersecurity is one of the things you get as a result of cyberservices. It is also a broad term to describe some of the tasks that are included in cyberservices. But cyberservices often include more than a vague guarantee of cybersecurity. So, what are the details? What can you expect when you see the term “cyberservices”?

· Risk assessment – This is the backbone of all cyberservices on which you can build true cybersecurity. Experts start with risk assessment to identify security risks and develop a strategy to move forward in building a robust defense.

· Penetration testing (PT) – One result of risk assessment and the next step in establishing security is penetration testing. PT experts essentially take the place of cybercriminals and use their skills to attack your systems. But don’t worry, the goal is to keep you safe rather than harm you or your business. By assaulting the networks you want to keep safe as if they were malicious hackers, PT experts can identify any existing vulnerabilities in your systems and help you fix them.

· Security design review – Staying safe isn’t only about guessing what hackers might attempt and closing those holes, it’s about reviewing the very structure of your applications and networks to guarantee that they meet a certain standard of security. The architecture of your systems is studied on a broad level and then much deeper, reviewing the security layers of each component. Ideally, security design review should be performed before the official launch or release of an app to try and ensure security before anyone has the opportunity to take advantage of a vulnerability. This means it should also come before any penetration testing, since PT can catch anything that was missed or overlooked in the security design review.

· Compliance – One element you might not think about in connection to cyber is compliance. National and regional governments often implement detailed regulation on the cyber activities of a business to protect consumers and support fair practices. Businesses also seek to be compliant with various standards of conduct that send a signal of strength and stability. Cyberservices can include helping your business successfully navigate this network of rules and guidelines. It’s just another way of keeping you and your assets safe.

· Other – On a more technical level, cyberservices might also include APT simulation, code review, SDLC, FW rulebase review, security tools professional services, Win/Linux hardening and vulnerability scans, depending on the specific needs of your business. Ongoing consultation services are also important to staying safe and combating new threats that are always emerging as cyberattacks become more and more sophisticated. With so much to cover, it’s also possible to get CISO (Chief Information Security Officer) as a service. It’s always a good idea to have someone on the team who is in charge of security and has relevant knowledge on the subject, even if it’s just for a few days or weeks.

The cyberservice philosophy

You may have noticed a trend running through all of these elements. You can’t miss it: Cyberservices mean safety. The actual tools put in practice to serve your business might vary according to circumstances, but the goal and outcome are the same: security from cyber threats.
Cybersecurity has quickly become one of the most important concerns for any entrepreneur to worry about. Your business almost certainly relies on a connected, online presence or storing data on an internal network. While these activities and operations bring great opportunities and benefits to your business, they also bring the threat of attack that, in the best of circumstances, could be immensely expensive to rectify. Cyberservices help you stay ahead of these threats and protect the prosperity of your business.


Why penetration testing is so important for your business

The vast majority of businesses with any sort of online presence or electronic network are waking up to the urgency of maintaining security in cyberspace. Abilities developed by hackers in recent years have put even small and medium-sized businesses in their sights, even if the cyber stories you hear about in the media focus on high-profile companies and government institutions being targeted.

While some sophisticated hackers focus their efforts on larger companies and institutions to make a social statement or just to cause disruption on the largest scale possible, others go for easier prey: smaller entities with less protection. For these smaller businesses, the disruption caused by a cyberattack can be just as damaging, if not more so, than for large entities.

That means everyone needs to keep their systems safe. Profits and customers are at stake and just one successful attack could set you back months while you scramble in damage-control mode. And the best tool businesses have to defend themselves is to preempt attackers with penetration testing.

Penetration tests safely simulate a gauntlet of different attacks on your networks and online connections with the goal of finding security flaws before any hackers have the opportunity to take advantage of them and cause you harm.

Reviewing your code just doesn’t cut it

But why penetration testing? What makes this method so effective at keeping you protected? Penetration tests bring several advantages and benefits to the table. The bottom line is that reviewing your code visually to try and spot vulnerabilities just doesn’t cut it. Reviewing code this way is notoriously difficult and long lines of code interacting with one another can behave in unpredicted ways, leaving hidden back doors unlocked to attackers.

Penetration testing gives you the ability to get in the mind of the hackers and think like they do. When the military draws up war plans and formulates strategies, they simulate the whole thing with massive exercises. Some of the troops play the part of the enemy and a full-blown simulation is enacted while every possible scenario is considered and acted out so the generals know best how to prepare themselves. The same is true of penetration testing.

Without careful penetration testing, you leave your business open to any attackers with the ability to locate and take advantage of vulnerabilities in your systems. That could mean losing customer data and therefore public trust; you could have technology or even money stolen right from under your nose; and the network your computers rely on could be brought to a complete standstill along with your business operations.

In any of these scenarios, you face major setbacks that could be very difficult to recover from. Penetration testing is all about putting you ahead of the threats you face and making sure you can continue to prosper free of worry.


All the kinds of pen testing you should know about

If you’re here, you’re probably turning your attention to your company’s cybersecurity. Welcome, and good job – you’re doing the right thing. Cybersecurity is a major issue for every business to confront these days and it’s an increasingly complex topic, requiring input from industry professionals who understand the kinds of threats posed to companies with any kind of electronic network.

But what do such experts do to keep you safe? The first step is diagnosing the problem – in other words, finding the vulnerabilities in your systems, and that means penetration testing, or pen testing. By safely simulating an attack on your systems, pen testers are able to infiltrate your operations and show you how they did it so the vulnerability they took advantage of can be fixed. Here are the different kinds of pen testing you should be aware of:

Network services

This type of pen test can be both internal and external, looking for vulnerabilities in your networks, systems, hosts and network devices like routers that hackers could infiltrate to extract data or even take control of for their own purposes. Think your clients’ data is safe in your network? Network services pen tests will tell you for sure, by examining things like:

  • Firewall configuration
  • Stateful analysis
  • Firewall bypass
  • IPS evasion
  • DNS attacks

A big part of keeping your network safe is examining your wireless connections. A password on your Wi-Fi often isn’t enough to keep out a sophisticated hacker. That’s why experts look into the use of wireless devices at your office to see how they could be used to hack into your cyber infrastructure and cause damage. Wireless protocols, wireless access points and administrative credentials are all checked in this process.

Web application

Web application pen tests go deeper than the network services tests, looking for security flaws in web-based applications. Expect this test to take longer due to its complexity. But the time spent is well worth it as web application tests dive into important components like ActiveX, Silverlight and Java Applets.

This type of testing can also look at issues within your workspace. What if your laptop fell into the wrong hands or your personal computer was successfully hacked from outside? Suddenly, a lack of security at your own workstation turns into a security liability for the entire company. Web browsers on your computer and installed software are scanned to make sure there are no backdoors from your device to infiltrate the company’s infrastructure.

Native mobile app testing

There are also all kinds of clever ways to test those high-performance mobile apps that store lots of sensitive information. Without due diligence, a vulnerable financial app could leave credit card information or bank account details exposed to hackers. For an app like that, a serious breach could be the end of the line.

A word about black, white and gray box testing

As you educate yourself about your company’s cybersecurity, you’re also likely to come across the terms black box penetration testing, white box penetration testing and gray box penetration testing. These are more general terms that refer to how much knowledge a hacker has of your systems and therefore what conditions a tester needs to simulate.

In black box testing, it’s assumed that the hacker knows next to nothing of your cyber infrastructure. A full-on attack is launched at your entire system to try and locate a weakness. It’s good old-fashioned trial and error. In white box testing, testers simulate a situation in which a hacker has full knowledge and access to key elements like the source code and software architecture of a web application. Gray box testing sits somewhere in the middle, assuming that a hacker has obtained partial knowledge of your systems and how they work. Considering which angle to approach pen testing is important to locate any threats that a hacker could find and exploit.

It’s often best to periodically do a full sweep, making sure that all of these systems are as safe as can be and keeping you protected from whatever new tools and methods hackers may have come up with. Whatever the case may be, security is always a top priority.


Who knows more about security than those who are able to breach it? The thief who gets the jewel from the museum must have utilized some flaw in the security system that no one recognized before and the hacker that steals data or plants a virus does so thanks to a cyber vulnerability that slipped through the cracks.

While thievery and hacking are harmful to any business that falls victim to a security vulnerability, the one upside they produce is bringing that same vulnerability out into the open. It’s an odd cycle: Without thieves and hackers, you wouldn’t need cybersecurity, but falling prey to them makes you aware of the threats you face. Once your system has been hacked one way, it’s up to you to do your due diligence and analyze the vulnerabilities they took advantage of. After fixing them, any other hacker that comes along will need to find a new approach to slow you down.

That’s why, in a roundabout way, hackers and thieves are performing penetration tests. By breaking into your system, they reveal the flaws that you might have missed, and the result is stronger security for the future. But not everyone capable of breaking into your system means to do you harm. Why allow dangerous individuals to break into your system when you could authorize experts and professionals to penetrate your operations with the purpose of locating vulnerabilities and helping you resolve them?

Now we’ve arrived at the essence of penetration testing, otherwise called pen testing. True pen testing isn’t just an action, it’s an intention. While thieves and hackers want to harm you, pen testers want to help you stay ahead of threats technologically. To meet this goal, they use all the tools in their cyber arsenal to see if and how they can break into your system – not to steal or cause harm, but to come up with ways to make your system safer.

That’s why pen testers like those at GRSee don’t just hack into your system and prove that you have a vulnerability, they show you what they did and how they got in before recommending ways to fix the issues that were found.

What better way to beat the hackers than to think like them and use their weapons against them? As long as cyber assets continue to grow in importance, ill-intentioned individuals will try to find vulnerabilities to benefit from. The best way to get ahead of them is to simulate an attack on your system before a real one can take place.


As with every other major technology developed by mankind, it didn’t take us long to demonstrate how the digital world could be used for nefarious means. Cyberspace was conceived of as a sort of utopian, open, free space for instant global communication – and that ideal is still alive in the minds of many users and entrepreneurs. But the last 30+ years have shown us that even the greatest of utopias need a defense force to protect it.

You reap what you creep

Did you own a computer in the 70s? Probably not. Did you know what the internet was? Definitely not, because it was called ARPANET back then: the earliest evolutionary ancestor of our interconnected lives. But while you remained in a state of blissful ignorance, it wasn’t only the internet that was being put together; a foundation for the digital virus was being laid.

Today, we fear internet-borne viruses like the plague and the threat of hackers disabling important infrastructure like electrical grids is very real. But it didn’t start out with such harmful intent. In fact, it was downright innocent behavior that created history’s first worm, called “Creeper”. It was nothing more than simple code written by BBN Technologies engineer Bob Thomas that reached computers connected to ARPANET (of which there were only a few) and playfully displayed the words “I’m the creeper: catch me if you can!” on the screen.

But the world’s first worm gave rise to the world’s first cybersecurity mechanism, a slightly more sophisticated piece of code from Bob’s colleague Ray Tomlinson that moved between computers on ARPANET, copied itself in the process and did nothing more than delete Creeper. This countermeasure would forevermore be known as “Reaper”.

Early internet vulnerabilities

Creeper and Reaper had set a theoretical precedent for cyber threats and cybersecurity, but the digital space still wasn’t outright dangerous, as highlighted by the “Morris Worm” in 1989 – the first major case of a denial-of-service (DoS) attack. Robert Morris, the author of the new generation worm, argued in court that his code was only designed as a way to measure the size of the internet at the time. Whatever his intentions, the worm slowed infected computers and infected them multiple times until they became inoperable.

The Morris worm may have infected a whole 10% of computers connected to the internet, and cleanup was estimated to have cost anywhere from $100,000 to $10,000,000. Cybersecurity was caught unprepared and removing the worm required the entire internet to be shut down for several days on a regional basis. Industry experts, with both positive and negative intentions, were waking up to the power of cyber threats.

Cybersecurity on the backfoot

It would take a while for cybersecurity measures to catch up to the threats of viruses. In the same way firefighters are on duty to put out fires where they pop up, the Morris worm taught everyone that the internet needed its own emergency response team. CERTs (Computer Emergency Response Teams) were established to fill this role, but the early 90s saw them reacting to threats rather than trying to prevent them.

Antivirus software finally hit the market in the middle of the decade, offering a simple preventative solution to most basic viruses that could be installed on any computer. At that point, the internet had become saturated with viruses created by less-than-savory players in the industry who knew they could get away with simple harmful activity. While antivirus programs helped put an end to this proliferation, they also triggered an arms race.

As the capabilities of hackers and viruses became more and more sophisticated, awareness of potential threats and investment in protection increased. Things went well for over a decade until a series of complex attacks in recent years seemed to show that at least a few of those with malicious intent had gotten a step ahead of antivirus and security experts.

Target was hit, along with the British healthcare system and a number of other large institutions that employed the largest security companies using the most sophisticated defense techniques. But the good guys have learned from these incidents and stepped up their game even further. Will any network ever be 100% secure? Possibly not, but the consequences of ignoring cybersecurity are too big to ignore and large, complex attacks only highlight the need for businesses in the digital space to work closely with cyber experts who continuously keep themselves up to date with developments in the industry and keep the hackers on their toes.

Reading Time: 3 minutes

Running a business means focusing on growth. You want to bring your products and services to as many people as possible because you believe in what you do; you want to increase profits to hire more workers and expand operations, so you invest your efforts in PR and customer care. These activities make sense and, performed correctly, directly contribute to your prosperity.
Ideally, you should be free to focus on these kinds of initiatives that directly support growth. But without a solid behind-the-scenes backbone of security, compliance and risk management, even great momentary success can be painfully reversed in the blink of an eye. GRSee addresses these concerns for you, so you can pursue other tasks safe in the knowledge that none of these three critical areas is being ignored.

Your freedom, our focus

While you dive into all the other business activities you need to pursue to thrive, GRSee handles three elements that are even built into our name. GRSee stands for GRC, or Governance, Risk management and Compliance. Without solid footing in these three areas, your business could face future losses from legal problems encountered when trying to adhere to new and complex regulations, or from cyber-attacks and other related threats. It’s best to put these concerns to rest before encountering any real mishaps.


Let’s take a closer look at what we do every day to ensure that businesses like yours are safe, compliant and built to weather any storm:

  1. Compliance – GRSee aims to bring your business into full compliance with security standards and related information and data regulations. ISO 27001 directly addresses the overall security of your systems and governance while PCI DSS is a standard that must be met by any business accepting card payments. Meanwhile, Europe’s GDPR helps protect user data and the CCPA aims to do the same in California.
  2. Cyber security – In our connected world, even the best business concepts can be brought down by ignorance of potential cyber threats. Depending on who you are and what you do, these threats could come from individual hackers looking to steal or cause trouble just for fun, politically motivated groups that aim to disrupt or corrupt your efforts, or even advanced and well-coordinated governments around the world. Maintaining cyber security has never been more important for a business or its customers.

GRSee offers a wide range of cyber services and a team of experts with over 20 years’ experience in the field. With penetration testing and Advanced Persistent Threat Simulation, we simulate attacks on your computer system, application infrastructure or otherwise to ensure that defenses are up to snuff and to reveal any vulnerabilities that need attention. We also review the entire architecture of your digital infrastructure to identify potential weaknesses that could be exploited.

  3. Risk management – This is closely related to our cyber security work. Our experts provide ongoing analyses and assessments of the risks your business faces and aim to help you keep operations in line with global information security standards. Meeting them tells everyone else that your business is safe.

To this end, we also give businesses the opportunity to adopt one of our experts as their CISO (Chief Information Security Officer), who takes charge of security operations and acts as an ongoing advisor and consultant for all cyber security issues as well as formulating and overseeing tailor-made long-term security strategies.
We can tackle all of these issues with you, making sure your business is following the best practices that boost confidence and reduce the number of unforeseen but completely avoidable roadblocks you might encounter on the road to success. Based in California, New York and Israel, we already provide service to global brands like 888, Fiverr and Amdocs. In this way, our work doesn’t only make you free to focus on other areas of business, our involvement also contributes in more direct ways to your growth and prosperity.

Reading Time: 2 minutes

Kudos to you for taking credit card data security seriously! You’re likely feeling good about taking that big step to properly secure your customers’ credit card data by becoming PCI DSS accredited. And you should! However, did you know that compliance alone does not necessarily guarantee data security? Here are five things to look out for to ensure the credit card data is truly secure and that you don’t find yourself caught in one of these common pitfalls.

1. Failing to review firewall rules and perform penetration segmentation tests every half year

According to the PCI DSS standard, service providers must review firewall rules and perform penetration segmentation tests every half year. Though most companies remember to do the PTs leading up to the audit at the end of the year, they often fail to do the proper checks mid-way through the year. Mark it in your calendar so you don’t forget these important steps in your PCI compliance!

2. Failing to Manage Vulnerabilities

As part of the PCI DSS standard, vulnerability checks need to be performed on a quarterly basis. Additionally, any vulnerabilities that are found need to be remediated during the same quarter. Failure to do so leaves credit card data vulnerable and increases the chances of a security breach. Unlike the initial certification, which requires a vulnerability check during the last quarter only, recertification requires checks on a quarterly basis.

3. Improper Scoping

When it comes to PCI the ‘scope’ is the cardholder data environment (CDE) and includes all of the systems, people, processes, and technologies that handle cardholder data. It is important to note that systems that support & secure the Cardholder Data Environment must also be included in the scope of PCI DSS. Examples include antivirus, patch management, vulnerability scanners and the like.

4. Storing SAD (Sensitive Authentication Data) After Authorization

During the payment process, service providers collect Sensitive Authentication Data (SAD) to authorize the payment. However, according to PCI regulations, you are only allowed to use SAD strictly to process the payment and may not store the data after completing the authorization.

5. Addressing PCI DSS Compliance During Audit Period Only

PCI should be part of your annual work plan and not reserved for a once-a-year security check. In order to be compliant and truly keep sensitive credit card data secure, the requirements delineated within the PCI DSS Standards should be followed and managed throughout the year.

Reading Time: 2 minutes

Have you been thinking about having your organization ISO 27001 certified but not sure if it’s really “worth the hassle?” For those less familiar with ISO 27001:2013, it is the global information security standard that delineates the best practices to manage information security risk.

Below are 4 items to consider before making your final decision.

1. It’s good business!

Being accredited by ISO 27001 gives you a competitive edge and is proof to existing and future customers that you are taking a proactive approach to protecting their data from information security threats. Winning or losing a tender can weigh heavily on whether or not you have this certification. Being ISO 27001 certified expedites the sales cycle, rather than stalling it due to compliance requirements that have not been met. Lastly, access to global markets may also be dependent on whether you are certified, due to ISO 27001 requirements in some countries.

2. Manage risks to safeguard data & intellectual property

Maintaining data privacy and other assets is a top priority for most organizations, especially for those that are holding private client information. ISO 27001 has set up the most systematic approach to identify, store, access and manage this data safely. By utilizing the ISO 27001 method of safeguarding data, the organization greatly reduces the severity of threats to its information.

3. Avoid financial losses and penalties associated with a data breach

Are you worried about how much ISO 27001 accreditation is going to cost you? Well, opting not to get accredited can cost you a lot more in the long run! You need to weigh the cost of compliance against the cost of potential fees associated with fixing a data breach as well as possible interruption of business.

4. Improve your processes

Companies are growing and changing fast, and before you know it roles and responsibilities relating to data and other assets get blurred. As part of the ISO 27001 process, roles and responsibilities are clearly spelled out, thereby strengthening your organizational structure and allowing for clear and concise steps going forward.

Being ISO 27001 certified forces your organization to take a hard look at what’s working and what’s not when it comes to information security and to create a clear and concise roadmap to improve processes going forward. The benefits of this process extend not only to the information security of the organization, but also open up doors for increased revenue going forward.

Reading Time: 2 minutes

New Year’s Resolutions. We all have them. They often sound something like this:

“This year I’m going to eat less, exercise more, and be a better spouse/parent/employee/person…” and the list goes on. Sometimes we follow through for a week, or even a month. But usually we don’t stick to it for very long.

Well, here is a resolution that you can and should be making and sticking to in 2019 for both your personal and professional safety and benefit. It is time to take cybersecurity seriously. With the Identity Theft Resource Center (ITRC) reporting 1,027 breaches, which include 57,667,911 records compromised as of November 2, 2018, the statistics are pretty baffling.

Personal Security

Enable 2FA (Two Factor Authentication) whenever possible – This requires a name and password plus an additional type of verification in order to access private info. This usually simple step, for example verification via your cell phone, can greatly decrease the chance of a personal breach.

Manage passwords safely – Guess what?! Using your sweetheart’s name and birthdate for all your passwords, while perhaps cute, is not the smartest (or safest) way to keep your personal data safe. To really keep your information safe, you need to create unique passwords for each of your applications, e-mail accounts, etc. There are many password tools out there that can help keep all of your passwords safely in a single location.

Organizational Security

Risk Assessment – Are you able to make heads or tails of where your organization stands from a security standpoint? How well are your data and assets protected? Do you have the right policies and procedures in place to prevent a breach? Performing a risk assessment will provide your organization with an overview of your current security posture so you can then create a security roadmap and prioritize accordingly.

Penetration Testing – There are two major reasons that your organization will benefit from doing penetration testing:

1) Having a penetration test performed on your environment (aka ethical hacking) allows you to see how a potential attacker sees your organization and its vulnerabilities. With security breaches making headlines throughout 2018, now would be a good time for you to check!

2) You are looking to offer your product/services to companies A, B, & C. In most cases, the companies you’ll want to do business with require mandatory penetration testing. Be prepared today so you can sign new customers tomorrow!

Here’s to a safe and productive 2019!

Reading Time: 3 minutes

If your company is approaching new markets overseas, cybersecurity should be a primary concern. Regulatory environments, compliance, and privacy laws differ significantly from country to country, and protecting your data, as well as that of your customers, is of great importance.

Being prepared in advance will help you enter your new market quickly so you can hit the ground running.

Risk management: it’s a game-changer

Risk management is crucial, whether you are in a compliance-heavy industry or not. Having a good understanding of the regulatory environment in the countries you are doing business in is a good place to start.

Penetration testing (PT)

Assessing your risk is an important first step towards compliance. Penetration testing, sometimes known as a pen test, is a way to determine your risk through authorized hacking. Pen tests are conducted to find exploitable weaknesses in your system so that you can be better prepared for any potential threats.

The results of your PT will help you to address any security issues before you pursue the appropriate certifications.

Here are some of the essential credentials and standards you should be aware of when taking your company international:

ISO 27001 certification

ISO is an organization that deals with international standards. ISO 27001 is specifically geared to information security management and is recognized as a worldwide protocol to help companies manage risk to their data assets. ISO 27001 certification is a best-practices approach that shows your company is managing its data security in line with the highest international protocols.

PCI DSS compliance

PCI is a standard for securing the data surrounding online payments. It applies to all companies that process and store payment data for their customers and vendors and also covers third-party vendors who might also have access to this data. If you accept payments online with any type of payment card, PCI DSS standards apply to you.

GDPR compliance

The General Data Protection Regulation (GDPR) becomes law in May of 2018. This regulation protects the personal data of all EU citizens and businesses and any company that does business with EU people or entities must comply.

HIPAA compliance

The Healthcare Insurance Portability and Accountability Act (HIPAA) applies specifically to personal healthcare and medical data. If you store protected health information for your employees, you must be HIPAA compliant. This includes healthcare providers, healthcare insurance providers, and companies that handle third-party billing or data processing for any of the above.

Don’t let non-compliance be a show-stopper

Compliance with international standards is essential to your business continuity. In most cases, until you comply and show a certification, all contracts, deals or any other relations with partners or customers will be on hold.

Here are some of the methods you can use to ensure compliance and data safety:

Penetration testing (PT)

GRSee uses proven methods to discover vulnerabilities in your system through our own Application Penetration Test model.

IT Security Questionnaires

OWASP CISO Survey

The Open Web Application Security Project (OWASP) questionnaire asks a range of questions to help you determine your level of risk. Most of those questionnaires are based on the ISO 27001 standard, so if you are already in compliance with ISO, it will save you a lot of work. Keep in mind, however, that your answers are simply a snapshot in time, so revisiting the questions periodically is always a good idea.

To help you manage the survey, GRSee offers CISO (chief information security officer) as a service. The CISO we assign will be in charge of answering the questionnaires and will provide solutions to any issues that are identified, functioning in a capacity that best suits your needs.

Bottom line, if your company is going international, you need to be prepared to answer to international compliance standards. GRSee Consulting is dedicated to supporting your compliance from every possible angle with specialized expertise and SaaS solutions you can depend on. Call today to schedule your cybersecurity audit.

Reading Time: 5 minutes

The GDPR becomes law in May of 2018. If your company does business with any EU citizen or entity, you need to be prepared for this new law, which is designed to protect and strengthen the privacy for all individuals residing in the European community.

The law applies to any business or public-sector entity that retains the personal or payment data of EU citizens. Under the law, companies will be required to be able to directly access this information for correction or deletion purposes and customers whose data is being held will have the option to “be forgotten” – meaning, if one of your customers asks for their data to be deleted, you must comply.

This is only one aspect of this very complex law, but it is a significant one. As a company looking to become compliant, it will be necessary to develop a workflow that makes it easy to accomplish these requests.

For many, this means a digital transformation will be necessary if indeed you have not yet initiated such a process. Modernization of data storage and security is absolutely crucial, especially for SMBs and enterprises, as the sheer volume of stored data will necessitate a capable data classification system in order to allow admins to isolate, manipulate, and delete data when needed.

KEY ELEMENTS OF THE GDPR

While this is by no means a complete guide to GDPR compliance, we have put together an overview that covers the key points:

1. Data flow mapping & analysis

In order to understand what kind of data your organization processes, it will be necessary to create a data flow map to show the flow of your data from one interaction point to the next – for instance, from the supplier to the shipper, to the customer, and so on. This is meant to identify any potential unintended use for the data and therefore requires that you consider what parties may be using the information and for what purpose.

2. Data type analysis

Your data flow maps should include the type of information being collected and how it was obtained – for instance, through a web form, direct data entry, or over the phone. Data needs to be analyzed as to the risk it may pose so that adequate measures are put in place. Being able to classify the type of data you are storing is key to assessing risk.

3. Analysis of currently implemented controls

This phase examines the legal and risk controls that you have currently implemented from a legal, organizational, physical, and technical point of view. This is primarily to control any identified risks prior to any processing of any new data.

4. Identify scope – processor or controller

The extent to which your company is liable under the GDPR largely depends on whether you are a “controller” or a “processor” of data. A data processor handles data on behalf of the data controller and so is not subject to as many obligations where the data is concerned. Though the data controller is largely responsible for the disposition of this data, the data processor may still be liable to a degree if they are storing data on their servers, for instance, or are providing any other 3rd party service (such as a shipper) that uses the data.

5. Review of privacy policies

Data controllers will need to be more specific in crafting their privacy policies. According to the GDPR, you must provide clear information on how you are using your customer’s data. This information must be:

  • Concise, easy to understand and easily accessible
  • Written in plain language that would allow even a child to understand it
  • Provided free of charge

6. Review of third parties’ policies

The privacy policies of any 3rd party your company does business with should be thoroughly reviewed to ensure that their policies comply with GDPR regulations. This is meant to prevent unauthorized use of customer data. Article 28 of the regulation outlines in great detail how processor-controller contractual relationships should be worded.

7. Privacy review in SDLC

In addition to all the customer-facing data issues covered by the GDPR, the law also affects software development lifecycle and processes for any IT company that seeks to do business with or provide information systems for the EU. The GDPR has technical and functional implications that require a high degree of planning in the initial phases of SDLC. The earlier in the process that these items are addressed, the less complicated and costly it will be in the long run.

8. Reviewing core GDPR issues

  1. The Right to be forgotten: Article 17 of the GDPR states that customers whose data is being held have the right to ask for it to be removed.
  2. Data roaming: This issue affects the transfer of data on the open internet, as may happen in a mobile computing environment.
  3. User’s consent: users must consent to their data being used. This may take several forms, depending on how your organization used this data.
  4. Data destruction: data destruction poses a significant risk, especially when dealing with a hard copy (paper documents). If you use an asset disposal service (classified as a data processor under the GDPR) you must ensure they are compliant with GDPR regulations to reduce your risk.
  5. Review of special categories: this involves data that relates to a wide range of variables, including human resources and employee data, data relating to children, and health records for example. This area is quite complex, but it seeks to safeguard the privacy of the individuals whose data is being collected.
  6. Dispute resolution: article 65 of the GDPR sets forth the process for dispute resolution by the Board if the supervisory body finds any infringement.
  7. Cookie consent: the GDPR calls into question the current EU cookie consent laws. The GDPR sees cookies as a unique identifier, and so consent rules do apply. If cookie data is used for more than one purpose, there may be a need to establish separate consent for each use.

CREATION OF GDPR ALIGNMENT WORK PLAN

If you have not yet begun to map out your plan for GDPR alignment, GRSee can help. Though the law is multi-faceted and complex, as experienced auditors who have performed hundreds of compliance projects, including GDPR alignment projects, we have created an efficient and proven methodology that will get you up to speed quickly.

WHAT’S THE SMOKING GUN? FINES OF UP TO 20 MIL EUROS!

With so much at stake, it is imperative that your security practices be in place as soon as possible. Some of the mechanisms you can implement right away include privacy by design at the SDLC (development lifecycle) level, pseudonymization, opt-out mechanisms, redacting data, and destroying old or redundant data.

Boosting internal security is always a good idea as well, especially if you retain hard copies of any personal, payment, or other sensitive information that needs to be protected. Locked cabinets and file rooms are a good start, but establishing a secure digital storage solution is also important. Furthermore, for those who are ISO 27001 compliant, you’ve already fulfilled some of the requirements necessary for GDPR. For those not yet ISO compliant, it’s a great opportunity to kill two birds with one stone.

There’s never been a better time to start your digital transformation. Call GRSee today to set up a free consultation.

Reading Time: 3 minutes

To those of you who have been dealing with data governance and compliance issues since the Sarbanes-Oxley Act (SOX) appeared on the scene in 2002 – are you having flashbacks yet?

Once again, we are facing new, exceedingly strict regulations coming down the pike and once again, there are serious budgetary concerns around developing a compliance architecture. Many companies, in fact, still struggle with SOX compliance for various reasons. They adopt a reactive rather than a proactive stance when issues come to light, which is, as we all know, an inefficient and costly way to do business.

While SOX applies to companies in the United States, the GDPR is focused on the EU. In both cases, however, there is an increasingly high degree of international overlap as companies continue to expand their global presence.

Bottom line, if you do any business whatsoever with EU citizens—even if you’re a B&B who occasionally has European visitors—you need to pay attention.

One major advantage we have heading into the GDPR is that these days, technology truly is on our side. That sign you’ve been looking for? This is surely it. If you have not yet begun your digital transformation, the time is now.

WHAT HAPPENS IF YOU DO NOTHING?

GDPR non-compliance has serious implications that will affect companies anywhere in the world who do business in Europe, or who do business with EU citizens. It’s a complex set of requirements meant to meet today’s increasing need for data protection against mounting cyber-threats as well as unauthorized use of personal data. This also extends to your marketing analytics as well as any online activities that involve collecting traceable personal identifiers.

The consequences of non-compliance are great: companies could face fines of up to €10-20M – certainly not small change. Depending on the type of breach at issue, you may also be subject to an audit, a review of your licensing, your certifications, and you could potentially face restrictions on how you collect and process data in the future. If you are caught up in such an unfortunate situation, the damage to your company and your business reputation might be irreparable.

ACT NOW

There are so many layers of complexity in the GDPR that even the most seasoned CISO or other executive officer might be experiencing a few sleepless nights. Because of this, equally nuanced solutions are necessary. Above all, you want to avoid having to take a reactive stance in the instance that any of your systems or transactions are under scrutiny.

Even if you have an internal IT team, working with an external consultant who specializes in data protection and compliance is a good idea. Chances are, your team has their hands full with your day-to-day operations and they may not be particularly well-versed in data governance. Working with a highly specialized crew to establish your GDPR strategy will give you the peace of mind you need to move forward with confidence.

CONCLUSION

Preparing for the GDPR is a massive undertaking, but it doesn’t have to be painful. With GRSee’s proven GDPR methodologies which address data security & governance, combined with strategic policy restructuring, you can achieve compliance in far less time and for far less money than you might think.

GRSee is America’s compliance specialist: schedule a free consultation today and find out how easy it is to get started.

Reading Time: 3 minutes

As the GDPR deadline of May 25, 2018 creeps closer, our thoughts turn to compliance and how to achieve it without losing any (more) hair in the process.

If you have been putting off making the necessary adjustments to your data security, privacy, and governance policies and procedures, keep in mind that the clock is ticking down rather quickly now. The good news is, by following a series of simple steps, you can clear that GDPR smoke screen and get back to doing what you do.

Here are five simple steps you can take to get you GDPR compliant with minimal pain.

1. Data flow mapping and analysis

Data classification is a major step towards GDPR compliance, but this can be particularly complex if your data is stored on physical servers, as any stored backup copies would also need to be accessible in case you needed to remove or edit a record. If you were still using tape backups, the undertaking would be virtually impossible, taking up countless IT hours for something that could be accomplished in a few keystrokes. You need to know how your data flows in and where it goes from there – including its interactions with 3rd party vendors such as shippers, email services, marketing platforms, and so on. With GRSee’s vast experience in governance, risk & compliance projects, we have created methodologies that are efficient and have allowed us to successfully support your transformation.

2. Analysis of currently implemented controls

While you likely have some controls in place, each should be reviewed and considered in the context of the GDPR. This should be a step-by-step process in which you examine your data flow to see whether your existing controls are going to be adequate, if you merely need to make some adjustments, or start from scratch. This will include written policies as well as all applicable IT, hardware and software solutions.

3. Review of privacy policies

Privacy policies must be worded more precisely. You must now disclose exactly why you are collecting personal data and how it will be used, stored, and shared among your 3rd party processors. By proxy, this also mandates that you review your 3rd party vendors’ policies as well to ensure they are in compliance.

4. Review SDLC for privacy

Your software development cycle (SDLC), if this applies to you, is going to take a hit as well. The SDLC is affected substantially, in that GDPR requirements will need to be addressed in every stage of the software product lifecycle. This will be necessary in order to remain financially viable in production and avoid costly reworking later on. Problems can be avoided if these issues are addressed as early as possible in the process.

5. Creation of GDPR alignment work plan

Aligning your processes to support best practices in light of the GDPR is crucial. The earlier you begin to map out your transformation, the less tap dancing you will have to do when the law comes into effect on May 25, 2018. Preparation is the first step, followed by the implementation of effective procedures, and finally maintaining your protocols to assure ongoing accountability.

If you have not yet begun your digital transformation, the imminence of the GDPR may help you get started. Speak with GRSee to set up a free consultation.

Reading Time: 2 minutes

Myth: Only large companies are required to, and can, undergo PCI DSS certification

Fact: Incorrect. PCI DSS applies to all entities involved in payment card processing, including merchants and other entities that store, process and/or transmit cardholder data. They all must comply with PCI DSS requirements. In fact, PCI DSS was developed to enhance the security of cardholder data, which is why any entity that holds cardholder data should comply with the standard.
Non-compliance could mean high risk for these entities, because when there is a security breach of cardholder data and they are not PCI compliant, they could be subjected to penalties such as fines and other sanctions from banks and credit card processors. They may also be subject to lawsuits and/or governmental prosecution for failing to protect customer data.

Myth: Using a certified PCI DSS cloud service (SaaS, PaaS, IaaS) automatically makes you PCI compliant

Fact: Incorrect. While many companies and merchants now use cloud services, they still have to comply with PCI DSS themselves, even when they use services from certified PCI-compliant providers.
When you use cloud services, you have to clearly define your own responsibilities and those of your cloud service provider in order to maintain compliance with PCI DSS requirements. To do that, you should understand the details of the services offered. Your provider should clearly identify which PCI DSS requirements are covered by its PCI compliance program and which are not. The provider then has to document the aspects of its service that are not covered and agree with the client (i.e. your company) that those aspects are your responsibility to manage and assess.

Myth: Once you achieve PCI DSS compliance, you have nothing to do the following year.

Fact: Achieving PCI compliance does not mean you have reached your final goal. You still need to maintain the policies, procedures, and good practices that are consistent with PCI DSS requirements. Moreover, validation of compliance must be performed annually.
Beyond compliance itself, remember that the standard was developed to protect cardholder data, so it is important that you implement all controls (such as policies and daily operational security procedures) that are consistent with PCI DSS requirements in your daily business activities. Only by continuously and consistently executing all these security controls, including developing and implementing a security awareness program so that all relevant parties and personnel understand the importance of cardholder data security, can the objectives of PCI DSS be achieved.


That Will Energize You to Comply with The Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a standard created by the card-issuing banks and branded card networks (i.e. Visa, MasterCard, Discover, American Express, etc.) to strengthen the protection of cardholder data after the major card breach back in 2005, when 40 million cards were compromised.

That was the right action to regain the trust of cardholders, so that they could still feel comfortable using their cards to pay for their transactions.

To implement the standard successfully, every organization that is obliged to comply needs to understand what benefits it will gain by being PCI compliant. By keeping these benefits in mind, the objective of protecting cardholder data can be achieved more successfully and more easily.

In fact, complying is both an obligation and an investment for any merchant or organization that processes, stores or transmits cardholder data, and that investment will return in the form of tangible and intangible benefits, as follows:

  1. Security improvement – decreased risk of security breaches
    Like any other compliance program, many organizations have a question in mind before they put effort into the journey towards compliance: does this standard provide real impact and value if we implement it, or is it just for the sake of compliance? This question is very important and should be answered seriously.
    Organizations that comply with PCI DSS requirements do get real value. A study conducted by Verizon stated that PCI-compliant organizations are significantly more likely, by up to fifty percent, to successfully resist a cardholder data breach.
    This means that the 12 PCI DSS requirements are an adequate set of security controls to protect cardholder data, provided we implement them properly.
  2. Peace of mind for you and your customers
    You will feel safe, and your customers will feel safe too. This is the result of being much less likely to suffer a cardholder data breach.
    You feel confident that you have done everything you should to protect cardholder data. Your customers feel safe too, because they believe they are providing their confidential data to a trusted company, which is you.
  3. Improved customer relationships
    A study conducted by Quirk’s Marketing Research Review in 2014 stated that 69% of consumers would be less inclined to do business with a breached organization. As an organization that complies with PCI DSS, you should be able to reduce the likelihood of a data breach significantly. This means you will have a better relationship with your customers. They will see you as a company with a strong commitment to protecting their data.
  4. Increased profit
    This is a direct consequence of the peace of mind your customers get when they do business with a trusted company or merchant that complies with PCI DSS.
    In turn, this grows the loyalty of your customers, and they become your free marketing agents, telling their friends and relatives about your good and safe services and recommending them.
    You’ll keep existing customers, who make more transactions, and you’ll also gain new customers. More customers, more transactions, more profit. Isn’t that what you really want?
  5. Avoid costly fines: the risk costs much more than compliance
    Any company or merchant may understand the benefits of being PCI compliant. They may also understand that they are obliged to comply with the standard. But as a business entity, they always weigh cost and benefit in any decision they make.
    Of course, in order to comply they have to spend some money. The size of this investment depends on how many card transactions your company handles per year. But when it comes to cost, we should compare the cost of complying with the standard with the cost of not complying.
    If a cardholder data breach happens (and it can happen), every involved entity will be investigated. If, say, a merchant is involved and at the time of the breach it did not comply with PCI DSS, it will receive a costly fine. The acquiring bank may have to pay a fine of $5,000 to $100,000 per month to the payment brands for PCI compliance violations, and the bank will most likely pass this fine down to the merchant eventually. As stated above, properly implementing the PCI requirements reduces the likelihood of a breach, which is a real benefit for the company because its likelihood of receiving a fine decreases as well.
  6. Company image building
    Most customers may not understand the details of the standard, but your compliance will make them believe that you have a strong commitment to protecting their cardholder data.
  7. Sustain your business
    Any merchant, even one with a single credit card transaction, has to comply with the standard; if it does not, it is at high risk. Think of the worst case: you are subject to fines and you may also face lawsuits for failing to protect cardholder data. You lose money and your reputation is damaged, which may put your business in danger. So being PCI compliant is a must for any organization that stores, processes or transmits cardholder data in order to sustain its existence in this business.

When organizations understand the benefits above, they will see that being PCI compliant is not just something they have to do, but something they need to do in order to sustain their business, gain benefits and manage the risks they face.


This is Why Scoping, Segmentation & Tokenization Are the Key Success Factors Towards PCI DSS Compliance

So, what are the reasons organizations fail PCI Audit?

In December 2013, a credit and debit card data breach at the American discount retailer Target affected 40 million shoppers who visited its stores in the three weeks after Thanksgiving. This incident shows how real the threat facing many organizations, such as merchants, is today. The need to protect cardholder data is the primary objective of PCI DSS.

Although compliance with PCI DSS requirements is very important, many organizations still find that it is not easy to comply.
This article covers some of the issues that cause PCI audit failures so that we can learn from them and do better when preparing to comply with the standard.

  1. RIGHT SCOPE
    Scoping the PCI DSS assessment is very important, because the scope defines the certification boundaries. Successful PCI DSS compliance depends heavily on correctly identifying the scope of assessment. The right scope makes compliance much easier and at the same time reduces its cost.
    If your scope is too narrow, you could potentially leave cardholder data in danger; if it is too broad, your effort becomes harder and costlier and you add unnecessary cost to achieving PCI compliance.
    The PCI DSS categorizes system components as being either in scope or out of scope for assessment. The Open PCI DSS Scoping Toolkit offers a good method for clearly categorizing each system component, which helps define the scope of the assessment.
    The toolkit defines three categories of system components. Once each component is categorized, we can decide which components are the most important to protect and which are less important or need no protection.
    Every system component within an organization falls into one and only one of the following:

    • Category 1 – System components that process, store or transmit cardholder data, or that are not isolated or restricted through controlled access from other Category 1 system components.
    • Category 2 – System components that have controlled access to a Category 1 system component.
    • Category 3 – System components that are isolated from all Category 1 system components.

      Figure 1. System Component Categorization (source: Open PCI DSS Scoping Toolkit)

      After categorizing system components, we can define which components are in scope and which are out of scope of a PCI assessment, as shown in Figure 2 below.

      Figure 2. Mapping System Component Categories to Scope of Assessment (source: Open PCI DSS Scoping Toolkit)
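As an added worked example (not code from the page or from the Open PCI DSS Scoping Toolkit), the following Python script applies the three categories above to a constructed inventory of components and connections. The component names, the `handles_chd` flag and the `controlled` flag on each link are assumptions for the illustration, and so is the rule that Category 1 and 2 components are in scope while Category 3 is out of scope, since Figure 2 is not reproduced here. The script propagates Category 1 across every uncontrolled connection, which is exactly how a flat network drags back-office hosts into scope, and then re-runs the same inventory with one firewall added to show the scope shrinking.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Set, Tuple


class Category(IntEnum):
    """Categories from the Open PCI DSS Scoping Toolkit, as described in the text."""
    CAT1 = 1  # processes/stores/transmits CHD, or not isolated from such a system
    CAT2 = 2  # has controlled access to a Category 1 system
    CAT3 = 3  # isolated from all Category 1 systems


@dataclass(frozen=True)
class Component:
    name: str
    handles_chd: bool = False  # processes, stores or transmits cardholder data


# (a, b, controlled): a connection between two components. controlled=True means the
# path is restricted by a validated control (firewall rule, ACL); False means
# unrestricted connectivity, e.g. both sit on the same flat network segment.
Link = Tuple[str, str, bool]


def categorize(components: List[Component], links: List[Link]) -> Dict[str, Category]:
    names = {c.name for c in components}
    for a, b, _ in links:
        if a not in names or b not in names:
            raise ValueError(f"link references unknown component: {a!r} / {b!r}")

    # Step 1: everything that touches cardholder data is Category 1.
    cat1: Set[str] = {c.name for c in components if c.handles_chd}

    # Step 2: Category 1 spreads across every *uncontrolled* connection until no
    # new component is reached (a flat network pulls everything on it into scope).
    changed = True
    while changed:
        changed = False
        for a, b, controlled in links:
            if not controlled and (a in cat1) != (b in cat1):
                cat1.update((a, b))
                changed = True

    # Step 3: a non-Category-1 component with a controlled path to Category 1 is
    # Category 2; everything else is Category 3 (isolated).
    cat2: Set[str] = set()
    for a, b, controlled in links:
        if controlled and a in cat1 and b not in cat1:
            cat2.add(b)
        elif controlled and b in cat1 and a not in cat1:
            cat2.add(a)

    result: Dict[str, Category] = {}
    for c in components:
        if c.name in cat1:
            result[c.name] = Category.CAT1
        elif c.name in cat2:
            result[c.name] = Category.CAT2
        else:
            result[c.name] = Category.CAT3
    return result


def in_scope(categories: Dict[str, Category]) -> Set[str]:
    """Assumption: Category 1 and 2 are in scope for assessment, Category 3 is not."""
    return {n for n, cat in categories.items() if cat != Category.CAT3}


# Constructed sample estate (not from the page).
COMPONENTS = [
    Component("pos-terminal", handles_chd=True),
    Component("payment-switch", handles_chd=True),
    Component("backoffice-db"),
    Component("hr-system"),
    Component("admin-jump-host"),
    Component("marketing-wiki"),
]

# Flat network: the payment switch and back-office DB share a segment with no
# control between them, and the DB shares another segment with the HR system.
FLAT_LINKS: List[Link] = [
    ("pos-terminal", "payment-switch", True),
    ("payment-switch", "admin-jump-host", True),
    ("payment-switch", "backoffice-db", False),
    ("backoffice-db", "hr-system", False),
    ("marketing-wiki", "admin-jump-host", True),
]

# Same estate after placing a firewall between the switch and the back office.
SEGMENTED_LINKS: List[Link] = [
    ("pos-terminal", "payment-switch", True),
    ("payment-switch", "admin-jump-host", True),
    ("payment-switch", "backoffice-db", True),
    ("backoffice-db", "hr-system", False),
    ("marketing-wiki", "admin-jump-host", True),
]

if __name__ == "__main__":
    for label, links in (("flat", FLAT_LINKS), ("segmented", SEGMENTED_LINKS)):
        cats = categorize(COMPONENTS, links)
        print(f"{label}: in scope = {sorted(in_scope(cats))}")
```

On the flat network the HR system ends up in Category 1, and therefore in scope, even though it never touches a card number, purely because nothing separates it from the back-office database that sits next to the payment switch. Adding one controlled boundary turns the database into Category 2 and drops the HR system to Category 3, which is the scope reduction the next section is about.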

  2. IMPLEMENT SEGMENTATION PROPERLY
    Not implementing network segmentation is one of the biggest reasons why organizations fail to comply with PCI DSS.
    We can minimize the scope using network segmentation. Segmentation means separating the system components or devices that store, process or transmit cardholder data from all other components, keeping PCI-protected payment information away from less sensitive data. We consolidate cardholder data into fewer locations and a more controlled environment, the Cardholder Data Environment (CDE).
    According to the PCI DSS, “To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the cardholder data environment (CDE), such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”
    So it is clear that segmentation can be very useful for reducing both the scope and the cost of the PCI DSS assessment.
    Without segmentation, for example, card-processing systems are mixed with back-office systems. This arrangement can bring the entire network into scope for PCI DSS compliance, which increases the amount of work needed to comply with the standard and with it the chance of failing to comply.
    We can implement segmentation using several technologies, as follows:

    • Tokenization
      Tokenization can be used to reduce the scope of assessment. Tokens replace sensitive data such as primary account number (PAN) data, i.e. credit card numbers.
      Credit card tokenization randomly generates a value to replace the credit card data. Because tokens are randomly assigned, a token carries no information about the card number and cannot be reverse-engineered back to it. The only way to see which credit card value is associated with which token is through a token vault, which is usually managed by a third party.
      By using tokens instead of PAN data or credit card numbers, merchants never see customer credit card information. They see only tokens, which are useless on their own.
      PCI DSS states that, “Tokenization solutions do not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify a merchant’s validation efforts by reducing the number of system components for which PCI DSS requirements apply. Storing tokens instead of PANs is one alternative that can help to reduce the amount of cardholder data in the environment.”
      This means that tokenization can reduce the number of system components that must be assessed, because those components no longer store or process cardholder data, only tokens. This reduces the scope of the assessment and ultimately the cost of compliance.
      The tokenization system components, such as the card vault and the de-tokenization service, are part of the cardholder data environment (CDE) and therefore in scope for PCI requirements. Where the card vault is operated by a vendor, it is out of scope for the business taking the payment cards.
      Organizations that use tokenization provided by a third party must ensure that their tokenization vendor has been approved through the PCI SSC, and that the vendor protects its tokenization systems and processes with strong security controls.
    • Implement strict access control
      According to the PCI SSC Guidance for PCI DSS Scoping and Network Segmentation, for a system to be considered out of scope, controls must be implemented that give reasonable assurance that the out-of-scope system cannot be used to compromise an in-scope system component, because the in-scope system could then be used to gain access to the CDE or impact its security.
      Examples of controls that can be applied to prevent out-of-scope systems from being used to compromise in-scope systems are as follows:

      • Host-based firewall and/or intrusion detection and prevention system (IDS/IPS) on in-scope systems that block connection attempts from out-of-scope systems.
      • Physical access controls that allow only designated users to access in-scope systems.
      • Logical access controls that permit only designated users to log in to in-scope systems.
      • Multi-factor authentication on in-scope systems, such as two-factor authentication (2FA).
      • Restricting administrative access privileges to designated users and systems/networks.
      • Actively monitoring for suspicious network or system behavior that could indicate an out-of-scope system attempting to gain access to an in-scope system component or the CDE.
    • Access rules via proper firewall and router settings
      We can use firewall and router rules to ensure that there is separation between network components or devices such as public servers, the corporate LAN, and the CDE (Cardholder Data Environment). For example, we can set a rule so that no traffic originating from the corporate LAN is allowed into the CDE.
      Remember that all controls used to establish segmentation (such as firewall settings that limit connections to specific ports or services on specific systems) must be included in the PCI DSS assessment to validate their effectiveness.
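To make the tokenization bullet above concrete, here is an added Python example (not the page's code and not any vendor's product) of a minimal token vault together with the merchant-side record that references it. The `TokenVault` class, the `tok_` prefix, the role names and the sample card number are assumptions for the illustration. It shows the two properties the text relies on: the token is random and carries nothing derived from the PAN, and only the vault, gated by caller role, can map a token back to a card number, so the merchant record itself holds no cardholder data.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Set

TOKEN_PREFIX = "tok_"  # assumption: a recognisable format so tokens are never mistaken for PANs


def luhn_ok(pan: str) -> bool:
    """Reject malformed card numbers before they reach the vault (Luhn check digit)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault: the only component that ever sees a PAN.
    It lives inside the CDE (or at a third-party provider) and is in scope."""

    def __init__(self, detokenize_roles: Set[str]) -> None:
        self._store: Dict[str, str] = {}          # token -> PAN, never the reverse
        self._detokenize_roles = set(detokenize_roles)

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        # secrets.token_hex(16) is 128 bits of CSPRNG output; nothing about the
        # PAN goes into the token, so it cannot be reversed without the vault.
        token = TOKEN_PREFIX + secrets.token_hex(16)
        while token in self._store:               # keep tokens unique (practically never loops)
            token = TOKEN_PREFIX + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only designated roles (e.g. the payment gateway) may recover a PAN."""
        if caller_role not in self._detokenize_roles:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._store[token]


@dataclass(frozen=True)
class MerchantCardRecord:
    """What the merchant's own systems store: a token and display data only."""
    token: str
    last4: str
    customer_id: str


def store_card_for_customer(vault: TokenVault, pan: str, customer_id: str) -> MerchantCardRecord:
    """Merchant-side flow: hand the PAN to the vault once, keep only the token."""
    token = vault.tokenize(pan)
    return MerchantCardRecord(token=token, last4=pan[-4:], customer_id=customer_id)


def record_contains_pan(record: MerchantCardRecord, pan: str) -> bool:
    """Sanity check for the scope argument: the stored record must not hold the PAN."""
    return pan in (record.token, record.last4, record.customer_id)


if __name__ == "__main__":
    vault = TokenVault(detokenize_roles={"payment-gateway"})
    # Constructed sample card number (a standard test PAN, not a real card).
    rec = store_card_for_customer(vault, "4111111111111111", "cust-42")
    print("merchant stores:", rec)
    print("gateway recovers:", vault.detokenize(rec.token, "payment-gateway"))
```

Two design choices matter for the scoping argument. First, every call to `tokenize` returns a fresh random token, so two records for the same card share nothing an attacker could correlate; a vault that needs card-level analytics would instead return a stable per-card token, and that is a deliberate trade-off, not a requirement. Second, `detokenize` is role-gated because the de-tokenization path is itself part of the CDE, as the text notes: a merchant system that can call it freely is back in scope.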
  3. REMEMBER THIS GUIDELINE
    PCI compliance can be less expensive and much less frustrating if we use the strategies above and follow this guidance:

    • Do it wisely: do what you need, and only what you need.
      For example, access to the CDE should be granted based on business need only.
    • Consider business constraints.
    • Consider ALL business processes.
      The strength of your security is equal to your weakest link. A company may implement tokenization, but if at the same time its employees leave the voice recording system or fax system unattended, the tokenization will be useless.

Carefully considering the strategies and guidelines in this article will improve your chances of successfully complying with PCI DSS.