You may have heard more about the SEC Form 8-K recently due to changes that went into effect on Dec 16, 2023. From the SEC’s press release.

Technical vulnerabilities are areas of weakness in your source code or infrastructure that attackers could potentially exploit. It’s important for your business to address its technical vulnerabilities to protect itself from these types of threats, in addition to gaining or maintaining compliance with SOC 2 and ISO 27001. ‍ For many of these standards, you’re required to have vulnerability scanners running to ensure you’re continuously monitoring for new threats.

SOC 2 is an information security standard was created by the American Institute of Chartered Public Accountants (AICPA), as a way to provide assurance of an organisation’s management of data. SOC 2 compliance provides a framework to assess against five Trust Service Criteria (TSCs) – but more on those later. There are two types of SOC 2 compliance: Type I and Type II.

Welcome back to our ongoing series on the Payment Card Industry Data Security Standard (PCI DSS). In our previous posts, we’ve covered the various requirements of this critical security standard. Today, we’re going to delve into Requirement 4, which focuses on protecting cardholder data with strong cryptography during transmission over open, public networks.

The Securities and Exchange Commission (SEC) in the United States approved their cyber rules on July 2023, originally proposed in March 2022 for public comments (SEC, 2022; 2023). This has sparked many conversations about how the board of directors and executive management should think about cybersecurity and to what extent public disclosures should be made about cybersecurity incidents and risks. Most notable among them is the requirement that material cyber incidents be reported within four days.

As global data privacy and cybersecurity regulations continue to increase, the pressure for organizations to manage compliance risk grows. The first step in your journey to better compliance risk management is compliance risk assessment. With risk management methodologies, a compliance risk assessment analyzes how an organization might not meet its regulatory compliance obligations.

Corporate compliance is not a new idea; for many years, organizations everywhere have had to comply with certain rules and standards to reduce risks and vulnerabilities. Those rules might be defined internally by the company’s compliance team or by an external party such as a regulatory agency — but either way, they are rules that the company must follow. An effective compliance function assures that the organization complies with both internal and external rules.

In our exploration of PCI DSS v4.0’s changes, we’ve reached the heart of the matter – Requirement 3: Protect Stored Account Data. While the previous two requirements focused on network and access control, Requirement 3 tackles the crucial issue of securing sensitive cardholder information once it’s captured and stored.

This blog is part of a series about how to use Vanta and AWS to simplify your organization’s cloud security. To learn more about how to use Vanta and AWS, watch our Coffee and Compliance on-demand webinar. ‍ Amazon Web Services, or AWS, is one of the most popular cloud providers for organizations today — providing one of the most flexible and secure cloud environments available.

It is increasingly common for Salesforce Orgs to be in scope for SOX. Auditors are concerned about revenue-related data and critical business processes on the platform. The problem is that Orgs are complex, often highly customized, and much of what auditors are most concerned about is hidden away in custom objects or very difficult to track.