Because of additional regulations and standards pertaining to information security, including Payment Card Industry Data Security Standard (PCI-DSS), the General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), California Consumer Privacy Act (CCPA) and ISO 27001, organizations are putting more emphasis on compliance as well as the auditing of their cybersecurity policies and cybersecurity controls.

This blog was written by a third party author. A security risk assessment is a formal method for evaluating an organization's cybersecurity risk posture. Comprehensive security risk assessments take stock in business objectives, existing security controls, and the risk environment in which the business operates. When done well, the assessment identifies security gaps in existing controls as compared with industry best practices.

There is a story from years ago about a warehouse network of computers that was separated from the main network. Those machines were running older OSes. But since they weren’t connected to the company network, didn’t hold company data, and only ran the warehouse machines, they were deemed secure. One day, the sysadmin noticed that all of those computers had a glitch at the same time. He remotely rebooted and went back to his desk. But they all glitched again. What happened?

Compliance testing, also known as conformance testing, is a periodic, independent, and objective assessment of compliance-related processes and/or controls. The goal of compliance testing is to determine whether the elements, processes, and controls of your compliance program are designed appropriately and operating as designed. Compliance testing follows an established process and plan as well as a risk-based approach.

Each month, Reciprocity highlights companies that have earned compliance certifications for information security frameworks. Here’s our August 2020 roundup of compliance news from around the United States, and around the world.

During an internal International Organization for Standardization (ISO) audit, your company assesses its quality management system (QMS) to determine if it complies with ISO 9001. Companies use the ISO 9001 standard to demonstrate that they can consistently provide products and services that meet customer needs and regulatory requirements. Organizations also use ISO 9001 to demonstrate that they are continually improving their products, services, and processes.

Information security should be at the heart of every system launched. In accordance with the Federal Information Security Management Act (FISMA), an information technology system is granted an Authority to Operate (ATO) after passing a risk-based cybersecurity assessment.

If your company is a service organization and your customers trust you with their data, you may need to pass a SOC 2 (System and Organization Controls 2) audit. Compliance and certification are the goals of a SOC 2 audit. Because the integrity, confidentiality, and privacy of your customers’ data are on the line, they’ll want you to prove that you have the internal controls in place to protect that data. The SOC 2 compliance audit gives them that assurance.

For organizations that manufacture any type of product, overall quality and customer satisfaction are extremely critical. This is particularly important for companies that manufacture complex products, such as vehicles or medical devices. Note that vehicle manufacturers, particularly in the United States but also in other countries, have established their own quality standards for third party suppliers.

Cybersecurity risk management is the practice of prioritizing cybersecurity defensive measures based on the potential adverse impact of the threats they're designed to address. Establishing a risk management approach to cybersecurity investment acknowledges that no organization can completely eliminate every system vulnerability or block every cyber-attack.