Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

February 2020

What is the SIG Questionnaire?

The Standardized Information Gathering (SIG) questionnaire is used to perform an initial assessment of vendors, gathering information to determine how security risks are managed across 18 different risk domains. SIG was developed by Shared Assessments and is a holistic tool for risk management assessments of cybersecurity, IT, privacy, data security, and business resiliency. The SIG questionnaire was created by Shared Assessments.

What is HECVAT (Higher Education Community Vendor Assessment Toolkit)?

The Higher Education Community Vendor Assessment Tool (HECVAT) is a security assessment template that attempts to generalize higher education information security and data protection questions and issues regarding cloud services for consistency and ease of use. HECVAT has various versions that are free to use and provide a consistent, streamlined third-party risk assessment framework.

What are the OWASP Top Ten?

The OWASP Top 10 is a regularly-updated report outlining the top 10 list of security concerns for web application security. The report is put together by a team of security experts around the world. OWASP refers to the Top 10 as an 'awareness document' and they recommend all companies incorporate the report's findings into the cybersecurity processes.

What is Data Loss Prevention (DLP)?

Data loss prevention (DLP) is a set of processes and technologies that ensure sensitive data is not lost, misused or exposed to unauthorized users by end-users or misconfiguration. Most data loss prevention solutions rely on data classification. This means that sensitive data is grouped into different buckets, e.g. regulated, confidential, financial data, intellectual property, and business-critical data.

What is Cross-Site Scripting (XSS)?

Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users and may be used to bypass access control, such as the same-origin policy. The impact of XSS can range from a small nuisance to significant cybersecurity risk, depending on the sensitivity of data handled by the vulnerable website, and the nature of any mitigations implemented.

What is a Whaling Attack?

A whaling attack is a type of phishing attack that targets high-level executives, such as the CEO or CFO, to steal sensitive information from a company. This could include financial information or employees' personal information. The reason whaling attacks target high-ranking employees is because they hold power in companies and often have complete access to sensitive data.

HIPAA Privacy Rule Summary and Compliance Tips

The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) establishes a set of national standards for the protection of patients' rights and certain health information. Its standards address the use and disclosure of individuals' health information, known as protected health information or PHI by organizations subject to the Privacy Rule, as well as standards for an individual's rights to understand and control how their health data is used.

Why is Third-Party Risk Management Important?

Globalization and increasing regulatory pressure means more organizations need to examine their third-party vendors, service providers and supply chain in order to assess the level of risk, inform decisions and comply with laws. Failure to adequately assess third-party and fourth-party risk exposes organizations to reputational risk, operational risk, cyber risk, government inquiry, monetary penalties and criminal liability, Ignorance is no longer a valid defense.

How to Manage Third-Party Risk

Engaging with third-party vendors for the provision of goods and services isn't new. The level of digital transformation, paired with the number of third-party relationships and business partners the average organization has is. Third-party risk management programs need to evolve the manage this ever evolving type of risk exposure. Enterprise-wide organizations rely on third and fourth-party vendors. And many of them have access to sensitive data.

What is the Florida Information Protection Act (FIPA)? Compliance Tips

The Florida Information Protection Act of 2014 (FIPA) came into effect July 1, 2014, expanding Florida's existing data breach notification statute requirements for covered entities that acquire, use, store or maintain Floridian's personal information. FIPA modified Florida's existing data breach notification law and applies to commercial and government entities.

What Is Email Security? And What Are Best Practices?

Email security refers to various cybersecurity measures to secure the access and content of an email account or service. Proper email security can protect sensitive information in email communications, prevent phishing attacks, spear phishing and email spoofing and protect against unauthorized access, loss or compromise of one or more email addresses.