Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

September 2021

Third-Party Risk Management Regulations Every Organization Should Know

Modern organizations operate in a complex business landscape. Increasingly, they rely on a plethora of third-party partners, vendors, and subcontractors to generate value, boost competitiveness, and strengthen their bottom line. And yet, these same third parties also create numerous risks that can disrupt the organization’s operations, affect its financial standing, and damage its reputation.

Data Risk Management in the Gig Economy

A huge swath of the U.S. workforce doesn’t actually hold a full-time job. As many as 40 percent of Americans work in the so-called “gig economy” — driving for ride-share services, selling handicrafts online, pet-sitting, managing a social media account for a local company, and so forth. Typically, a technology company (Uber, Etsy, Rover, AirBnB; the list is endless) matches those workers with customers who have a need.

Top 10 Risks Faced By the Manufacturing Industry

The global economy is more connected than ever, generating significant benefits for companies and industries operating worldwide. Nobody, however, is exempt from threats that drive supply chain and manufacturing risk. There is no doubt that the manufacturing industry is beset by numerous risks that affect the company and its human assets.

Steps to a Successful ISO 27001 Risk Assessment Procedure

ISO/IEC 27001 is an international set of standards that provide the requirements to set up an Information Security Management System (ISMS). Implementing ISO 27001 enables organizations to better manage and secure their information assets, including intellectual property, financials, employee details, customer data, and information entrusted by third parties. Furthermore, companies can prove that they are less vulnerable to IT security incidents or data breaches by achieving ISO compliance.

What To Do When Your Cloud System Crashes

Most organizations today rely on the cloud to store or manage at least some of their data and applications. If your business is considering (or already using) a cloud environment, it’s important that you know what to do if your cloud system crashes or experiences an outage. In this guide, we cover the basics of cloud computing and then outline some steps you can take in the event of a cloud crash or outage.

How to Assure Your Compliance Strategy Evolves Over Time

Compliance is a constant issue that affects businesses in multiple ways every day. Not only must your compliance program address individual acts of misconduct; the program must assure that your organization follows laws, rules, and regulations overtime — every day, day after day, in perpetuity.

How to Map HIPAA to ISO 27001

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a U.S. federal law meant to protect sensitive electronic protected health information (ePHI). Every healthcare organization (“covered entity”) must comply with its two fundamental rules. In 2013, the U.S. Department of Health and Human Services (HHS) passed the HIPAA Omnibus Final Rule, which expanded compliance requirements to the business associates that also handle ePHI on behalf of covered entities.

Conducting Penetration Testing for Your Corporate Security

Understanding your organization’s cybersecurity posture is becoming more important every day. So how do you know how secure your IT infrastructure really is? One way to get a glimpse into your organization’s security is penetration testing: pretending (or hiring someone to pretend) to be a hacker, attempting to infiltrate your organization’s physical and cyber systems however possible.

NIST's New Draft for Ransomware Risk Management

Cyberattacks against businesses of all sizes are at all-time highs. Data from 2021 and projections for the future of cybersecurity suggest that the frequency and intensity of these attacks will only continue to grow. At the forefront of most cyberattacks in 2020 was ransomware, a type of malicious malware attack where attackers encrypt your organization’s data and demand payment in exchange for a decryption key to restore access.

What is a Network Vulnerability Assessment?

A network vulnerability assessment is the reviewing and analyzing of an organization’s network infrastructure to find cybersecurity vulnerabilities and network security loopholes. The assessment can be carried out either manually or by using vulnerability analysis software — although the latter is preferred because it’s less susceptible to human error and usually delivers more accurate results.

What is an Audit Universe?

An audit universe is a document that details all the audit activities to be carried out by the internal audit function. It consists of multiple and distinct auditable entities, processes, and activities, which can be considered “auditable units.” The number of these auditable units varies depending on the organization’s size, business complexity, and operational scale. In some cases they can run into the hundreds or even thousands.

What is Regulatory Compliance?

Regulations have long existed to govern how organizations collect and use information online, as well as what cybersecurity precautions organizations should take while conducting business online. As digital transformation of business processes has accelerated in the last few years, however, that means ever more organizations — large and small — must comply with all those regulations.

What is HIPAA Compliance?

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996 to prevent medical fraud and to assure the security of protected health information (PHI), such as names, Social Security numbers, medical records, financial information, electronic health transactions and code sets. The law is managed by the U.S. Department of Health & Human Services (HHS).

Back to Basics: Making a Start with GRC

Companies list governance, risk, and compliance (GRC) as a top priority, but “doing GRC” isn’t easy. It takes time, effort and a strategy – and starting is usually the hardest part. So, in the first of our Back to Basics blogs, we’re going to focus on where every compliance and risk practitioner should start when building a GRC program: selecting the compliance frameworks which will form the foundation of your GRC program…

Developing Your Key Risk Indicators (KRIs)

Organizations today live in a dynamic environment. Risks to your business activities are everywhere, including among the relationships you have with other parties. From choosing supply chains to engaging in new partnerships, third-party risks have always been part of the risk assessments that organizations perform (or should perform, at least). Unfortunately, with the advent of cloud services and automation, third-party risks are now one of the most common threats that the modern enterprise faces.

How Internal Cybersecurity Threats Affect Your Cyber Risk Plan

In 2016, an article in the Harvard Business Review called out organizations that focused on external cybersecurity threats while ignoring the threats originating from within — and rightly so. Today, about 66 percent of organizations believe that malicious insider attacks are more likely than external attacks. This points to a growing (and welcome) awareness of internal cybersecurity threats.

Tips for Patching Security Vulnerabilities

Given the countless cyber threats facing organizations these days, security has become one of the most pressing issues on the executive mind. Yet when we talk about cybersecurity, we rarely focus on security vulnerabilities and how patching those vulnerabilities is crucial for a cybersecurity program. So what is vulnerability patching, exactly? A vulnerability is a flaw that cybercriminals can exploit to gain unauthorized access or to perform unauthorized actions on a computer system.

Key Targets for Fileless Malware

Cybersecurity threats have proliferated for years, and that shows no sign of stopping. One estimate, for example, is that damages due to cybercrime will hit $10.5 trillion by 2025. One especially pernicious threat gaining new popularity: fileless malware. Fileless malware attacks are particularly dangerous because, unlike traditional malware, they involve no files to scan — and therefore are harder to detect by conventional endpoint protection tools.

What is a Data-Centric Architecture for Security?

As cyber threats and data breaches proliferate, organizations need a better way to protect their sensitive data. One specific need: effective and efficient data security models. A security model includes procedures to validate security policies and to implement vital business processes and workflows in your security program. A security model also specifies the data structures and techniques required to enforce security policies.

What is a Vendor Risk Management Program?

As your company grows, outsourcing certain tasks will likely become necessary. Whether procuring materials from outside manufacturers or contracting freelancers to help your marketing efforts, third- and even fourth-party vendors have become critical relationships in any developing business. Opening your organization to third parties has many benefits. It also exposes your company to new risks you may not have considered.

Key Principles of Operational Risk Management

Operational risk is any risk stemming from your company’s business processes that could result in loss. This loss is not always financial; things like reputational risk also fall under this category. Operational risk management (ORM) is the art of protecting your company from these potential risks and minimizing any losses that may occur. ORM began in financial institutions and became streamlined and codified over the years via the Basel Committee on Banking Supervision (BCBS).

What are the Four Factors of a HIPAA Breach Risk Assessment?

Modern technology allows the easy collection and distribution of personally identifiable information — and concerns about the unintended distribution of that personal data have led to a wave of data privacy laws around the world. The U.S. Health Insurance Portability and Accountability Act (HIPAA) is one such law, and imposes strict rules on how hospitals, healthcare businesses, and other “covered entities” handle personal health information (PHI).