Vendor Due-Diligence: NIST 800-53 vs. NIST 800-171

Organizations may benefit from greater understanding of the difference between and appropriate use of NIST 800-53 vs. NIST 800-171, especially when it comes to understanding which framework is required by law or applicable under vendor due diligence. Marketplace Confusion: Vendor Due-Diligence Often Drives Implementation The proliferation of NIST 800-53 “Security and Privacy Controls for Federal Information[…]

How to Choose a SOC 2 Audit Firm (with Vendor Scorecard Template)

Selecting the right partner to assist with SOC 2 compliance (or anything else) can be challenging. If you are trying to sort through the marketplace to select a vendor here are a few considerations. You can also download our free vendor selection template here. 1| Experience Assess resumes of the individuals who will be performing[…]

New York Cybersecurity Regulations – Path to Compliance (Whitepaper)

Written March 1, 2017, the New York Financial Services Cybersecurity Regulations have been developed to address significant cybersecurity threats to the financial services industry. The regulations prescribe certain standards for a financial service company’s (“regulated entity” or “Covered Entity”) cybersecurity program for the purpose of promoting protection of customer information and protecting regulated information systems.[…]

Simplify Compliance by Creating One Set of Controls to Manage Risk (Unified Control Framework)

Heavily regulated companies spend a lot of time mapping and creating new business processes to meet compliance requirements. This is especially frustrating for businesses that face multiple compliance requirements. We see this often in the financial technology (FinTech) and healthcare technology (HIT) space. Companies like these have an almost unmanageable number of regulatory frameworks to[…]

Petya Ransomware & Mitigation Steps

They Petya Ransomeware outbreak is the second such global attack in the last couple of month. The malware is spreading using same Microsoft Windows vulnerability that was exploited by the recent WannaCry ransomware event. Symantec confirmed that Petya uses the “Eternal Blue” exploit. Microsoft released a patch for the Eternal Blue exploit in March (MS17-010), but if you have put off installing the patch[…]

How to Effectively Communicate Your Security and Compliance Story to Prospective Clients and Business Partners

I read an article last week about Wal-Mart forcing some of their vendors off Amazon’s cloud. Wal-Mart has an incredible amount of leverage over their vendors so my guess is that most SaaS providers probably went along with Wal-Mart’s request. This type of thing isn’t uncommon in the world of vendor management. I have personally[…]

What SOC 2 Updates to COSO 2013 Mean for You (Whitepaper)

Beginning December 15, 2018, (with optional adoption beginning April 2017) all SOC 2 reports will be required to utilize the updated Trust Services Criteria. The updated trust services criteria are an update to align with the seventeen COSO 2013 framework principles. If you would like to download the complete whitepaper please send us a note.[…]