PCI DSS, CIS Controls, Security Program, Privacy, ISO27001
It's common knowledge that enterprise organizations need effective security, privacy and compliance programs to survive and grow. There are a ...
In an era of cost-cutting, downsizing and generally insufficient budgets for everything, we are often asked, what is the one, main thing to do ...
With the advent of quantum computing, a new threat has been added to the information security mix. The threat is that today's secure cryptography may ...
Possibly one of the biggest and most anticipated changes introduced with PCI DSS v4.0 is the Customized Approach. The PCI SSC is pushing the ...
A SOC 2 Type 2 audit is an evaluation of risk for buyers and, a vehicle for communicating trust between two parties. But is it right for your ...
Security Program, Risk Assessment
Risk in general is the likelihood and the possible impact of something bad happening in the near future. A risk assessment is an introspective ...
What's new with State Privacy Laws? There are now ten comprehensive privacy laws enacted in the United States. The new 2023 laws include those ...
In this interview with Truvantis CEO Andy Cottrell, Aaron Wheeler discusses conducting tabletop exercises and how his clients derive value. What ...
In this interview with Truvantis CEO Andy Cottrell, Jenny Hill discusses the challenges and evolution of security programs she sees across ...
The Truvantis Risk Radar welcomed the PCI Dream Team to the first stop of their 2023 book tour. Their new book is called, “The Definitive Guide ...
Penetration Testing, Security Program, Risk Assessment, Red Team
William gets to the point of what a pen test should do for your business and how to avoid costly mistakes.
As technology advances and the reliance on digital systems grows, the risk of data breaches in the health-tech sector has increased ...
CIS Controls, Security Program
Ok, so you had a data breach. What do you do next? Some experts warn that it's not a matter of 'if' but 'when' your information management ...
NOTE: PCI DSS compliance is mandated by the contracts merchants sign with the card brands (Visa, MasterCard, etc.) and the banks that ...
PCI DSS, CIS Controls, Security Program
We interviewed Rick Folkerts, Principal Security Analyst at Truvantis. Rick is a specialist in governance, risk and compliance, including data ...
Penetration Testing, Security Program, Threat Intelligence, Ransomware
In today's digital age, businesses increasingly rely on technology, making them more vulnerable to cyber-attacks. One of the most dangerous ...
PCI DSS, SOC2, CISO, vCISO, CIS Controls, Security Program, Privacy, Red Teaming
Cybersecurity and privacy risks remain among the top threats facing business organizations today. Increasingly, boards are leaning on the CISO ...
"I think this is a colossal failure in asset-liability risk management," said Mark T. Williams, a former bank examiner for the Federal Reserve, ...
SOC2, Penetration Testing, Security Program, Privacy
HealthTech is among the most well-funded and rapidly growing industries. However, the medical sector is one of the most challenging areas for ...
SOC2, Penetration Testing, Security Program, Privacy
When it comes to cybersecurity, privacy & compliance, the road forward is often unclear. The recently amended FTC Safeguards Rule (Title 16 ...
When it comes to cybersecurity, privacy & compliance, the road forward is often unclear. A proper risk assessment is a fundamental start to ...
PCI DSS, SOC2, CIS Controls, Security Program, Privacy
Many Organizations are Finding Value in Continuous Compliance: In 2023, many organizations are considering cybersecurity and privacy as business ...
CIS Controls, Security Program
How your defense-in-depth strategy protected you from the LastPass data breach: Most of us like using password managers for the security and user ...
When it comes to a security risk assessment, it's often unclear what you'll receive. Providers use meaningless and misused buzzwords, and there ...
Penetration Testing, Security Program, Risk Assessment, Privacy, Threat Intelligence
Nowadays, the perpetrators of ransomware have gotten more clever in their methods, using complex strategies such as double extortion, in which ...
Along with the benefits of capabilities and growth, mergers and acquisitions add new risks to your attack surface. Managing M&A risk should ...
The concept of 'Zero Trust,' which essentially presumes conventional perimeter protections don't exist, has been in cybersecurity for many ...
Congratulations, product development was successful, and you have the utmost confidence in the capabilities of your new product or service. ...
Many find the holiday season exciting because they can relax, spend time with family and friends, and celebrate traditions. Additionally, most ...
In today's data-driven economy, an organization's data is its most valuable asset. The landscape of privacy regulations is vast and continuously ...
The ISO 27001 standard provides requirements for establishing, implementing, maintaining and continually improving your Information Security ...
Without a doubt, the increased frequency and intensified scale of ransomware attacks are becoming a significant issue for tens of thousands of ...
Most industry-recognized security frameworks, including HITRUST, CIS Controls and PCI DSS, stipulate penetration testing requirements as part of ...
In a corporation, the board is ultimately accountable to the shareholders for managing risks, including cybersecurity and privacy risk. ...
Everyone is aware that cybersecurity is a necessity. Regardless of how mature or lacking your current cybersecurity program is, the constantly ...
Privacy regulations boil down to protecting information. In other words, privacy is about the security of data. The various privacy rights can ...
According to the Anti-Phishing Working Group (APWG), an international coalition of counter-cybercrime responders, phishing attacks climbed to a ...
Given the complexity and cost of security, privacy and compliance efforts, a comprehensive risk management program is the best overall approach. ...
The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) is a widely recognized security framework that HITRUST developed ...
Penetration Testing, Security Program
The ROI on Pen Testing varies widely depending on the vendor you choose. Here are some tips for making a smart choice. Penetration testing also ...
Privacy regulations boil down to protecting information. In other words, privacy is about the security of data. In today’s data-driven economy, ...
Internet of things (IoT) devices are prevalent in our home and business lives. Embedded devices have revolutionized manufacturing, industrial, ...
SOC2, CISO, vCISO, Security Program
The California Privacy Protection Agency (CPPA) Board held a public meeting on August 24-25 at the Elihu M. Harris State Office 1515 Clay St. ...
Headlines: Experts agree remote workers and BYOD have permanently changed the threat landscape. Quantum computing is emerging as an ...
SOC2, CISO, vCISO, Security Program
Topic: The Compliance Equals Security Disconnect. "Use the tools at your disposal correctly, stay current on threats, monitor your security ...
SOC2, CISO, vCISO, Security Program
You likely need a risk assessment for compliance. PCI DSS 4.0, SOC2, ISO 27001, NIST, HIPAA, and other standards require a risk assessment as a ...
In the news recently, more hijinks from our infamous foes, North Korean state-sponsored attackers; The evolving gang of thugs who brought us ...
Payment Card Industry Data Security Standard (PCI DSS) compliance can be expensive for financial institutions and transaction processors ...
Privacy and security were historically two separate disciplines. However, over the years, the two have grown closer together. Moreover, as the ...
CISO, vCISO, Security Program, Risk Assessment, ISO27001
ISO 27001 is the certifiable ISO standard that specifies the requirements for establishing and managing an Information Security Management System (ISMS). 27001 is ...
SOC2, CISO, vCISO, Security Program
All organizations face the challenges of new cybersecurity and privacy laws, a sharp increase in cybersecurity litigation, and the ceaseless ...
SOC2, CISO, vCISO, Security Program
"Compliance is NOT Security" You hear this common lament from security professionals, "Compliance is not security." This remark has always ...
Penetration Testing, CIS Controls, Security Program
Independent penetration testing provides critical objective insights about vulnerabilities in organizational defenses and mitigating controls. ...
Penetration testing uses creative, blended attacks like real-world adversaries to find weaknesses in tested systems. By simulating real-world ...
Out of the box, most operating systems are configured insecurely. OS hardening minimizes an operating system's exposure to threats by properly ...
CISO, vCISO, Security Program, Privacy
The fact that each state in the U.S. seems to have specific privacy laws with no central comprehensive federal law makes it difficult to know ...
The California Privacy Protection Agency Board held a public meeting on June 8 in Oakland, CA to further the CPRA rulemaking process. The agenda ...
SOC2, HIPAA, CIS Controls, Security Program
You can achieve information security by complying with an adequate set of security policies, standards, and procedures. Of course, there is no ...
The complex legal landscape surrounding privacy, including biometrics, continues to evolve at the state level. Arduous legislation has led to ...
CISO, vCISO, Security Program, Risk Assessment, ISO27001
One of the best ways to demonstrate the suitability of your Information Security Management System (ISMS) to your organization, customers, and ...
PCI DSS, SOC2, CISO, vCISO, CIS Controls, Security Program, Privacy, Red Teaming
The Data Protection Officer (DPO) is a role required by the EU General Data Protection Regulation (GDPR). If your organization is subject to ...
Penetration Testing, Security Program, Risk Assessment
In today's interconnected world, application programming interfaces (APIs) have rapidly become predominant tools for sharing data and providing ...
Penetration Testing, Security Program, Red Team, Red Teaming
Red Teams are often confused with penetration testers due to their overlap in practices and skills, but we believe they are not the same. ...
The California Privacy Rights Act (CPRA) evolution continues with lively public debate in May, where much of the focus is on data collection and ...
The California Privacy Protection Agency (CPPA) is holding pre-rulemaking stakeholder sessions via Zoom this week, Wed May 4-6. The sessions are ...
Achieving SOC 2 compliance is a competitive advantage, and many times, it is critical to make a sale. SOC 2 reports are often used throughout ...
The PCI Data Security Standard (PCI DSS) is a global standard of technical and operational requirements for merchants and service providers who ...
PCI DSS, SOC2, CISO, vCISO, CIS Controls, Security Program, Privacy, Red Teaming
Not every business can internally support the staffing and resources necessary to independently develop robust cybersecurity and privacy ...
Penetration Testing, Security Program
Purple teams are a controversial topic among cybersecurity professionals. There seems to be industry confusion regarding the definitions of ...
Penetration Testing, Security Program
Sometimes the best defense is a good offense. In cybersecurity, you need to think like real-world attackers. Security practitioners do this ...
Penetration Testing, Security Program
As the world grows more interconnected through social media and digital communications, relevant information available to attackers grows ...
Earlier this month, the Payment Card Industry Security Standards Council (PCI SSC) published the official PCI DSS version 4.0. Over the next few ...
Penetration Testing, Security Program
Wireless access points can be easy targets for a cybercriminal to breach your system. Whether installed by stealth or just innocently by shadow ...
Truvantis Forms Strategic Partnership to Address Expanding Cybersecurity Risks: Guidepost Solutions LLC, a global leader in domestic and ...
Maybe you've been asked to provide a SOC 2 report as part of the sales cycle, or you anticipate you will need SOC 2 compliance at some point. ...
According to the IBM Cost of a Data Breach Report 2021: Average data breach costs rose 10% between 2020 and 2021, from $3.86 million to $4.24 ...
During a public board meeting on February 17, 2022, the California Privacy Protection Agency (CPPA) indicated it would likely miss the July 1, ...
PCI DSS, SOC2, CISO, vCISO, CIS Controls, Security Program
Businesses must comply with a mixture of international, industry-specific and state-mandated cybersecurity regulations and require their vendors ...
Penetration Testing, Security Program
Cloud technologies enable companies to build and run scalable applications in dynamic public, private, and hybrid environments. Containers, ...
Penetration Testing, Security Program, Red Teaming
Pen testing has traditionally focused on realistic simulated attacks on your network, operating systems and applications. In today's ...
When it comes to handling payment cardholder data, PCI DSS has many rules about what you must and must not do ...
The PCI Security Standards Council's redefined truncation rules are a mess.
If your company stores, processes, or transmits cardholder data, you need PCI DSS compliance. According to the Verizon 2020 Payment Security ...
Penetration Testing, Security Program, Red Teaming
Red Team vs. Penetration Test vs. Vulnerability Assessment - Seven characteristics that set these services apart and why it matters to you.
Most experts agree that the Chief Information Security Officer (CISO) role is a business necessity in today's cyber-risky environment. ...
Privacy, cybersecurity, and compliance are distinct practices with distinct goals. The three disciplines work together to build trust and ...
A System and Organization Controls 2 (SOC 2) compliant report is an industry-recognized standard for demonstrating the efficacy of information ...
In today's cyber-risky environment, most experts agree that the role of a Chief Information Security Officer (CISO) is a business necessity. ...
Responsibility vs. Accountability for Oversight of Cybersecurity: The need to manage cybersecurity and privacy risk is generally accepted. In ...
What does SOC mean and why does it matter? How did a CPA organization come to audit information systems for cybersecurity and privacy controls? ...
Penetration Testing, Security Program, Risk Assessment, Red Teaming
Everyone knows there are threats out there hell-bent on destroying our organizations. Innovative businesses everywhere are taking a risk-based ...
The Type 2 audit measures your organization's ability to maintain security, availability, processing integrity, privacy, and confidentiality ...
SOC2, CISO, vCISO, Security Program
Disasters, heroics, funny stories, and impacts to business success: Nate Hartman describes a six-month stint as an acting CISO or virtual CISO ...
SOC2, CISO, vCISO, Security Program
The SOC 2 Trust Services Criteria (TSC) for information technology are a framework for designing, implementing and evaluating information ...
Apache Log4j Vulnerabilities vs. GRC: On December 10, Apache released details about a Log4j-core vulnerability nicknamed "Log4Shell". It is ...
SOC2, CISO, vCISO, Security Program
System and Organization Controls 2 (SOC 2) was previously known as Service Organization Controls. Maintained by the American Institute of ...
PCI DSS, Security Program, Privacy
In 2021 cybersecurity professionals faced the same vulnerabilities and attacks as decades before, just more nefarious, persistent, and ...
SOC2, CISO, vCISO, Security Program, Risk Assessment
Facing the challenges of new cybersecurity and privacy laws, a sharp increase in cybersecurity litigation, and the ceaseless evolution of ...
What's new with State Privacy Laws? CPRA applies to all data collected as of Jan 1, 2022. In 2018 California became the first US state to give ...
Penetration Testing, Security Program, Risk Assessment
Ransomware is still a major threat. In fact, the Tactics, Techniques and Procedures (TTPs) of ransomware gangs have evolved so much that it has ...
Many new data privacy laws are emerging. Businesses must continually prove privacy compliance. Review current data privacy laws and get advice ...
CISO, vCISO, Penetration Testing, HIPAA, Security Program, Risk Assessment
Data backup and recovery systems are at the heart of your disaster recovery plan, yet organizations often disregard them when it comes to pen testing and ...
PCI DSS, CISO, vCISO, Penetration Testing, HIPAA, Security Program, Risk Assessment, Red Teaming
Scope is an important shaping tool that, when leveraged properly, can help enhance engagement outcomes during penetration testing, red team and ...
The first quarter of the year 2022 should be an exciting time for everyone working with PCI DSS. The PCI Security Standards Council is scheduled ...
As a company interested or required to become PCI DSS compliant, there is a list of key controls you must have in place, and appropriate ...
Penetration Testing, Security Program, CCPA, ISO27001
Application Programming Interfaces (APIs) have changed in nature in recent years and are increasingly (and sometimes inadvertently) being made ...
SOC2, CISO, vCISO, Security Program
CSO Online, which knows plenty about what goes into ensuring security, makes a strong case for hiring a virtual Chief Information Security ...
Modern organizations must collect and store sensitive personal and payment data to process payments, compile analytics, and enable users to get ...
PCI DSS is a strong security framework. If you are a business owner, you have probably heard about the PCI DSS (Payment Card Industry Data Security ...
January 1, 2021 will be the one year anniversary of the California Consumer Privacy Act (CCPA) going into effect, at least in theory. Forced ...
SOC2, CISO, vCISO, Security Program
Are you looking to start your SOC 2 Audit for this year? Here is a video that will guide you through your first SOC 2 audit using 11 steps. ...
PCI DSS requirement 2.2.1.a says “describe how system configurations verified that only one primary function per server is implemented.”
PCI DSS Requirement 12.8 dictates that any organization involved in payment card processing—including merchants, processors, acquirers, issuers, ...
Security Program, Risk Assessment
If you have ever taken a course in economics, then you should know a thing or two about the law of diminishing returns. It may very well be the ...
Penetration Testing, Security Program, Risk Assessment
The case of the Marriott hack is, at once, an alarming prospect for the chain’s previous guests and an invaluable case study for any ...
Payment cards have been around a long time, and nefarious schemes to take advantage of them have been around almost as long. Since most people ...
The Payment Card Industry Data Security Standard (PCI DSS) is required by contract for those handling cardholder data, whether you are a startup ...
Though the use of security risk assessments is widespread, often because they are mandated by compliance standards, there are a number of false ...
It’s finally time for the security risk assessment you’ve been pushing off… You may have been delaying because you believe risk assessments ...
You just received the results from your security risk assessment, but now what? It’s not uncommon for companies to perform this analysis only to ...
When it comes to conducting security risk assessments, it can be difficult knowing where to get started. Even after identifying your scope and ...
You need someone to manage your business’ security program, and while this is a necessity, you have options for how you choose to protect your ...
You’re busy at work, focused on meeting daily deadlines and on achieving your overall mission. But while you’re laser-focused on your day-to-day ...
Sales are complicated. You’re not just articulating the facts about your product or service, you are also navigating emotions and perception to ...
Under mounting pressure to keep up with an ever-changing body of regulations and increased demands for transparency, The American Institute of ...
Choosing the correct form of encryption will always be a game with moving goalposts. Encryption algorithms and associated transport protocols ...
Pentesting the People: social engineering is an easy vulnerability. When it comes to penetration testing of an enterprise, you instantly think ...
In May 2018, the PCI Security Standards Council, the authors of the PCI DSS standard, issued a new version of that standard - version 3.2.1. ...
As an aspiring penetration tester, it is not always the extensive rootkits or the backdoor Metasploit exploits that you need to focus on with ...
PCI DSS, SOC2, CISO, vCISO, HIPAA, CIS Controls, Security Program
A growing trend in the world of cyber security is companies outsourcing some or all of their information security teams. This can be just a ...
Being able to accurately perform a pentest on a network that you are not familiar with takes both knowledge about the underlying infrastructure ...
I constantly hear that recent computer science graduates have not even been introduced to the notion of secure coding. They may have been taught ...
Everybody, immediately: Existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place ...