The Cross-Sector Cybersecurity Performance Goals (CPGs) are a new baseline released jointly by CISA, NIST, and the interagency community, with a goal of providing consistency across all critical infrastructure. The primary webpage for these goals gives us a great understanding of what they are (and are not). It is worth delving into those specifics to understand where the CPGs apply, and how they...

Have you ever walked up to an ATM after another person finished with the machine only to find they left it on a prompt screen asking, “Do you want to perform another transaction?” I have. Of course, I did the right thing and closed out their session before beginning my own transaction. That was a mistake an individual made by careless error which could have cost them hundreds of their own currency...

Compliance is an essential aspect of every organization, and in business terms, it entails ensuring that organizations of all sizes, and their personnel, comply with national and international regulations, such as GDPR, HIPAA, and SOX. When guaranteeing compliance, many firms frequently overlook security. Gary Hibberd states that compliance with laws or regulations is only the starting point for...

If you’re not aware already, then be prepared for change, because a new version of ISO27001 was published in October 2022 ! It’s all very exciting! The last change to the standard was in 2017. The changes made back then were fundamentally cosmetic, with a few minor tweaks to wording. The changes barely caused a ripple and, even today, organisations are still certified to ISO27001:2013, meaning...

The NIST Cybersecurity Framework was meant to be a dynamic document that is continuously revised, enhanced, and updated. These upgrades allow the Framework to keep up with technological and threat developments, incorporate lessons learned, and transform best practices into standard procedures. NIST created the Framework in 2014 and updated it with CSF 1.1 in April 2018 . The National Institute of...

In the past, teams incorporated security testing far after the development stage of the Software Development Lifecycle (SDLC) . Security testing would influence whether the application would to proceed to production, or get passed back to the developers for remediation. This process caused delays while teams worked on remediation or, worse yet, it increased security risks when teams released...

Cybersecurity funding in corporate environments has always been a source of anxiety for those who seek to keep organizations safe. When we examine the cybersecurity readiness of many state, local, and territorial governments, this funding struggle is taken to new heights of scarcity. Fortunately, a new program has been created by the Department of Homeland Security (DHS) to improve this shortfall...

What is File Integrity Monitoring? The IT ecosystems of enterprises are highly dynamic. Typically, organizations react to this volatility by investing in asset discovery and Security Configuration Management (SCM). These core controls enable businesses to compile an inventory of authorized devices and monitor the configurations of those assets. In addition to managing changes to their...

For most modern businesses, there’s a divide between Information Technology (IT) and Operational Technology (OT). The difference between these equally integral facets of digital manufacturing is a subject currently under debate. Ultimately, information technology deals with information and data. In contrast, operational technology handles the physical processes necessary to use that information...

It is always said that security is never a one-size-fits-all solution. This is true not only because of the apparent infinite varieties of equipment in each individual organization, but also, and perhaps more importantly, the different ways that every organization views security. Some spend lots of time focusing on physical security, especially those with industrial control systems ( ICS ). Others...

The increasing popularity of online payment systems results from the world’s gradual transition to a cashless and contactless digital economy — an economy, projected in a recent Huawei white paper, to be worth $23 trillion by 2025. With digital commerce emerging as the largest segment in the projected $8.49 trillion global digital payments market in 2022, it’s not surprising that businesses are...

In March 2022, the Payment Card Industry Data Security Standard (PCI DSS) was updated with a number of new and modified requirements . Since their last update in 2018, there has been a rapid increase in the use of cloud technologies, contactless payments have become the norm, and the COVID-19 pandemic spurred a massive growth in e-commerce and online payments. At the same time, cybercriminals have...

The new PCI DSS Standard, version 4.0 , contains all the steps, best practices, and explanations required for full compliance. In fact, even an organization that does not process cardholder data could follow the PCI Standard to implement a robust cybersecurity program for any of its important data. In our series about how the new standard differs from the previous version, we examined some of the...

As we continue our review of the 12 Requirements of PCI DSS version 4.0 , one has to stop and consider, is it possible to have a favorite section of a standard? After all, most guidance documents, as well as regulations are seen as tedious distractions from the importance of getting the job done. However, depending on a person’s position and function in an organization, it is possible to “geek out...

In Part 1 of this series , we reviewed the first four sections of the new PCI standards. As we continue our examination of PCI DSS version 4.0, we will consider what organizations will need to do in order to successfully transition and satisfy this update. Requirements 5 through 9 are organized under two categories: Maintain a Vulnerability Management Program Requirement 5: Protect All Systems and...

The Payment Card Industry Security Standards Council has released its first update to their Data Security Standard (PCI DSS) since 2018. The new standard, version 4.0, is set to generally go into effect by 2024, but there are suggested updates that are not going to be required until a year after that. This, of course, creates a couple of problems for those who want to phase in the new standard...

Cybersecurity has, since its inception, been a corporate-based problem. Whether it is a public, or private corporation, these entities were the primary targets of most cybercrime. In recent years, the industrial sector has increasingly become the target of attack for malicious actors. The reasons include newly internet-connected devices that were once air-gapped , and the immaturity of...

The lack of healthcare cybersecurity is one of the most significant threats to the sanctity of the global healthcare industry. This is made evident by the fact that in 2020 more than 18 million patient records were affected by successful cyber-attacks on the U.S. healthcare system. Health professionals should not take this issue lightly, as financial assets and intellectual property are at risk...

Penetration testing is something that more companies and organizations should be considering a necessary expense. I say this because over the years the cost of data breaches and other forms of malicious intrusions and disruptions are getting costlier. Per IBM Security’s “Cost of a Data Breach Report 2021 ,” the average cost of a breach has increased 10% year over year, with the healthcare sector...

It’s not often we can say this, but 2022 is shaping up to be an exciting time in information governance, especially for those interested in compliance and compliance frameworks. We started the year in eager anticipation of the new version of the international standard for information security management systems, ISO 27001:2022, soon to be followed by version 4.0 of the PCI DSS standard. Although...