Compliance
Compliance with corporate, government and industry standards and regulations is critical to meet business goals, reduce risk, maintain trust and avoid fines. Get advice on audit planning and management; laws, standards and regulations; and how to comply with GDPR, PCI DSS, HIPAA and more.
Top Stories
- Tip, 19 Nov 2024: Biometric privacy and security challenges to know
  Fingerprints and facial scans can make identity access more convenient than passwords, but biometric tools present significant ethical and legal challenges.
- Tip, 12 Nov 2024: EDR vs. XDR vs. MDR: Key differences and benefits
  One of the most important goals of cybersecurity professionals is to quickly identify potential or in-progress cyberattacks. These three approaches can help.
- Tip, 28 Sep 2017: What a data protection officer can offer enterprises subject to GDPR
  The EU GDPR requires that organizations appoint a data protection officer, but is that really necessary for security? Expert Francoise Gilbert examines the compliance requirement.
  By Francoise Gilbert, Greenberg Traurig
- Podcast, 06 Sep 2017: Risk & Repeat: Payment card security a growing concern
  In this week's Risk & Repeat podcast, SearchSecurity editors discuss new research from Verizon on payment card security and the effectiveness of PCI DSS compliance for enterprises.
  By Rob Wright, Senior News Director
- Answer, 04 Sep 2017: What should you do when third-party compliance is failing?
  Third-party compliance is a necessary part of securing your organization's data. Expert Matthew Pascucci discusses what to do if you suspect a business partner isn't compliant.
- News, 01 Sep 2017: Enterprise compliance with PCI DSS is up, says Verizon
  News roundup: More than half of enterprises are in compliance with PCI DSS, according to a Verizon report. Plus, Turla is on the attack again with a new campaign, and more.
  By Madelyn Bacon, TechTarget
- Feature, 28 Aug 2017: Electronic voting systems in the U.S. need post-election audits
  Colorado will implement a new system for auditing electronic voting systems. Post-election audits have been proven to help, but are they enough to boost public trust in the systems?
  By Madelyn Bacon, TechTarget
- Tip, 24 Aug 2017: The difference between security assessments and security audits
  Security audits and security assessments serve different needs. Organizations may use security audits to check their security posture, while security assessments might be the better tool to use. Expert Ernie Hayden explains the differences.
  By Ernie Hayden, 443 Consulting LLC
- Answer, 02 Aug 2017: Can a PCI Internal Security Assessor validate level 1 merchants?
  A PCI Internal Security Assessor might not be the best bet to validate the compliance of a level 1 service provider. Expert Matthew Pascucci explains why, and offers an alternative.
- Feature, 27 Jul 2017: The GDPR right to be forgotten: Don't forget it
  Nexsan's Gary Watson explains that the GDPR right to be forgotten will be an important piece of the compliance picture and means deleting data securely, completely and provably when customers ask for it.
  By Peter Loshin, Former Senior Technology Editor
- Feature, 25 Jul 2017: Protecting Patient Information
  In this excerpt from chapter two of Protecting Patient Information, author Paul Cerrato discusses the consequences of data breaches in healthcare.
  By Syngress and SearchSecurity
- Feature, 25 Jul 2017: Mobile Security and Privacy
  In this excerpt from chapter 11 of Mobile Security and Privacy, authors Raymond Choo and Man Ho Au discuss privacy and anonymity in terms of mathematics.
  By Syngress and SearchSecurity
- Podcast, 02 Jun 2017: Risk & Repeat: GDPR compliance clock is ticking
  In this week's Risk & Repeat podcast, SearchSecurity editors discuss GDPR compliance and how the EU law will affect enterprise data privacy and security across the globe.
  By Rob Wright, Senior News Director
- Answer, 01 Jun 2017: How does a privacy impact assessment affect enterprise security?
  A privacy impact assessment can help enterprises determine where their data is at risk of exposure. Expert Matthew Pascucci explains how and when to conduct these assessments.
- News, 31 May 2017: GDPR breach notification rule could complicate compliance
  Don't forget the huge fines: When it comes to the new 72-hour GDPR breach notification rule, the cost of compliance must be weighed against harsh GDPR penalties.
  By Peter Loshin, Former Senior Technology Editor
- News, 30 May 2017: EU GDPR compliance puts focus on data tracking, encryption
  The EU's General Data Protection Regulation is less than a year away. Experts explain why data tracking, encryption and other measures are crucial for GDPR compliance.
  By Peter Loshin, Former Senior Technology Editor
- News, 24 May 2017: GDPR compliance help is on the way for Microsoft cloud customers
  With GDPR compliance set to be mandatory in one year, Microsoft will help get its cloud customers ready for the new data protection regulation.
  By Peter Loshin, Former Senior Technology Editor
- News, 24 May 2017: Q&A: GDPR compliance tips from CSPi's Gary Southwell
  With one year left, it's time to prioritize GDPR compliance; Gary Southwell, CSPi's general manager, offers advice for protecting personal data under the EU's new privacy regulation.
  By Peter Loshin, Former Senior Technology Editor
- News, 23 May 2017: Q&A: Time to get GDPR compliant, CSPi's Gary Southwell says
  Companies doing business in the EU face a challenge to become GDPR compliant, as enforcement of the strict new General Data Protection Regulation is just one year away.
  By Peter Loshin, Former Senior Technology Editor
- Answer, 08 May 2017: How should companies prepare for EU GDPR compliance?
  Companies that don't meet GDPR compliance standards by May 2018 will be fined. Expert Matthew Pascucci looks at how Microsoft is preparing, and what other companies should do to comply with GDPR.
- Opinion, 01 May 2017: Q&A: GDPR compliance with Microsoft CPO Brendon Lynch
  Failure to achieve compliance with the EU's General Data Protection Regulation in the next 12 months can trigger fines of up to 4% of a company's gross annual revenue.
  By Peter Loshin, Former Senior Technology Editor
- News, 27 Apr 2017: AWS promises to be GDPR compliant by May 2018 deadline
  Amazon promises all AWS cloud services will be GDPR compliant before enforcement of the new EU data privacy regulation starts in 2018, and offers customers assistance.
  By Peter Loshin, Former Senior Technology Editor
- News, 07 Apr 2017: Windows 10 telemetry data collection details revealed
  Microsoft discloses its Windows 10 telemetry practices just a week before the Creators Update, a move that may allay privacy concerns over Windows 10 data collection.
  By Peter Loshin, Former Senior Technology Editor
- News, 05 Apr 2017: Internet security protocol bodies ISOC, OTA announce merger
  The two leading internet security protocol bodies, the Online Trust Alliance and the Internet Society, merge to work for improved IoT security and online security.
  By Peter Loshin, Former Senior Technology Editor
- Tip, 23 Mar 2017: Is encryption one of the required HIPAA implementation specifications?
  When it comes to encryption, the HIPAA implementation specifications are complicated. Expert Joseph Granneman explains whether it's required or addressable.
  By Joseph Granneman, Illumination.io
- News, 22 Feb 2017: Microsoft commits to GDPR compliance in the cloud by 2018 deadline
  Microsoft vows GDPR compliance in all cloud services when enforcement of the new EU data privacy regulation begins in May 2018, but companies still must take action to avoid fines.
  By Peter Loshin, Former Senior Technology Editor
- News, 21 Feb 2017: Windows 10 privacy issues persist, says EU privacy watchdog
  Windows 10 privacy issues remain as the EU's top privacy watchdog group, the Article 29 Working Party, issues a second warning letter to Microsoft to simplify and clarify its data collection.
  By Peter Loshin, Former Senior Technology Editor
- News, 26 Jan 2017: Microsoft defeats DOJ appeal in cloud data privacy case
  Microsoft notches another win in its battle to protect cloud data privacy, as an appeals court quashes the DOJ appeal over a warrant for data stored in an Ireland data center.
  By Peter Loshin, Former Senior Technology Editor
- News, 13 Jan 2017: Microsoft privacy tools give users control over data collection
  New Microsoft privacy tools will give users control over the data collected on the web and within Windows. Experts hope the tools will offer data privacy transparency.
  By Michael Heller, TechTarget
- Tip, 10 Jan 2017: How to maintain digital privacy in an evolving world
  Protecting a user's digital privacy across different technologies requires a plethora of tools. Expert Matthew Pascucci explores the different ways to protect sensitive data.
- Definition, 16 Nov 2016: PCI assessment
  A PCI assessment is an audit of the 12 credit card transaction compliance requirements of the Payment Card Industry Data Security Standard.
- Answer, 11 Mar 2016: What are the latest SEC Risk Alert findings?
  The latest SEC Risk Alert from the OCIE has important updates for financial services firms. Expert Mike Chapple reviews the report.
  By Mike Chapple, University of Notre Dame
- Answer, 26 Jan 2016: Is the FedRAMP certification making a difference?
  There was speculation in the security world over whether the FedRAMP certification would be helpful or not. Now that it's in full use, Mike Chapple looks at the state of FedRAMP.
  By Mike Chapple, University of Notre Dame
- Feature, 23 Nov 2015: 'Going dark': Weighing the public safety costs of end-to-end encryption
  'Going dark' -- or the FBI's inability to access data because of encryption -- could put public safety at risk, intelligence officials say. But tech companies argue that strong encryption is needed to protect corporate and customer data.
- News, 20 Nov 2015: Safe Harbor framework update in danger of capsizing
  News roundup: Rights groups join critics of the Safe Harbor framework update; OPM breach testimony pushback; FBI hiring part of cybersecurity issue for Justice Department. Plus: recycled malware, Microsoft's security push.
  By Peter Loshin, Former Senior Technology Editor
- Tip, 17 Nov 2015: Life after the Safe Harbor agreement: How to stay compliant
  Now that the Safe Harbor agreement is invalid, U.S. and EU organizations need to find new ways to securely handle data so they can stay in business.
  By Mike Chapple, University of Notre Dame
- Tip, 21 Jul 2015: PCI DSS 3.1 marks the end of SSL/early TLS encryption for retailers
  The early arrival of PCI DSS 3.1 could leave organizations scrambling. The biggest change to the standard -- and the top priority for organizations -- is the end of SSL and early TLS.
  By Mike Chapple, University of Notre Dame
- Answer, 02 Jul 2015: What do organizations need to know about privacy in a HIPAA audit?
  A HIPAA audit covers privacy compliance, and organizations need to be prepared. Expert Mike Chapple discusses privacy in the audits.
  By Mike Chapple, University of Notre Dame
- Tip, 01 Jul 2015: A new trend in cybersecurity regulations could mean tougher compliance
  State cybersecurity regulations may mean compliance will get more complicated, and that has experts worried. Learn what's causing this trend and what organizations should prepare for.
  By Mike Chapple, University of Notre Dame
- Answer, 01 Apr 2015: Do HIPAA compliance requirements change during health crises?
  Outbreaks of Ebola caused widespread fear, but should enterprises be worried about the effect on HIPAA compliance requirements? Compliance expert Mike Chapple explains.
  By Mike Chapple, University of Notre Dame
- Tip, 06 Mar 2015: What Apple Pay tokenization means for PCI DSS compliance
  Tokenization is a key technology underlying Apple Pay, promising to boost payment data security. Mike Chapple examines how Apple Pay's tokenization system works, and whether it will provide any PCI DSS compliance relief.
  By Mike Chapple, University of Notre Dame
- Answer, 14 Jan 2015: What's the best way to find enterprise compliance tools?
  Looking for compliance tools? Expert Mike Chapple explains why the best place to start the search is within your own information security infrastructure.
  By Mike Chapple, University of Notre Dame
- Tip, 07 Nov 2014: The 10 questions to ask during a mobile risk assessment
  To both embrace the benefits of BYOD and shore up the security gaps created by it, ask these 10 questions when conducting a mobile risk assessment.
- Tip, 13 Aug 2014: FAQ: Were executives held accountable after the Target data breach?
  Target Corp. has made major executive changes in the months following its massive 2013 data breach as the company strives to reassure customers and rework digital information security processes.
- Definition, 21 Jul 2014: Cloud Controls Matrix
  The Cloud Controls Matrix is a baseline set of security controls created by the Cloud Security Alliance to help enterprises assess the risk associated with a cloud computing provider.
  By Marcia Savage, Editor
- Tip, 12 Nov 2013: PCI DSS version 3.0: The five most important changes for merchants
  PCI DSS version 3.0 isn't a wholesale revision, but longtime PCI expert Ed Moyle says merchants' transitions must start now to avoid problems later.
  By Ed Moyle, Drake Software
- Feature, 03 Jun 2013: Are FedRAMP security controls enough?
  Cloud service providers are working with authorized third-party auditors to meet FedRAMP security controls. The 3PAOs tell us how it's going, so far.
  By Joseph Granneman, Illumination.io
- Tip, 18 Jun 2012: With JOBS Act, Sarbanes-Oxley compliance likely won't get easier
  While SMBs may benefit from the JOBS Act, Sarbanes-Oxley compliance for enterprises may remain largely unchanged. Expert Mike Chapple explains why.
  By Mike Chapple, University of Notre Dame
- Tip, 10 Feb 2012: SEC disclosure rules: Public company reporting requirements explained
  Learn the public company reporting requirements necessary to comply with CF Disclosure Guidance Topic No. 2, the SEC's cybersecurity reporting rules.
- Answer, 06 Sep 2011: Comparing certifications: ISO 27001 vs. SAS 70, SSAE 16
  Learn about ISO 27001 vs. SAS 70, and why enterprises should pay attention to SSAE 16 over SAS 70.
  By SearchSecurity
- Tip, 27 Jan 2011: Cloud security standards provide assessment guidelines
  The Cloud Security Alliance Cloud Controls Matrix helps cloud providers and customers to evaluate security controls.
  By Dave Shackleford, Voodoo Security
- Tip, 04 Nov 2010: Are you in compliance with the ISO 31000 risk management standard?
  The ISO 31000 risk management standard is becoming an important development tool for shaping existing and new programs. Learn if your programs are in compliance with the standard.
- Tip, 23 Aug 2010: PAN truncation and PCI DSS compliance
  What do Visa's PAN truncation guidelines mean for merchants and their acquiring banks? Security experts Ed Moyle and Diana Kelley provide analysis.
  By Ed Moyle and Diana Kelley, Contributors
- Feature, 28 May 2010: FAQ: An introduction to the ISO 31000 risk management standard
  Learn more about ISO 31000:2009, a new risk management standard: It's plainly written, short, process-oriented and relevant reading for anyone dealing with risk.
  By SearchCompliance.com Staff
- News, 18 May 2010: Should there be PCI security requirements for bank account data?
  A Gartner analyst wonders why no PCI-like standard exists for bank account information, which online criminals are targeting.
  By Marcia Savage, Editor
- Tip, 18 Feb 2010: Applying the ISO 27005 risk management standard
  The ISO 27005 risk management methodology standard has weaknesses when it comes to risk measurement. "Fuzzy math" theory can help fill the gaps.
  By Steven Ross, Risk Masters, Inc.
- Tip, 08 Feb 2010: Best practices and requirements for GLBA compliance
  GLBA requirements to protect personal information have become more relevant than ever. In this tip, Paul Rohmeyer examines best practices for GLBA compliance.
  By Paul Rohmeyer, Contributor
- Tip, 22 Jan 2010: Lack of incident response plan leaves hole in compliance strategy
  Without an incident response plan, businesses tend to be reactive rather than proactive when data breaches occur. Here are some steps to follow.
  By Kevin Beaver, Principle Logic, LLC
- Tip, 09 Sep 2009: Does using ISO 27000 to comply with PCI DSS make for better security?
  PCI DSS is under fire for not providing enough security in the process of securing credit card data. Using ISO 27000 to complement PCI may provide better compliance and security.
  By Mathieu Gorge, VigiTrust
- Tip, 24 Aug 2009: PCI DSS compliance requires new vendor management strategy
  Requirement 12.8 requires a better vendor management strategy for PCI DSS compliance.
  By Andrew M. Baer, Contributor
- Podcast, 17 Jun 2009: Business model risk is a key part of your risk management strategy
  Management consultants Amit Sen and John Vaughan discuss business model risk, a way to apply risk management policies to new or changed business processes.
- Tip, 15 Jun 2009: How to mitigate operational, compliance risk of outsourcing services
  Companies must have an approach to evaluating partner risk, the level of risk of both the service and the provider, and the adequacy of the security practices of the provider.
- Blog Post, 19 Mar 2009: How do you align an IT risk assessment with COBIT controls?
  [One of our readers, compliance officer Ramon de Bruijn, wrote to the editors of SearchCompliance.com at [email protected] last month looking for some advice. Specifically, he asked "What ...
- Answer, 11 Mar 2009: How to avoid HIPAA Social Security number compliance violations
  It can be difficult to decipher what a HIPAA Social Security number violation is. In this information security management expert response, David Mortman explains how to avoid HIPAA SSN violations as an employer.
  By David Mortman, Dell
- Tip, 05 Feb 2009: What controls can compensate when segregation of duties isn't economically feasible?
  Having a strong log management capability is a good way to start when segregation of duties isn't possible. Mike Rothman explains.
  By Mike Rothman, Securosis
- Tip, 02 Dec 2008: PCI DSS 3.1 requirement best practices
  Requirement 3.1 of the PCI Data Security Standard requires minimum cardholder data storage. In this tip, learn how to determine how much data your organization should store.
  By Roger Nebel, Contributor
- Answer, 09 Jul 2008: Is the Orange Book still relevant for assessing security controls?
  Is the Orange Book still the be-all and end-all for assessing security controls in the enterprise? Security management expert Mike Rothman explains what happened to the Orange Book, and the Common Criteria for Information Technology Security Evaluation that replaced it.
  By Mike Rothman, Securosis
- Answer, 10 Mar 2008: Does SOX provision email archiving?
  Although SOX may lack specificity regarding certain controls, it does have clear mandates for email retention.
  By Mike Rothman, Securosis
- Tip, 16 Jan 2008: PCI compliance after the TJX data breach
  The massive TJX data breach reinforced the need for stricter controls when handling credit card information. In this tip, Joel Dubin reexamines the need for the PCI Data Security Standard and advises how to ease the PCI compliance burden.
- Quiz, 16 Nov 2007: Quiz: PCI DSS compliance -- Two years later
  A five-question multiple-choice quiz to test your understanding of the content presented by expert Diana Kelley in this lesson of SearchSecurity.com's Compliance School.
- Feature, 01 Mar 2003: IT security auditing: Best practices for conducting audits
  Even if you hate security audits, it's in your best interest to make sure they're done right.
  By Carole Fennelly, Contributor