Compliance

Compliance with corporate, government and industry standards and regulations is critical to meet business goals, reduce risk, maintain trust and avoid fines. Get advice on audit planning and management; laws, standards and regulations; and how to comply with GDPR, PCI DSS, HIPAA and more.

Top Stories

Tip 25 Jan 2023
Centralized services as a hedge against shadow IT's escalation

Proliferation of cloud, AI and integration tools has increased the deployment security risks of shadow IT and the need to centralize business functions and share support services. Continue Reading
Tip 19 Jan 2023
Building a shared services organization structure

Amid the shifting economic climate and new reality of hybrid workforces, there's no better time for companies to consolidate business functions and centralize support services. Continue Reading

Tip 23 Aug 2010

PAN truncation and PCI DSS compliance

What do Visa's PAN truncation guidelines mean for merchants and their acquiring banks? Security experts Ed Moyle and Diana Kelley provide analysis. Continue Reading
Feature 28 May 2010

FAQ: An introduction to the ISO 31000 risk management standard

Learn more about ISO 31000:2009, a new risk management standard: It's plainly written, short, process-oriented and relevant reading for anyone dealing with risk. Continue Reading
News 18 May 2010

Should there be PCI security requirements for bank account data?

Gartner analyst wonders why no PCI-like standard exists for bank account information, which online criminals are targeting. Continue Reading
Tip 18 Feb 2010

Applying the ISO 27005 risk management standard

The ISO 27005 risk management methodology standard has weaknesses when it comes to risk measurement. "Fuzzy math" theory can help fill the gaps. Continue Reading
Tip 08 Feb 2010

Best practices and requirements for GLBA compliance

GLBA requirements to protect personal information have become more relevant than ever. In this tip, Paul Rohmeyer examines best practices for GLBA compliance. Continue Reading
Tip 22 Jan 2010

Lack of incident response plan leaves hole in compliance strategy

Without an incident response plan, businesses can tend to be reactive rather than proactive when data breaches occur. Here are some steps to follow. Continue Reading
Tip 09 Sep 2009

Does using ISO 27000 to comply with PCI DSS make for better security?

PCI DSS is under fire for not providing enough security in the process of securing credit card data. Using ISO 27000 to complement PCI may provide better compliance and security. Continue Reading
Tip 24 Aug 2009

PCI DSS compliance requires new vendor management strategy

Requirement 12.8 requires a better vendor management strategy for PCI DSS compliance. Continue Reading
Podcast 17 Jun 2009

Business model risk is a key part of your risk management strategy

Management consultants Amit Sen and John Vaughan discuss business model risk, a way to apply risk management policies to new or changed business processes. Continue Reading
Tip 15 Jun 2009

How to mitigate operational, compliance risk of outsourcing services

Companies must have an approach to evaluating partner risk, the level of risk of both the service and the provider, and the adequacy of the security practices of the provider. Continue Reading
Blog Post 19 Mar 2009

How do you align an IT risk assessment with COBIT controls?

[One of our readers, compliance officer Ramon de Bruijn, wrote to the editors of SearchCompliance.com at [email protected] last month looking for some advice. Specifically, he asked "What ... Continue Reading
Answer 11 Mar 2009

How to avoid HIPAA Social Security number compliance violations

It can be difficult to decipher what a HIPAA Social Security number violation is. In this information security management expert response, David Mortman explains how to avoid HIPAA SSN violations as an employer. Continue Reading
Tip 05 Feb 2009

What controls can compensate when segregation of duties isn't economically feasible?

Having a strong log management capability is a good way to start when security segregation isn't possible. Mike Rothman explains. Continue Reading
Tip 02 Dec 2008

PCI DSS 3.1 requirement best practices

Requirement 3.1 of the PCI Data Security Standard requires minimum cardholder data storage. In this tip, learn how to determine how much data your organization should store. Continue Reading
Answer 09 Jul 2008

Is the Orange Book still relevant for assessing security controls?

Is the Orange Book still the be-all and end-all for assessing security controls in the enterprise? Security management expert Mike Rothman explains what happened to the Orange Book, and the Common Criteria for Information Technology Security Evaluation that replaced it. Continue Reading
Answer 10 Mar 2008

Does SOX provision email archiving?

Although SOX may lack specificity regarding certain controls, it does have clear mandates for email retention. Continue Reading
Tip 16 Jan 2008

PCI compliance after the TJX data breach

The massive TJX data breach reinforced the need for stricter controls when handling credit card information. In this tip, Joel Dubin reexamines the need for the PCI Data Security Standard and advises how to ease the PCI compliance burden. Continue Reading
Quiz 16 Nov 2007

Quiz: PCI DSS compliance -- Two years later

A five-question multiple-choice quiz to test your understanding of the content presented by expert Diana Kelley in this lesson of SearchSecurity.com's Compliance School. Continue Reading
Feature 01 Mar 2003

IT security auditing: Best practices for conducting audits

Even if you hate security audits, it's in your best interest to make sure they're done right. Continue Reading