Compliance

Compliance with corporate, government and industry standards and regulations is critical to meet business goals, reduce risk, maintain trust and avoid fines. Get advice on audit planning and management; laws, standards and regulations; and how to comply with GDPR, PCI DSS, HIPAA and more.

Top Stories

Guest Post 30 Aug 2023
SEC cyber attack regulations prompt 10 questions for CISOs

New SEC regulations governing the disclosure of cyber attacks by public companies lead to 10 questions board members should ask their CISOs about managing cyber-risk. Continue Reading
Tip 16 Aug 2023
6 open source GRC tools compliance professionals should know

Organizations must meet a variety of regulatory compliance requirements today. Here's a look at six open source GRC tools and related resources that might help. Continue Reading

News 21 Feb 2017

Windows 10 privacy issues persist, says EU privacy watchdog

Windows 10 privacy issues remain as EU's top privacy watchdog group, the Article 29 Working Party, issues a second warning letter to Microsoft to simplify, clarify data collection. Continue Reading
News 26 Jan 2017

Microsoft defeats DOJ appeal in cloud data privacy case

Microsoft notches another win in its battle to protect cloud data privacy, as an appeals court quashes the DOJ appeal over a warrant for data stored in an Ireland data center. Continue Reading
News 13 Jan 2017

Microsoft privacy tools give users control over data collection

New Microsoft privacy tools will give users control over the data collected on the web and within Windows. Experts hope the tools will offer data privacy transparency. Continue Reading
Tip 10 Jan 2017

How to maintain digital privacy in an evolving world

Protecting a user's digital privacy across different technologies requires a plethora of tools. Expert Matthew Pascucci explores the different ways to protect sensitive data. Continue Reading
Answer 11 Mar 2016

What are the latest SEC Risk Alert findings?

The latest SEC Risk Alert from the OCIE has important updates for financial services firms. Expert Mike Chapple reviews the report. Continue Reading
Answer 26 Jan 2016

Is the FedRAMP certification making a difference?

There was speculation in the security world over whether the FedRAMP certification would be helpful or not. Now that it's in full use, Mike Chapple looks at the state of FedRAMP. Continue Reading
Feature 23 Nov 2015

'Going dark': Weighing the public safety costs of end-to-end encryption

'Going dark' -- or the FBI's inability to access data because of encryption -- could put public safety at risk, intelligence officials say. But tech companies argue that strong encryption is needed to protect corporate and customer data. Continue Reading
News 20 Nov 2015

Safe Harbor framework update in danger of capsizing

News roundup: Rights groups join critics of Safe Harbor framework update, OPM breach testimony pushback, FBI hiring part of cybersecurity issue for Justice Department. Plus: recycled malware, Microsoft's security push. Continue Reading
Tip 17 Nov 2015

Life after the Safe Harbor agreement: How to stay compliant

Now that the Safe Harbor agreement is invalid, U.S. and EU organizations need to find new ways to securely handle data so they can stay in business. Continue Reading
Tip 21 Jul 2015

PCI DSS 3.1 marks the end of SSL/early TLS encryption for retailers

The early arrival of PCI DSS 3.1 could leave organizations scrambling. The biggest change to the standard -- and the top priority for organizations -- is the end of SSL and early TLS. Continue Reading
Answer 02 Jul 2015

What do organizations need to know about privacy in a HIPAA audit?

A HIPAA audit covers privacy compliance, and organizations need to be prepared. Expert Mike Chapple discusses privacy in the audits. Continue Reading
Tip 01 Jul 2015

A new trend in cybersecurity regulations could mean tougher compliance

State cybersecurity regulations may mean compliance will get more complicated, and that has experts worried. Learn what's causing this trend and what organizations should prepare for. Continue Reading
Answer 01 Apr 2015

Do HIPAA compliance requirements change during health crises?

Outbreaks of Ebola caused widespread fear, but should enterprises be worried about the effect on HIPAA compliance requirements? Compliance expert Mike Chapple explains. Continue Reading
Tip 06 Mar 2015

What Apple Pay tokenization means for PCI DSS compliance

Tokenization is a key technology underlying Apple Pay, promising to boost payment data security. Mike Chapple examines how Apple Pay's tokenization system works, and whether it will provide any PCI DSS compliance relief. Continue Reading
Answer 14 Jan 2015

What's the best way to find enterprise compliance tools?

Looking for compliance tools? Expert Mike Chapple explains why the best place to start the search is within your own information security infrastructure. Continue Reading
Tip 07 Nov 2014

The 10 questions to ask during a mobile risk assessment

To both embrace the benefits of BYOD and shore up the security gaps created by it, ask these 10 questions when conducting a mobile risk assessment. Continue Reading
Tip 13 Aug 2014

FAQ: Were executives held accountable after the Target data breach?

Target Corp. has made major executive changes in the months following its massive 2013 data breach as the company strives to reassure customers and rework digital information security processes. Continue Reading
Tip 12 Nov 2013

PCI DSS version 3.0: The five most important changes for merchants

PCI DSS version 3.0 isn't a wholesale revision, but longtime PCI expert Ed Moyle says merchants' transitions must start now to avoid problems later. Continue Reading
Feature 03 Jun 2013

Are FedRAMP security controls enough?

Cloud service providers are working with authorized third-party auditors to meet FedRAMP security controls. The 3PAOs tell us how it’s going, so far. Continue Reading
Tip 18 Jun 2012

With JOBS Act, Sarbanes-Oxley compliance likely won't get easier

While SMBs may benefit from the JOBS Act, Sarbanes-Oxley compliance for enterprises may remain largely unchanged. Expert Mike Chapple explains why. Continue Reading
Tip 10 Feb 2012

SEC disclosure rules: Public company reporting requirements explained

Learn the public company reporting requirements necessary to comply with CF Disclosure Guidance Topic No. 2, the SEC's cybersecurity reporting rules. Continue Reading
Answer 06 Sep 2011

Comparing certifications: ISO 27001 vs. SAS 70, SSAE 16

Learn about ISO 27001 vs. SAS 70, and why enterprises should pay attention to SSAE 16 over SAS 70. Continue Reading
Tip 27 Jan 2011

Cloud security standards provide assessment guidelines

The Cloud Security Alliance Cloud Controls Matrix helps cloud providers and customers to evaluate security controls. Continue Reading
Tip 04 Nov 2010

Are you in compliance with the ISO 31000 risk management standard?

The ISO 31000 risk management standard is becoming an important development tool for shaping existing and new programs. Learn if your programs are in compliance with the standard. Continue Reading
Tip 23 Aug 2010

PAN truncation and PCI DSS compliance

What do Visa's PAN truncation guidelines mean for merchants and their acquiring banks? Security experts Ed Moyle and Diana Kelley provide analysis. Continue Reading
Feature 28 May 2010

FAQ: An introduction to the ISO 31000 risk management standard

Learn more about ISO 31000:2009, a new risk management standard: It's plainly written, short, process-oriented and relevant reading for anyone dealing with risk. Continue Reading
News 18 May 2010

Should there be PCI security requirements for bank account data?

Gartner analyst wonders why no PCI-like standard exists for bank account information, which online criminals are targeting. Continue Reading
Tip 18 Feb 2010

Applying the ISO 27005 risk management standard

The ISO 27005 risk management methodology standard has weaknesses when it comes to risk measurement. "Fuzzy math" theory can help fill the gaps. Continue Reading
Tip 08 Feb 2010

Best practices and requirements for GLBA compliance

GLBA requirements to protect personal information have become more relevant than ever. In this tip, Paul Rohmeyer examines best practices for GLBA compliance. Continue Reading
Tip 22 Jan 2010

Lack of incident response plan leaves hole in compliance strategy

Without an incident response plan, businesses can tend to be reactive rather than proactive when data breaches occur. Here are some steps to follow. Continue Reading
Tip 09 Sep 2009

Does using ISO 27000 to comply with PCI DSS make for better security?

PCI DSS is under fire for not providing enough security in the process of securing credit card data. Using ISO 27000 to complement PCI may provide better compliance and security. Continue Reading
Tip 24 Aug 2009

PCI DSS compliance requires new vendor management strategy

Requirement 12.8 requires a better vendor management strategy for PCI DSS compliance. Continue Reading
Podcast 17 Jun 2009

Business model risk is a key part of your risk management strategy

Management consultants Amit Sen and John Vaughan discuss business model risk, a way to apply risk management policies to new or changed business processes. Continue Reading
Tip 15 Jun 2009

How to mitigate operational, compliance risk of outsourcing services

Companies must have an approach to evaluating partner risk, the level of risk of both the service and the provider, and the adequacy of the security practices of the provider. Continue Reading
Blog Post 19 Mar 2009

How do you align an IT risk assessment with COBIT controls?

[One of our readers, compliance officer Ramon de Bruijn, wrote to the editors of SearchCompliance.com at [email protected] last month looking for some advice. Specifically, he asked "What ... Continue Reading
Answer 11 Mar 2009

How to avoid HIPAA Social Security number compliance violations

It can be difficult to decipher what a HIPAA Social Security number violation is. In this information security management expert response, David Mortman explains how to avoid HIPAA SSN violations as an employer. Continue Reading
Tip 05 Feb 2009

What controls can compensate when segregation of duties isn't economically feasible?

Having a strong log management capability is a good way to start when security segregation isn't possible. Mike Rothman explains. Continue Reading
Tip 02 Dec 2008

PCI DSS 3.1 requirement best practices

Requirement 3.1 of the PCI Data Security Standard requires minimum cardholder data storage. In this tip, learn how to determine how much data your organization should store. Continue Reading
Answer 09 Jul 2008

Is the Orange Book still relevant for assessing security controls?

Is the Orange Book still the be-all and end-all for assessing security controls in the enterprise? Security management expert Mike Rothman explains what happened to the Orange Book, and the Common Criteria for Information Technology Security Evaluation that replaced it. Continue Reading
Answer 10 Mar 2008

Does SOX provision email archiving?

Although SOX may lack specificity regarding certain controls, it does have clear mandates for email retention. Continue Reading
Tip 16 Jan 2008

PCI compliance after the TJX data breach

The massive TJX data breach reinforced the need for stricter controls when handling credit card information. In this tip, Joel Dubin reexamines the need for the PCI Data Security Standard and advises how to ease the PCI compliance burden. Continue Reading
Quiz 16 Nov 2007

Quiz: PCI DSS compliance -- Two years later

A five-question multiple-choice quiz to test your understanding of the content presented by expert Diana Kelley in this lesson of SearchSecurity.com's Compliance School. Continue Reading
Feature 01 Mar 2003

IT security auditing: Best practices for conducting audits

Even if you hate security audits, it's in your best interest to make sure they're done right. Continue Reading