Security audit, compliance and standards
Get tips from the experts on security audits, compliance and standards. Advice is offered on data privacy and theft, audit planning and management, how to work with auditors, and compliance with standards, regulations and guidelines such as PCI DSS, GLBA, HIPAA, SOX, FISMA, ISO 17799 and COBIT.
Top Stories
- 12 Apr 2023 (Answer): How to use a public key and private key in digital signatures. Ensuring authenticity of online communications is critical to conduct business. Learn how to use a public key and private key in digital signatures to manage electronic documents.
- 07 Apr 2023 (Answer): Defining policy vs. standard vs. procedure vs. control. Infosec pros may have -- incorrectly -- heard the terms 'standard' and 'policy' used interchangeably. Examine the differences among a policy, standard, procedure and technical control.
- 21 Dec 2021 (Tip): Top 10 IT security frameworks and standards explained. Several IT security frameworks and cybersecurity standards are available to help protect company data. Here's advice for choosing the right one for your organization.
- 22 Nov 2021 (Answer): What are the most important email security protocols? Email was designed without security considerations, but these top email security protocols add mechanisms to keep messaging safe from threats.
- 27 Oct 2021 (Tip): 5 IT security policy best practices. As businesses and technologies grow and evolve, it's important IT security policies do, too. Follow these five best practices to ensure policies are fresh and relevant.
- 20 Oct 2021 (Guest Post): 5 questions to ask when creating a ransomware recovery plan. These 'five W's of ransomware' will help organizations ask the right questions when creating a ransomware-specific disaster recovery plan.
- 15 Oct 2021 (News): China wants more say in setting global technology standards. China wants a bigger seat at the global technology standards-setting table, and experts advise the U.S. to take a cautious yet optimistic approach to its growing interest.
- 12 Oct 2021 (Tip): How to evaluate and select GRC vendors and tools. There is a variety of governance, risk and compliance software on the market. Learn about some of the available products and how best to evaluate GRC tools and vendors.
- 30 Sep 2021 (Quiz): 10 CIPP/US practice questions to test your privacy knowledge. Advance your privacy career by becoming a Certified Information Privacy Professional. Use these 10 practice questions from Wiley's IAPP CIPP/US study guide to prepare for the exam.
- 30 Sep 2021 (Feature): How to prepare for the CIPP/US exam. The co-authors of a CIPP/US study guide offer advice on the IAPP certification, including career benefits, how to prepare and how the U.S. exam differs from other regions' exams.
- 27 Sep 2021 (Answer): What is extortionware? How does it differ from ransomware? Prevention is the only line of defense against an extortionware attack. Learn how extortionware works and why it can be more damaging than ransomware.
- 21 Sep 2021 (Tip): The benefits of an IT management response. Many organizations create management responses to traditional audit findings. But did you know organizations can do them after IT audits and assessments, too?
- 16 Sep 2021 (Guest Post): 7 tips for building a strong security culture. Cybersecurity isn't just IT's responsibility. Use these seven tips to build a security culture where employees and IT work together to keep their organization safe.
- 01 Sep 2021 (Tip): Blockchain for identity management: Implications to consider. Blockchain has changed the way IAM authenticates digital identities. Consider these 14 implications when asking how and where IAM can benefit your organization.
- 25 Aug 2021 (News): AWS launches Backup Audit Manager compliance tool. A new AWS Backup feature, the Audit Manager, tracks backup activities to help customers determine if they are meeting business and regulatory compliance requirements.
- 22 Jul 2021 (News): US Senate mulling bill on data breach notifications. The Senate Intelligence Committee introduced a bill that would require federal agencies and companies providing critical infrastructure to report network breaches to DHS.
- 15 Jun 2021 (Tip): What are cloud security frameworks and how are they useful? Cloud security frameworks help CSPs and customers alike, providing easy-to-understand security baselines, validations and certifications.
- 07 Jun 2021 (Feature): Hackers vs. lawyers: Security research stifled in key situations. The age-old debate between sharing information or covering legal liability is a growing issue in everything from bug bounties to disclosing ransomware attacks.
- 25 May 2021 (News): Chaos in Maricopa County: The election audit explained. The controversy about an election audit of Maricopa County, Ariz., involves accusations of deleted databases, bamboo fibers and potentially ruined voting machines.
- 25 May 2021 (Podcast): Risk & Repeat: Recapping RSA Conference 2021. Election security, nation-state threats and supply chain attacks were major topics at this year's RSA Conference, which was held as a virtual event.
- 09 Apr 2021 (Tip): Exploring GRC automation benefits and challenges. Governance, risk and compliance is a crucial enterprise task but can be costly and time-consuming. This is where GRC automation fits in. Learn about its benefits and challenges.
- 24 Mar 2021 (Tip): Collaboration tool security: How to avoid common risks. As the use of collaboration tools and platforms surges, new research from Metrigy emphasizes that organizations need to focus on collaboration tool security to reduce risk.
- 04 Mar 2021 (Guest Post): Rebuild security and compliance foundations with automation. Instead of patchwork security fixes, financial organizations need to embrace automation, create and deploy secure software and address implementation problems.
- 08 Jan 2021 (Guest Post): 7 cybersecurity priorities CISOs should focus on for 2021. For 2021, Vishal Salvi argues that CISOs should tie cybersecurity to business agendas better, invest in cloud security, implement IT hygiene, modernize security architecture and more.
- 25 Nov 2020 (Tip): 8 benefits of a security operations center. A security operations center can help lessen the fallout of a data breach, but its business benefits go much further than that. Here are eight SOC benefits to consider.
- 12 Nov 2020 (News): New Yugabyte release boosts distributed SQL database security. Yugabyte now has row-level geo-partitioning for its open source distributed SQL database, enhanced multi-region features and several new features to improve security.
- 30 Oct 2020 (Tip): Updated FFIEC 'Business Continuity' handbook highlights planning. The FFIEC handbook on business continuity has been updated by the organization to place greater emphasis on planning, with more detailed information on testing and exercises.
- 29 Sep 2020 (Feature): Oversee apps with these 3 application security testing tools. Unsecured applications can have dire consequences for enterprises. Discover how top app security testing tools on the market today protect apps and enhance developer productivity.
- 24 Aug 2020 (Tip): ISO and FFIEC business continuity standards compared. Global standards aid the process of creating and updating a business continuity plan. The requirements of two popular standards can ensure that your BC team doesn't miss any steps.
- 28 Jul 2020 (Tip): What the CCPA means for content security. Now that the CCPA is in full effect, businesses must adjust their processes to better protect content. Organizations should prioritize security to avoid fines.
- 07 Jul 2020 (Tip): Navigate the DOD's Cybersecurity Maturity Model Certification. The Cybersecurity Maturity Model Certification requires DOD contractors to achieve baseline security standards. Explore the five levels of certification and how to achieve them.
- 07 Jul 2020 (Tip): Prep a compliance audit checklist that auditors want to see. Think your enterprise is ready for its compliance audit? Check off key points in this compliance audit preparation checklist to ensure it has all the resources needed to help auditors do their job.
- 06 Jul 2020 (Tip): How IAM systems support compliance. IAM is a key component of any security strategy, but its role in regulatory compliance is just as crucial. Read up on features and processes to make IAM work for your enterprise.
- 21 May 2020 (Answer): Should IT consider NIAP-certified products for MDM? The average organization may not require military-grade security for its endpoint management platform, but IT pros should take note of which products meet that standard.
- 26 Mar 2020 (Feature): CISA exam preparation requires learning ethics, standards, new vocab. The CISA certification is proof of an auditor's knowledge and skills. However, the exam isn't easy and requires some heavy learning -- especially when it comes to vocabulary.
- 26 Mar 2020 (Quiz): CISA practice questions to prep for the exam. Ready to take the Certified Information Systems Auditor exam? Use these CISA practice questions to test your knowledge of the audit process job practice domain.
- 11 Mar 2020 (Tip): Updating the data discovery process in the age of CCPA. Privacy regulations are changing the enterprise data discovery process. Now, automation is key for fulfilling data discovery mandates, including those for CCPA and GDPR.
- 21 Jan 2020 (Tip): Improve data security in the modern enterprise. From growing attack surfaces to new regulations, these data security considerations must be on every company's radar.
- 16 Jan 2020 (Tip): How to deal with the lack of IoT standards. With each IoT standards body creating its own architecture or framework, IT professionals have many options to sort through for any IoT deployment.
- 14 Jan 2020 (Tip): HIPAA compliance checklist: The key to staying compliant in 2020. Putting together a HIPAA compliance program can be fraught with difficulty. Review best practices and a HIPAA compliance checklist to avoid common pitfalls and pass an audit.
- 17 Dec 2019 (Feature): Data breach risk factors, response model, reporting and more. Dig into five data breach risk factors, and learn how the DRAMA data breach response model can help enterprises counter breaches in a timely and efficient manner.
- 10 Dec 2019 (Feature): Best practices to help CISOs prepare for CCPA. With the CCPA taking effect in 2020, check out security chiefs' best practices to get ahead and stay ahead of impending data privacy and protection compliance regulations.
- 22 Nov 2019 (Tip): The top 3 use cases for AI endpoint security tools. Endpoint attack surfaces are growing, and cybersecurity pros struggle to keep up. Consider the following use cases for AI endpoint security techniques in the enterprise.
- 18 Nov 2019 (Feature): IAM-driven biometrics in security requires adjustments. IAM is foundational to cybersecurity, but the latest systems use biometrics and other personal data. Learn how to cope with the resulting compliance and privacy issues.
- 21 Aug 2019 (News): Salesforce DNSSEC project aims to boost site security, speed, uptime. Salesforce, which juggles multiple DNS providers to serve customers while complying with global data-privacy regulations, spearheads new DNS models to enable deeper encryption.
- 02 Aug 2019 (Feature): Why is third-party risk management essential to cybersecurity? Attackers know third parties hold many of the keys to the enterprise network, so third-party risk management is crucial for security professionals.
- 01 Aug 2019 (Feature): For board of directors, cybersecurity literacy is essential. For boards of directors to meet their business goals, CISOs need a seat at the table. Through her initiative BoardSuited, Joyce Brocaglia aims to pave the way.
- 06 Jun 2019 (News): Why larger GDPR fines could be on the horizon. There haven't been many fines under the General Data Protection Regulation since the EU data privacy law went into effect a year ago. But experts warn that will likely change.
- 24 May 2019 (Feature): Compliance rules usher in new era for personal data privacy policy. With the rollout of data privacy regulations, individual data rights and the right to be forgotten are forcing organizations to re-examine how they handle customer information.
- 01 May 2019 (Opinion): Putting cybersecurity for healthcare on solid footing. CISO Kevin Charest talks security threats he sees in the healthcare field and the means his company is using to thwart them, including HCSC's Cyber Fusion Center.
- 13 Mar 2019 (News): Election security threats loom as presidential campaigns begin. Fragile electronic voting systems and the weaponization of social media continue to menace U.S. election systems as presidential candidates ramp up their 2020 campaigns.
- 20 Feb 2019 (Tip): Key steps to put your zero-trust security plan into action. There are three key categories of vendor zero-trust products. Learn what they are, and how to evaluate and implement the one that's best for your company.
- 20 Dec 2018 (Buyer's Guide): A guide to SIEM platforms, benefits and features. Evaluate the top SIEM platforms before making a buying decision. Explore how the top SIEM platform tools protect enterprises by collecting security event data for centralized analysis.
- 02 Oct 2018 (Feature): Seven criteria for evaluating today's leading SIEM tools. Using criteria and comparison, expert Karen Scarfone examines the best SIEM software on the market to help you determine which one is right for your organization.
- 24 Aug 2018 (Answer): What standards for business continuity aid in compliance? Business continuity and disaster recovery compliance is a valuable asset and may require a deeper understanding of modern standards and changes your organization needs to make.
- 21 Aug 2018 (Feature): SIEM evaluation criteria: Choosing the right SIEM products. Establishing solid SIEM evaluation criteria and applying them to an organization's business needs goes far when selecting the right SIEM products. Here are the questions to ask.
- 08 Aug 2018 (Feature): SIEM benefits include efficient incident response, compliance. SIEM tools enable centralized reporting, which is just one of the many SIEM benefits. Others include real-time incident response, as well as insight for compliance reporting.
- 26 Jul 2018 (Feature): A comprehensive guide to SIEM products. Expert Karen Scarfone examines security information and event management systems and explains why SIEM systems and SIEM products are crucial for enterprise security.
- 17 May 2018 (Tip): How security operations centers work to benefit enterprises. One key support system for enterprises is the security operations center. Expert Ernie Hayden reviews the basic SOC framework and the purposes it can serve.
- 14 Mar 2018 (Answer): What does the GDPR definition of personal data include? The definition of personal data in the EU's GDPR data protection rules is broad enough to include any type of data that can be used to directly or indirectly identify a person.
- 09 Mar 2018 (News): DHS cybersecurity audit scores below target security levels. A DHS cybersecurity audit for FISMA compliance by the Office of Inspector General rated the agency below target levels in three of five areas of information security.
- 08 Mar 2018 (Opinion): The EU's GDPR will make us better storage managers. The European Union's General Data Protection Regulation has organizations worldwide rethinking storage management to their and their customers' benefit.
- 18 Jan 2018 (Tip): Store medical images using hybrid cloud data storage. Hospitals that face an influx of medical imaging data can benefit from a hybrid cloud model to store data and enable disaster recovery services.
- 11 Jan 2018 (Tip): Security compliance standards as a guide in endpoint plans. Consider security compliance regulations for your industry as a starting point and a guide for planning your specific approach to enterprise endpoint protection.
- 13 Dec 2017 (News): Return of Bleichenbacher: ROBOT attack means trouble for TLS. A team of security researchers discovered many vendors' TLS implementations are vulnerable to the Bleichenbacher oracle attack, which was first discovered 19 years ago.
- 30 Aug 2017 (Buyer's Guide): Selecting the best object-based storage platform for your needs. Object-based storage systems can provide the scalability needed to meet organizations' increasing unstructured data storage requirements. Learn how to pick the right platform.
- 28 Aug 2017 (Feature): Electronic voting systems in the U.S. need post-election audits. Colorado will implement a new system for auditing electronic voting systems. Post-election audits have been proven to help, but are they enough to boost public trust in the systems?
- 28 Aug 2017 (Feature): The leading object storage vendors offer a broad range of options. Explore how the leading object storage systems can be accessed, how they integrate with the cloud, what data security they provide and the various deployment options they offer.
- 24 Aug 2017 (Tip): The difference between security assessments and security audits. Security audits and security assessments serve different needs. Organizations may use security audits to check their security stature, while security assessments might be the better tool to use. Expert Ernie Hayden explains the differences.
- 12 Jul 2017 (Feature): Analyzing products from the leading object storage vendors. When evaluating the leading object-based storage systems, it is important to consider which product can best support your use cases and unique site requirements.
- 12 Jun 2017 (Feature): Know why patch management tools are required in the IT infrastructure. Regulations, efficiency and protection are the main drivers for purchasing patch management tools. See why automated patch management is a requirement for most businesses.
- 07 Jun 2017 (Feature): Questions to ask object storage vendors before evaluating products. Before investing in object storage architecture, it is vital to understand your options, including whether you should buy software, hardware or a combination of both.
- 02 Jun 2017 (Podcast): Risk & Repeat: GDPR compliance clock is ticking. In this week's Risk & Repeat podcast, SearchSecurity editors discuss GDPR compliance and how the EU law will affect enterprise data privacy and security across the globe.
- 11 May 2017 (Feature): Object storage systems ease data capacity and archival concerns. If your organization can identify with any of the object storage use cases noted here, it might be time to consider adding this technology to your storage portfolio.
- 21 Dec 2016 (Answer): Should one cybersecurity mistake mean the end of a CEO's career? In one case, a tenured CEO made one cybersecurity mistake and was fired. Expert Mike O. Villegas discusses whether this sets a precedent for enterprises going forward.
- 17 Jun 2016 (Tip): How CMMI models compare and map to the COBIT framework. Following ISACA's recent acquisition of the CMMI Institute, expert Judith Myerson takes a closer look at COBIT and CMMI models and how they compare to one another.
- 09 Feb 2016 (Feature): Comparing the top vulnerability management tools. Expert Ed Tittel compares how the top-rated vulnerability management tools measure up against each other so you can select the right one for your organization.
- 26 Jan 2016 (Answer): Is the FedRAMP certification making a difference? There was speculation in the security world over whether the FedRAMP certification would be helpful or not. Now that it's in full use, Mike Chapple looks at the state of FedRAMP.
- 19 Jan 2016 (Feature): Seven criteria for buying vulnerability management tools. Expert contributor Ed Tittel describes purchasing criteria for full-featured vulnerability management tools for small organizations to large enterprises.
- 18 Nov 2015 (Feature): EMC RSA Security Analytics: SIEM product overview. Expert Karen Scarfone examines EMC RSA Security Analytics, a SIEM product for harvesting, analyzing and reporting on security log data across the enterprise.
- 18 Nov 2015 (Feature): Splunk Enterprise: SIEM product overview. Expert Karen Scarfone examines Splunk Enterprise, a security information and event management (SIEM) product for collecting and analyzing event data to identify malicious activity.
- 18 Nov 2015 (Feature): IBM Security QRadar: SIEM product overview. Expert Karen Scarfone takes a look at IBM Security QRadar, a security information and event management (SIEM) tool used for collecting and analyzing security log data.
- 04 Nov 2015 (Feature): Comparing the top Web fraud detection systems. Expert Ed Tittel explores the features of the top Web fraud detection systems and compares critical purchasing criteria.
- 23 Oct 2015 (Tip): How to manage BYOD security policies and stay compliant. The best BYOD security policies help enterprises stay compliant with security and privacy regulations. Here's what BYOD policies should include and how best to manage them.
- 20 Aug 2015 (Feature): Introduction to Web fraud detection systems. Expert Ed Tittel explores the purpose of Web fraud detection systems and services, which are designed to reduce the risks inherent in electronic payments and e-commerce.
- 18 Jun 2012 (Tip): With JOBS Act, Sarbanes-Oxley compliance likely won't get easier. While SMBs may benefit from the JOBS Act, Sarbanes-Oxley compliance for enterprises may remain largely unchanged. Expert Mike Chapple explains why.
- 16 Nov 2011 (News): Cloud security among PCI Council 2012 special interest groups. The PCI Security Standards Council delineated a scope of special interest groups, known as SIGs, in order to help prioritize next year's areas of focus.
- 06 Sep 2011 (Answer): Comparing certifications: ISO 27001 vs. SAS 70, SSAE 16. Learn about ISO 27001 vs. SAS 70, and why enterprises should pay attention to SSAE 16 over SAS 70.
- 21 Jul 2011 (Tutorial): Compliance and Cloud Security. This comprehensive guide to compliance and cloud security covers all the angles in order to help clarify security and compliance issues associated with cloud computing.
- 09 Sep 2010 (News): N.C. firm charged with AML violations. A North Carolina-based firm with mostly foreign customers failed to identify and verify customer identities, officials say.
- 05 Jun 2009 (News): Ex-SEC chief Pitt decries state of Sarbanes-Oxley, risk management. Former SEC chairman Harvey Pitt has a blunt assessment of SOX as well as the current state of the regulatory system, calling it "badly broken."
- 14 Apr 2009 (News): This May Day, banks wave the Red Flags. The Red Flags Rule, which mandates companies develop methods by which they will identify, detect and respond to identity theft incidents, is set to go into effect May 1.
- 14 Apr 2009 (News): Protecting data in a merger and acquisition. Upheaval in the financial-services industry has put the spotlight on financial information security. Experts share ways to keep sensitive information secure during an M&A.
- 09 Jul 2008 (Answer): Is the Orange Book still relevant for assessing security controls? Is the Orange Book still the be-all and end-all for assessing security controls in the enterprise? Security management expert Mike Rothman explains what happened to the Orange Book, and the Common Criteria for Information Technology Security Evaluation that replaced it.
- 12 May 2008 (News): Compliance drives credit union to catch online bill payment fraudsters. A credit union services organization uses an automated fraud detection system to protect its members.
- 10 Mar 2008 (Answer): Does SOX provision email archiving? Although SOX may lack specificity regarding certain controls, it does have clear mandates for email retention.