Security audit, compliance and standards

Get tips from the experts on security audits, compliance and standards. Advice is offered on data privacy and theft, audit planning and management, how to work with auditors, and compliance with standards, regulations and guidelines such as PCI DSS, GLBA, HIPPA, SOX, FISMA, ISO 17799 and COBIT.

Top Stories

Answer 12 Apr 2023
How to use a public key and private key in digital signatures

Ensuring authenticity of online communications is critical to conduct business. Learn how to use a public key and private key in digital signatures to manage electronic documents. Continue Reading
Answer 07 Apr 2023
Defining policy vs. standard vs. procedure vs. control

Infosec pros may have -- incorrectly -- heard the terms 'standard' and 'policy' used interchangeably. Examine the differences among a policy, standard, procedure and technical control. Continue Reading

Tip 21 Dec 2021

Top 10 IT security frameworks and standards explained

Several IT security frameworks and cybersecurity standards are available to help protect company data. Here's advice for choosing the right one for your organization. Continue Reading
Answer 22 Nov 2021

What are the most important email security protocols?

Email was designed without security considerations, but these top email security protocols add mechanisms to keep messaging safe from threats. Continue Reading
Tip 27 Oct 2021

5 IT security policy best practices

As businesses and technologies grow and evolve, it's important IT security policies do, too. Follow these five best practices to ensure policies are fresh and relevant. Continue Reading
Guest Post 20 Oct 2021

5 questions to ask when creating a ransomware recovery plan

These 'five W's of ransomware' will help organizations ask the right questions when creating a ransomware-specific disaster recovery plan. Continue Reading
News 15 Oct 2021

China wants more say in setting global technology standards

China wants a bigger seat at the global technology standards-setting table, and experts advise the U.S. to take a cautious yet optimistic approach to its growing interest. Continue Reading
Tip 12 Oct 2021

How to evaluate and select GRC vendors and tools

There is a variety of governance, risk and compliance software on the market. Learn about some of the available products and how best to evaluate GRC tools and vendors. Continue Reading
Quiz 30 Sep 2021

10 CIPP/US practice questions to test your privacy knowledge

Advance your privacy career by becoming a Certified Information Privacy Professional. Use these 10 practice questions from Wiley's IAPP CIPP/US study guide to prepare for the exam. Continue Reading
Feature 30 Sep 2021

How to prepare for the CIPP/US exam

The co-authors of a CIPP/US study guide offer advice on the IAPP certification, including career benefits, how to prepare and how the U.S. exam differs from other regions' exams. Continue Reading
Answer 27 Sep 2021

What is extortionware? How does it differ from ransomware?

Prevention is the only line of defense against an extortionware attack. Learn how extortionware works and why it can be more damaging than ransomware. Continue Reading
Tip 21 Sep 2021

The benefits of an IT management response

Many organizations create management responses to traditional audit findings. But did you know organizations can do them after IT audits and assessments, too? Continue Reading
Guest Post 16 Sep 2021

7 tips for building a strong security culture

Cybersecurity isn't just IT's responsibility. Use these seven tips to build a security culture where employees and IT work together to keep their organization safe. Continue Reading
Tip 01 Sep 2021

Blockchain for identity management: Implications to consider

Blockchain has changed the way IAM authenticates digital identities. Consider these 14 implications when asking how and where IAM can benefit your organization. Continue Reading
News 25 Aug 2021

AWS launches Backup Audit Manager compliance tool

A new AWS Backup feature, the Audit Manager, tracks backup activities to help customers determine if they are meeting business and regulatory compliance requirements. Continue Reading
News 22 Jul 2021

US Senate mulling bill on data breach notifications

The Senate Intelligence Committee introduced a bill that would require federal agencies and companies providing critical infrastructure to report network breaches to DHS. Continue Reading
Tip 15 Jun 2021

What are cloud security frameworks and how are they useful?

Cloud security frameworks help CSPs and customers alike, providing easy-to-understand security baselines, validations and certifications. Continue Reading
Feature 07 Jun 2021

Hackers vs. lawyers: Security research stifled in key situations

The age-old debate between sharing information or covering legal liability is a growing issue in everything from bug bounties to disclosing ransomware attacks. Continue Reading
News 25 May 2021

Chaos in Maricopa County: The election audit explained

The controversy about an election audit of Maricopa County, Ariz., involves accusations of deleted databases, bamboo fibers and potentially ruined voting machines. Continue Reading
Podcast 25 May 2021

Risk & Repeat: Recapping RSA Conference 2021

Election security, nation-state threats and supply chain attacks were major topics at this year's RSA Conference, which was held as a virtual event. Continue Reading
Tip 09 Apr 2021

Exploring GRC automation benefits and challenges

Governance, risk and compliance is a crucial enterprise task but can be costly and time-consuming. This is where GRC automation fits in. Learn about its benefits and challenges. Continue Reading
Tip 24 Mar 2021

Collaboration tool security: How to avoid common risks

As the use of collaborations tools and platforms surges, new research from Metrigy emphasizes organizations need to focus on collaboration tool security to reduce risk. Continue Reading
Guest Post 04 Mar 2021

Rebuild security and compliance foundations with automation

Instead of patchwork security fixes, financial organizations need to embrace automation, create and deploy secure software and address implementation problems. Continue Reading
Guest Post 08 Jan 2021

7 cybersecurity priorities CISOs should focus on for 2021

For 2021, Vishal Salvi argues that CISOs should tie cybersecurity to business agendas better, invest in cloud security, implement IT hygiene, modernize security architecture and more. Continue Reading
Tip 25 Nov 2020

8 benefits of a security operations center

A security operations center can help lessen the fallout of a data breach, but its business benefits go much further than that. Here are eight SOC benefits to consider. Continue Reading
News 12 Nov 2020

New Yugabyte release boosts distributed SQL database security

Yugabyte now has row-level geo-partitioning for its open source distributed SQL database, enhanced multi-region features and several new features to improve security. Continue Reading
Tip 30 Oct 2020

Updated FFIEC 'Business Continuity' handbook highlights planning

The FFIEC handbook on business continuity has been updated by the organization to place greater emphasis on planning, with more detailed information on testing and exercises. Continue Reading
Feature 29 Sep 2020

Oversee apps with these 3 application security testing tools

Unsecured applications can have dire consequences for enterprises. Discover how top app security testing tools on the market today protect apps and enhance developer productivity. Continue Reading
Tip 24 Aug 2020

ISO and FFIEC business continuity standards compared

Global standards aid the process of creating and updating a business continuity plan. The requirements of two popular standards can ensure that your BC team doesn't miss any steps. Continue Reading
Tip 28 Jul 2020

What the CCPA means for content security

Now that the CCPA is in full effect, businesses must adjust their processes to better protect content. Organizations should prioritize security to avoid fines. Continue Reading
Tip 07 Jul 2020

Navigate the DOD's Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification requires DOD contractors to achieve baseline security standards. Explore the five levels of certification and how to achieve them. Continue Reading
Tip 07 Jul 2020

Prep a compliance audit checklist that auditors want to see

Think your enterprise is ready for its compliance audit? Check off key points in this compliance audit preparation checklist to ensure it has all the resources needed to help auditors do their job. Continue Reading
Tip 06 Jul 2020

How IAM systems support compliance

IAM is a key component of any security strategy, but its role in regulatory compliance is just as crucial. Read up on features and processes to make IAM work for your enterprise. Continue Reading
Answer 21 May 2020

Should IT consider NIAP-certified products for MDM?

The average organization may not require military-grade security for its endpoint management platform, but IT pros should take note of which products meet that standard. Continue Reading
Feature 26 Mar 2020

CISA exam preparation requires learning ethics, standards, new vocab

The CISA certification is proof of an auditor's knowledge and skills. However, the exam isn't easy and requires some heavy learning -- especially when it comes to vocabulary. Continue Reading
Quiz 26 Mar 2020

CISA practice questions to prep for the exam

Ready to take the Certified Information Systems Auditor exam? Use these CISA practice questions to test your knowledge of the audit process job practice domain. Continue Reading
Tip 11 Mar 2020

Updating the data discovery process in the age of CCPA

Privacy regulations are changing the enterprise data discovery process. Now, automation is key for fulfilling data discovery mandates, including those for CCPA and GDPR. Continue Reading
Tip 21 Jan 2020

Improve data security in the modern enterprise

From growing attack surfaces to new regulations, these data security considerations must be on every company's radar. Continue Reading
Tip 16 Jan 2020

How to deal with the lack of IoT standards

With each IoT standards body creating its own architecture or framework, IT professionals have many options to sort through for any IoT deployment. Continue Reading
Tip 14 Jan 2020

HIPAA compliance checklist: The key to staying compliant in 2020

Putting together a HIPAA compliance program can be fraught with difficulty. Review best practices and a HIPAA compliance checklist to avoid common pitfalls and pass an audit. Continue Reading
Feature 17 Dec 2019

Data breach risk factors, response model, reporting and more

Dig into five data breach risk factors, and learn how the DRAMA data breach response model can help enterprises counter breaches in a timely and efficient manner. Continue Reading
Feature 10 Dec 2019

Best practices to help CISOs prepare for CCPA

With the CCPA taking effect in 2020, check out security chiefs' best practices to get ahead and stay ahead of impending data privacy and protection compliance regulations. Continue Reading
Tip 22 Nov 2019

The top 3 use cases for AI endpoint security tools

Endpoint attack surfaces are growing, and cybersecurity pros struggle to keep up. Consider the following use cases for AI endpoint security techniques in the enterprise. Continue Reading
Feature 18 Nov 2019

IAM-driven biometrics in security requires adjustments

IAM is foundational to cybersecurity, but the latest systems use biometrics and other personal data. Learn how to cope with the resulting compliance and privacy issues. Continue Reading
News 21 Aug 2019

Salesforce DNSSEC project aims to boost site security, speed, uptime

Salesforce, which juggles multiple DNS providers to serve customers while complying with global data-privacy regulations, spearheads new DNS models to enable deeper encryption. Continue Reading
Feature 02 Aug 2019

Why is third-party risk management essential to cybersecurity?

Attackers know third parties hold many of the keys to the enterprise network, so third-party risk management is crucial for security professionals. Continue Reading
Feature 01 Aug 2019

For board of directors, cybersecurity literacy is essential

For boards of directors to meet their business goals, CISOs need a seat at the table. Through her initiative BoardSuited, Joyce Brocaglia aims to pave the way. Continue Reading
News 06 Jun 2019

Why larger GDPR fines could be on the horizon

There haven't been many fines under the General Data Protection Regulation since the EU data privacy law went into effect a year ago. But experts warn that will likely change. Continue Reading
Feature 24 May 2019

Compliance rules usher in new era for personal data privacy policy

With the rollout of data privacy regulations, individual data rights and the right to be forgotten are forcing organizations to re-examine how they handle customer information. Continue Reading
Opinion 01 May 2019

Putting cybersecurity for healthcare on solid footing

CISO Kevin Charest talks security threats he sees in the healthcare field and the means his company is using to thwart them, including HCSC's Cyber Fusion Center. Continue Reading
News 13 Mar 2019

Election security threats loom as presidential campaigns begin

Fragile electronic voting systems and the weaponization of social media continue to menace U.S. election systems as presidential candidates ramp up their 2020 campaigns. Continue Reading
Tip 20 Feb 2019

Key steps to put your zero-trust security plan into action

There are three key categories of vendor zero-trust products. Learn what they are, and how to evaluate and implement the one that's best for your company. Continue Reading
Buyer's Guide 20 Dec 2018

A guide to SIEM platforms, benefits and features

Evaluate the top SIEM platforms before making a buying decision. Explore how the top SIEM platform tools protect enterprises by collecting security event data for centralized analysis. Continue Reading
Feature 02 Oct 2018

Seven criteria for evaluating today's leading SIEM tools

Using criteria and comparison, expert Karen Scarfone examines the best SIEM software on the market to help you determine which one is right for your organization. Continue Reading
Answer 24 Aug 2018

What standards for business continuity aid in compliance?

Business continuity and disaster recovery compliance is a valuable asset and may require a deeper understanding of modern standards and changes your organization needs to make. Continue Reading
Feature 21 Aug 2018

SIEM evaluation criteria: Choosing the right SIEM products

Establishing solid SIEM evaluation criteria and applying them to an organization's business needs goes far when selecting the right SIEM products. Here are the questions to ask. Continue Reading
Feature 08 Aug 2018

SIEM benefits include efficient incident response, compliance

SIEM tools enable centralized reporting, which is just one of the many SIEM benefits. Others include real-time incident response, as well as insight for compliance reporting. Continue Reading
Feature 26 Jul 2018

A comprehensive guide to SIEM products

Expert Karen Scarfone examines security information and event management systems and explains why SIEM systems and SIEM products are crucial for enterprise security. Continue Reading
Tip 17 May 2018

How security operations centers work to benefit enterprises

One key support system for enterprises is security operations centers. Expert Ernie Hayden reviews the basic SOC framework and the purposes they can serve. Continue Reading
Answer 14 Mar 2018

What does the GDPR definition of personal data include?

The definition of personal data in the EU's GDPR data protection rules is broad enough to include any type of data that can be used to directly or indirectly identify a person. Continue Reading
News 09 Mar 2018

DHS cybersecurity audit scores below target security levels

A DHS cybersecurity audit for FISMA compliance by the Office of Inspector General rated the agency below target levels in three of five areas of information security. Continue Reading
Opinion 08 Mar 2018

The EU's GDPR will make us better storage managers

The European Union's General Data Protection Regulation has organizations worldwide rethinking storage management to their and their customers' benefit. Continue Reading
Tip 18 Jan 2018

Store medical images using hybrid cloud data storage

Hospitals that face an influx of medical imaging data can benefit from a hybrid cloud model to store data and enable disaster recovery services. Continue Reading
Tip 11 Jan 2018

Security compliance standards as a guide in endpoint plans

Consider security compliance regulations for your industry as a starting point and a guide for planning your specific approach to enterprise endpoint protection. Continue Reading
News 13 Dec 2017

Return of Bleichenbacher: ROBOT attack means trouble for TLS

A team of security researchers discovered many vendors' TLS implementations are vulnerable to the Bleichenbacher oracle attack, which was first discovered 19 years ago. Continue Reading
Buyer's Guide 30 Aug 2017

Selecting the best object-based storage platform for your needs

Object-based storage systems can provide the scalability needed to meet organizations' increasing unstructured data storage requirements. Learn how to pick the right platform. Continue Reading
Feature 28 Aug 2017

Electronic voting systems in the U.S. need post-election audits

Colorado will implement a new system for auditing electronic voting systems. Post-election audits have been proven to help, but are they enough to boost public trust in the systems? Continue Reading
Feature 28 Aug 2017

The leading object storage vendors offer broad range of options

Explore how the leading object storage systems can be accessed, how they integrate with the cloud, what data security they provide and the various deployment options they offer. Continue Reading
Tip 24 Aug 2017

The difference between security assessments and security audits

Security audits vs. security assessments solve different needs. Organizations may use security audits to check their security stature while security assessments might be the better tool to use. Expert Ernie Hayden explains the differences. Continue Reading
Feature 12 Jul 2017

Analyzing products from the leading object storage vendors

When evaluating the leading object-based storage systems, it is important to consider which product can best support your uses cases and unique site requirements. Continue Reading
Feature 12 Jun 2017

Know why patch management tools are required in the IT infrastructure

Regulations, efficiency and protection are the main drivers for purchasing patch management tools. See why automated patch management is a requirement for most businesses. Continue Reading
Feature 07 Jun 2017

Questions to ask object storage vendors before evaluating products

Before investing in object storage architecture, it is vital to understand your options, including whether you should buy software, hardware or a combination of both. Continue Reading
Podcast 02 Jun 2017

Risk & Repeat: GDPR compliance clock is ticking

In this week's Risk & Repeat podcast, SearchSecurity editors discuss GDPR compliance and how the EU law will affect enterprise data privacy and security across the globe. Continue Reading
Feature 11 May 2017

Object storage systems ease data capacity and archival concerns

If your organization can identify with any of the object storage use cases noted here, it might be time to consider adding this technology to your storage portfolio. Continue Reading
Answer 21 Dec 2016

Should one cybersecurity mistake mean the end of a CEO's career?

In one case, a tenured CEO made one cybersecurity mistake and was fired. Expert Mike O. Villegas discusses whether this sets a precedence for enterprises going forward. Continue Reading
Tip 17 Jun 2016

How CMMI models compare and map to the COBIT framework

Following ISACA's recent acquisition of the CMMI Institute, expert Judith Myerson takes a closer look at COBIT and CMMI models and how they compare to one another. Continue Reading
Feature 09 Feb 2016

Comparing the top vulnerability management tools

Expert Ed Tittel compares how the top-rated vulnerability management tools measure up against each other so you can select the right one for your organization. Continue Reading
Answer 26 Jan 2016

Is the FedRAMP certification making a difference?

There was speculation in the security world over whether the FedRAMP certification would be helpful or not. Now that it's in full use, Mike Chapple looks at the state of FedRAMP. Continue Reading
Feature 19 Jan 2016

Seven criteria for buying vulnerability management tools

Expert contributor Ed Tittel describes purchasing criteria for full-featured vulnerability management tools for small organizations to large enterprises. Continue Reading
Feature 18 Nov 2015

EMC RSA Security Analytics: SIEM product overview

Expert Karen Scarfone examines EMC RSA Security Analytics, a SIEM product for harvesting, analyzing and reporting on security log data across the enterprise. Continue Reading
Feature 18 Nov 2015

Splunk Enterprise: SIEM product overview

Expert Karen Scarfone examines Splunk Enterprise, a security information and event management (SIEM) product for collecting and analyzing event data to identify malicious activity. Continue Reading
Feature 18 Nov 2015

IBM Security QRadar: SIEM product overview

Expert Karen Scarfone takes a look at IBM Security QRadar, a security information and event management (SIEM) tool used for collecting and analyzing security log data. Continue Reading
Feature 04 Nov 2015

Comparing the top Web fraud detection systems

Expert Ed Tittel explores the features of the top Web fraud detection systems and compares critical purchasing criteria. Continue Reading
Tip 23 Oct 2015

How to manage BYOD security policies and stay compliant

The best BYOD security policies help enterprises stay compliant with security and privacy regulations. Here's what BYOD policies should include and how best to manage them. Continue Reading
Feature 20 Aug 2015

Introduction to Web fraud detection systems

Expert Ed Tittel explores the purpose of Web fraud detection systems and services, which are designed to reduce the risks inherent in electronic payments and e-commerce. Continue Reading
Tip 18 Jun 2012

With JOBS Act, Sarbanes-Oxley compliance likely won't get easier

While SMBs may benefit from the JOBS Act, Sarbanes-Oxley compliance for enterprises may remain largely unchanged. Expert Mike Chapple explains why. Continue Reading
News 16 Nov 2011

Cloud security among PCI Council 2012 special interest groups

The PCI Security Standards Council delineated a scope of special interest groups known as SIGS in order to help prioritize next years areas of focus. Continue Reading
Answer 06 Sep 2011

Comparing certifications: ISO 27001 vs. SAS 70, SSAE 16

Learn about ISO 27001 vs. SAS 70, and why enterprises should pay attention to SSAE 16 over SAS 70. Continue Reading
Tutorial 21 Jul 2011

Compliance and Cloud Security

This comprehensive guide to compliance and cloud security covers all the angles in order to help clarify security and compliance issues associated with cloud computing. Continue Reading
News 09 Sep 2010

N.C. firm charged with AML violations

A North Carolina-based firm with mostly foreign customers failed to identify and verify customer identities, officials say. Continue Reading
News 05 Jun 2009

Ex-SEC chief Pitt decries state of Sarbanes-Oxley, risk management

Former SEC chairman Harvey Pitt has a blunt assessment of SOX as well as the current state of the regulatory system, calling it "badly broken." Continue Reading
News 14 Apr 2009

This May Day, banks wave the Red Flags

The Red Flags Rule, which mandates companies develop methods by which they will identify, detect and respond to identity theft incidents, is set to go into effect May 1. Continue Reading
News 14 Apr 2009

Protecting data in a merger and acquisition

Upheaval in the financial-services industry has put the spotlight on financial information security. Experts share ways to keep sensitive information secure during an M&A. Continue Reading
Answer 09 Jul 2008

Is the Orange Book still relevant for assessing security controls?

Is the Orange Book still the be-all and end-all for assessing security controls in the enterprise? Security management expert Mike Rothman explains what happened to the Orange Book, and the Common Criteria for Information Technology Security Evaluation that replaced it. Continue Reading
News 12 May 2008

Compliance drives credit union to catch online bill payment fraudsters

Credit union services organization uses automated fraud detection system to protect its members. Continue Reading
Answer 10 Mar 2008

Does SOX provision email archiving?

Although SOX may lack specificity regarding certain controls, it does have clear mandates for email retention. Continue Reading