COSO Framework for Service Organizations and SOC Reporting (Part 1 of 3)
February 24, 2015, Jamie Kilcoyne, Managing Director, Coalfire Controls
One of the most important reference tools that companies use to establish and evaluate their internal controls is the Committee of Sponsoring Organizations' (COSO) Internal Control - Integrated Framework. Initially published in 1992 (the 1992 Framework), the COSO framework has been the most widely used model for internal control for the past 20 years.
What do PCI DSS 3.1 and PA-DSS 3.1 mean for you and your organization?
February 19, 2015, Matt Getzelman, PCI Practice Director
In the wake of the POODLE vulnerability identified by NIST and subsequent attacks, the PCI SSC has announced its intent to release the first revision of the PCI DSS 3.0 and PA-DSS 3.0 standards. The PCI DSS 3.1 and PA-DSS 3.1 standards will indicate that the SSL v3.0 protocol no longer meets the PCI SSC’s definition of “Strong Encryption”, and this will have an immediate impact on several existing requirements. However, one key point from the announcement should be highlighted:
Emerging Payment Technologies and Due Diligence: A Warning about “Silver Bullets”
February 09, 2015, Matt Getzelman, PCI Practice Director
2015 will be an exciting year for the payments industry, especially for merchants that now have a number of new payment technologies at their disposal. Emerging payment technologies such as Point-to-Point Encryption (P2PE), Tokenization, EMV/Chip and Signature, and Mobile Payment Acceptance are hitting the market globally. All of them can help reduce the risk of cardholder data compromise and may also affect the compliance posture of merchants that choose to adopt them.
Anthem Data Breach - A Message from Coalfire's Healthcare Practice Director
February 05, 2015, Andrew Hicks, Director, Healthcare Practice Lead
Several weeks ago I had the opportunity to speak on a panel at a healthcare conference. In attendance were CIOs, CISOs, VPs of IT, and members of legal counsel. The individuals attending the session represented organizations ranging from small- to medium-sized business associates all the way up to large, multi-networked hospitals defined as covered entities under the Health Insurance Portability and Accountability Act (HIPAA).
Their Claim to Fame – So-Called HIPAA-Compliance Experts and Tools
January 15, 2015, Andrew Hicks, Director, Healthcare Practice Lead
Have you noticed how many vendors and software solutions are out there claiming they can make you HIPAA-compliant? Well, at the end of the day that’s simply not possible because only you can make your organization HIPAA-compliant. I came up with a list of “red flags” that I typically see from vendors, contractors and the like.