In casual conversation, threats, vulnerabilities, and risks are often talked about interchangeably. The reality is that the three are quite different. Threats represent something that might happen. Vulnerabilities show that systems have inherent weaknesses attackers may exploit. Risks keep business owners up at night by shining a light on potential harm inherent in running an enterprise.

The Sarbanes-Oxley (SOX) Act was signed into law on July 30, 2002. The law drafted by congressmen Paul Sarbanes and Michael Oxley aimed to improve corporate financial governance and accountability while protecting shareholders from accounting errors and fraudulent activity. The real fuel for the SOX law came from the inappropriate financial conduct of three large companies Enron, Tyco, and WorldCom.

Risk management has become a veritable alphabet soup. The advent of the digital age is partly to blame. Virtually every organization is “going digital,” in a growing number of areas. Retail is now “e-tail”; manufacturing plants are increasingly automated; nearly every step of the hiring and contracting process happens online, from the application process to background checks to payroll and beyond.

The old adage warns “An ounce of prevention is worth a pound of cure.” The saying becomes even more pointed for threats that, unfortunately, do not yet have a cure. But the lessons of risk management offer a path forward, where prevention takes the form of avoiding, mitigating or reducing risks. As people and organizations confront COVID-19, the novel threat has inspired an array of new strategies to combat the pandemic.

A social compliance audit, also known as a social audit, is an effective way to determine if an organization is complying with socially responsible principles. Social compliance refers to how a company protects the health and safety as well as the rights of its employees, the community, and the environment where it operates in addition to the lives and communities of workers in its distribution chain and its supply chain.

Earlier this week, we shared the Reciprocity response to COVID-19. As the seriousness of this pandemic grows, our thoughts are with all of our employees, customers, and partners who are affected. We want to reiterate that our priority is to uphold our commitment to our customers. We know that many of you are concerned about the impact on your business operations, specifically supply chain issues you might be experiencing or anticipating.

First released in 1996, Control Objectives for Information and Related Technology (COBIT) is a framework developed by the Information Systems Audit and Control Association (ISACA) that can help you create and implement strategies around IT management and IT governance. The COBIT management framework helps you deal with the risks to enterprise IT and the impacts those risks can have on your company, business processes, and IT systems.

The retail industry is undergoing an incredible transformation as emerging technologies, omnichannel shopping, as well as digital and social media, compel organizations to figure out how to operate more efficiently and better accommodate customers. Leaders of companies in the retail industry understand the importance of the digital forces at work in the sector and are looking more closely at the inherent risks these digital forces present.

The Payment Card Industry Data Security Standard (PCI DSS) does a great job of outlining how an organization should go about protecting cardholder data. Most organizations take the best practices from the PCI council and implement a strong information security strategy bent on enforcing PCI standards, compliance requirements, and vulnerability management. What happens when an organization doesn’t follow the rules as they should or they suffer a data breach because of negligence?

System and Organization Controls for Service Organizations 2 (SOC 2) compliance isn’t mandatory. No industry requires a SOC 2 report. Nor is SOC 2 compliance law or regulation. But your service organization ought to consider investing in the technical audit required for a SOC 2 report. Not only do many companies expect SOC 2 compliance from their service providers, but having a SOC 2 report attesting to compliance confers added benefits, as well.

Congratulations, you have achieved PCI compliance! Now comes the hard part, staying compliant. Remember, it was a great deal of work to get your environment where it needed to be for the Payment Card Industry Data Security Standard (PCI DSS). Organizations spend a fair amount of money getting systems, networks, and people exactly where they need to be for cardholder data protection.