Congratulations, you have achieved PCI compliance! Now comes the hard part, staying compliant. Remember, it was a great deal of work to get your environment where it needed to be for the Payment Card Industry Data Security Standard (PCI DSS). Organizations spend a fair amount of money getting systems, networks, and people exactly where they need to be for cardholder data protection.

Inherent risk and control risk are two of the three parts of the audit risk model, which auditors use to determine the overall risk of an audit. Inherent risk is the risk of a material misstatement in a company’s financial statements without considering internal controls.

If your organization has a presence in California or does business with California residents, then it probably needs to comply with the California Consumer Privacy Act (CCPA). CCPA compliance is no easy task but never fear: Using this checklist and our CCPA audit guide can help smooth the way.

The Higher Education Community Vendor Assessment Tool (HECVAT) is a security assessment template that attempts to generalize higher education information security and data protection questions and issues regarding cloud services for consistency and ease of use. HECVAT has various versions that are free to use and provide a consistent, streamlined third-party risk assessment framework.

For decision making, “reactive” tends to be frowned upon in the business world. “Proactive” is the preferred mode and has been pretty much since the word was coined (in 1933).

A formal, written vendor or third-party risk management policy is the first step in developing your vendor risk management program, and essential to that program’s success. Vendor risk management encompasses third-party risks as well as that of your vendors’ vendors — fourth-party risks — and is an important component of any cybersecurity program.

When it comes to building a security program, one of the most frequently overlooked areas is that of vendor management. Organizations focus significant resources on internal security, such as vulnerability scans, centralized log management, or user training, while not extending the same diligence towards their third-parties. Organizations end up trusting the security of their network and data to an unknown and untested third-party. As we all know, a chain is only as strong as its weakest link.

A change is coming for privacy protection. Are you ready? For the past twenty years, most financial services businesses fell under the requirements of the Gramm-Leach-Bliley Act (GLB Act or GLBA). This law federally governed the collection and disclosure of customers’ personal financial information. However, on January 1st, 2020, a new privacy rule—the California Consumer Privacy Act (CCPA)—wentis going into effect.

Engaging with third-party vendors for the provision of goods and services isn't new. The level of digital transformation, paired with the number of third-party relationships and business partners the average organization has is. Third-party risk management programs need to evolve the manage this ever evolving type of risk exposure. Enterprise-wide organizations rely on third and fourth-party vendors. And many of them have access to sensitive data.