- ISO 17799
- Gramm-Leach-Bliley Act (GLBA)
- PCI Data Security Standard
- HIPAA
- Sarbanes-Oxley Act
- IT Security Audits
- Data Privacy and Protection
- FFIEC Regulations and Guidelines
- COBIT
-
Does ISO 27001 certification mean HIPAA and HITECH compliance?
Mike Chapple clarifies the difference between ISO 27001 certification and HIPAA and HITECH compliance. (Answer)
-
Can ISO 27002 be used as a standalone guide for security management?
Learn the difference between ISO 27001 and ISO 27002, and how the latter can be used to build an infosec program. (Answer)
-
Perspectives: Lessons learned in BS 7799 certification
-
Getting started with an ISO implementation
Struggling to develop an ISO implementation plan? Expert Charles Denyer offers advice on getting started with an enterprise ISO implementation. (Answer)
-
What is ISO certified vs. ISO compliant?
Expert Charles Denyer explains the difference between an ISO 27002 certification report and an ISO 27002 compliant report. (Answer)
-
Comparing certifications: ISO 27001 vs. SAS 70, SSAE 16
Compliance expert Charles Denyer covers ISO 27001 vs. SAS 70, and why enterprises should pay attention to SSAE 16 over SAS 70. (Answer)
-
Should national information security standards be enforceable?
In this expert response, Ernie Hayden discusses the feasibility of creating national information security standards that would apply to all U.S. organizations deemed to hold sensitive data. (Ask the Expert)
-
Benefits of ISO 27001 and ISO 27002 certification for your enterprise
If your enterprise is considering becoming ISO 27001 and 27002 certified, there are several important questions to ask. Learn about the potential benefits of ISO 27001 and 27002 certification with this expert advice. (Tip)
-
Tony Spinelli: Prioritize Information Security over Compliance
Organizations need to prioritize security over compliance to ensure comprehensive risk mitigation. (Feature)
-
How to write a risk methodology that blends business, security needs
One security professional describes a homegrown risk methodology currently being used by a large university and a private corporation. (Feature)
-
Compliance Guide for Managers
-
Due diligence processes for cloud computing compliance
Moving IT operations to the cloud requires careful due diligence to maintain compliance with HIPAA, GLBA and other regulations. (Feature)
-
GLBA compliance and emerging technologies
In order to meet GLBA requirements, companies must analyze the risks before moving customer information into new technologies like VoIP and cloud computing. (Tip)
-
Regulators issue standardized privacy notice form for GLBA compliance
Model form aims to make it easier for consumers to understand banks' privacy policies and help financial institutions meet GLBA requirements. (Article | 17 Nov 2009)
-
Implement security and compliance in a risk management context
CFOs live in a world where risk management is the lingua franca. CISOs have to join the conversation. (Feature)
-
Getting compliance on the GRID
The Object Management Group is attempting to build a database that may one day serve as a clearinghouse for all the world's IT-related regulations. Some say it's impossible, but others say it's badly needed to keep companies secure and out of the legal crosshairs. (Article | 17 Jan 2008)
-
Insuring compliance: Nationwide tackles GLBA
GLBA requires all financial institutions to design, implement and maintain safeguards to protect customer information. This case study reveals Nationwide's biggest task for GLBA compliance. (Tip)
-
IBM to boost security spending, push PCI DSS program
IBM plans to invest $1.5 billion on security research in 2008. The company is also using recent acquisitions to introduce a PCI DSS program. (Article | 01 Nov 2007)
-
ISO 27001 could bridge the regulatory divide, expert says
Karen Worstell, former CISO at Microsoft and AT&T Wireless, recently joined the advisory board of Neupart A/S, a five-year-old European security risk management and awareness firm that just launched a North American office in the Seattle area. The company's specialty is promoting industry awareness of ISO 27001, a standard that defines the components of a security management plan to monitor, measure and control information security. As American businesses emerge from their Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley compliance projects, Neupart is hoping security pros are ready to take a fresh look at ISO 27001. In this Q&A, Worstell explains how ISO 27001 can be used to help companies comply with a variety of regulations and standards, and where her former employer, Microsoft, fits in. (Interview | 11 Jul 2007)
-
HIPAA Omnibus Rule, PPACA challenge enterprise compliance management
Compliance practitioners say new mandates like the HIPAA Omnibus Rule and Obamacare are making enterprise compliance management even harder. (News | 31 May 2013)
-
Web application security testing: Is a pen test or code review better?
For Web application security testing, if cash is tight, should a penetration test top an application code review? Michael Cobb explains his choice. (Answer)
-
PCI DSS compliance: What to do when agents email credit card numbers
Emailing unencrypted credit card numbers is a violation of PCI DSS. Learn how to stop customer service agents from practicing this dangerous act. (Answer)
-
How to address PCI compliance in the cloud
Expert Mike Chapple offers advice on how to address PCI compliance when moving systems to the public cloud. (Answer)
-
Criteria for evaluating PCI consultants
PCI consultants can help organizations achieve PCI DSS compliance, but first you must choose the right one. (Answer)
-
Unencrypted credit card data storage: Why 70% of merchants do it
Mike Chapple offers four possible reasons why some merchants still store unencrypted credit card data after years of PCI DSS compliance requirements. (Answer)
-
Breaking down PCI SSC's Qualified Integrators and Resellers program
Mike Chapple breaks down PCI SSC's new Qualified Integrators and Resellers (QIR) program, explaining the compliance requirements for merchants. (Answer)
-
Understanding PCI mobile payment processing security guidelines
Mike Chapple discusses the new PCI Mobile Payment Acceptance Security Guidelines and the mobile payment processing implications for merchants. (Tip)
-
B-Sides: Akamai's Corman calls for new information security focus
At Security B-Sides 2013, Joshua Corman railed against PCI DSS and vendor profit measures, calling for a renewed information security focus on what really matters. (News | 26 Feb 2013)
-
Analysis: Inside the new PCI DSS risk assessment
Mike Chapple outlines the recommendations in the PCI DSS Risk Assessment Guidelines and explains how they can make a compliance program stronger. (Tip)
-
A HIPAA compliance checklist for corporate mergers and acquisitions
Learn about the important HIPAA compliance best practices that can help maintain compliance before and after a corporate merger or acquisition. (Tip)
-
HIPAA compliance training: How to prevent lost or stolen devices
Mike Chapple explains how enterprises can help lessen the impact of lost or stolen devices as part of HIPAA compliance training. (Answer)
-
The HIPAA omnibus rule: How the changes affect IT security pros
The new HIPAA omnibus rule begins a new chapter in HIPAA compliance. Learn how the changes will affect IT security pros and how to comply. (Tip)
-
How do the HIPAA Security Final Rule and meaningful use rule differ?
Expert Mike Chapple discusses the HIPAA Security Final Rule and the meaningful use rule, including what each entails and how they differ. (Answer)
-
Windows Server 2012 security: Is it time to upgrade?
Expert Michael Cobb wades through the security features of Windows Server 2012 to find out what's new and beneficial in Microsoft's latest release. (Tip)
-
HITRUST C-TAS: Is it the new compliance mandate?
Mike Chapple discusses the new HITRUST C-TAS information-sharing consortium and clarifies whether it relates to the HIPAA compliance mandate. (Answer)
-
Tackle virtualization compliance by balancing business, security needs
Security and business cultures don't always mesh, but virtualization compliance requires balance between them. Eric Ogren explains in this tutorial. (Video)
-
HIPAA privacy records and guidelines: How to achieve compliance
-
Security requirements for Foreign Corrupt Practices Act compliance
Expert Mike Chapple explains the Foreign Corrupt Practices Act and the security controls required for compliance. (Answer)
-
SOX section 404: Improving security with executive communications
-
Prioritizing compliance and information security
-
Internal auditors and CISOs mitigate similar risks
-
SOX compliance burdens midmarket security teams
-
Layer 8: SOX security spending is an old, wrinkled tactic
-
With JOBS Act, Sarbanes-Oxley compliance likely won't get easier
While SMBs may benefit from the JOBS Act, Sarbanes-Oxley compliance for enterprises may remain largely unchanged. Expert Mike Chapple explains why. (Tip)
-
SOX compliance checklist: Five ways to refine a SOX compliance program
SOX compliance is still too burdensome for many enterprises. Expert Charles Denyer offers five ways to streamline a lagging SOX compliance program. (Tip)
-
Information security book excerpts and reviews
Visit the Information Security Bookshelf for book reviews and free chapter downloads. (Information Security Book)
-
How to use compliance automation to reduce compliance risk
Tony UcedaVelez offers tips for automating compliance tasks to reduce IT security and compliance risk while easing the pain of arduous compliance audits. (Tip)
-
Compliance and risk modeling
You can fight compliance or embrace it, but one way or the other, you can't escape it. Increasingly, smart organizations are not just accepting compliance as a necessary evil, but aggressively teaming with their internal compliance and audit teams to structure security programs both for heightened security and clear compliance deliverables. The cover story tackles not only this shift in emphasis, but also the latest updates in key compliance frameworks, offering guidance on how to position new requirements as an opportunity rather than more paperwork. (E-Zine)
-
Editor’s desk: A chat with Peter G. Neumann
Peter G. Neumann shares his thoughts on the inherent complexity of trustworthiness and the evolutionary promise of clean-slate architectures. (Feature)
-
Choosing an external auditor: What to look for in an auditing firm
Expert Mike Chapple advises enterprises on how to choose an external auditor, focusing on four major qualities to look for in an auditing firm. (Answer)
-
Complying with MasterCard's new PCI Level 2 assessment requirements
Expert Mike Chapple breaks down how Level 2 merchants can comply with MasterCard's new requirement for PCI self-assessments. (Answer)
-
Audit failure: How one lab raised IT security awareness and its audit grade
-
Ensure audit success with sound security audit procedures
-
Four compliance IT management tips to improve employee engagement
Mike Chapple offers four tips for improving employee collaboration and creativity with an enterprise's compliance program. (Answer)
-
How an assessor validates the PCI DSS scope of compliance
Expert Mike Chapple explains the four tests a QSA performs to validate that an organization has properly defined its PCI DSS scope of compliance. (Answer)
-
Cloud Compliance: Tackling Compliance in the Cloud
Moving to a cloud environment brings compliance challenges, but they're not insurmountable. (Feature)
-
Weighing compliance mandates vs. security vulnerability management
Should security vulnerabilities be prioritized based on compliance needs? Mike Chapple discusses this approach to vulnerability management. (Answer)
-
For CISOs, California Right to Know Act would raise privacy emphasis
The proposed California Right to Know Act may compel CISOs to develop additional privacy policies or create new privacy officer roles. (News | 09 Apr 2013)
-
Bruce Schneier explains why there is no privacy on the Internet
Video: Bruce Schneier provides three examples to prove there is no privacy on the Internet. Is government regulation needed? (Video)
-
Microsoft services agreement changes: What other enterprises can learn
Should enterprises be concerned about Microsoft services agreement changes after the Google privacy policy fiasco? Expert Michael Cobb discusses. (Answer)
-
Bruce Schneier on data privacy and Google's feudal model of security
Video: Bruce Schneier explains why Google, Apple and others have adopted a feudal model of security, and the resulting data privacy concerns. (Video)
-
Lacking privacy laws aid growing CISO role in data privacy management
More CISOs may be taking on data privacy management. Fortunately, old, outdated privacy laws may lend them a helping hand. (News | 29 Jan 2013)
-
Updated COPPA regulations add to child Internet protection guidelines
After 15 years, the FTC announced updated COPPA regulations effective July 2013. Learn how to deal with this updated child Internet privacy mandate. (Tip)
-
Stored Communications Act ruling muddles business online data privacy
A state supreme court decision addressing webmail hacking under the Stored Communications Act affects email privacy and the ability to sue hackers. (Tip)
-
Interview: FDIC director explains FFIEC standard
-
Updated Bank Secrecy Act compliance exam guide focuses on risk
FFIEC makes it clear that financial institutions' anti-money laundering programs must account for changing risks. In this expert tip, Dan Fisher explains how to ensure your BSA program meets examiners' scrutiny. (Tip)
-
N.C. firm charged with AML violations
A North Carolina-based firm with mostly foreign customers failed to identify and verify customer identities, officials say. (News | 09 Sep 2010)
-
Data security implications of financial services regulatory reform
Industry experts weigh in on the possible ramifications of the sweeping legislation on information security and compliance professionals. (Article | 29 Jul 2010)
-
FFIEC security requirements: Physical security management and logging
In this expert response from Ernie Hayden, learn about FFIEC security requirements for creating physical security logs. (Ask the Expert)
-
Aite Group: Take action now to manage remote deposit capture risks
Fraud losses involving RDC technology have the potential to skyrocket if banks don't work proactively to deal with the risks, research firm says. (Article | 11 May 2010)
-
Regulators revisit authentication advice to thwart online banking fraud
It's been nearly five years since the Federal Financial Institutions Examination Council (FFIEC) issued its authentication guidance for online banking. Since then, cybercriminals have developed sophisticated malware that can circumvent multifactor authentication to hijack and loot online bank accounts. In the wake of the online banking fraud surge, which has targeted small and midsize businesses, federal regulators are revisiting their 2005 authentication guidance. SearchFinancialSecurity.com met with Jeffrey Kopchik, a senior policy analyst at the FDIC, to learn more about the effort. (Interview | 25 Mar 2010)
-
FTC Red Flags Rules: How to create an identity theft prevention plan
Under FTC's Red Flags Rules, all financial institutions and creditors with covered accounts are required to create an identity theft prevention plan. But who is a creditor and what is a covered account? Learn more in this expert tip. (Tip)
-
Don't forget the cleaning crew in your vendor management program
Banks often overlook non-IT vendors in their vendor management program, putting their organization and customers' data at risk, experts say. (Article | 05 Oct 2009)
-
This May Day, banks wave the Red Flags
The Red Flags Rule, which mandates companies develop methods by which they will identify, detect and respond to identity theft incidents, is set to go into effect May 1. (News | 14 Apr 2009)
-
COBIT 5 certification: What training is necessary for accreditation?
Expert Mike Chapple offers advice for understanding COBIT and what it takes to acquire COBIT 5 certification. (Answer)
-
COBIT 5: A first look at the recent updates
In this tip, learn how to integrate the new management practices from COBIT 5 into current IT security framework implementations. (Tip)
-
Forrester offers new guide for information security program development
The research firm's new 123-point maturity model is intended to go beyond COBIT as a more comprehensive way to help companies find and fix gaps in their infosec programs. (Article | 30 Jul 2010)
-
How to use COBIT for compliance
While the COBIT framework has been around for a long time, it can still be very useful in terms of understanding goals and benchmarks for a security program that can, in turn, aid compliance with many regulations. (Tip)
-
Security survey finds increase in security standards adoption
Ernst & Young's 2008 Global Information Security Survey finds both positive and negative trends in information security depending on how you look at the numbers. (Article | 30 Oct 2008)
-
GRC: Over-Hyped or Legit?
Governance, risk and compliance (GRC) is being used as a catch-all phrase for most information security strategies and tagged onto various products, adding even more confusion in the market as to what it truly means or promises to corporations. (Feature)
-
Mix of Frameworks and GRC Satisfy Compliance Overlaps
Three organizations reveal how they use a combination of frameworks such as COBIT or ISO 27001 along with GRC tools to satisfy overlapping industry and federal regulatory demands. (Feature)
Security Management Strategies for the CIO