The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and despite being a European Union regulation, its effects are far reaching, as we’ll explain below. Regardless of where a company is based, it is subject to GDPR if it collects “personal data” from a person physically located in an EU country, provided the collection relates to offering goods or services or monitoring their behavior. Thus virtually any website that collects data would be subject to GDPR. Many SaaS organizations may feel overwhelmed by these new regulations or unsure of how they will (or won’t) apply to them.
Despite the flood of information that’s been published about the new regulation, many SaaS companies are still unclear about what GDPR means for them, so in this post, we have provided a brief definition of the GDPR followed by five key points you should be aware of. Read more “5 Things Your SaaS Company Should Know About GDPR”
As a SaaS company, compliance is probably the last thing you want to think about as you kick off the new year. It can be complicated, but meeting compliance requirements can also open up new markets, speed up your sales process, and improve your company’s overall security posture. When it comes to improving your security maturity, compliance can serve as a useful part of your strategy.
Entering new markets, whether you’re targeting specific industry verticals or going after international customers, requires continuous education and awareness about the latest in compliance and regulatory standards as they relate to data privacy and security. With that in mind, this post takes a brief look at key standards in order to give you insights into the security and privacy requirements that may be pertinent to the way your SaaS company engages with prospects and customers and handles sensitive data. Read more “How SaaS Companies Can Build a Compliance Roadmap for 2018”
It’s difficult to quantify the money saved by preventing a cyber attack that never happened. This is why proving the ROI of security measures can be tricky and can sometimes make security feel more like a cost-center than an investment.
In truth, being a great security organization is a competitive advantage. It’s both a sales driver and a compliance linchpin. It’s not simply a cost of doing business. In fact, it can really give you a leg up, particularly when selling to customers with HIPAA, SOC 2, ISO27000, or other compliance requirements.
In this post, we’ll explore a number of ways to balance risk and reward as you pursue cloud security and ensure the vitality of your business. Read more “How to Balance Risk and Reward When it Comes to Cloud Security”
Recognizing that the financial services industry is a significant target of cybersecurity threats, the New York State Department of Financial Services (NYDFS) recently promulgated Cybersecurity Requirements for Financial Service Companies (23 NYCRR 500).
If 23 NYCRR 500 applies to your organization, you will need to familiarize yourself with all the details, but in the meantime, here is a summary of the 6 key things every financial institution needs to know about this set of regulations. Read more “New York State Cybersecurity Requirements for Financial Services Companies — 6 Things You Should Know”
Let’s say you just found out that you need to be compliant with HIPAA or PCI DSS in order to win a big piece of new business for your organization.
Whether it’s a potential customer, a partner, a regulatory body or government making the demand, business often can’t move forward without demonstrable compliance with certain frameworks. And these can be thorny, complex, and time-consuming to meet.
You’ve heard the horror stories about becoming compliant — it can take twice as long as expected to get all your requirements up to par; it can cost way more than budgeted; and sometimes organizations don’t pass an audit even after all that hard work.
So what do you do?
We know meeting compliance isn’t a walk in the park. But if you’re prepared, you can cut to the chase a lot faster, within budget, and with fewer hiccups along the way. In this post, we’ll share a framework you can follow so you can get on the fast track to compliance. While a lot of tasks are involved in meeting compliance, there are ways to gain efficiencies as you work to meet a broad range of requirements.
Ready to dive in? Read more “How to Drive Efficiencies When Meeting Compliance Under a Deadline”
The Threat Stack Cloud Security Platform® is an important tool for companies with cloud compliance initiatives, including HIPAA, PCI, SOC 2, and FFIEC. To help our customers with these initiatives, Threat Stack has released four new example rulesets with monitoring rules that map to each of these compliance frameworks. This post is an introduction to these rule sets, and explains how to:
- Request the rule sets
- Use the compliance rule sets
- Customize compliance rules
- Create new compliance rules
(If you’re not a customer, this post will give you an excellent insight into one of Threat Stack’s powerful characteristics — the ability to create, clone, and edit rules in order to reflect the specific nature of your environment.) Read more “Working With Threat Stack Sample Compliance Rule Sets”
As reported in a recent post on our blog, banks are rapidly moving to the cloud. Another recent post discussed how banks can make this move securely. If you are a financial institution looking to make the move to the cloud, this post can help you meet the information security program management requirements of the FFIEC Information Technology Examination Handbook published in September 2016 (“the Handbook”).
Read more “FFIEC Guidance: A Cloud Security Perspective”
PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council to protect cardholder data. Threat Stack customers frequently ask us how Threat Stack can help them comply with these two sets of requirements:
- Requirement 10: Track and monitor all access to network resources and cardholder data (in other words, determine the who, what, where, and when)
- Requirement 11: Regularly test security systems and processes (in order to continuously monitor and test security controls)
The good news is that the following Threat Stack features can provide significant benefits to customers who need to satisfy PCI Compliance Requirements 10 and 11:
- Configuration Auditing
- Vulnerability Scanning
- Rules monitoring file integrity, logins, network access, and threat intelligence activity
In the remainder of this post, we’ll demonstrate how these can help you meet your PCI compliance and security goals. Read more “Demonstrating PCI Compliance Using Threat Stack”