PCI Compliance Checklist

PCI DSS stands for Payment Card Industry Data Security Standard. These standards are in place to help businesses protect themselves and their customers by outlining how sensitive personal information, like credit card data, gets stored. If you process payments using debit or credit cards, you must meet PCI DSS, or you might be fined or have your ability to process cards revoked altogether.

How SaaS Companies Can Build a Compliance Roadmap

Meeting compliance requirements can be a challenge, but it can also open up new markets, speed your sales process, and improve your company’s overall security posture. When it comes to improving your security maturity, compliance can be a useful part of your strategy.

Whether you’re targeting specific industry verticals or going after international customers, entering new markets requires continuous education about the latest in compliance and regulatory standards as they relate to data privacy and security. With that in mind, this post takes a brief look at key standards in order to give you insights into the security and privacy requirements that may be pertinent to the way your SaaS company engages with prospects and customers and handles sensitive data.

Ensuring Compliance With EU Payment Services Directive (PSD2)

September 14, 2019 is the deadline by which all payment service providers within the European Union must comply with the Regulatory Technical Standard (RTS) that sets out the requirements of the revised Payment Services Directive (PSD2). In this post, we cover some of the main issues related to PSD2’s purpose, how to determine whether it applies to you, and key requirements for compliance and security.

AWS GDPR: What You Need to Know

In May 2018, the General Data Protection Regulation became enforceable. While it is largely a European Union regulation, you are still covered by it if you store or process personal information of EU citizens.

If you use Amazon Web Services, you already know about many of the common security issues that can arise if you’re not on top of your game. But GDPR opens the door to a whole new set of security concerns and potential pitfalls, even for companies that aren’t based in the EU. Fortunately, AWS has taken steps to achieve GDPR compliance, but since it operates using a shared responsibility model, that means you’re on the hook for compliance, as well. With Threat Stack, you can secure your AWS infrastructure and uphold your end of the shared responsibility arrangement without slowing down DevOps. In addition, our intrusion detection platform helps you meet GDPR compliance obligations by helping you achieve observability throughout your infrastructure.

In this post, we discuss the steps AWS has taken to ensure GDPR compliance and what you can do to guarantee that your own infrastructure or system is likewise compliant.

Data Privacy is in the Spotlight as Colorado Enacts Landmark Consumer Data Privacy Bill (PCDP)

Introduction

— by Lindsey Ullian, Threat Stack Compliance Manager

Colorado has rightfully gained a reputation as one of the most socially progressive states, as it was one of the first to adopt a regulated adult-use marijuana marketplace. Now, Colorado is making news headlines again as it has adopted one of the nation’s strictest consumer privacy laws. The Colorado Consumer Protection Act (CCPA) is the result of a continued effort to protect residents’ personal data. Colorado’s law follows in theme with at least thirty-one other states that have heightened security surrounding consumers’ personal data, and stands out as one of only twelve states that have imposed broader data security requirements.

Any company or public agency storing a Colorado resident’s personal data will now need a data-protection policy, an efficient breach notification system, and the capability to destroy the data when it is no longer needed. Whether you are a small company of one person or a Fortune 500 company, as long as you have customers in Colorado, you must comply with this new law. And whether or not your business is located in Colorado is irrelevant — what is key is whether you have customers located within the state.

For more details, take a look at the following article written by Kevin Kish, Privacy Technical Lead at Schellman & Company. In this article, Kevin highlights key takeaways from this law, as well as areas in which this law differentiates itself as one of the nation’s strictest data protection laws.

Beyond Checkboxes: 6 Cloud Security Measures All Healthcare Organizations Should Take

Modern healthcare is a full participant in the digital economy, and personal health information (PHI) is at its center. But today’s digital landscape is a volatile threat environment where sensitive personal data is a coveted commodity. Minimizing exposure, liability, and risk to PHI is a necessity with visibility all the way up to the board-level in every healthcare organization.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes the HIPAA Privacy Rule which establishes national standards to protect PHI. Every organization conducting health care transactions electronically is familiar with its rules, and being “HIPAA Compliant” is mandatory. But such standards can create a false sense of security; is simply checking the boxes and satisfying an annual audit really enough to keep attackers at bay? Do standards written over the course of decades adequately cover today’s rapidly evolving threat landscape? Are processes developed in the days of enterprise data-centers sufficient to protect containerized microservices running in the cloud?

The short answer is no: merely being compliant is no longer enough. Digital leaders in proactive healthcare organizations — from providers to insurance companies — have realized that they must do much more to protect themselves from threats. Embracing DevSecOps and CI/CD gives healthcare organizations a strong foundation for security that goes beyond compliance, with true full-stack security observability.

AWS HIPAA Compliance Best Practices Checklist

The Health Insurance Portability and Accountability Act, or HIPAA, is a United States law that seeks to protect the privacy of patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. It seeks to make health insurance coverage available to everyone — even those who lose their jobs. It also aims to lower the cost of healthcare by setting up standards for the electronic transmission of financial and administrative transactions. HIPAA is also designed to help fight abuse, waste, and fraud in insurance and healthcare delivery. The act also gave rise to the HIPAA Privacy Rule, which is the first set of American standards that protect the health information of patients. All health-related clearinghouses, providers, and insurance plans are covered by the act, as well as all companies in the country that are handling or storing healthcare data.

The good news is that you can use AWS and be HIPAA compliant. One way to strengthen HIPAA compliance is by leveraging Threat Stack’s Cloud Security Platform®, which provides healthcare companies — as well as business associates — with the most advanced solutions they need to meet a broad range of HIPAA compliance requirements. This post outlines nine essential best practices you should know about AWS HIPAA compliance.

If You’re Not First, You’re Last: Risks of Delaying CCPA Compliance

Introduction

— by Lindsey Ullian, Threat Stack Compliance Manager

After GDPR went into effect in May 2018, many companies reassessed their privacy program — implementing more transparency and giving more control of personal information to the consumer. Now, with the CCPA (California Consumer Privacy Act) coming into effect in January 2020, even more companies are buttoning up their data privacy programs. The CCPA is not a guideline — it’s an act, and all companies that fall within its scope must comply. If companies don’t abide by this regulation, they could be looking at fines of up to $7,500 for each intentional violation.

Since both acts are related to data privacy and aim to provide more control and transparency to the consumer, most companies’ first question is, “If I’m GDPR compliant, am I covered for the CCPA?” The following article by Kevin Kish, Privacy Technical Lead at Schellman & Company, will give you a clear picture as to what you may have covered and what you’re lacking within your privacy program — outlining the similarities and differences between the two regulations. And what about companies that haven’t implemented proper GDPR data procedures? Short answer — they’ve got a bigger road ahead. Fortunately, this article details clear steps you can take to comply with the CCPA.

It’s clear from the enactment of the CCPA, shortly after the GDPR, that data privacy regulations are not going to go away anytime soon, so as a top-level best practice, companies should aim to be proactive and build a privacy program that aligns with these regulations and allows them to maintain strict CCPA compliance monitoring.

Threat Stack Successfully Completes Type 2 SOC 2 Examination With Zero Exceptions — Again!

For the second year in a row Threat Stack has achieved Type 2 SOC 2 Compliance in Security and Availability with zero exceptions. We’re justifiably proud of this accomplishment, which underscores our ongoing commitment to rigorous security standards and our ability to maintain them in our company’s technology, processes, and personnel along with the highest level of security and privacy for our customers.

To an outsider, there’s no apparent difference between our 2017 and 2018 results. Threat Stack is Type 2 SOC 2 compliant in Security and Availability. CHECK AND CHECK. But under the hood, there’s a lot more to the story. The differences between the processes we used in 2017 and the way we optimized these in 2018 are significant, as are the differences in the personnel who took part in the two SOC 2 initiatives. So in this post, we’re going to talk about some of the lessons we learned and the changes we made in order to achieve the same results in an even more rigorous and efficient manner.