Working With Threat Stack Sample Compliance Rule Sets

The Threat Stack Cloud Security Platform® is an important tool for companies with cloud compliance initiatives, including HIPAA, PCI, SOC 2, and FFIEC. To help our customers with these initiatives, Threat Stack has released four new example rulesets with monitoring rules that map to each of these compliance frameworks. This post is an introduction to these rule sets, and explains how to:

  • Request the rule sets
  • Use the compliance rule sets
  • Customize compliance rules
  • Create new compliance rules

(If you’re not a customer, this post will give you an excellent insight into one of Threat Stack’s powerful characteristics — the ability to create, clone, and edit rules in order to reflect the specific nature of your environment.)

Compliance in the Cloud: Q&A Webinar Recap

On April 25th, I had the pleasure of speaking with Ryan Buckner, Principal at Schellman & Company, and Kevin Eberman, Director of Ops at MineralTree, during a webinar on compliance in the cloud.

Using the cloud as our lens, we discussed the ways in which companies can better understand and navigate compliance. You can view the entire webinar or read our recap below.

Meeting Compliance in the Cloud ≠ A Choice

In the past, we’ve talked about various ways that compliance can add value to your business. But what happens when you don’t attain or maintain compliance? (Note: In the following, we focus on PCI, but equally unpleasant consequences can result, of course, if you fail to meet other standards such as HIPAA, SOC 2, etc.)

Springbuk Case Study: How to Get Ahead of Compliance and Security Requirements on AWS

This is a guest blog post by Steve Caldwell, Director of Engineering at Springbuk, a health analytics software company that unifies pharmacy, biometric, and activity data, as well as medical claims to help employers make better decisions about employee health benefit programs.

As a health analytics company, Springbuk helps companies make better decisions around disease prevention and management through data. As such, meeting HIPAA requirements and following security best practices are very important to us; to ensure that we’re always compliant and as secure as possible, we needed to get a better handle on how security was managed across the organization.

FFIEC Guidance: A Cloud Security Perspective

As reported in a recent post on our blog, banks are rapidly moving to the cloud. Another recent post discussed how banks can make this move securely. If you are a financial institution looking to make the move to the cloud, this post can help you meet the information security program management requirements of the FFIEC Information Technology Examination Handbook published in September 2016 (“the Handbook”).

Three Good Reasons to Get Compliant Now

When things are hectic at your organization, compliance may not feel like the highest priority. If you aren’t in an industry that absolutely requires compliance, it can feel like a box to check — more of a nice-to-have than a must-do. In other cases, it may seem like a good idea . . . but one that can be kicked down the road indefinitely. However, we believe it’s a good idea to approach compliance early — often earlier than you may think.

Indeed, there are some situations in which compliance can actually move the needle in a big way for your business, either positively or negatively. Here are three specific, value-driven reasons why you should consider being proactive about compliance and get out ahead of it before it’s too late.

Demonstrating PCI Compliance Using Threat Stack

PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council to protect cardholder data. Threat Stack customers frequently ask us how Threat Stack can help them comply with these two sets of requirements:

  • Requirement 10: Track and monitor all access to network resources and cardholder data (in other words, determine the who, what, where, and when)

  • Requirement 11: Regularly test security systems and processes (in order to continuously monitor and test security controls)

The good news is that the following Threat Stack features can provide significant benefits to customers who need to satisfy PCI Compliance Requirements 10 and 11:

  • Configuration Auditing
  • Vulnerability Scanning
  • Rules monitoring file integrity, logins, network access, and threat intelligence activity

In the remainder of this post, we’ll demonstrate how these can help you meet your PCI compliance and security goals.

MineralTree Achieves PCI Compliance With Threat Stack

Compliance processes have a reputation for being expensive, time-consuming, and fraught with difficulties — and sometimes certifications are looked upon with skepticism. However, most of the PCI requirements are common-sense best practices that any organization that is concerned with security should adopt. At MineralTree, we use Threat Stack to mitigate security threats. Additionally, Threat Stack helps us adhere to PCI requirements and document our compliance.

Let me explain . . .

How to Verify That Compliance Controls and Processes are Being Met

Compliance is a complex, ongoing process. Between deciphering requirements into relatable terms, allocating a budget, and assembling a team for your compliance audit — all while trying to stay focused on running your business — there’s a lot to think about and do. And after all of this, there is still more that needs to be managed.

From regular maintenance of the processes, controls, and technology you implemented, to questions from customers about your level of compliance, you’ll quickly realize that compliance is a continuous process that needs to be managed, not a one-and-done activity.

Having said that, what are you doing, or going to do, to make your compliance plan accessible so team members — from Security to IT to Sales — can quickly verify a control or process?

The Ultimate Compliance Cheat Sheet: A Wrap Up of Threat Stack’s Cloud Compliance Series

We write about compliance (and talk to customers about it) pretty regularly, and if you’ve been following our blog over the last two months, then you know we also just did a full series on the topic. In addition, we released The Threat Stack Compliance Playbook, which is full of practical information you can use to help your company achieve compliance without losing your sanity.