Allocating Resources for a Compliance Audit: A Practical Framework

When companies prepare to meet compliance, whether it’s PCI DSS, HIPAA, or SOC 2, one thing that can be estimated inaccurately is the stakeholders who need to be involved — who they are, what departments they come from within your organization, what their roles are, what knowledge and skill sets they require, how long they’ll be needed, etc. This post is intended as a practical guide to help you develop a thorough and realistic resource plan for your next compliance audit.

Read more “Allocating Resources for a Compliance Audit: A Practical Framework”

When is Good Enough Good Enough? Meeting Compliance Without Losing Your Mind

Have you heard one about the bear and the two hikers?

A bear jumps out of the bush and starts chasing two hikers. They both start running for their lives, but then one of them stops to put on his running shoes.

The first hiker says, “What are you doing? You can’t outrun a bear!”

The second hiker replies, “I don’t have to outrun the bear; I only have to outrun you!”

Compliance works in a similar way. You don’t need to be the most compliant company; you just need to meet the requirements well enough to satisfy regulators, auditors, customers, and stakeholders. And, ideally, you want to be more compliant than your competitors. That’s how you outrun the bear (err… win the customer.)

Read more “When is Good Enough Good Enough? Meeting Compliance Without Losing Your Mind”

File Integrity Monitoring and Its Role in Meeting Compliance

When’s the last time someone made an unauthorized change to your system files?

To answer this and other important security questions, as well as to meet many compliance requirements, you first need to have file integrity monitoring. In case you aren’t familiar with the term, file integrity monitoring (sometimes abbreviated to FIM) is the method for knowing exactly when and how your files are being changed at any moment in time. This includes critical system files, configuration files, and content files.

Read more “File Integrity Monitoring and Its Role in Meeting Compliance”

See Threat Stack in Action

Get in touch for a demo of Threat Stack's comprehensive instrusion detection platform.

Request a Demo

Budgeting for a Compliance Audit: A Practical Framework

Companies can easily underestimate the investment required to meet compliance. Thinking compliance is a one-and-done activity that you can skate by with minimal spend only sets you up for unpleasant surprises later on. Compliance can be a long, drawn-out process, involving everyone including HR, finance, security, and leadership. So it’s important to look at all the costs up front in order to set aside a realistic budget.

A good way to approach compliance is to treat it like a new product launch. You’ll need a dedicated project team, new technology, a reasonable budget, and more to get it off the ground.

Read more “Budgeting for a Compliance Audit: A Practical Framework”

See Threat Stack in Action

Get in touch for a demo of Threat Stack's comprehensive instrusion detection platform.

Request a Demo

The Compliance Playbook: How to Build PCI & HIPAA Compliant Businesses in the Cloud

The Threat Stack Compliance Playbook for Cloud Infrastructure is now available!

The Compliance Playbook is intended for readers who want to understand what’s involved in becoming compliant in a cloud environment — without getting caught up in the details and complexity that the compliance process is well known for.

Read more “The Compliance Playbook: How to Build PCI & HIPAA Compliant Businesses in the Cloud”

The Importance of Security Monitoring to Achieving Compliance in the Cloud

Monitoring is the most reliable method of identifying and tracking users who are accessing data on company systems. Whether you’re on the lookout for an unauthorized employee viewing confidential patient data, or a malicious outsider trying to steal cardholder data, monitoring is indispensable to a strong security posture.

As well, monitoring is a requirement for just about every major compliance framework and regulation, from PCI DSS to HIPAA and beyond. For the sake of this post, we’ll be focusing on security monitoring requirements for PCI DSS and HIPAA, two of the most widely applicable regulations today.

Read more “The Importance of Security Monitoring to Achieving Compliance in the Cloud”

The Impact of the Cloud’s Shared Responsibility Model on Compliance

Amazon Web Services (AWS) has pioneered the Shared Responsibility Model in the cloud. Basically, this model outlines how cloud service providers and consumers of these cloud-based services should share responsibilities when it comes to ensuring security in the cloud. AWS and other cloud service providers (CSPs) are responsible for ensuring that cloud infrastructure is secure. Meanwhile, companies (those using the cloud services) are responsible for their data, networks, applications, and operating systems — anything they own that lives in the cloud.

Read more “The Impact of the Cloud’s Shared Responsibility Model on Compliance”

Why You Need to be Compliant Much Sooner Than You Think

We’ve been talking a lot about compliance lately. That’s because, as more businesses are moving to the cloud and storing internal and customer data there, the means to achieving compliance change significantly. But it’s not the approach to compliance that changes in the cloud, it’s the tooling, as we explained in our post How Does Compliance Differ In The Cloud Versus On-Premise? So as more businesses move to the cloud or operate hybrid environments, we want to help them become clear about what they need to do and, for the purpose of this post, when they need to do it.

Read more “Why You Need to be Compliant Much Sooner Than You Think”

How to Reconcile Different Definitions of PCI DSS and HIPAA Compliance

Compliance would be challenging even if it were a black and white issue. The reality is that compliance regulations, such as PCI DSS and HIPAA, are really just a string of requirements open to interpretation. The definitions of each requirement can vary, sometimes quite a bit, from auditor to auditor or from company to company. Today, even the auditors are getting audited in an effort to ensure that the application of compliance regulations is as uniform as possible.

Read more “How to Reconcile Different Definitions of PCI DSS and HIPAA Compliance”