Let’s say you just found out that you need to be compliant with HIPAA or PCI DSS in order to win a big piece of new business for your organization.
Whether it’s a potential customer, a partner, a regulatory body or government making the demand, business often can’t move forward without demonstrable compliance with certain frameworks. And these can be thorny, complex, and time-consuming to meet.
You’ve heard the horror stories about becoming compliant — it can take twice as long as expected to get all your requirements up to par; it can cost way more than budgeted; and sometimes organizations don’t pass an audit even after all that hard work.
So what do you do?
We know meeting compliance isn’t a walk in the park. But if you’re prepared, you can cut to the chase a lot faster, within budget, and with fewer hiccups along the way. In this post, we’ll share a framework you can follow so you can get on the fast track to compliance. While a lot of tasks are involved in meeting compliance, there are ways to gain efficiencies as you work to meet a broad range of requirements.
Ready to dive in? Read more “How to Drive Efficiencies When Meeting Compliance Under a Deadline”
When companies prepare to meet compliance, whether it’s PCI DSS, HIPAA, or SOC 2, one thing that is often estimated inaccurately is the set of stakeholders who need to be involved: who they are, which departments within your organization they come from, what their roles are, what knowledge and skill sets they need, how long they’ll be needed, and so on. This post is intended as a practical guide to help you develop a thorough and realistic resource plan for your next compliance audit.
Read more “Allocating Resources for a Compliance Audit: A Practical Framework”
When’s the last time someone made an unauthorized change to your system files?
To answer this and other important security questions, as well as to meet many compliance requirements, you first need file integrity monitoring. In case you aren’t familiar with the term, file integrity monitoring (often abbreviated FIM) is the practice of knowing exactly when and how your files are being changed at any moment in time. This includes critical system files, configuration files, and content files.
Read more “File Integrity Monitoring and Its Role in Meeting Compliance”
Companies can easily underestimate the investment required to meet compliance. Thinking compliance is a one-and-done activity that you can skate by with minimal spend only sets you up for unpleasant surprises later on. Compliance can be a long, drawn-out process, involving everyone including HR, finance, security, and leadership. So it’s important to look at all the costs up front in order to set aside a realistic budget.
A good way to approach compliance is to treat it like a new product launch. You’ll need a dedicated project team, new technology, a reasonable budget, and more to get it off the ground.
Read more “Budgeting for a Compliance Audit: A Practical Framework”
The Threat Stack Compliance Playbook for Cloud Infrastructure is now available!
The Compliance Playbook is intended for readers who want to understand what’s involved in becoming compliant in a cloud environment — without getting caught up in the details and complexity that the compliance process is well known for.
Read more “The Compliance Playbook: How to Build PCI & HIPAA Compliant Businesses in the Cloud”
Monitoring is the most reliable method of identifying and tracking users who are accessing data on company systems. Whether you’re on the lookout for an unauthorized employee viewing confidential patient data, or a malicious outsider trying to steal cardholder data, monitoring is indispensable to a strong security posture.
Monitoring is also a requirement of just about every major compliance framework and regulation, from PCI DSS to HIPAA and beyond. For the purposes of this post, we’ll focus on the security monitoring requirements of PCI DSS and HIPAA, two of the most widely applicable regulations today.
We’ve been talking a lot about compliance lately. That’s because, as more businesses move to the cloud and store internal and customer data there, the means of achieving compliance change significantly. But it’s not the approach to compliance that changes in the cloud, it’s the tooling, as we explained in our post How Does Compliance Differ In The Cloud Versus On-Premise? So as more businesses move to the cloud or operate hybrid environments, we want to help them understand clearly what they need to do and, for the purpose of this post, when they need to do it.
Read more “Why You Need to be Compliant Much Sooner Than You Think”
The Office of Civil Rights (OCR) has been alluding to a large-scale HIPAA audit for quite some time now — and it looks like that threat will soon come to pass.
Read more “Can You Afford NOT To Be HIPAA Compliant?”
Compliance would be challenging even if it were a black and white issue. The reality is that compliance regulations, such as PCI DSS and HIPAA, are really just a string of requirements open to interpretation. The definitions of each requirement can vary, sometimes quite a bit, from auditor to auditor or from company to company. Today, even the auditors are getting audited in an effort to ensure that the application of compliance regulations is as uniform as possible.
Read more “How to Reconcile Different Definitions of PCI DSS and HIPAA Compliance”
With 253 healthcare breaches in 2015 for a total of 112 million lost records, HIPAA compliance has never been more relevant. Meanwhile, 80 percent of businesses fail their PCI compliance assessments.
As a business, whether you’re storing patient records or processing customer credit card data, chances are the government or your customers (or, many times, both) require you to meet some sort of compliance standards. And it ain’t easy.
Read more “How Does Compliance Differ In The Cloud Versus On-Premise?”