Article Library


Beginning in 2021, contracts offered by the DoD can specify a required level of CMMC validation in order for the recipient to be awarded the contract. The plan is to continue to slowly phase in the CMMC requirements to DoD contracts, and by 2026 all active contracts will require CMMC certification. How do you determine what Level of CMMC you must achieve? 


All organizations that process, store, or transmit cardholder data must be in compliance with the Payment Card Industry Data Security Standard (PCI DSS). How organizations attest that compliance to their acquiring banks can differ, but there are two standard methods: the Self-Assessment Questionnaire (SAQ) and the Report on Compliance (RoC).


Many organizations have transitioned away from traditional analog phone lines to Voice over Internet Protocol (VoIP). With a VoIP network, voice phone calls are converted into packets of data. If you have merchants accepting cardholder data over a VoIP telephone, this can unfortunately expand your organization's PCI DSS scope.


Prior to a department or unit making the decision to purchase a product or service from a third-party vendor that will access, process, or maintain sensitive organizational information, your organization should have a defined policy and process that requires the vendor to be compliant with all applicable information security and privacy laws, regulations, and organizational policies. All third-party vendors and systems should undergo a thorough security review before approval.


While Human Resources may not play a significant role in the assessment, the NIST SP 800-171 Security Requirement 9 regarding Personnel Security contains controls that must be implemented and, usually, only HR staff can answer them. 


The release of v4.0 was initially planned for Q2 of 2021; however, after the initial drafts and request for comment (RFC) periods, the Security Standards Council (SSC) decided to allow for additional feedback on supporting documents like the Self-Assessment Questionnaires (SAQs).


The 2020 Costs and Consequences of Gaps in Vulnerability Response report from the Ponemon Institute revealed that most organizations' vulnerability management programs are not mature. Look at ongoing vulnerability management as part of the Payment Card Industry Data Security Standard.


Annual audits are coming, and all signs point to a continued focus on protecting student financial information. We know student financial aid information must be protected, but what other information falls under the GLBA umbrella, and where can this data be found across campus?


Did you know that every 10 seconds in 2020 a new organization became a victim of ransomware? According to Verizon's 2020 Data Breach Investigations Report, ransomware accounted for approximately 80% of incidents reported in the educational services sector in 2019. This was a 48% increase from the previous year.



It is now more important than ever for organizations to ensure all service providers are properly vetted, the appropriate contracts and agreements are in place, and the relationships are monitored and assessed on an ongoing basis.


With shrinking budgets and limited resources, many organizations can be hesitant to schedule a penetration test because of the realization that, once the test formally documents the holes in their environment, they won’t be able to dedicate adequate resources to fix them. Learn key points to consider if your organization is struggling to justify a penetration test:


Hackers are increasingly targeting endpoint devices because they are often less secure and are most likely storing valuable, sensitive data. Reports show that 70% of security breaches originate at endpoint devices, through phishing, compromised credentials, or out-of-date systems.


Organizations are constantly changing processes and adding new vendors, devices, cloud services, and applications to their environment. How can your organization ensure all departments are operating with at least the minimally accepted security controls in place?


Email is consistently the number one entry point for information security threats, with 90% of breaches beginning with an email attack. How do you protect those accounts before they are phished?


As the expectation is that colleges and universities will continue to be a target of hackers, the U.S. Department of Education has emphasized the importance of taking appropriate measures to protect sensitive data and is now including the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule audit objective in the federal single audit process. Learn the GLBA Committee's roles and responsibilities.


During the initial evaluation of a potential third-party partner, merchants should understand the requirements within their organization's policy and the process for conducting vendor security evaluations. Unfortunately, some vendors may attempt to sidestep the request if they believe they are not required to comply.


New internal and external threats are constantly emerging, and hackers are identifying new ways to infiltrate networks via phishing scams, malware, and ransomware. The report detailed ten common data security mistakes.


We tend to focus a lot of attention on third-party payment applications and e-commerce websites due to the increased risks and recent data breaches, but what about those third-party vendors that are physically residing on your campus? 


Asking for forgiveness, not permission, does not apply when it comes to PCI. As part of your organization’s PCI compliance program, you must have a defined process for establishing a new merchant account or a new payment process.


Whether you are transitioning to a new bank as part of a larger system or state contract, or you have contemplated shopping around for other options internally, there are several key factors that should be considered as part of your decision.


Just last week, the FBI, CIA, and HHS released a warning to healthcare providers about the threat of an imminent attack, reminding providers to take reasonable precautions to protect their networks. These experts stressed the importance of having documented business continuity plans in order to minimize service interruptions in the event of an attack.


For colleges and universities involved in R&D, the switch from DFARS to CMMC is big news. The Cybersecurity Maturity Model Certification (CMMC) is enforced by the US Department of Defense (DoD) and builds upon the existing Defense Federal Acquisition Regulation Supplement (DFARS) regulation.


Typically, an organization's most important security perimeter is the company firewall and related system infrastructure, but with workers now at home, the most important defense really does become the people themselves. 

Humans are the weakest link.


With the ever-expanding usage of 5G, we have begun seeing major network providers stating that they will be phasing out 3G networks soon. Merchants using cellular payment card terminals will need to upgrade to at least 4G devices in order to have the necessary support and coverage for payment card acceptance.


PIN Transaction Security (PTS) devices are those devices used by merchants at the point of interaction for capturing payment card data and confirming receipt of transaction approval. Approved PTS devices may be a requirement from the various card brands in order to protect against fraud and ensure the secure entry and transmission of account data.


With students now spending the majority of their days online, it is never too early to teach cyber awareness to the next generation. Schools can help by mitigating ongoing cybersecurity risks and providing information security best practices within their distance learning plans. 


When you consider the complex environments of campus-based organizations, which must manage multiple merchants with different payment channels across different locations, it is easy to understand how difficult year-round compliance can be. Learn how Drexel and Tufts Universities accomplish it.


Organizations worldwide have had to quickly figure out how to function with their entire staff working remotely, and now the focus is shifting to how, or even if, we can safely re-open. With these more urgent priorities, many organizations were forced to take a risk-based approach towards compliance. What has been the impact on requirements?


The number of insider incidents has been gradually decreasing since 2016; however, the numbers are still staggering. The decrease has been largely attributed to increased employee education, but what exactly are the training requirements under the Health Insurance Portability and Accountability Act (HIPAA)?


Read some of the highlights and key findings from the recently released Australian National Data Breach Report.


Many organizations utilize third-party vendor solutions to help outsource compliance and security responsibilities, but a breach of a third-party’s systems can still cause a significant headache and reputational damage for your organization.


By performing numerous remote assessments, CampusGuard has documented best practices for achieving the desired outcome.