Article Library

A recent 'Best Life' blog post listed the biggest mistakes parents make at the start of a new school year and, interestingly enough, each of them converts easily into a best practice for your team to consider when building and maintaining your organization's information security and compliance programs.

You have an excellent PCI Team Coordinator who has handled your compliance efforts for almost 10 years. What happens if that staff member tells you they have accepted another position or are taking early retirement? Depending on the new role, they may not be available to train their replacement. Now what?

When it comes to PCI compliance, a number of factors come into play for remote merchant environments. It is important to confirm which merchants are collecting payments, and how, in order to avoid non-compliant processes and the risk of compromise.

2021 has seen the highest volume of ransomware attacks ever, with global attack volume increasing by 151% in the first six months of the year. With the number of active threats still climbing and no sign of a slowdown, where should organizations look first to address vulnerabilities and prevent these attacks?

With so much focus on training and reminding employees to report, report, report, have you overlooked the next step? What process is followed once that initial report of a suspicious incident or potential compromise reaches your designated help desk?

Beginning in 2021, contracts offered by the DoD can specify a required CMMC level that the recipient must achieve in order to be awarded the contract. The plan is to phase CMMC requirements into DoD contracts gradually, so that by 2026 all active contracts require CMMC certification. How do you determine which CMMC level you must achieve?

All organizations that process, store, or transmit cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). How organizations attest to that compliance to their acquiring banks can differ, but there are two standard methods: the Self-Assessment Questionnaire (SAQ) and the Report on Compliance (RoC).

Many organizations have transitioned away from traditional analog phone lines to Voice over Internet Protocol (VoIP). On a VoIP network, voice calls are converted into packets of data that traverse your IP network. If you have merchants accepting cardholder data over a VoIP telephone, this can unfortunately expand your organization's PCI DSS scope.

Before a department or unit decides to purchase a product or service from a third-party vendor that will access, process, or maintain sensitive organizational information, your organization should have a defined policy and process requiring that the vendor comply with all applicable information security and privacy laws, regulations, and organizational policies. All third-party vendors and systems should undergo a thorough security review before approval.

While Human Resources may not play a significant role in the assessment overall, NIST SP 800-171 Security Requirement 9 (Personnel Security) contains controls that must be implemented and that, usually, only HR staff can answer.

The release of PCI DSS v4.0 was initially planned for Q2 of 2021; however, after the initial drafts and request for comment (RFC) periods, the PCI Security Standards Council (SSC) decided to allow additional feedback on supporting documents such as the Self-Assessment Questionnaires (SAQs).

The Ponemon Institute's 2020 report, Costs and Consequences of Gaps in Vulnerability Response, revealed that most organizations' vulnerability management programs are not mature. Here we look at ongoing vulnerability management as part of the Payment Card Industry Data Security Standard (PCI DSS).

Annual audits are coming, and all signs point to a continued focus on protecting student financial information. We know student financial aid information must be protected, but what other information falls under the GLBA umbrella, and where can this data be found across campus?

Did you know that in 2020 a new organization became a victim of ransomware every 10 seconds? According to Verizon's 2020 Data Breach Investigations Report, ransomware accounted for approximately 80% of incidents reported in the educational services sector in 2019, a 48% increase from the previous year.

It is now more important than ever for organizations to ensure that all service providers are properly vetted, that the appropriate contracts and agreements are in place, and that the relationships are monitored and assessed on an ongoing basis.

With shrinking budgets and limited resources, many organizations hesitate to schedule a penetration test because they realize that, once the test formally documents the holes in their environment, they will not be able to dedicate adequate resources to fixing them. Learn the key points to consider if your organization is struggling to justify a penetration test:

Attackers are increasingly targeting endpoint devices because they are often less well secured and are likely to store valuable, sensitive data. Reports show that 70% of security breaches originate at endpoint devices, through avenues such as phishing, compromised credentials, or out-of-date systems.

Organizations are constantly changing processes and adding new vendors, devices, cloud services, and applications to their environment. How can your organization ensure that every department operates with at least the minimally accepted security controls in place?

Email is consistently the number one entry point for information security threats, with 90% of breaches beginning with an email attack. How do you protect those accounts before they are phished?

Because colleges and universities are expected to remain targets of hackers, the U.S. Department of Education has emphasized the importance of taking appropriate measures to protect sensitive data and now includes the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule audit objective in the federal single audit process. Learn the GLBA Committee's roles and responsibilities.

During the initial evaluation of a potential third-party partner, merchants should understand the requirements in your organization's policy and the process for conducting vendor security evaluations. Unfortunately, some vendors may attempt to sidestep the request if they believe they are not required to comply.

New internal and external threats are constantly emerging, and hackers are identifying new ways to infiltrate networks via phishing scams, malware, and ransomware. The report detailed ten common data security mistakes.

We tend to focus a lot of attention on third-party payment applications and e-commerce websites because of the increased risks and recent data breaches, but what about those third-party vendors physically residing on your campus?

Asking for forgiveness, not permission, does not apply when it comes to PCI. As part of your organization’s PCI compliance program, you must have a defined process for establishing a new merchant account or a new payment process.

Whether you are transitioning to a new bank as part of a larger system or state contract, or you have contemplated shopping around for other options internally, there are several key factors that should be considered as part of your decision.

Just last week, the FBI, CISA, and HHS released a warning to healthcare providers of an imminent attack, reminding providers to take reasonable precautions to protect their networks. These agencies stressed the importance of having documented business continuity plans in order to minimize service interruptions in the event of an attack.

For colleges and universities involved in R&D, the move from DFARS to CMMC is big news. The Cybersecurity Maturity Model Certification (CMMC) is enforced by the US Department of Defense (DoD) and builds upon the existing Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

Typically, an organization's most important security perimeter is the corporate firewall and related infrastructure, but with workers now at home, the most important line of defense really does become the people themselves.

Humans are the weakest link.

With the ever-expanding use of 5G, major network providers have begun announcing that they will soon phase out their 3G networks. Merchants using cellular payment card terminals will need to upgrade to at least 4G-capable devices in order to retain the network support and coverage necessary for payment card acceptance.

PIN Transaction Security (PTS) devices are the devices merchants use at the point of interaction to capture payment card data and confirm receipt of transaction approval. Approved PTS devices may be required by the card brands in order to protect against fraud and ensure the secure entry and transmission of account data.

With students now spending most of their day online, it is never too early to teach cyber awareness to the next generation. Schools can help by mitigating ongoing cybersecurity risks and building information security best practices into their distance learning plans.

When you consider the complex environments of campus-based organizations, which must manage multiple merchants with different payment channels across different locations, it is easy to understand how difficult year-round compliance can be. Learn how Drexel and Tufts Universities accomplish it.

Organizations worldwide have had to quickly figure out how to function with their entire staff working remotely, and now the focus is shifting to how, or even if, we can safely re-open. With these more urgent priorities, many organizations were forced to take a risk-based approach to compliance. What has been the impact on requirements?

The number of insider incidents has been gradually decreasing since 2016; however, the numbers are still staggering. The decrease has been largely attributed to increased employee education, but what exactly are the training requirements under the Health Insurance Portability and Accountability Act (HIPAA)?

Read some of the highlights and key findings from the recently released Australian National Data Breach Report.

Many organizations utilize third-party vendor solutions to help outsource compliance and security responsibilities, but a breach of a third-party’s systems can still cause a significant headache and reputational damage for your organization.

Having performed numerous remote assessments, CampusGuard has documented best practices for achieving the desired outcome.