HIPAA Security Rule for dummies

HIPAA (Health Insurance Portability and Accountability Act) is a 1996 federal law that seeks to protect the medical information of patients. To achieve this, it lays down certain compliance requirements for covered entities. In the context of HIPAA, covered entities are the organizations to which HIPAA applies. Under Title II of this act, the US … Continued

PCI DSS ASV scanning explained for dummies

Organizations across the globe are increasingly adopting PCI DSS to demonstrate that they securely store payment card data. The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements laid down by the PCI SSC (PCI Security Standards Council). Over the years, PCI DSS has become a reasonably expected compliance … Continued

How to choose a PCI DSS penetration testing partner?

Cyber attacks are getting increasingly sophisticated and complex. An organization cannot sit back and wait for a security incident to occur before taking any action. Modern-day organizations need to adopt proactive as well as reactive measures to minimize cybersecurity risks comprehensively. Penetration testing is one such proactive measure that helps an organization identify vulnerabilities … Continued

Are free PCI ASV scans possible?

Requirement 11.2 of PCI DSS states that a covered entity should conduct quarterly external scans and rescans via an Approved Scanning Vendor (ASV). An ASV is a company qualified by the PCI SSC to conduct external vulnerability scanning services in line with PCI DSS Requirement 11.2.2. For a vendor to be designated as an ASV, the PCI SSC’s ASV … Continued

Who needs PCI ASV scans and why?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of operational and technical requirements prescribed by the PCI Security Standards Council (PCI SSC). This standard applies to all entities that store, process, or transmit cardholder data. The PCI SSC maintains the PCI DSS standard and oversees its enforcement. Over the years, PCI DSS has achieved the … Continued

PCI DSS compliance for your Azure hosted SaaS

Cloud computing has brought about a paradigm shift and transformed how organizations across the globe offer their services. Instead of setting up physical infrastructure, most organizations prefer moving to a cloud environment for on-demand access to resources. Cost-effectiveness and minimal management overhead further push SaaS providers to rely on cloud infrastructure, as compared to physical … Continued

FCA Penetration Testing

Compliance responsibilities of businesses cover various national, regional, and industry-specific laws and regulations. In our previous posts, we have discussed the penetration testing and vulnerability scanning requirements for complying with ISO 27001, PCI DSS, and NIST 800-171. In this article, we will be discussing penetration testing for FCA and how BreachLock helps its clients in … Continued

HITRUST Compliance for Dummies

HITRUST stands for Health Information Trust Alliance. This alliance has defined and established a CSF – Common Security Framework. This framework can be used by organizations that access, store, create, or exchange either regulated or sensitive data. The framework has a set of prescriptive controls that harmonize the requirements of many standards and regulations in one place. Background Story … Continued

PCI DSS Compliance for SaaS Companies – An Overview

An increasing number of Software-as-a-Service (SaaS) providers are now involved in the transmission and storage of cardholder data. Even if they do not actually process the data, merely storing or transmitting it brings such SaaS providers under the scope of PCI DSS compliance. In this article, we explore what PCI DSS compliance means for … Continued

Benefits of Automated Penetration Testing tools

Automated penetration testing plays an important role in a security analyst’s arsenal. As part of an organization’s overall security strategy, penetration tests quickly evaluate the existing security maturity of its technical infrastructure. However, one cannot rely solely on automated penetration tests; their results must be monitored by the internal security team. Defining automated penetration testing When … Continued