It’s Time For An Upgrade: Transitioning Your Current ISMS From ISO 27001:2005 To ISO 27001:2013

A new version of ISO 27001 has been issued and if it’s your job to upgrade your company’s ISO 27001 program from 2005 to 2013, we’re here to help.   The standard was revised for a number of reasons including addressing new technology, to comply with the ISO/IEC directive and make compliance simpler for organization that are certified with more than one management system.  So now that you know he why, let’s look at the how. The first thing you’ll want to look at is the deadlines and make a timeline for transition, which will depend on the current state of your ISMS.  The deadlines for transition are as follows:

Read More

Risk. Regulatory. Revenue: The A-LIGN R3 Framework

  You’ve seen the news reports:  56 million debit and credit cards used at Home Depot are at risk from a security breach that happened last month.  An estimated 40 million debit and credit card records were stolen from Target last year.  If security breaches can happen to these multi-billion dollar companies, it can happen to any business.  And they do…all the time.  Security and compliance requirements are ever-changing and it can be a difficult task for any business to keep up.  If you’re navigating the road of uncertainty when it comes to your business and risk, know that you have an ally in A-LIGN.

Read More

Shellshock: Are You at Risk?

By: Stuart Rorer, Senior Consultant and Penetration Tester at A-LIGN It seems with each passing day more and more vulnerabilities are being released, exposing gaping holes in the security of systems across the globe. Last week a security bulletin was released to the public that exposed a new threat, …

Read More

Understanding the PCI Security Standards Council’s Information Supplement on Third-Party Security Assurance

By: Vincent Booker, Senior Consultant at A-LIGN Understanding the PCI Security Standards Council’s Information Supplement on Third-Party Security Assurance: What You Should Be Asking Based on the New Requirements and Guidance. Third-Party Security Assurance As companies expand their reliance on third-party services providers (“TPSP”s) to store, process, or transmit cardholder …

Read More

Does Your SOC Report Address Subservice Organizations Using the Carve Out or Inclusive Method?

By: Peter Clarke, Managing Consultant at A-LIGN A subservice organization is an entity that is used by the service organization to perform some of the services provided to customers (user entities).  An example of a common service provided by a subservice organization would be a company that offers their data center to a cloud provider (the service organization).  The service organization relies on processes and controls implemented at the subservice organization to meet the Control Objectives or Trust Services Principles of the SOC report. When a subservice organization is utilized by the service organization, there are two methods for reporting on the processes and controls at the subservice organization.  First, the processes and controls can be included as a part of the report.  This is the Inclusive method.  Second, the processes and controls can be excluded from the report.  This is the Carve Out method.  Each method requires that the service organization take steps to determine whether controls are in place and operating effectively to meet the needs of the end user (customer).

Read More

How to Differentiate Your Title Agency for Success in a Dynamic Market

By: Blaise Wabo, Senior Consultant at A-LIGN In 2012 the Consumer Financial Protection Bureau (CFPB) released a bulletin related to service providers’ oversight, in which they expect supervised banks and nonbanks (lenders) to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial …

Read More

School’s Back in Session – How to Stay Updated on Regulations

By: Sue Wells, Senior Consultant at A-LIGN One of the most important areas that clients of compliance professionals count on is that their third-party “expert” will stay current on relevant regulations. I’d like to share some of the ways compliance professionals keep current with regulations, which will also work for …

Read More

Understanding the Impact of Testing Exceptions in Type 2 SOC 1 and SOC 2 Reports

By: Ivan Reyes, Senior Consultant at A-LIGN Standards for Attestation Engagements No. 16 (“SSAE 16”) is an attestation standard whereby a service organization’s auditor issues an opinion on a service organization’s internal controls over financial reporting (ICFR). This is delivered in the form of a Service Organization Controls 1 (“SOC …

Read More

3 Step Guide on How To Avoid Data Breaches Through Soft Targets

By: Chris Berberich, Senior Consultant and Penetration Tester at A-LIGN In the real world of budgets and limited personnel, prioritizing security resources is a must. For the majority of companies who depend on IT resources, prioritizing information security resources is based on the significance of an asset to their overall …

Read More