Though vulnerability scanning is only one of the control requirements in FedRAMP, it is actually one of the most frequent pitfalls in terms of impact to an authorization to operate (ATO), as FedRAMP requirements expect cloud service providers (CSPs) to have a mature vulnerability management program. A CSP needs to have the right people, processes and technologies in place, and must successfully demonstrate maturity for all three. CSPs that have an easier time with the vulnerability scanning requirements follow a similar approach, which can be best articulated by breaking down the expectations into three stages.

**Since the publication of this blog, the FedRAMP PMO has, in 2022, updated the FedRAMP Penetration Test Guidance. Schellman breaks down the latest in our article here.)

Well over a year ago, the PCI Standards Council announced, in addition to other requirements, that a PCI charter would now be required for service providers after January 31, 2018. Few service providers have implemented this yet, but all will soon need one to maintain or achieve PCI compliance.

Are you always concerned with making a good first impression? Do you often feel unsure of how to approach the conversation with a group of people you are meeting for the first time? Don’t worry, it’s common to feel anxious and uncertain in networking situations. When meeting new people, we tend to put a lot of stress on ourselves to shine and come across well, in order to make a connection.

With the General Data Protection Regulation (GDPR) becoming effective May 25, 2018, organizations (or rather, organisations) seem to be stressing a bit. Most we speak with are asking, “where do we even start?” or “what is included as personal data under the GDPR?” It is safe to say that these are exactly the questions organizations should be asking, but to know where to start, organizations first need to understand how the GDPR applies to their organization within this new definition for personal data. Without first understanding what to look for, an organization cannot begin to perform data discovery and data mapping exercises, review data management practices and prepare the organization for compliance with the GDPR.

In the information technology world, there are currently few buzzwords as popular as the term cybersecurity. As CIOs and VPs evaluate the status of their network environment, and decide who will oversee the related processes—including who has the unfortunate task of reporting to the Board

You most likely selected the link to this blog to discover one of two things: 1) how to effectively manage vendor requirements via SOC reports or 2) what the SOC 1/SOC 2 examination requirements are for vendor management. I don’t want to disappoint, so this article will provide you with some knowledge or at least some validation of your current thoughts on the matter.

As you likely know, there are different System and Organization Controls (SOC) report options, such as SOC 1 and SOC 2/SOC 3. What may be lesser known is that within those SOC report options, there are also different types, referred to as Type 1 and Type 2. In other words, the specific use of “Type” as a distinguisher are different specified options for both the SOC 1 and SOC 2 reports.