Blog

  • ASV Scanning: Who Needs It and How Often Should It Be Done?

    ASV scanning (Approved Scanning Vendor scanning) is a critical requirement for businesses that handle debit or credit card transactions. The PCI Security Standards Council mandates ASV scanning to identify external vulnerabilities and protect payment systems from cyber threats.

    This requirement goes beyond just merchants. Acquirers (banks), issuers, processors, and service providers must also undergo ASV scanning to ensure they remain PCI DSS compliant. In short, if your business touches payment card data in any way, ASV scans are essential for safeguarding both compliance and security.

  • External Vulnerability Scan: What to Expect During the Process

    An external vulnerability scan is one of the most important steps your organization can take to secure its network perimeter. These scans identify weaknesses before hackers can exploit them, reducing the risk of costly attacks. To put this in perspective, ransomware damage costs exceeded $5 billion last year, a staggering 15-fold increase compared to 2015.

    Under the Payment Card Industry Data Security Standard (PCI DSS), merchants that process, store, or transmit cardholder data are required to conduct external vulnerability scans regularly. Yet many organizations remain unsure about how these scans work, when to run them, and how they fit into PCI DSS compliance. This blog will break down what to expect so you can prepare with confidence.

  • HIPAA Guidelines For Employees

    HIPAA guidelines have been shaping the healthcare industry since the late 1990s, yet many organizations still struggle to comply with their requirements. A common area of concern for covered entities is the protection of patients’ protected health information (PHI). Failing to safeguard this sensitive data can lead to serious consequences, including data breaches, identity theft, fraud, loss of patient trust, fines, and even legal action.

    One of the main reasons for HIPAA non-compliance is human error. Employees may unintentionally expose PHI due to a lack of understanding, training, or awareness. While these mistakes are rarely malicious, the U.S. Department of Health and Human Services (HHS) does not accept ignorance as an excuse. That’s why it’s essential to ensure that all team members follow proper HIPAA guidelines for employees and understand their responsibilities in protecting patient information.

    Learn more about our HIPAA guidelines for employees to strengthen compliance and protect your organization.

  • How to Prepare for Cybersecurity Maturity Model Certification (CMMC)

    The Cybersecurity Maturity Model Certification (CMMC certification) is designed to simplify compliance for companies handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the Department of Defense (DoD) supply chain. For a detailed explanation of what qualifies as CUI, refer to the Organization Index Grouping of Defense.

    Currently, Draft v0.7 of the CMMC is available, with the final version (v1.0) expected in January 2020. Companies are encouraged to review v0.7 to begin preparing for the level of DoD CMMC certification required for project bids.

    Draft v0.7 is accessible online in its entirety. Below is a concise summary of its contents, along with insights from Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, as presented in her webinar “What Contractors Need to Know About DoD’s CMMC” (July 17, 2019). Note: You must be signed in to view the webinar.

    During the webinar with the Professional Services Council, Katie Arrington highlighted that losses from inadequate cybersecurity controls leading to CUI breaches amount to over $600 billion annually. While achieving DoD CMMC certification may incur costs, the long-term savings outweigh these expenses. Additionally, the government considers CMMC certification costs as allowable expenses in its bidding process. The Request For Information (RFI) and Request For Proposal (RFP) Sections L and M outline the required level of CMMC certification, which can determine eligibility for project bids.

  • Safe Harbor Provisions Under HIPAA Explained

    Businesses within and adjacent to the healthcare industry must follow stringent controls to safeguard the class of data known as “protected health information” (PHI). Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), de-identification is one central protection element. An option available to businesses that need HIPAA compliance is an approach called “HIPAA safe harbor.” Read on to learn the safe harbor provisions under HIPAA and how to implement them in your healthcare business.

  • A Beginner’s Guide to the CMMC 2.0 Requirements

    If your organization plans to work with the Department of Defense (DoD), understanding CMMC 2.0 requirements is the first step toward achieving compliance. These requirements are designed to protect sensitive federal information and are organized into three maturity levels, each with increasing cybersecurity expectations:

    Level 1 – Foundational
    Focuses on basic safeguarding practices to protect Federal Contract Information (FCI).

    Level 2 – Advanced
    Includes more detailed requirements aligned with NIST SP 800-171 to protect Controlled Unclassified Information (CUI).

    Level 3 – Expert
    Represents the highest maturity level, emphasizing advanced cybersecurity practices and alignment with DoD’s most stringent security requirements.

    This beginner’s guide explains what each CMMC 2.0 level means and outlines how organizations can start preparing for compliance.

  • Top Advanced Persistent Threat Solutions

    Companies seeking lucrative contracts with the US Department of Defense (DoD) need to keep their cyber defenses up to date. That’s why the final two CMMC Level requirements focus mainly on advanced persistent threat solutions, addressing the biggest and most complex threats to the Defense Industrial Base (DIB) sector.

  • PCI DSS Network and Data Flow Diagrams | Compliance Guide

    PCI DSS network and data flow diagrams play a critical role in visualizing how cardholder data moves into, through, and out of your organization’s systems.

    These diagrams not only help you identify where sensitive payment information is stored, processed, or transmitted but also support compliance with PCI DSS requirements. By mapping data flows, organizations can strengthen their cardholder data environment (CDE) and detect potential vulnerabilities or unauthorized network traffic before it leads to a breach.

  • Why Most CMMC Level 2 Failures Come Down to Documentation, And How to Fix It

    Most organizations fail CMMC compliance at Level 2 not because their security controls are weak, but because their documentation doesn’t clearly prove the controls exist, function correctly, or are consistently followed.

    Many teams underestimate this critical detail. Documentation isn’t just “paperwork”; for CMMC compliance, it is the audit itself. If you can’t show a repeatable process, policy, or record on demand, assessors will likely mark controls as Not Met.

    In this article, we’ll explain why documentation is often the silent deal-breaker for CMMC Level 2 and share practical steps to fix it quickly.

  • How to Prepare for PCI Secure Software Compliance

    There are four critical pillars to successful preparation for PCI Software Compliance. These steps help organizations align with the PCI Secure Software Framework (SSF) and meet all requirements for validation:

    1. Understand the scope of PCI SSF — This includes both component frameworks to ensure complete coverage.

    2. Meet the Secure Software Standard requirements — Address all mandatory controls to protect payment applications.

    3. Implement the Secure Software Lifecycle (Secure SLC) — Establish ongoing governance and security practices for long-term compliance.

    4. Conduct a compliance assessment — Validate readiness with a qualified PCI-listed assessor to achieve certification.
