NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations (NIST SP 800-53 or NIST 800-53), establishes an information security standard for the federal government.

Specifically, NIST 800-53 establishes security controls and privacy controls for federal information systems and organizations excluding those involved with national security.

The goal of NIST SP 800-53 is to protect operations, assets, individuals, organizations and the United States from a diverse set of cyber threats such as hostile attacks, human error and natural disasters.

The controls are written to be flexible and customizable to aid organizations in implementation.


Vendor risk management is hard. And it’s getting harder. But it doesn’t have to be.

Business units are outsourcing more of their operations to third-party suppliers. In turn, these suppliers outsource to their own service providers. It’s undeniable, the average organization’s exposure to third-party risk and fourth-party risk has never been higher.

Outsourcing will always introduce some level of cybersecurity risk, but a good vendor risk management program can mitigate that risk and prevent data breaches and data leaks.

Many organizations myopically focus on operational risk factors in their supply chain, such as service levels, quality standards, KPIs and service levels…

The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) or Senate Bill 5575, was enacted on July 25, 2019 as an amendment to the New York State Information Security Breach and Notification Act. The law goes into effect on March 21, 2020.

The motivation behind the SHIELD Act is to update New York’s data breach notification law to keep pace with current technology. The bill broadens the scope of information covered under the notification law and updates breach notification requirements when there has been a breach of data.

It also broadens the definition of a data…

There are many SecurityScorecard alternatives that offer the same core functionality your organization needs to successfully manage first-party, third-party and fourth-party risk.

SecurityScorecard is one of the most well-known security ratings platforms but let’s look at an alternative and see how they stack up. These security ratings providers are promising to reduce cybersecurity risk by continuously monitoring the security posture of any company in the world, instantly and non-intrusively.

If you are new to the space, here’s the general idea.

SecurityScorecard is a provider of security ratings that promises to use a proprietary, non-intrusive signal collection process that gathers as much…

An organization’s security posture (or cybersecurity posture) is the collective security status of all software, hardware, services, networks, information, vendors and service providers.

Your security posture encompasses information security (InfoSec), data security, network security, penetration testing, security awareness training to prevent social engineering attacks, vendor risk management, vulnerability management, data breach prevention and other security controls.

Alongside your IT security team, these cybersecurity strategies are designed to protect against security threats, prevent different types of malware and cyber crime and stop the theft of intellectual property.


When it comes to protecting sensitive data, preventing data breaches and detecting cyber attacks, you need a way to track whether you’re meeting your goals.

Key performance indicators (KPIs) are an effective way to measure the success of your cybersecurity program and aid in decision-making.

According to PwC, just 22 percent of Chief Executive Officers believe their risk exposure data is comprehensive enough to form decisions. Alarmingly, that figure hasn’t changed in 10 years. The EY Global Information Security Survey supports this, with only 15% of organizations saying their information security (InfoSec) reporting fully meets their expectations.


The CIS Critical Security Controls are a prioritized set of actions for cybersecurity that form a defense-in-depth set of specific and actionable best practices to mitigate the most common cyber attacks. A principal benefit of the CIS Controls is that they prioritize and focus on a small number of actions that greatly reduce cybersecurity risk.

While initially developed by the SANS Institute and known as the SANS Critical Controls, the CIS Controls are now managed by the Center for Internet Security and developed by a community of experts who apply their experience as CISOs and security professionals, creating globally accepted…

The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD) is a new law that was passed by the National Congress of Brazil on August 14, 2018 and comes into effect on August 15, 2020.

The LGPD creates a legal framework for the use of personal data of individuals in Brazil, regardless of where the data processor is located. It is closely modelled after the European Union’s General Data Protection Regulation (GDPR) and, like GDPR, the LGPD has far-reaching consequences for data processing activities in and outside of Brazil.


Vulnerability management is the process of identifying, evaluating, prioritizing, remediating and reporting on security vulnerabilities in web applications, computers, mobile devices and software.

Continuous vulnerability management is integral to cybersecurity and network security and is on the Center for Internet Security’s (CIS) list of basic security controls, citing that organizations need to “continuously acquire, assess, and take action on new information in order to identify vulnerabilities, and to remediate and minimize the window of opportunity for attackers.”

In short, vulnerability management provides organizations with a process to identify, prioritize and remediate possible attack vectors and minimize their attack surface.


The California Consumer Privacy Act (CCPA) or AB 375 is a new law that became effective on January 1, 2020, designed to enhance consumer privacy rights and protection for residents of the state of California by imposing rules on how businesses handle their personal information.

The CCPA is the most extensive consumer privacy legislation to pass in the United States and is akin to the European Union’s General Data Protection Regulation (GDPR) and other data privacy laws and privacy regulations.

The bill was put together in seven days to avoid a ballot initiative to pass an even stricter law that…

UpGuard — UpGuard combines third-party security ratings, vendor questionnaires, and threat intelligence in a single cyber risk solution.
