Monthly Archives: Oct 2017

QSA’s are friendly… As long as you pick the right one… (Part 2)

QSA Partner. Continuation from Part 1…

Selecting a QSA partner

Back to the joys of selecting a QSA partner! I know when I contact them they are all going to want to know a lot of details about my business, including technical configurations. This is because a PCI audit, like many other audit frameworks, needs to verify the policy and configuration details of just about every component of your business and networks to properly scope the amount of work for your environment. This includes everything from the standard server image hardening process to firewalls, antivirus, change management, software development, physical access, visitors, vendors, policies, etc.


NIST 800-171 requirements for contractors

Meeting NIST Requirements while using SaaS Software.

December 31, 2017: Organizations who process, store, and transmit Controlled Unclassified Information (CUI) need to comply with NIST Special Publication 800-171. The question organizations need to consider is what this means for their SaaS applications. How do you do it in the “bring your own cloud” (BYOC) world we live in? I am going to walk you through the critical things you need to think about for SaaS applications as you go through this.


QSA’s are friendly… As long as you pick the right one… (Part 1)

It’s that time again. Yes, time to find this year’s auditor. You’d think that after 10 years of contacting, meeting with, planning and doing in-depth Level 1 audits for multiple customers per year, for ZZ Servers, a managed private cloud provider for PCI & HIPAA businesses, finding a Qualified Security Assessor (QSA) to work with would be easy. Maybe it would be especially easy because, before ZZ, I was a PCI QSA doing the Level 1 audits, code reviews and penetration tests myself!
