Cybersecurity Risk Management & Compliance at Drata

Here is a quick roundup of recent significant changes in the compliance world.

🔐 #PCI v4.0 published in March 2022
-Two-year transition period. PCI v3.2.1 will be retired on March 31, 2024.
-64 new requirements: 51 new requirements are "best practice until March 31, 2025" and 13 new requirements are "effective immediately for all v4.0 assessments".
-Two validation methods: "Defined Approach" and "Customized Approach".
-Defined Approach: traditional method for implementing and validating PCI DSS and uses the Requirements and Testing Procedures defined within the standard.
-Customized Approach: allows entities to meet a requirement's control objective in a way that does not strictly follow the defined requirement.

🔐 #ISO27002 updated to the 2022 version in February 2022
-Controls are categorized as Organizational, People, Physical, and Technological.
-Attributes tied to controls: Controls Type, Information Security Properties, Cybersecurity Concepts, Operational Capabilities, Security Domains.
-Control number reduced to 93.
-11 new controls, 24 controls merged, 58 controls reviewed and revised.
-Transition period being determined.
-ISO 27001:2013 will be updated accordingly within the near future to reference ISO 27002:2022.

🔐 #HITRUST released Version 9.6 and new assessment options in December 2021.
-Version 9.6 includes revisions of the NIST 800-53 r4 mapping, updates to requirements for the new i1 option and various updates to the CSF.
-Three Assessment Options: "bC Assessment", "i1 Validated Assessment", "r2 Validated Assessment".
-bC is a self-assessment and i1 and r2 are external assessments.

🔐 #SOC2 attestations must follow SSAE No. 21, effective for reports dated on or after June 15, 2022.
-Updated "AT-C section 205", forcing CPA firms to add a statement to the report indicating they are independent.
-SOC 2 TSC will not be updated.

🔐 #CMMC 2.0 announced in November 2021
-Changes will be implemented through the rulemaking process.
-DoD is exploring opportunities to incentivize contractors to voluntarily obtain a certification in the interim period.
-Level 1 will be an annual self-assessment of 17 practices. Level 2 will either be a triennial C3PAO assessment or an annual self-assessment of the 110 NIST 800-171 controls. Level 3 will be a triennial government-led assessment of the NIST 800-171 controls + TBD selected NIST 800-172 controls.

🔐 #SEC proposed rules in March 2022 for disclosure of the following by public companies:
-Information about a cybersecurity incident within four business days after determining if they have experienced a material cybersecurity incident;
-Policies and procedures, if any, for identifying and managing cybersecurity risks;
-Cybersecurity governance, including the board of directors' oversight role regarding cybersecurity risks;
-Management's role, and relevant expertise, in assessing and managing cybersecurity-related risks and implementing related policies, procedures, and strategies.

👀🚨This happened.

A NASDAQ-listed company Verra Mobility called out the following material weakness in their internal control over financial reporting as of December 31, 2021 in their Form 10-K submitted to the SEC.

🤯"Specifically, the third-party service organization, Vena Solutions, provided a SOC 1 Type II report that was prepared by Vena Solutions personnel who falsely asserted that it had been audited by an independent auditor"

It’s pretty hard to fake a SOC 1 report, so my guess is that one or more of the individual auditors that worked on the audit from the CPA firm were not independent of Vena Solutions.

Either way, this has potentially far-reaching implications.

Vena Solutions works with many publicly traded companies…