Monthly Archives: July 2009

The Simplicity of PCI, and the best way to complicate it!

OK folks, bring on the love.  Ready?  I’m going to stick my neck way out there. PCI is easy. *GASP* OK, taking a company that ignored security (or only focused on one particular element of a good security program) to compliance is hard, painful, and will result in lots of kicking and screaming and other tantrum-like actions.  Why?  See this post. But take PCI DSS on the surface.  It’s prescriptive (potentially overly so in some cases), it is based on a good, common set of security practices that, quite frankly, you should already be doing, and its impact on your organization can be limited dramatically depending on how you approach it.  If you look at the high-level twelve ...

MasterCard Fines Start NOW

On Monday, I told you all about a MasterCard fine schedule, but I was unsure of when it was going to start.  Well, as it turns out, Level 2 and 3 merchants are being fined NOW, not sometime after the December 2010 date. That’s right, some Level 2 merchants have already received their first $25K fine from MasterCard under the new fine program. Apparently, that’s how many of the acquirers found out about the program!

Fun Times with Encryption

Time for a throwback!  This year, I posted my new article “The Art of the Compensating Control” over a three-week period back in April.  A reader recently contacted me about a claim I make in Part 4 of the posting.  He says: “In your April 2009 blog The Art of the Compensating Control (Part 4) Tax Day special, you stated that using the random function in COBOL to generate your key was, in a sense, ‘a really bad idea’.  I have no knowledge of encryption, so I don’t see the fault with the process.  How would this be equivalent to only 53 bits of encryption?” Excellent question!  The basis of this post relies on a tool by Mandylion Labs ...
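The reader’s question above is really about effective key strength: a key pulled out of a general-purpose random function is only as unpredictable as whatever seeded that function, no matter how many bytes you ask it for. The following is an added illustration, not code from the post and not a reproduction of the 53-bit figure or the Mandylion Labs tool it refers to. It stands in Python’s `random` module for COBOL’s random function, and assumes (purely for the demo) a 16-bit seed space so the brute force finishes in well under a second; the message and seed are constructed values.

```python
"""
Added example (not from the original post): a key derived from a seeded
general-purpose PRNG is only as strong as its seed, so an attacker who
knows the derivation can recover it by enumerating seeds.
"""
import hashlib
import hmac
import random
import secrets

KEY_BYTES = 16   # a nominal 128-bit key
SEED_BITS = 16   # assumption for the demo: a deliberately small seed space


def key_from_prng(seed: int, key_bytes: int = KEY_BYTES) -> bytes:
    """The anti-pattern: seed the language's random function and pull key bytes out.

    Python's Mersenne Twister stands in for COBOL's random function here; the
    lesson is the same for any non-cryptographic generator with a small seed.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(key_bytes))


def key_from_csprng(key_bytes: int = KEY_BYTES) -> bytes:
    """The fix: draw the key from the OS cryptographic random source."""
    return secrets.token_bytes(key_bytes)


def tag(key: bytes, message: bytes) -> bytes:
    """Something an attacker can observe that depends on the key (an HMAC here)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def effective_key_bits(seed_bits: int = SEED_BITS, key_bytes: int = KEY_BYTES) -> int:
    """Effective strength is bounded by the seed entropy, not the key length."""
    return min(seed_bits, key_bytes * 8)


def recover_seed(message: bytes, observed_tag: bytes, seed_bits: int = SEED_BITS):
    """Brute force: re-derive the key for every possible seed and compare tags.

    Returns the seed if the key came from key_from_prng with a seed in range,
    or None (e.g. for a CSPRNG key, which is not in this tiny search space).
    """
    for seed in range(1 << seed_bits):
        candidate = key_from_prng(seed)
        if hmac.compare_digest(tag(candidate, message), observed_tag):
            return seed
    return None


if __name__ == "__main__":
    msg = b"constructed sample message"      # constructed, not captured data
    weak_key = key_from_prng(12345)          # constructed seed for the demo
    print("nominal key bits:", KEY_BYTES * 8)
    print("effective key bits:", effective_key_bits())
    print("recovered seed:", recover_seed(msg, tag(weak_key, msg)))
    strong_key = key_from_csprng()
    print("CSPRNG key recovered?:", recover_seed(msg, tag(strong_key, msg)))
```

The 128-bit key is never attacked directly; only 2^16 seeds are tried. Scale the seed to a 32-bit clock value and it is still a few minutes of CPU, which is the point the post makes about the COBOL random function.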

MasterCard to Fine Merchants for Non-Compliance

OK, SOMEONE out there has some explaining to do. Like, right now.  Who poked MasterCard hard enough to wake them from hibernation? When it comes to actions against merchants, MasterCard has typically been much quieter than Visa.   We’ve had several customers come to us with new fines from MasterCard that will begin sometime in the next 18-21 months, starting NOW. Why the ambiguity?  None of our customers seem to have a date when the fines start!  This is a huge assumption here, but I will suggest that the fines would start after the 2010 deadlines for Level 1 & 2 merchants. Revisiting those deadlines, Level 1 & 2 merchants must produce a Report on Compliance from a QSA by December ...

The Breach You Didn’t Expect

Portions of this post originally appeared in the March 2009 issue of the ISSA Journal. We just got our first severe weather scare of the year in Texas. A tornado was reported less than five miles from my house by spotters on February 11th. Some of my customers have facilities in Tornado Alley and have heavily fortified their data centers to take a direct hit by a tornado. Usually, the secondary data center is also in Tornado Alley. Why would you put two data centers in harm’s way? When you run the probability calculations, the likelihood of both being destroyed is about the same as an intersection in Montana having a Starbucks on every corner ((OK, I’m going out on ...

Guest Post: HITECH Alters HIPAA—Will HIPAA be ‘Hip’?

The following is a guest post by Bindu Sundaresan, a consulting manager in our Risk & Compliance consulting practice. With the current “non-stimulating” economy, there is a lot of talk about the “stimulus” bill, which is impacting all areas of the US economy. One such impact is the reason for today’s blog post. A portion of the new economic stimulus bill, called the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), will have a significant impact on the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This new law revives HIPAA (which has been around for over a decade), but which has many a time gone unnoticed or not strongly enforced, with no incentive to comply, amongst the other ...

Why PCI DSS is a good thing for YOU!

You know, it’s kinda funny.  Everywhere I go, I see how polarizing PCI DSS is.  If you deal with PCI often, think about your interactions with others when discussing PCI.  This is a response you have probably never heard: “Well, that PCI thing is OH-KAY.  I’m not really thrilled one way or the other…” More likely it was something like “That F&*@ing PCI DSS!  I hate it!” or “God bless those PCI DSS Overlords for giving me a stick to whip my company into shape!”  I tend to hear the former much more than the latter, but that demonstrates the wide difference in corporate cultures faced with PCI DSS. Those of you screaming and complaining about PCI should stop for ...

Requirement 11.2 Follies

Why is Requirement 11.2 one of the most failed requirements for merchants and service providers alike? Requirement 11.2 has shown up here a few times, but looking back, I never really explored the issues in detail.  Those who have been unfortunate enough to attend one of my sessions where this topic came up know where you can make a mistake. Requirement 11.2 mandates quarterly vulnerability scans of all hosts in scope for PCI, both internal and external.  Scope reduction techniques like network segmentation can do wonders for limiting what needs to be scanned, and they make the biggest impact internally, where the in-scope host count is usually largest.  In one of my case studies, I talk about a customer that reduced the number of in-scope systems to less than 1% of ...

Guest Post: Is it better to be secure, or appear secure?

The following is a guest post by Matt Wilgus, Technical Services Practice Manager for VeriSign’s Global Security Consulting group. While the aforementioned question rarely gets formally asked, it is a decision information security offices deal with all the time. Often the security office also handles compliance initiatives. Given limited resources, is it better to comply with requirements, if the opportunity cost is a project which could bolster security but not meet compliance initiatives? If an organization is secure, then the organization should likely appear secure; however, this is not always the case. The extent to which an organization is secure is open to perception and often boils down to risk tolerance and risk acceptance. However, what really drives tolerance ...

Guest Post: The DNA of Compliance

The following is a guest post by Shaun Fothergill, the EMEA Practice Manager for VeriSign’s Global Security Consulting group. The tidal wave of regulatory compliance issues has intimidated the brave and petrified the frail; those who once paid lip service to these issues are now looking for very serious answers to very serious questions. How do I comply? What do I need to do? What will it cost me? How do I stay compliant? The problem is that there are so many regulatory issues we need to consider, and each of them seemingly has its own security nuance that needs to be addressed. Listed below are just some of the compliance issues businesses need to take into account: Data Protection ...
