Monthly Archives: February 2011

Security as a Service ≠ Securing the Cloud

What a week! The 20th RSA Conference is over and it was great to see the masses back out at the Moscone again. I don’t think it’s been this big in a while, but if the parties are any indication, companies are spending money again. I want to say congrats to all the Social Security Blogger Awards nominees and winners! The selection committee did a great job this year selecting a group of absolutely fantastic individuals. Also, thank you to Securosis for putting on the Disaster Recovery Breakfast. That was much needed, and it also was a place for Anton & I to plan out the 3rd edition of our book! Wait until you see what we have in store ...

Dave Hogan Leaves the NRF

Yep, it’s true. Looks like Dave is moving on for a more “traditional industry position.” In honor of Dave leaving his long tenure, I wanted to revisit my favorite five posts about Dave Hogan: Why the NRF is Dead Wrong The NRF Goes Past Where the Sidewalk Ends The Blame Game Review of PCI Congressional Hearing For the Record, I Love Dave Hogan! Blue skies, Dave, and enjoy!

Seven Deadly Sins of a QSA (THE END)

QSAs are human, and humans make mistakes. Over the last several posts we have discussed seven deadly sins committed by QSAs, shown examples of what those mistakes look like, and given you guidance for how to avoid them or navigate your way through them if you find yourself in the middle of one. If you must comply with PCI DSS, one of the best investments you can make in your people is to put them through the same training QSAs go through and have them certified as Internal Security Assessors (ISAs). This way, you will have an additional check to know if a QSA is making one of these (or other) mistakes and have a chance at catching them before ...

Seven Deadly Sins of a QSA (Part 16)

Sin #7 – Bowing to Threats about the Future Remember when we discussed consulting being a people business? The last sin we will cover is actually one that can be committed by either party. Maybe more accurately, committed by the QSA, but enabled by the assessee. QSAs sometimes give in to someone who says, “If you don’t mark this as compliant, I am giving my business to someone else.” I’m not talking about a contract issue or some other incidental dispute during the assessment, I’m referring to the rigor of the assessor being used as a bargaining chip. It’s My Way or the Highway As an assessor, I’ve been threatened like this multiple times over my career. Having someone in ...

Seven Deadly Sins of a QSA (Part 15), Be My Valentine?

Sin #6 – Q/A Tunnel Vision The Quality Assurance (Q/A) program is in full swing at the PCI Security Standards Council. After companies started taking PCI DSS seriously and retaining QSAs, merchants and service providers realized that not every QSA interpreted requirements the same. One of the biggest complaints about the QSA community is variance in interpretation on key items that could impact the cost of compliance—positive or negative. The Q/A program was announced at the 2008 PCI Community Meeting1 and began to take effect shortly thereafter. QSAs were put on the remediation list as early as 2009. Myopic Assessment Views The objective of the Q/A program was to decrease the variance in interpretation among QSAs and increase the overall quality ...

Seven Deadly Sins of a QSA (Part 14)

Good PCI DSS, Bad Infosec Foundation You may also find that QSAs do not understand your environment thoroughly enough to make an accurate compliance call. More executives are telling me their recent QSAs struggle when assessing complex technology implementations. QSA work isn’t sexy like it used to be. Back in the day, my favorite projects involved helping companies rebuild their network to include security to close PCI DSS gaps. I solved complex problems involving hundreds of people, thousands of machines, and millions of dollars. It was taxing on my brain, but I absolutely loved the challenge! Solving PCI problems five years ago required considerable knowledge of how business processes and technology fit together. Most companies facing PCI DSS today are ...

Seven Deadly Sins of a QSA (Part 13)

Sin #5 – The FNG The Flipping New Guy (FNG) causes havoc wherever he goes. He also goes by the Pimply-Faced Youth (PFY) in some circles, and is often labeled as having the talent to tame a lion, but the experience to raise a hamster. He’s the guy that just went to new QSA training, passed his test, and showed up to do some good, old-fashioned assessing! Three Days of Ground School One summer, well after I became a QSA, I earned my private pilot certificate. If you ask my wife, she will tell you she remembers me babbling all of these fantastic1 bits of knowledge that I was learning every day, and passing the time in the evening with at ...

Visa Allows Non-US EMV Merchants to Forego PCI Assessments

Interesting note from Visa yesterday. They have given non-US merchants an escape hatch (Visa Europe’s version is here and differs from the Visa Inc. version in several ways) for validating PCI DSS compliance annually if they meet four specific requirements: The merchant must have validated PCI DSS compliance previously or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance based on a gap analysis. Visa Europe provides a separate procedure: Merchant must have: previously satisfied PCI DSS compliance validation by completing milestones 1-4 of the Payment Card Industry’s Prioritised Approach for PCI DSS OR have previously completed milestone 1 of the Payment Card Industry’s Prioritised Approach for PCI DSS and conducted a PCI DSS gap analysis against milestones ...

Seven Deadly Sins of a QSA (Part 12)

How to Avoid the Buddied-Up QSA If you are lucky enough to have one, it’s hard to avoid his impact. It could get even worse if the guy is also drunk with executive-sponsored power. When I was a buddied-up QSA, I told those managers to get a meeting together with the executive and discuss the technical and business constraints they faced. I also instructed them to make sure they do their homework. Don’t whine, and don’t focus on why you shouldn’t meet her standard. Bring everything to the table that is required to meet the executive’s directive. This should include any capital expenditures like hardware, software, and costs of people time, as well as soft costs such as lost productivity, ...

Seven Deadly Sins of a QSA (Part 11)

Sin #4 – Buddying Up with an Executive Consulting is a people business. People buy knowledge, skills, and services delivered by other people. Unlike a product business, you can’t guarantee that each unit is exactly the same, even from the same person. And also unlike a product business, the consultant interfaces on a human level with various members of the executive staff. Strange things can happen when QSAs buddy up with executives. Let’s explore a situation near and dear to me. My Standard > PCI DSS Executives act different after someone suspects a security breach has happened on their watch. All of the sudden, they get religious and grow a tiny, beating security heart inside their otherwise empty chest. This ...
