Monthly Archives: March 2011

The Lack of Understanding in QSAs

This topic seems to keep coming back, and it’s getting more frequent. I mentioned this as an element of Sin #2, Compensating Control Chaos, in my recent paper, and more companies are coming to my team to help them through an inexperienced QSA’s assessment. The worst part is that it is a self-fulfilling prophecy. If you squeeze the dollars you pay a QSA, they will squeeze the quality and thoroughness of what you are getting. It’s been a while since I have performed an assessment from start to finish. That said, I’ve seen people (meaning me) guilty of assuming that an Iron Mountain truck seen near a company’s data center equals secure off-site transport and tracking of goods—no questions asked. ...


I don’t need to know, I can look it up!

The pace at which our society produces information is staggering. Even worse, the value of that information is typically only apparent after slicing it up in a particular way. Those of us who are naturally curious problem solvers have gotten quite good at knowing where to find certain information as opposed to memorizing it. There are certain things you sometimes just need to memorize. For example, driving laws. It’s much better to remember that you must always stop at a red light than to have to look it up each time you approach an intersection. We have enough trouble with distracted drivers already. Those of us that have figured out this critical skill often become technical support for ...


Why Trying to Change the Rules Doesn’t Work

Going against the grain isn’t easy. Go back through history and look at individuals who failed and succeeded doing just this. Most of them had incredible hardships and made huge personal sacrifices, including many who gave their lives to the cause. OK, so I suppose I should take a moment to clarify. Changing the rules CAN work, just not very often, and none of you are really willing to die changing PCI DSS, are you? Didn’t think so. When PCI DSS was becoming more relevant, I saw two distinct camps of individuals responding to the movement. Typically the security folks were in favor of PCI DSS as they saw it as the justification to get the things they needed to ...


PCI Board of Advisors Voting Open!

If you are a participating organization or other stakeholder in the PCI Security Standards Council, you should have received your voting ballot for the next Board of Advisors today. RSA is listed as one of the vendors, and I hope that we contribute enough value to the security community to be considered one of your top three! Voting closes on Friday, April 8.


Herding Cats February and March

Have you checked out ISSA Connect yet? The next issue is up there with my column, The New Network Security Paradigm! You can also see the column from last month, Alice, Bob, and Chuck, paying homage to the RSA Conference’s 20th anniversary! I also published a more corporate friendly version of The Seven Deadly Sins of a QSA (the too hot for TV version is here). This month’s column discusses the changing IT paradigm corporations must support as consumer-marketed technology becomes a bigger player in the corporate world. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are ...


February 2011 Roundup

What was popular in February? This month I concluded my new piece, The Seven Deadly Sins of a QSA! You can download it below. We also had the 20th Annual RSA Conference in San Francisco this year. It was probably the best RSA Conference I have attended since I started working the show five years ago. Here are the five most popular posts from last month: Visa Allows Non-US EMV Merchants to forego PCI Assessments. This was an interesting move by Visa. Essentially, Visa has given merchants a way to avoid the annual assessment process if they meet four criteria. Check out this article to see if you can qualify! Keep in mind, if you accept other non-Visa branded payment ...

