Category Archives: Enterprise Security

Will Service Suffer?

It’s weeks like this last one that I am glad I am not a market maker or securities broker. I doubt my ticker could survive the roller coaster ride of highs and lows over the last three years. But what happens with service as the economy falters? Let’s just say that this recent string of declines forces some businesses to continue to wring cost out of their business. That means that once again, the cost centers of business will be asked to do more with less. Cutting heads, moving employees to lower cost geographies, and removing investments for continuous improvement take their toll on the employees, which then trickles down to customers. Between appointments last night, I flipped on Undercover ...


Herding Cats July, Breaches Can’t Happen to Us

Have you checked out ISSA Connect yet? The next issue is up there with my column, Breaches Can’t Happen to Us. This one was fun for me as it follows a common theme you can expect from Ol’ Brando, the business end of security. Most security professionals have not had any sort of business training, or with some I have met, really give a flying futon about business. Before you go ask for more money in your budget, you should read this article. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up ...


Using Transaction ID for Payments

Where is it in your strategy? Each payment brand calls it something slightly different, but they all have something like this now. Every transaction pushed through their network can now be identified with a unique transaction ID. With PCI DSS continuing to be a significant burden for merchants to handle, I can’t think of a better time to consider alternative methods for handling cardholder data after authorization. Merchants have many options when it comes to PAN replacement. When it comes to tokens, there are typically two different options you might choose—either per-transaction tokens or per-card tokens. Merchants that want to perform analytics on purchasing behavior using just the payment card itself as a way to track purchases should go ...


The Perfect World

I was recently asked in a meeting of the minds to describe my view of the perfect world as it related to PCI DSS. For those of you who read my work often, you may notice a few themes that I continue to write about. I believe that security is a business problem and security professionals have historically done a poor job of quantifying information security risk in a manner that makes sense to a business person. In my perfect world, companies would understand the value of the information they use to drive their business, and they would protect or transfer risk accordingly. Sounds simple on the surface, but if you have been in business in the last five years ...


Audience Participation: Who wants stricter PCI DSS requirements?

WAY before I started serving my term on the PCI Board of Advisors, someone privy to the conversations once told me that the early discussions had people grouped into two distinct camps: Make PCI DSS more prescriptive and remove gray area! Remove some of the prescriptive nature of PCI DSS to allow people flexibility in meeting the standard! While I’m not at liberty to disclose conversations that happened two weeks ago, I’m wondering what the folks in the field think about a topic similar to this: should PCI DSS evolve to a stricter standard or more of a framework? After announcing our election to the board, I have had SEVERAL folks from varied industries and backgrounds give me words of ...


Telephone-based Payment Security

Back in March the Council released an information supplement on the PCI SSC website entitled Protecting Telephone-Based Payment Card Data. Wait… MARCH you say? Brando, seriously, work on the timeliness of information. Yeah, yeah… I hear ya. I tend to post about things that I see in my daily experiences, and frankly, I thought we had the telephone-based payment problems solved based on the Council’s official FAQ 5362 on the topic. While the answer seems pretty complete to me, the PDF above also includes several other elements that may be useful to companies dealing with telephone-based payment issues. On Page 6 you will find a flowchart designed to help companies break down complex environments into a series of Yes/No questions. ...


iCloud Security Questions

I admit it, I’m a fanboy. So on Monday, I was doing what I could to keep up with the WWDC Keynote. Unfortunately, that meant reading a live-blog between phone calls, but it got enough of the job done. I’m looking forward to many of the new features in Lion and iOS 5. One announcement that caught my attention was the new iCloud replacement/enhancement for MobileMe. From the website: iCloud stores your music, photos, apps, calendars, documents, and more. And wirelessly pushes them to all your devices — automatically. It’s the easiest way to manage your content. Because now you don’t have to. Preposition-ending sentences aside, this is some pretty cool stuff. I’m already familiar with MobileMe as an ...


Herding Cats April, May, and June!

Have you checked out ISSA Connect yet? The next issue is up there with my column, This Ain’t Yo’ Daddy’s Malware! I’ve also posted, in the Herding Cats section of the site, the April and May editions of the column. My sincere apologies for not putting those up here earlier, but those of you who are members of ISSA got to see them as they were published. Are you not a member? Well why not?! If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today! ...


Wait, we did something right?

Where have I been? Certainly not here! I’ve been on a little bit of travel to Asia and Australia and spending time with security professionals both inside and outside my company. I also tried the Tim Tam Slam for the first time, and videoed it. Enjoy. In my travels over the last two weeks, I am learning that the security market here tends to be more focused on shiny tools than security process. Someone even made a statement about the maturity of the US around information security and how much more mature it is than what they are dealing with. I was a little shocked, actually. It’s pretty rare that you hear that kind of praise outside of the US. ...


Does Security Impede Innovation?

Depends on who you ask, I suppose. In my experience as a security professional I have seen some security organizations in big companies that were so well oiled that patches could be rolled out in a few days after release without any impact to the larger organization. I’ve also seen some that were virtually non-existent—victims of poor leadership or political agendas. Most programs I see fall somewhere in the middle of that continuum, but for the most part are not as functional as they could (should) be. Therefore, in those companies, information security is seen as an impediment to innovation and creative people find ways around them. Imagine for a minute that you were a data center manager looking to ...

