Category Archives: Enterprise Security

Boss, I Think Someone Stole Our Customer Data

This month in Harvard Business Review, we finally get a case study that applies to Information Assurance! “Boss, I Think Someone Stole Our Customer Data” ($4 PDF) tells a story that many CEOs fear, and that some can recount first-hand: a breach of customer data. While the case study speaks in fairly general terms, it makes an excellent table-top exercise to run through during your regularly scheduled incident response plan test. The exercise should include functional groups such as Legal and Marketing in addition to the traditional security and information technology staff. Because the case study is written in general terms, it can be reused as the law changes. ...


WDOCD: Secure Tape Destruction

For our VERY FIRST installment of “What Do Other Companies Do” (WDOCD), Randy Smith has asked the following: “What specifications do other companies require for Secure Tape Destruction (especially for older tapes that could have pre-encryption account number data)? To my understanding PCI does not provide a specification. What standard seems to be ‘secure enough’ for older tapes potentially with unencrypted data? Do you feel that standard is OK to relax when all the account number data is encrypted?” Excellent question, Randy! Virtually every company we work with has some sort of destruction policy for media, and it varies from using a bulk eraser to pulling out the DeWalt and drilling a hole right through the tape (yes, one company we ...


What Do Other Companies Do?

Well folks, it’s time. Yes, I’ve been running this blog for a whopping month or so, and I just want to see if anyone is reading. So far, the only comments that have been submitted are those for “Biagra” and some “Hot New Penny Stock” that promises to make me rich beyond my wildest dreams. While those are certainly enticing links, I think we could make this much more productive. What I’m looking for is to play a game called “What Do Other Companies Do” (similar to “Spin the Topic Wheel” for any P1s out there). Essentially, I’d like you to email questions to TheSecurityBlog@gmail.com asking how other companies address various security practices. For example, “What do other companies do ...


Knowing Your Data Flows

A visit to privacyrights.org will clue you in to a large cause of data breaches: the stolen laptop. This type of incident is a recurring example of why knowing where data lives in your enterprise is so vital. When we are called into a customer for PCI consulting services, we rarely see a holistic approach to understanding data flows. There are certainly experts who know their own part, and 80% of the time they are right on. But they often lack an overarching perspective of the data flows, and are unaware of flows that lie outside their bailiwick. The level of documentation required for overarching visibility is considerable, but it is also extremely valuable. Imagine being able to see the entire ...
