Categories ArchivesEnterprise Security

Acceptable Losses, a Customer Perspective standard

I recently did some work for a customer that had an interesting perspective on the physical security of devices. We were talking about putting some specific controls in place to hold encryption keys, and when we mentioned that we could put them on little USB sticks (not an HSM, but think like that), they said “Oh, if we do that they will disappear from the stores.” Employee or customer theft of devices sure does not come up as something we deal with every day. This particular company ran largely a cash-based business, and had a very small group of customers that paid by credit card. They were actually considering completely dropping all credit card acceptance because of the added risk ...

Continue Reading

The Problem with Scale standard

One of the big problems with building a business is ensuring that processes & procedures scale. Information Technology programs are no exception. We spend as much time as we can building in automation such that our precious resources are not consumed repeating a task over and over. Security is no different. In fact, there are several tactical security tasks that require strategic planning in order to scale them. For example, patch management tends to be a big issue for many companies, especially retailers. How do I create a system that allows me to do massive patching with limited (if any) downtime? How can I ensure a high rate of success? How do I keep exception management to a minimum? We ...

Continue Reading

Boss, I Think Someone Stole Our Customer Data standard

This month in Harvard Business Review, we finally get a case study that applies to Information Assurance! “Boss, I Think Someone Stole Our Customer Data” ($4 PDF) tells a story that many CEOs fear, and some can give you a first hand account about–a breach of customer data. While the case study does speak in some general terms, it is an excellent table-top exercise to run through during your regularly scheduled incident response plan test. This exercise should include various functional groups such as Legal and Marketing in addition to the traditional security or information technology employees. The case study is written in general terms, and can be used multiple times as the law changes. Possibly Related Posts: Level Up ...

Continue Reading

WDOCD: Secure Tape Destruction standard

For our VERY FIRST installment of “What Do Other Companies Do” (WDOCD), Randy Smith has asked the following: “What specifications do other companies require for Secure Tape Destruction (especially for older tapes that could have pre-encryption account number data). To my understanding PCI does not provide a specification. What standard seems to be “secure enough” for older tapes potentially with unencrypted data? Do you feel that standard is OK to relax when all the account number data is encrypted?” Excellent question Randy! Virtually every company we work with has some sort of destruction policy for media, and it varies from using a bulk eraser, to pulling out the DeWalt and drilling a hole right through it (yes, one company we ...

Continue Reading

What Do Other Companies Do? standard

Well folks, it’s time. Yes, I’ve been running this blog for a whopping month or so, and I just want to see if anyone is reading. So far, the only comments that have been submitted are those for “Biagra” and some “Hot New Penny Stock” that promises to make me rich beyond my wildest dreams. While those are certainly enticing links, I think we could make this much more productive. What I’m looking for is to play a game called “What Do Other Companies Do” (similar to “Spin the Topic Wheel” for any P1s out there). Essentially, I’d like you to email questions to TheSecurityBlog@gmail.com asking how other companies address various security practices. For example, “What do other companies do ...

Continue Reading

Knowing Your Data Flows standard

Going to privacyrights.org will clue you into a large cause of data breaches–the stolen laptop. This type of incident is a repeated example of why knowing where data lives in your enterprise is so vital. When we are called into a customer for PCI consulting services, rarely do we see a holistic approach to understanding data flows. There are certainly experts who know their part, and 80% of the time they are right on. But they often lack an over-arching perspective of the data flows, and are unaware of data flows that lie outside of their bailiwick. The level of documentation required for overarching visibility is considerable, but it is also extremely valuable. Imagine being able to see the entire ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!