Tags Archivescompliance

The UCF Common Controls Hub, You Need This Thang! standard

Full disclosure, I was contacted by UCF’s marketing folks and given a demo of the Common Controls Hub, but I did not receive any compensation for this post. These are my thoughts. You get the call from the boss you have been dreading for weeks. “Jimmy, it’s time to add FISMA to our control set, and we need to be compliant in three weeks. GO!” Great, another compliance initiative to work into the alphabet soup of controls-pain that haunts security professionals. More standards means more work to make sure that the standard control set you use in your organization will cover any new requirements you face. Compliance and Security frameworks often overlap, and usually just have a small number of ...

Continue Reading

Hospitality Still in the Crosshairs standard

With all the news and information we are pummeled with daily, it’s hard to ignore the significance of cyber security and its role in protecting enterprises and individuals. It’s even pretty easy to ignore until it happens to you. I have written and spoken about the challenges in the hospitality industry before, and they remain a big target for a few big reasons. Many hotels, even ones with a big-brand name on the facade, are owned and operated by individual companies and investors. Joe’s Hotel Group buys the building, hires the employees, and plugs into GiantHotelChain’s reservation and reward system. Many hotels are wide-reaching properties where everywhere you go you have an opportunity to perform a transaction (pay TV, internet, ...

Continue Reading

What’s your Maturity? standard

No, I’m not asking how old you are or if you still laugh at fart jokes, but how mature is your security program? Traditional security isn’t working anymore, and its relevancy erodes as the business moves ahead without it. If you’ve heard me speak about information security maturity lately, you may have heard me compare our industry and function to Maslow’s Heirarchy of Needs. For those of you that may need a refresher, here are the basics (minus a few to stop some search engine hits). In order for a human to realize his full potential, he must have specific needs met. Those are: Physiological: food, water, sleep, movement toward stability Safety: security of body, employment, resources, morality, family, health, ...

Continue Reading

Corporate Responsibility with Ben Tomhave standard

This is part two in a conversation that I had with Ben Tomhave (@falconsview) last week over Twitter. What started out as a quick question about busting PCI myths turned into corporate responsibility. If you haven’t seen this article about a company who is facing massive penalties, give it a read. It will help set up my position on corporate responsibility for promoting longevity. My position: Companies must make security and compliance a core part of their competency if they choose to operate in a manner that puts them in the cross-hairs of regulation. During the conversation, we moved to overall organizational competency around areas that arguably sit on the fringe of their core business. Restaurants that make pizza should ...

Continue Reading

PCI DSS for the Small Office standard

Before I jump into this topic, have I told you lately that I LOVE reader email? REALLY love it. Why? Because it gives me ideas on content to bring to you! If you have a question or idea for a post, please contact me! Now, on to the goods. A reader asked me about compliance in a small medical office situation. How should someone approach it? You probably got a letter from someone with a Self-Assessment Questionnaire, and you are unsure what to do! Here are a few things to consider: What Level Merchant are you? If you are a level 4, you do not have any mandatory reporting requirements per Visa, MasterCard, and Discover, but your processor or acquirer ...

Continue Reading

Why Trying to Change the Rules Doesn’t Work standard

Going against the grain isn’t easy. Go back through history and look at individuals that failed and succeeded doing just this. Most of them had incredible hardships and made huge personal sacrifices, including many who gave their life to the cause. OK, so I suppose I should take a moment to clarify. Changing the rules CAN work, just not very often, and none of you are really willing to die changing PCI DSS, are you? Didn’t think so. When PCI DSS was becoming more relevant, I saw two distinct camps of individuals responding to the movement. Typically the security folks were in favor of PCI DSS as they saw it as the justification to get the things they needed to ...

Continue Reading

PCI DSS versus Y2K standard

It’s been an interesting week in the PCI DSS world. I was a contributor to a Webcast from First Data on scope reduction using Tokenization.  We had the webcasts from the Council about the changes in PCI DSS coming on October 28, and I seem to have gotten a flood of emails reminding me about the community meetings in Orlando and Barcelona. From a global perspective, PCI DSS is slowly making strides in several locales, to the point where I often adjust my daily schedule to help customers in the pacific rim, middle east, Asia, and Europe. Australian and New Zealand based companies seem to be taking particular interest in PCI DSS, equivalent to the levels we saw in early ...

Continue Reading

Why your QSA should not be your Security Partner standard

This one is link-laden folks.  Enjoy 🙂 It’s just mere weeks before we’ll see the FOURTH iteration of the PCI DSS, and companies inside the US seem to be getting better at it as we go. PCI continues to be a driving force in information security, and as the standard changes, your business environment will undoubtedly change as well. Many merchants and service providers mistakenly depend on their QSAs to find all security and PCI compliance issues. Considering the downward market pressure on assessment prices, many security professionals are discussing how QSAs are pressured to get a complete and compliant ROC in the cheapest way possible.  QSA companies are motivated by three main things: Scope and price the deal in ...

Continue Reading

2010 Verizon Business Data Breach Report Released standard

Verizon Business released their 2010 Data Breach report hours ago, and with the combination of Secret Service data for the 2010 report, there is a ton of interesting things in here.  Here are a few of the highlights that I took from the report: Financial & Hospitality Beware: These two categories represent 56% of the groups involved in breaches1.  Those of us in the industry know the ridiculously poor state of security in the hospitality sector.  Now with the economy on its way to recovery, these businesses will once again see an uptick and criminals will see an opportunity to capture valuable data. Medium-Sized Businesses are in the Crosshairs: The grouping of victims had between 1,001 and 10,000 employees. In ...

Continue Reading

A Thought to Take You to the Weekend standard

It’s been a crazy week, and I’ve been busy gearing up for BlackHat on top of all the fun stuff my day job entails.  To close out the week, I wanted to throw something at you that I thought about while discussing how to better approach compliance initiatives. It’s a simple one liner that really describes why companies should invest in security instead of compliance: A good information security program makes compliance with any standard a tweak, not an overhaul. Compliance should not be the notion that drives security in your organization. Security, among other things, should support and drive compliance. Compare that to your approach.  Does that fit with how you execute your security strategy?  If not, why?

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!