compliance | Branden R. Williams, Business Security Specialist

Forrester Unleashes PCI standard

John Kindervag, prominent analyst from Forrester, released a report this week entitled PCI Unleashed, where he talks history, dispels myths, and gives practical tips for companies trying to get a handle on PCI DSS. John doesn’t waste any time getting started, and throws out a couple of points to shock the reader. In fact, I’m kind of shocked they are in there, but it’s refreshing to see an organization of Forrester’s stature putting them into writing. While many agree that PCI DSS should be blamed on the payment brands, John asserts that it should not. While I agree that the result (the standard itself) should not necessarily be blamed on the payment brands, its evolution is a direct result of ...

Consider Outsourcing Cashless Payments standard

One of the things that baffles me every time I walk into a retailer struggling with PCI compliance is why management doesn’t consider completely outsourcing all of their cashless payment processing. I know how we ended up in this situation, but who takes the blame for continuing to push this paradigm forward? Let’s take payments off the table and re-focus on the information we store. Information today is the lifeblood of business. The value of information is in the process of distilling petabytes of information into actionable tasks that create competitive advantage. Because information is perceived as highly valuable, the general position of information managers is “store or get access to every piece you can, then we’ll figure out how ...

The Madness of Sampling standard

The PCI DSS instructs assessors to sample certain parts of the population when validating compliance. According to the PCI DSS, the sample “must be a representative selection of all of the types and locations of business facilities as well as types of system components, and must be sufficiently large to provide the assessor with assurance that controls are implemented as expected.” That often leads to the next two questions—the answers to which tend to vary among assessors: What do you mean by representative selection (or how many is representative)? What do you consider sufficiently large to gain assurance? In the audit world, internal auditors that review IT systems will look to statistically valid samples as a method to determine how ...

The Lost Assessment standard

Like many fans of Dan Brown’s character Robert Langdon, I was one of the first to tear through The Lost Symbol last month. Symbology in ancient and modern cultures is fascinating, and somehow while I was reading the book, I made a parallel between this final lost symbol (no spoilers here, you need to go read the book!) and the quest for security and compliance nirvana. In the book, Mal’akh is searching for what he believes is the final piece to a puzzle that will make him an all powerful, deity like creature. His quest began while imprisoned in a Turkish prison (yes he HAS seen the inside of a Turkish prison, Clarence) with the son of a prominent 33rd ...

Getting the Most from your QSA standard

Bill Brenner of CIO magazine published a feature article on Wednesday entitled “4 Ways to Get the Most From Your PCI QSAs” where he picks four main things to focus on when using the services of a QSA. VeriSign published a whitepaper last year reviewing several items to consider when shopping for a QSA, all of which tied back to Brenner’s recommendations. Brenner asserts that the four ways to get more from your QSA are: Choose your vendor wisely. PCI compliance is probably an important project to your organization, so be sure you find a QSA that will make your project successful. Don’t hastily throw a solution together, treat it like the strategic project it is (and then treat it ...

How PCI Can Ruin You standard

No, this is not one of those posts poo-pooing PCI because it is the popular thing to do. But after my marathon writing sessions working on the book, I started to think about all the customers that I had visited over the years, and all the problems I have seen, and how even today the problems that come up are essentially caused by common root issues. BTW, I’m hoping you guys all LOVE the case studies. Some of you readers might even be business owners or playing a part in them! That was, by far, my favorite part of writing the book. Maybe I’ll try some bad fiction writing next? (FAIL) Anyway, one of the things that the information security ...

Guest Post: HITECH Alters HIPAA—Will HIPAA be ‘Hip’? standard

The following is a guest post by Bindu Sundaresan, a consulting manager in our Risk & Compliance consulting practice. With the current “non-stimulating” economy, there is a lot of talk about the “stimulus” bill which is impacting all areas of the US economy. One such impact is the reason for today’s blog post. A portion of the new economic stimulus bill, called the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), will have a significant impact on Health Insurance Portability and Accountability Act of 1996(HIPAA). This new law revives HIPAA (which has been around for over a decade), but has many a time gone unnoticed/ not strongly enforced, and no incentive to comply, amongst the other ...

Requirement 11.2 Follies standard

Why is Requirement 11.2 one of the most failed by merchants and service providers alike? Requirement 11.2 has shown up here a few times, but after looking back, I never really explored the issues in detail. Those who have been unfortunate enough to attend one of my sessions where this topic came up know where you can make a mistake. Requirement 11.2 mandates quarterly scans for all hosts in scope for PCI, both internal and external. Scope reduction techniques like segmentation can do wonders for limiting what needs to be scanned, but makes the biggest impact internally. In one of my case studies, I talk about a customer that reduced the number of in-scope systems to less than 1% of ...

Guest Post: The DNA of Compliance standard

The following is a guest post by Shaun Fothergill, the EMEA Practice Manager for VeriSign’s Global Security Consulting group. The tidal wave of regulatory compliance issues has intimidated the brave and petrified the frail, those who once played lip service to these issues are now looking for very serious answers from very serious questions. How do I comply? What do I need to do? What will it cost me? How do I keep compliant? The problem is that there are so many regulatory issues we need to consider and each of these seemingly having their own security nuance that needs to be addressed. Listed below are just some of the compliance issues businesses need to take into account: Data Protection ...

Tags Archivescompliance