I don’t need to know, I can look it up!

The pace at which our society produces information is staggering. Even worse, the value of that information usually only becomes apparent after it has been sliced up in a particular way. Those of us who are naturally curious problem solvers have gotten quite good at knowing where to find certain information rather than memorizing it. There are certain things you simply need to memorize, though. Driving laws, for example: it is much better to remember that you must always stop at a red light than to look it up each time you approach an intersection. We have enough trouble with distracted drivers already. Those of us who have figured out this critical skill often become technical support for ...

Why Trying to Change the Rules Doesn’t Work

Going against the grain isn’t easy. Go back through history and look at the individuals who failed and those who succeeded at doing just this. Most of them endured incredible hardships and made huge personal sacrifices, and many gave their lives to the cause. OK, so I suppose I should take a moment to clarify. Changing the rules CAN work, just not very often, and none of you are really willing to die changing PCI DSS, are you? Didn’t think so. When PCI DSS was becoming more relevant, I saw two distinct camps of individuals responding to the movement. Typically the security folks were in favor of PCI DSS, as they saw it as the justification to get the things they needed to ...

Herding Cats February and March

Have you checked out ISSA Connect yet? The next issue is up there with my column, The New Network Security Paradigm! You can also see the column from last month, Alice, Bob, and Chuck, paying homage to the RSA Conference’s 20th anniversary. I also published a more corporate-friendly version of The Seven Deadly Sins of a QSA (the too-hot-for-TV version is here). This month’s column discusses the changing IT paradigm corporations must support as consumer-marketed technology becomes a bigger player in the corporate world. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors you enjoy reading every month. If you are ...

February 2011 Roundup

What was popular in February? This month I concluded my new piece, The Seven Deadly Sins of a QSA! You can download it below. We also had the 20th Annual RSA Conference in San Francisco this year. It was probably the best RSA Conference I have attended since I started working the show five years ago. Here are the five most popular posts from last month:

1. Visa Allows Non-US EMV Merchants to forego PCI Assessments. This was an interesting move by Visa. Essentially, Visa has given merchants a way to avoid the annual assessment process if they meet four criteria. Check out this article to see if you qualify! Keep in mind, if you accept other non-Visa branded payment ...

Security as a Service ≠ Securing the Cloud

What a week! The 20th RSA Conference is over, and it was great to see the masses back out at the Moscone again. I don’t think it has been this big in a while, and if the parties are any indication, companies are spending money again. I want to say congrats to all the Social Security Blogger Awards nominees and winners! The selection committee did a great job this year selecting a group of absolutely fantastic individuals. Thank you also to Securosis for putting on the Disaster Recovery Breakfast. That was much needed, and it was also where Anton and I planned out the 3rd edition of our book! Wait until you see what we have in store ...

Dave Hogan Leaves the NRF

Yep, it’s true. Looks like Dave is moving on for a more “traditional industry position.” In honor of Dave leaving his long tenure, I wanted to revisit my favorite five posts about Dave Hogan:

1. Why the NRF is Dead Wrong
2. The NRF Goes Past Where the Sidewalk Ends
3. The Blame Game
4. Review of PCI Congressional Hearing
5. For the Record, I Love Dave Hogan!

Blue skies, Dave, and enjoy!

Seven Deadly Sins of a QSA (THE END)

QSAs are human, and humans make mistakes. Over the last several posts we have discussed seven deadly sins committed by QSAs, shown examples of what those mistakes look like, and given you guidance on how to avoid them, or how to navigate your way through them if you find yourself in the middle of one. If you must comply with PCI DSS, one of the best investments you can make in your people is to put them through the same training QSAs go through and have them certified as Internal Security Assessors (ISAs). This way you will have an additional check to tell whether a QSA is making one of these (or other) mistakes, and a chance at catching them before ...

Seven Deadly Sins of a QSA (Part 16)

Sin #7 – Bowing to Threats about the Future

Remember when we discussed consulting being a people business? The last sin we will cover is actually one that can be committed by either party. More accurately, it is committed by the QSA but enabled by the assessee. QSAs sometimes give in to someone who says, “If you don’t mark this as compliant, I am giving my business to someone else.” I’m not talking about a contract issue or some other incidental dispute during the assessment; I’m referring to the rigor of the assessor being used as a bargaining chip.

It’s My Way or the Highway

As an assessor, I’ve been threatened like this multiple times over my career. Having someone in ...

Seven Deadly Sins of a QSA (Part 15), Be My Valentine?

Sin #6 – Q/A Tunnel Vision

The Quality Assurance (Q/A) program is in full swing at the PCI Security Standards Council. After companies started taking PCI DSS seriously and retaining QSAs, merchants and service providers realized that not every QSA interpreted the requirements the same way. One of the biggest complaints about the QSA community is the variance in interpretation on key items that can affect the cost of compliance, for better or for worse. The Q/A program was announced at the 2008 PCI Community Meeting (if you are a stakeholder in PCI DSS and are not going to these meetings, you are missing out) and began to take effect shortly thereafter. QSAs were put on the remediation list as early as 2009.

Myopic Assessment Views

The ...
