Guest Post: Is it better to be secure, or appear secure? standard

The following is a guest post by Matt Wilgus, Technical Services Practice Manager for VeriSign’s Global Security Consulting group. While the aforementioned question rarely gets formally asked, it is a decision information security offices deal with all the time. Often the security office also handles compliance initiatives. Given the limited resources, is it better to comply with requirements, if the opportunity cost is investing in a project which could bolster security, but not meet compliance initiatives? If an organization is secure than the organization should likely appear secure; however, this is not always the case. The extent an organization is secure is open to perception and often boils down to risk tolerance and risk acceptance. However, what really drives tolerance ...

Continue Reading

Guest Post: The DNA of Compliance standard

The following is a guest post by Shaun Fothergill, the EMEA Practice Manager for VeriSign’s Global Security Consulting group. The tidal wave of regulatory compliance issues has intimidated the brave and petrified the frail, those who once played lip service to these issues are now looking for very serious answers from very serious questions. How do I comply? What do I need to do? What will it cost me? How do I keep compliant? The problem is that there are so many regulatory issues we need to consider and each of these seemingly having their own security nuance that needs to be addressed. Listed below are just some of the compliance issues businesses need to take into account: Data Protection ...

Continue Reading

Guest Post: The IT forecast – Cloud-y with a 10% Chance of Effective Security standard

The following is a guest post by Fred Langston, Sr. Product Manager for VeriSign’s Global Security Consulting group. With the stampede to the next big thing gaining speed, Cloud Computing and Cloud Services face the standard, yet utterly preventable, horse-before-the-cart security conundrum. Anytime paradigm-shifting technology that saves money and decreases operational costs hits the market, two things are certain – 1) your company, just like 99% of the other companies in your vertical, will be running with the pack straight towards rapid adoption, and 2) security tools, techniques, and control technologies to find and mitigate the huge business risks associated with the new cloud services are: Lacking in essential functionality, scalability, or cloud-wide scope Not based on well-vetted best practice ...

Continue Reading

Webcast, on July 7, Maintaining PCI Compliance! standard

Please join me on July 7 for an informative webcast on Maintaining PCI Compliance! To register or attend, please go to: http://www.brighttalk.com/webcasts/4431/attend. Now that Level I merchants have undergone a few annual Payment Card Industry (PCI) assessments (and Level 2 merchants are soon to be doing the same), they are addressing the realization that a mature, sustainable compliance program requires more than once-a-year rallying to prepare for, participate in, and pass an assessment. Daily operational focus and ongoing effort are vital to protect investments in compliance, manage risk, and minimize the business disruptions and costs associated with achieving and demonstrating compliance year after year. This presentation discusses best practices for building a compliance program that can be supported and maintained ...

Continue Reading

The Final Word on MasterCard’s New Levels standard

It’s been a little over a week now since MasterCard tool the PCI world by surprise and changed their reporting requirements for Level 2 merchants.  Whether you are currently a Level 1 or Level 2 merchant, these changes affect you.  Here’s the summary and rundown. MasterCard posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and perform an on-site assessment before December 31, 2010. In addition, Level 1 merchants that were previously self-assessing may not self assess anymore, and must use a QSA for their PCI Assessments.  This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually, and allowing ...

Continue Reading

Much Ado About Nothing, Merrick v. Savvis Update standard

Don’t write Savvis off yet! Dave Navetta posted an update to the Merrick v. Savvis case that every QSA is closely watching. Savvis filed a motion to dismiss in response to the lawsuit. I’m not a lawyer, but I’m glad David is. He explains the reasoning, and even mentions that Merrick’s potential procedural error (or end-around) could get this case dismissed before the substantive merits of the case can be explored, thus continuing to leave the world in the dark about more potential liabilities involved with performing PCI Assessments. Go check it out!

Continue Reading

Clarification on MasterCard Level 2 Requirements standard

Javelin Strategy & Research posted an update to the new MasterCard Requirements. After speaking with John Verdeschi, Robert Vamosi pointed out an error in our initial analysis. After re-reading my material, I looked at one piece of information and made a leap (incorrectly) about the intent (see the final word here). John clarified that the intent is to use the next eighteen months as a transition period. Level 2 merchants should both submit a SAQ, and also have an On-Site assessment completed so they can submit a Report on Compliance by December 31, 2010. This means that Level 2 Merchants effectively have eighteen months to complete a readiness assessment, remediate, and validate compliance. Sorry for the confusion folks, and thank ...

Continue Reading

Nevada’s New PCI Law standard

You’ve probably heard about it by now. Thanks to a friend doing business in Nevada, I was alerted to this new law last week. Nevada is now the second state to enact laws requiring companies to comply with PCI (though, arguably, the Massachusetts Identity Theft Prevention Regulations seemed to have been lifted at a high level from PCI), the first being Minnesota. David Navetta has a great analysis from a legal perspective, and Chris Mark published his thoughts as well. One thing that is interesting about the Nevada law is an apparent Safe Harbor provision. Will this added pressure force more religious views on payment security and compliance inside companies? Or will companies continue to roll the dice with their ...

Continue Reading

More on NRF’s Letter to PCI SSC, and the Wireless Network that Could standard

A couple of weeks ago, I jotted down a few thoughts on the letter from the NRF to the PCI-SSC about the PCI Standards. My post was a bit rant-ish, but Anton Chuvakin threw down a great review in his blog yesterday. The only point that I wanted to add a different opinion on is the use of WEP. I’ve been a proponent for wide open wireless networks in corporations for a few years. I argue that because network compromises are either hit-or-miss with advanced encryption technologies, most hackers default to attacking hosts instead. One of our own testers is known to breach networks that security professionals thought were virtually impenetrable. He didn’t do it by packing a Cray into ...

Continue Reading