Do Data Breach Laws Push Compliance?

CIO Australia recently posted an article suggesting that data breach notification laws drive compliance. Bob Russo is quoted quite a bit in the article, but there is a part that is missing. It’s not Bob’s fault; he is speaking from the Council’s perspective, and he hit the bullseye. But what Bob does not say is what is really driving compliance. I’ve been doing PCI/CISP compliance work since 2004, not quite two years AFTER the September 26, 2002 filing of California’s SB 1386, the first state data breach law. Unfortunately, many companies did not pay much attention to it until several years later, when other states started passing similar laws, especially when Minnesota passed the Plastic Card Security Act in 2007. Being ...

Compliance & Security Diverge on Private Label Cards

Here’s one of those areas where security and compliance stare at each other angrily across the table instead of skipping down the trail together singing, “Tra-la-la.” I was speaking to a friend of mine at a birthday party about this, because guys don’t stay inside for the Hannah Montana makeover; we go outside and talk about beer, sports, and information security. OK, SOME of us do that. So what if I like my toes painted? Anyway, he was telling me that his company was taking the stance that private label cards, those cards that carry the company’s name instead of a Visa, MasterCard, American Express, Discover, or JCB logo, should be included in their PCI ...

Seth Godin Gets Risk Management

On a recommendation from a friend, I picked up Tribes by Seth Godin. I’ve read many of Seth’s great books, the most popular probably being The Purple Cow, and each time I marvel at human nature’s rationalization that complex equals better. Complexity sometimes does equal better, but don’t you think it’s funny how sometimes the simplest ideas are the ones that far exceed the complex ones? These are the ones that leave a red mark on your forehead after you smack yourself and say, “Dammit, why didn’t I think of that?!?” Man crush aside (yeah, I have a small man crush on Seth Godin), security professionals need to read his books. If there is anything negative ...

Debating PCI, and the Story of the Unresearched Position

Do you remember debate or speech class? I remember a professor assigning me the counterpoint position on an issue with which I didn’t agree. I always thought the other guy had it easy when our beliefs matched, because he already believed what he was saying. I recently read an article by Ariel Silverstone in CSO Magazine entitled “Where PCI DSS Still Falls Short (and How to Make it Better)” in which Ariel seems to have been put in a similar situation. Either she was asked to publish something (anything), or she was asked specifically to publish something on PCI; regardless, she should have spent a little more time on research than she did. After reading her positions, ...

Managed Security Services ≠ Light Switch

RSA 2009 has been in the can for over a week now, and I’ve had some time to reflect on the state of security since the economy broke its nose on the market floor. Gartner released reports saying that security spending was not cut as hard (if at all) when compared to other areas inside companies. People on the expo floor had mixed experiences as well. The four common themes I discovered were: non-essential security spending was cut (but things you have to do, like SOX and PCI, are fine); headcount was cut; no change; and my hair is on fire. Regardless of the theme, more security professionals are warming up to the idea of Managed Security Services. While most of ...

Herding Cats and The Art of the Compensating Control

OK folks, two biggies from the April issue of the ISSA Journal. The first is this month’s Herding Cats column, entitled Get Compliant on the Cheap, where I review some of the fantastic commentary provided at the end of last year by JD Smith, one of our esteemed PCI consultants. The feature of the April journal is my article, The Art of the Compensating Control. I hope that this article helps to clear up some of the fog that clouds compensating controls. Hope you enjoy, and Happy Monday!

The Legal Risk around PCI

David Navetta published a fantastic article in this month’s ISSA Journal entitled, “Who is Minding the Legal Risk around PCI,” that takes a deep dive into the legal ramifications of not complying with the standard. If you do not get the journal, first off, go join the ISSA! It comes free with your membership! In the meantime, jump over to David’s blog to read the article. Toward the latter part of the article, David lays out two very real risks that I have discussed many times on this blog, such as QSA shopping, rubber stamping, and scoping. Enjoy, and have a great weekend!

Join me for a Compliance Week webcast!

What are you doing at 2pm Eastern today? If you have that annoying budget meeting, or maybe one of those late lunches with the group of folks that bug you, how about joining me for a webcast on PCI? Click here to register, and I’ll be on Twitter during the event if you want to interact!

An alternative to PCI

PCI is still a hotly debated topic nearly four and a half years after its initial release on December 15, 2004. You didn’t have to visit too many after-hours parties or exhibitors at RSA to see that. Most of the criticism of PCI comes from people who really don’t understand it, or don’t understand how to use it to their advantage. Those people fall into two categories themselves: those who are green to PCI and are overwhelmed, and those who love their soap box. Those in the former bucket just need time to get up to speed. PCI, like Rome, was not built overnight, and it requires weeks of study to fully grasp how it will affect your environment. ...

Thank you RSA!

Well, I finally made it back home yesterday after a week in San Francisco. It was great to put some faces to names, and thanks to all of you who stopped by the VeriSign ESS booth and said “Hi!” On Wednesday, the blogger meetup DID happen, and neither Tim Callan nor I won any of the awards, though we did cheer loudly for our fellow bloggers! And then, who woulda thunk it, little ol’ me won a Seagate Black Armor 420 NAS drive! SWEET! Thank you to Seagate for that! The tweeps were tweeting all over the place! Now, one last thing before I check out of the blogosphere for the week: I had to pass along this freaking ...