What is the best way for a business to prevent data breaches?

Let’s start with the short version of the answer – use your common sense before reading vendor collateral. I think PT Barnum once said “There is a sucker born every minute” in the famous Cardiff Giant hoax – (although some say it was his competitor, Mr. George Hull. Kachina Dunn wrote how Microsoft got security […]

Tell your friends and colleagues about us. Thanks!
Share this

Security sturm und drang – selling fear.

Sturm und Drang is associated with literature or music aiming to frighten the audience or imbue them with extremes of emotion”. The Symantec Internet Security Threat Report is a good example of sturm und drung marketing endemic in the information security industry. Vendors like Symantec sell fear, not security products, when they report on “Rises on Data […]

Tell your friends and colleagues about us. Thanks!
Share this

Ten steps to protecting your organization’s data

Here are 10 steps  to protecting your organization’s privacy data and intellectual property. As a preface, begin with the understanding that you already have all the resources you need. Discussions with colleagues in a large forensics accounting firm that specialize in anti-fraud investigations, money laundering and anti-terror funding (ATF), confirm what I’ve suspected for a […]

Tell your friends and colleagues about us. Thanks!
Share this

The Tao of GRC

I have heard of military operations that were clumsy but swift, but I have never seen one that was skillful and lasted a long time. Master Sun (Chapter 2 – Doing Battle, the Art of War). The GRC (governance, risk and compliance) market is driven by three factors: government regulation such as Sarbanes-Oxley, industry compliance […]

Tell your friends and colleagues about us. Thanks!
Share this
catch 22

Catch 22 and Compliance

Let’s say your’e a payment processor going through a PCI DSS 2.0 audit: Does this sound familiar? (just replace certain words by certain other compliance related words): Without realizing how it had come about, the combat men in the squadron discovered themselves dominated by the administrators appointed to serve them. They were bullied, insulted, harassed […]

Tell your friends and colleagues about us. Thanks!
Share this

Why less log data is better

Been a couple weeks since I blogged – have my head down on a few medical device projects and a big PCI DSS audit where I’m helping the client improve his IT infrastructure and balance the demands of the PCI auditors. Last year I gave a talk on quantitative methods for estimating operational risk of […]

Tell your friends and colleagues about us. Thanks!
Share this

Using DLP to prevent credit card breaches

I think that Data Loss Prevention is great way to detect and prevent payment card and PII data breaches. Certainly, all the DLP vendors think so.  Only problem is, the PCI DSS Council doesn’t even have DLP in their standard which pretty much guarantees zero regulatory tail wind for DLP sales to payment card industry […]

Tell your friends and colleagues about us. Thanks!
Share this

Rising the level of trust associated with identity in online transactions

Obama’s National Strategy for Trusted Identities in Cyberspace In April President Obama signed the National Strategy for Trusted Identities in Cyberspace (NSTIC) which charts a course for the public and private sectors to collaborate on raising the level of trust associated with identity in online transactions. NSTIC focuses on upgrading outdated password-based authentication systems and […]

Tell your friends and colleagues about us. Thanks!
Share this

Application software in the cloud – power to the people

I think that it might be a novel approach to build a flat cloud security control model centered around consumers (stake holders, users and developers) of business applications software and the performance of the cloud services that they consume. This might be a more productive and relevant control model than then the current complex, multiple layer, […]

Tell your friends and colleagues about us. Thanks!
Share this

On data retention – when not to backup data?

It is often assumed that the problem of data retention is about how to backup data and then restore it quickly and accurately, if there is a security event or system crash. But, there are important cases, where the best data retention strategy is not to backup the data at all. The process of backup […]

Tell your friends and colleagues about us. Thanks!
Share this