The importance of data collection in a risk assessment

A risk assessment of a business always starts with data collection. The end objective is identifying and then implementing a corrective action plan that will improve data security in a cost-effective way, that is the right fit for the business. The question in any risk assessment is how do you get from point A (current […]

Tell your friends and colleagues about us. Thanks!
Share this

10 guidelines for a security audit

What exactly is the role of an information security auditor?  In some cases, such as compliance  by Level 1 and 2 merchants with PCI DSS 2.0,  external audit is a condition to PCI DSS 2.0 compliance.   In the case of ISO 27001, the audit process is a key to achieving ISO 27001 certification (unlike […]

Tell your friends and colleagues about us. Thanks!
Share this

How to convert a web application to a multi-tenant SaaS solution

Of course, putting an application into a cloud data center is not enough. You have to think about application security, data security and compliance such as PCI DSS 2.0 or HIPAA if you are in the life science space. But – in addition to cloud security, you need to make sure that your Web application […]

Tell your friends and colleagues about us. Thanks!
Share this

Credit card security in the cloud

While the latest version of Payment Card Industry (PCI) Data Security Standard (DSS) 2.00 is an improvement,  the scope of system component connectivity is not well-defined: A “system component” is part of the cardholder data environment (CDE) if one of two conditions is met: The system component stores, processes, or transmits cardholder data, or The […]

Tell your friends and colleagues about us. Thanks!
Share this

Understanding culture and security

Whether you’re an account manager at Cisco, a programming geek in an Israeli startup, an expert on PCI DSS 2.0 or an industry authority on CRM; you must understand the culture in your workplace in addition to your professional skills in order to effectively manage risk and comply with regulation. If you alienate people – […]

Tell your friends and colleagues about us. Thanks!
Share this

Small business data security

Here are 7 steps to protecting your small business’s data and and intellectual property in 2011 in the era of the Obama Presidency and rising government regulation. Some of these steps are about not drinking consultant coolade (like Step # 1- Do not be tempted into an expensive business process mapping project) and others are adopting best practices […]

Tell your friends and colleagues about us. Thanks!
Share this

Protecting your data in the cloud

Several factors combine to make data security in the cloud a challenge. Web applications have fundamental vulnerabilities. HTTP is the cloud protocol of choice for everything from file backup in the cloud to Sales force management in the cloud. HTTP and HTML evolved from a protocol for static file delivery to a protocol for 2 […]

Tell your friends and colleagues about us. Thanks!
Share this

How to assess risk – Part II: Use attack modeling to collect data

In my article – “How to assess risk – Part I: Asking the right questions”, I talked about using attack modeling as a tool to collect data instead of using self-assessment check lists. In this article, I’ll drill down into some of the details and provide some guidelines on how to actually use attack modeling […]

Tell your friends and colleagues about us. Thanks!
Share this

Compliance, security and Wikileaks

This is an essay I wrote in 2004.  There is nothing here that doesn’t still ring true, especially with the latest round of Wikileaks disclosures. I wrote then and I still hold that  compliance and and data security technology cannot protect an organization from a data breach. The best security countermeasures  for protecting a company’s […]

Tell your friends and colleagues about us. Thanks!
Share this

Will you be left holding the bag?

Introduction Where data security decision making is concerned, the PCI DSS and HIPAA regulatory requirements  are more striking for what they leave unsaid than for what they say. They do tell you what an auditor would look for in determining the level of your systems’ data  security. However, the security checklists  don’t enable you to […]

Tell your friends and colleagues about us. Thanks!
Share this