Do you run an e-commerce site? Are you sure you do not store any payment card data or PII (personally identifiable information) in some MySQL database? The first step in protecting credit card and customer data is to know what sensitive data you really store, classify what you have and set up the appropriate security …
Read more »Been a couple weeks since I blogged – have my head down on a few medical device projects and a big PCI DSS audit where I’m helping the client improve his IT infrastructure and balance the demands of the PCI auditors. Last year I gave a talk on quantitative methods for estimating operational risk of …
Read more »I first heard the idea about hedging risk against actual future disasters (man-made or natural) around the time of Hurricane Katrina. The essay below by professor Avinash Persaud considers the creation of a terrorism futures market. The ideas are particularly timely in the context of the unrest in Libya and the uptick in oil prices. Right …
Read more »What exactly is the role of an information security auditor? In some cases, such as compliance by Level 1 and 2 merchants with PCI DSS 2.0, external audit is a condition to PCI DSS 2.0 compliance. In the case of ISO 27001, the audit process is a key to achieving ISO 27001 certification (unlike …
Read more »3GPP Long Term Evolution (LTE), is the latest standard in the mobile network technology tree that produced the GSM/EDGE and UMTS/HSPA network technologies. It is a project of the 3rd Generation Partnership Project (3GPP), operating under a name trademarked by one of the associations within the partnership, the European Telecommunications Standards Institute. The question is, what will be …
Read more »Here are 7 steps to protecting your small business’s data and and intellectual property in 2011 in the era of the Obama Presidency and rising government regulation. Some of these steps are about not drinking consultant coolade (like Step # 1- Do not be tempted into an expensive business process mapping project) and others are adopting best practices …
Read more »A metaphor I like to use with clients compares security vulnerabilities with seismic fault lines. As long as the earth doesn’t move – you’re safe, but once things start moving sideways – you can drop into a big hole. Most security vulnerabilities reside in the cracks of systems and organizational integration and during an M&A, those …
Read more »Defense in depth is a security mantra, usually for very good military security and information security reasons. However – defense in depth may be a very bad idea, if your fundamental assumptions are wrong or you get blinded by security technology. The sin of wrong assumptions In the defense space – we can learn from …
Read more »The notion of a security consultant guild is a seductive idea. Promoting quality, defining service levels and enhancing professional standing are good things, but there is a red ocean of professional forums so – I would not just jump in and start a guild. Just take a look at forums like LinkedIn and Infosec Island …
Read more »Assuming you knew why a data breach will happen, wouldn’t you take your best shot at preventing it? Consider this: Your security defenses don’t improve your understanding of the root causes of data breaches, and without understanding the root causes – your best shot is not good enough. Why is this so? First of all – …
Read more »