I have heard of military operations that were clumsy but swift, but I have never seen one that was skillful and lasted a long time. Master Sun (Chapter 2 – Doing Battle, the Art of War). The GRC (governance, risk and compliance) market is driven by three factors: government regulation such as Sarbanes-Oxley, industry compliance …
It’s been a couple of weeks since I blogged – I have my head down on a few medical device projects and a big PCI DSS audit where I’m helping the client improve his IT infrastructure and balance the demands of the PCI auditors. Last year I gave a talk on quantitative methods for estimating operational risk of …

What exactly is the role of an information security auditor? In some cases, such as compliance by Level 1 and 2 merchants with PCI DSS 2.0, external audit is a condition of PCI DSS 2.0 compliance. In the case of ISO 27001, the audit process is key to achieving ISO 27001 certification (unlike …

While the latest version of the Payment Card Industry (PCI) Data Security Standard (DSS) 2.00 is an improvement, the scope of system component connectivity is not well-defined: A “system component” is part of the cardholder data environment (CDE) if one of two conditions is met: the system component stores, processes, or transmits cardholder data, or the …

This is an essay I wrote in 2004. There is nothing here that doesn’t still ring true, especially with the latest round of Wikileaks disclosures. I wrote then, and I still hold, that compliance and data security technology cannot protect an organization from a data breach. The best security countermeasures for protecting a company’s …

A recent post, “Can smartphones replace credit cards”, wonders whether or not consumers are ready to trade in their plastic for their cell phone. Mobile payment technology has been around for about 10 years and it has not really taken off in a big way – although there are niche applications. In Tel Aviv, for example, …

How does your company mitigate the risk of data security threats? Is your company management adopting a policy of “It’s other people’s money”? In a recent thread on LinkedIn, Jody Keyser shared some quotes from David Vose’s book on risk, reliability and computerized risk modeling: Risk Analysis: A Quantitative Guide. The responses to correctly identified …

There is a lot to be said for preventing data loss at the point of use, but if you are considering endpoint DLP (data loss prevention), I recommend against buying and deploying an integrated DLP/anti-virus endpoint security agent. This is for four reasons: Bloatware/system resource consumption – if you’re concerned with anti-virus system resource usage, …

Reading through the trade press, DLP vendor marketing collateral and various forums on information security, the conventional wisdom is that the key threat to an organization is trusted insiders. This is arguable – it depends on your organization, the size of the business and the type of operation. However, this is certainly true …

Forrester just started calling lost credit card numbers a “toxic asset”. Since when is data that is publicly available toxic?