The Tao of GRC

I have heard of military operations that were clumsy but swift, but I have never seen one that was skillful and lasted a long time. Master Sun (Chapter 2 – Doing Battle, the Art of War). The GRC (governance, risk and compliance) market is driven by three factors: government regulation such as Sarbanes-Oxley, industry compliance […]

Why less log data is better

It’s been a couple of weeks since I blogged – I have my head down on a few medical device projects and a big PCI DSS audit where I’m helping the client improve his IT infrastructure and balance the demands of the PCI auditors. Last year I gave a talk on quantitative methods for estimating operational risk of […]

10 guidelines for a security audit

What exactly is the role of an information security auditor? In some cases, such as compliance by Level 1 and 2 merchants with PCI DSS 2.0, an external audit is a condition of PCI DSS 2.0 compliance. In the case of ISO 27001, the audit process is key to achieving ISO 27001 certification (unlike […]

Credit card security in the cloud

While the latest version of the Payment Card Industry (PCI) Data Security Standard (DSS) 2.00 is an improvement, the scope of system component connectivity is not well-defined: A “system component” is part of the cardholder data environment (CDE) if one of two conditions is met: The system component stores, processes, or transmits cardholder data, or The […]

Will smart phones replace credit cards?

A recent post “Can smartphones replace credit cards” wonders whether or not consumers are ready to trade in their plastic for their cell phone. Mobile payment technology has been around for about 10 years and it has not really taken off in a big way – although there are niche applications. In Tel Aviv for example, […]

The top 2 responses to data security threats

How does your company mitigate the risk of data security threats? Is your company management adopting a policy of “It’s other people’s money”? In a recent thread on LinkedIn, Jody Keyser shared some quotes from David Vose’s book on risk, reliability and computerized risk modeling: Risk Analysis: A Quantitative Guide. The responses to correctly identified […]

Choosing endpoint DLP agents

There is a lot to be said for preventing data loss at the point of use, but if you are considering endpoint DLP (data loss prevention), I recommend against buying and deploying an integrated DLP/anti-virus endpoint security agent. This is for 4 reasons: Bloatware/system resource consumption – if you’re concerned with anti-virus system resource usage, […]

Learning about change and changing your security

Reading through the trade press, DLP vendor marketing collateral and various forums on information security, one finds the conventional wisdom to be that the key threat to an organization is trusted insiders. This is arguable, since it depends on your organization, the size of the business and the type of operation. However, this is certainly true […]

Toxic assets

Forrester just started calling lost credit card numbers “toxic assets”. Since when is data that is publicly available toxic?

Sharing security information

I think fragmentation of knowledge is a root cause of data breaches. It’s almost a cliché to say that the security and compliance industry has done a poor job in preventing data breaches of over 245 million personal records in the past 5 years. It is apparent that government regulation is ineffective in preventing identity […]