Aug 29 2023

Is the cybersecurity community’s obsession with compliance counter-productive?

Category: Security Compliancedisc7 @ 9:31 am

Does anyone think the chances of surviving a plane crash increase if our tray tables are locked and our carry-on bags are completely stowed under our seats? That we’ll be OK if the plane hits a mountain if we have our seat belts buckled securely across our waists? Not even the flight attendants, who will be responsible for throwing us off the plane if we don’t comply, really believe those rituals make us safer. And yet, we check the box every flight because a government agency said we can’t fly unless we do so...

I’m starting to wonder if the obsession with checking boxes in cybersecurity might be akin to securing our tray tables before take-off. We do as we’re told, check all the boxes, pat ourselves on the back, and in the process, distract ourselves from our ultimate goal: stopping the bad actors and protecting our data.

I started to think about this somewhat disconcerting cybersecurity community reality when scanning the titles of some of the attendees at a recent regional cybersecurity conference. I was surprised by the frequency of titles that combined security with compliance. To wit: Manager Information Security and Compliance, Manager, Security and Compliance Advisory, Senior Manager Internal Controls and Compliance, Sr. Manager – IT Security & Compliance (among others). To add to this: countless “auditor” titles – roles designed specifically to assure fealty to various standards requirements.

Nearly all enterprise breaches originate in one of three ways, and all cybersecurity professionals know this:

  • An unpatched vulnerability
  • Credential theft
  • Installation of malicious software (typically via phishing)

So, let’s try an experiment. Ask a CISO or experienced cybersecurity expert how they would defend their organization against these three breach types if:

1. They could completely ignore standards and compliance, and they’d be given no credit for any level of compliance (and there would be no ramifications for non-compliance)

2. They could re-deploy every dollar of budget allotted to standards compliance and auditing any way they liked

3. Their single objective was to win the game (stop the bad actors, and minimize their organization’s risk of a compromise)

How many would determine that the best use of their resources would be to attain or retain compliance with a cybersecurity standard? And how many would deploy those compliance and auditing resources to patch more vulnerabilities, invest in additional cybersecurity expertise, tools to identify and reduce their external threat footprint, and myriad other effective measures to genuinely reduce their organization’s cyber risk?

It’s not as if dedication to compliance is any more of a guarantee against a breach than any other technology, strategy or prayer. Here are a few examples of compliant companies that have suffered high profile breaches (thanks to ChatGPT for saving me the hours of research otherwise required to build this list):

  • Equifax (PCI and NIST CSF)
  • Target (PCI)
  • Marriott (PCI)
  • Anthem (HIPAA)
  • Premera Blue Cross (HIPAA)
  • CareFirst BCBS (HIPAA)
  • SolarWinds (NIST CSF)

This is, of course, not an exhaustive list. Show me a large enterprise that was breached and I’ll show you a large enterprise adhering to multiple compliance standards.

Indeed, just this month, several US government agencies were victims of an attack exploiting a vulnerability in file transfer software (albeit a zero-day). It’s fair to assume there are several regulations strictly adhered to by the agencies just breached.

So, why do we continue to be obsessed with cybersecurity compliance, standards, frameworks, etc.? The obvious reason is that organizations can be fined for non-compliance.

And yet, there’s been little effort among cybersecurity experts to challenge regulatory agencies. Indeed, many enthusiastically embrace compliance and congratulate themselves and their teams for achieving it. And, of course, no one loves compliance standards more than vendors, just like every barber in the world would celebrate a new law requiring everyone to get a haircut weekly.

The less obvious reason for our community’s love for compliance is that it covers behinds. “Yes, we were breached, but we did everything we were supposed to do, so don’t blame us.” Coaches in every sport will identify that as a loser’s attitude. Champions know there’s no checkbox formula for winning, and there’s no excuse for losing, especially “we did everything we were supposed to and still lost.” It’s cliche’, but the best teams and athletes “just know how to win.”

Am I suggesting we abandon frameworks and compliance? Not immediately, and not without serious debate and analysis. But there is a case to be made that the compliance-centric philosophy governing cybersecurity decision-making today simply isn’t working, and we in cybersecurity are the living embodiment of (not) Einstein’s definition of insanity: doing the same thing over and over and expecting a different result.

Cybersecurity spending continues to increase and yet breach incidents are increasing as well. It shouldn’t be sacrilegious to propose that we consider changing our foundational philosophy from checking boxes on a compliance audit form to doing whatever makes sense to defend our organizations, and win.

CISO Desk Reference Guide Executive Primer: The Executive’s Guide to Security Program

Security Awareness: Applying Practical Cybersecurity in Your World

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: compliance, Security Awareness

Jun 24 2022

How companies are prioritizing infosec and compliance

Category: Information Security,Security ComplianceDISC @ 8:35 am

Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit

DISC InfoSec

#InfoSecTools and #InfoSectraining



Tags: infosec and compliance

Feb 22 2021

Chief Legal Officers face mounting compliance, privacy and cybersecurity obligations

Category: Security ComplianceDISC @ 11:39 pm
How are companies’ legal departments changing to meet the needs of their organization and the needs arising from worldwide changes?

Organizations face much more regulatory compliance and privacy scrutiny than ever before, and everyone is under a constant threat of cyber breach or attack. Legal plays a critical role in ensuring that all compliance obligations are met, and overall risk to the organization is mitigated.

I firmly believe a new strategy is required to deal with these new converging market forces, one that is rooted in data management. What we’ve observed over the past couple of years is how you treat data is key to addressing so many of the concerns facing your organization. How an organization collects, stores, uses and secures its data ultimately determines the extent to which that data poses risks, incurs costs and provides value. All of these greater trends have combined to create new business challenges that no longer can be addressed by a single organizational department.

Let me give you an example:

Let’s say your company receives a California Consumer Privacy Act data access request.

First, you must securely validate the requestor’s identity. Then, you must route the request appropriately and act on it promptly. The person or group responsible for the data must locate it, collect it, review it, possibly redact information and then securely deliver this information to the requestor.

You can see how this request quickly crosses conventional divisions and responsibilities—it’s not just someone in your Privacy department’s responsibility – she will need to work with someone with expertise in e-discovery. And, if that user submits a request for data deletion, things get even more complex, because before deleting anything, you must first confirm that the information can legally be deleted (as it can be subject to retention requirements imposed by regulatory compliance obligations or a legal hold).

In this demanding environment, traditional approaches to enterprise data inventory and management are inadequate.

To help put this process into perspective, we like to ask six simple questions:

1. Do you know where your data is?
2. Do you know who owns your data?
3. Do you know what regulations govern your data?
4. Do you know what third parties have access to your data?
5. Can you forensically prove data integrity throughout all the processes that use your data?
6. Can you easily and quickly respond to requests for your data?

Chief Legal Officers face mounting compliance, privacy and cybersecurity obligations

Jan 19 2021

CPRA Compliance

Category: Information Security,Security ComplianceDISC @ 12:24 am

This tool enables you to identify your organization’s CPRA (California Privacy Rights Act) compliance gaps, and helps you plan the steps necessary to achieve ongoing compliance.

Oct 04 2019

5 Updates from PCI SSC That You Need to Know

Category: Security ComplianceDISC @ 9:39 pm

As payment technologies evolve, so do the requirements for securing cardholder data.

Source: Slideshows – Dark Reading

PCI DSS: Looking Ahead to Version 4.0

3 Primary Goals for PCI DSS Version 4.0

What is PCI DSS? | A Brief Summary of the Standard

How to Achieve PCI DSS Compliance on AWS

Subscribe to DISC InfoSec blog by Email

Tags: pci dss, PCI SSC

Oct 01 2019

CCPA – The California Consumer Privacy Act

Category: Security ComplianceDISC @ 4:51 pm

More detail on site: Steps to CCPA Compliance roadmap

Everything You Need To Know About CCPA 2018

Subscribe to DISC InfoSec blog by Email

Tags: CCPA

Sep 21 2019

How to get started with the NIST Cybersecurity Framework (CSF) – Expel

Category: NIST CSF,Security ComplianceDISC @ 11:02 am

We give you a quick tour of the NIST Cybersecurity framework and describe how you can baseline your efforts in a couple of hours. So check it out.

Source: How to get started with the NIST Cybersecurity Framework (CSF) – Expel

The CyberSecurity Framework Ver 1.1 Preso
[pdf-embedder url=”” title=”NIST CSF 1.1 preso”]

Virtual Session: NIST Cybersecurity Framework Explained

CSS2017 Session 14 SANS Training – NIST Cyber Security Framework

Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certification | Edureka

Free PDF download: NIST Cybersecurity Framework and ISO 27001 | IT Governance USA

Subscribe to DISC InfoSec blog by Email


Mar 17 2019

Risk Management Framework for Information Systems

Risk Management Framework for Information Systems and Organizations:
A System Life Cycle Approach for Security and Privacy
NIST 800-37r2

Subscribe to DISC InfoSec blog by Email

Tags: Risk Management Framework

Mar 07 2019

How to choose the right cybersecurity framework

Does your organization need NIST, CSC, ISO, or FAIR frameworks? Here’s how to start making sense of security frameworks.

Source: How to choose the right cybersecurity framework

Sep 27 2017

Data flow mapping under the EU GDPR

Category: data security,GDPR,Security ComplianceDISC @ 8:56 am

As part of an EU General Data Protection Regulation (GDPR) compliance project, organisations will need to map their data and information flows in order to assess their privacy risks. This is also an essential first step for completing a data protection impact assessment (DPIA), which is mandatory for certain types of processing.

The key elements of data mapping

To effectively map your data, you need to understand the information flow, describe it and identify its key elements.

1. Understand the information flow

An information flow is a transfer of information from one location to another, for example:

  • From inside to outside the European Union; or
  • From suppliers and sub-suppliers through to customers.

2. Describe the information flow

  • Walk through the information lifecycle to identify unforeseen or unintended uses of data. This also helps to minimise what data is collected.
  • Make sure the people who will be using the information are consulted on the practical implications.
  • Consider the potential future uses of the information collected, even if it is not immediately necessary.

3. Identify its key elements

Data items

  • What kind of data is being processed (name, email, address, etc.) and what category does it fall into (health data, criminal records, location data, etc.)?


  • In what format do you store data (hardcopy, digital, database, bring your own device, mobile phones, etc.)?

Transfer method

  • How do you collect data (post, telephone, social media) and how do you share it internally (within your organisation) and externally (with third parties)?


  • What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?


  • Who is accountable for the personal data? Often this changes as the data moves throughout the organisation.


  • Who has access to the data in question?


The key challenges of data mapping

  • Identifying personal data Personal data can reside in a number of locations and be stored in a number of formats, such as paper, electronic and audio. Your first challenge is deciding what information you need to record and in what format.
  • Identifying appropriate technical and organizational safeguards The second challenge is likely to be identifying the appropriate technology – and the policy and procedures for its use – to protect information while also determining who controls access to it.
  • Understanding legal and regulatory obligations Your final challenge is determining what your organisation’s legal and regulatory obligations are. As well as the GDPR, this can include other compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001.Once you’ve completed these three challenges, you’ll be in a position to move forward, gaining the trust and confidence of your key stakeholders.


Data flow mapping

To help you gather the above information and consolidate it into one area, Vigilant Software, a subsidiary of IT Governance, has developed a data flow mapping tool with a specific focus on the GDPR.


Order Today


Tags: data flow mapping, data privacy, data security, gdpr

Aug 11 2017

GDPR Documentation Toolkit and gap assessment tool

Category: GDPR,IT Governance,Security ComplianceDISC @ 10:46 am

Data Protection / EU GDPR Toolkits


Use this gap assessment tool to:

  • Quickly identify your GDPR compliance gaps
  • Plan and prioritize your GDPR project

EU GDPR Compliance Gap Assessment Tool


Accelerate your GDPR compliance implementation project with the market-leading EU GDPR Documentation Toolkit used by hundreds of organizations worldwide, now with significant improvements and new content for summer 2017:

  • A complete set of easy-to-use and customizable documentation templates, which will save you time and money, and ensure compliance with the GDPR.
  • Easy-to-use dashboards and project tools to ensure complete coverage of the GDPR.
  • Direction and guidance from expert GDPR practitioners.
  • Includes two licenses for the GDPR Staff Awareness E-learning Course.

EU General Data Protection Regulation (GDPR) Documentation Toolkit

Aug 09 2017

EU GDPR: Does my organization need to comply?

Category: GDPR,Security ComplianceDISC @ 9:36 am

By Chloe Biscoe

The General Data Protection Regulation (GDPR) is a new law that will harmonize data protection in the European Union (EU) and will be enforced from May 25, 2018. It aims to protect EU residents from data and privacy breaches, and has been introduced to keep up with the modern digital landscape.

Who needs to comply with the GDPR?

The GDPR will apply to all organizations outside of the EU that process the personal data of EU residents.

Non-compliance can result in hefty fines of up to 4% of annual global turnover or €20 million $23.5 million) – whichever is greater.

Organizations that are compliant with the new Regulation will also find that their processes and contractual relationships are more robust and reliable.

What do US organizations need to do to comply with the GDPR?

The transition period for compliance with the GDPR ends in May 2018. This means that organizations now have less than ten months to make sure they are compliant.

For US organizations, the most significant change concerns the territorial reach of the GDPR.

The GDPR will supersede the current EU Data Protection Directive. Under the current Regulation, organizations without a physical presence or employees in the EU have one main compliance issue to deal with: How to legally transfer data out of the EU. The EU–US Privacy Shield provides such a mechanism for compliance.

Almost all US organizations that collect or process EU residents’ data will need to comply fully with the requirements of the GDPR. US organizations without a physical EU presence must also appoint a GDPR representative based in a Member State.

Save 10% on your essential guide to the GDPR and the EU–US Privacy Shield

EU GDPR & EU-US Privacy Shield – A Pocket GuideAugust’s book of the month is the ideal resource for anyone wanting a clear primer on the principles of data protection and their new obligations under the GDPR and the EU–US Privacy Shield.

Alan Calder’s EU GDPR & EU-US Privacy Shield – A Pocket Guide explains in simple terms:

  • The terms and definitions used within the GDPR and the EU-US Privacy Shield
  • The key requirements
  • How to comply with the Regulation


Data Protection / EU GDPR Toolkits


Jul 14 2011

The TickITplus Kick Start Guide has Been Launched

Category: Security ComplianceDISC @ 12:32 pm

Following the release late last month of the Base Process Library, the Kick Start Guide – the essential guide for all organisations pursuing TickITplus certification – has been launched

/EIN Presswire/ — Following the release late last month of the Base Process Library (, the Kick Start Guide – the essential guide for all organisations pursuing TickITplus certification – has been launched. The guide can be purchased here in a PDF format or hard copy.

The guide will provide organisations that need to achieve compliance with the TickITplus scheme with information about identifying and selecting the scope of certification and developing in-house resources. It contains guidance on identifying processes, mapping them to TickITplus processes and establishing the assessment strategy. The TickITplus Kick Start Guide also offers advice on preparing for, participating in and following up an assessment.

TickITplus ( is the successor of TickIT and provides improved process modelling to facilitate more efficient business and quality systems planning and improvement. TickITplus gives entry level access to capability grading for small IT organisations and offers significant cost savings for those already pursuing both ISO9001 and Capability Maturity Measurements.

As an introductory guide, the TickITplus Kick Start Guide concentrates specifically on achieving the Foundation level of the scheme, either through initial entry or transition from the existing TickIT scheme.

The Kick Start Guide can be purchased today from

Tags: TickITplus

May 09 2011

The Business Case for Information Security Management System

Category: Information Security,ISO 27k,Security ComplianceDISC @ 2:10 pm

Today’s economy is about protecting the information assets which is essential to existence of an organization. After a major incident or a security breach it is unthinkable to say it is not going to affect your bottom line. Most of the organization has to comply with various standards and regulations and a breach in a state of non compliance will be business limiting factor, and the organization may be liable to contractual penalties and loss of potential business from current and future customers.

So Information Security Management System defined as a protection of information from various threats and risks on daily basis. Therefore mitigating information security risks are becoming a critical corporate discipline alongside with other business functions such as HR, IT or accounting.

Mitigating business risks not only improve the business efficiency but also maximize the return on investment and business opportunities.

It is a mistake to assume that information security is solely a technical problem left for IT to solve. These titles below are a non-technical discussion of security information management. It offers a framework that will help business leaders better understand and mitigate risks, prioritize resources and spending, and realize the benefits of security information management.

Mar 07 2011

Manager’s Guide to Compliance

Category: Security ComplianceDISC @ 1:45 pm

Manager’s Guide to Compliance: Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB’s A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices, and Case Studies (Manager’s Guide Series)

A Wall Street Journal/Harris poll revealed that two thirds of investors express doubts in the ability of corporate boards of directors to provide effective oversight. In the shadow of recent global scandals involving businesses such as Parmalat and WorldCom- Manager’s Guide to Compliance: Best Practices and Case Studies is essential reading for you- whether your organization is a major corporation or a small business.

This timely handbook places U.S. and global regulatory information- as well as critical compliance guidance- in an easy-to-access format and helps you make sense of all the complex issues connected with fraud and compliance.

‘Wide perspectives and best practices combined deliver a punch that will knock your “SOX” off! The author has blended together a critical mix necessary for effectively handling the requirements of SOX.’
Rob Nance- Publisher- AccountingWEB- Inc.

‘Robust compliance and corporate governance is an absolute necessity in today’s business environment. This new book by Anthony Tarantino is an authoritative guide to understanding and implementing compliance and regulatory requirements in the United States and around the world. From SOX to COSO to ERM- this book covers them all.’
Martin T. Biegelman- Certified Fraud Examiner- Fellow and Regent Emeritus of the Association of Certified Fraud Examiners- and coauthor of Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance

‘If compliance wasn’t difficult enough- now companies are faced with a barrage of technology vendors claiming to automate compliance as if it were a project. In his new book- Dr. Tarantino paints the reality of the situation: companies need to embrace the broader tenets of governance and use technology to embed governance policies and controls into their daily business processes. Only then can they gain business value from their compliance investments.’
Chris Capdevila- CEO and cofounder- LogicalApps

Here is a link to this book: Manager’s Guide to Compliance: Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB’s A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices, and Case Studies (Manager’s Guide Series)

Tags: ASX 10, BASEL II, Best Practices, COBIT, COSO, ERM, IFRS, OECD Principles, OMB's A-123, Sarbanes-Oxley, Turnbull Guidance

Sep 21 2010

ArcSight offers $49.00 entry-level audit logging package

Category: Security ComplianceDISC @ 9:25 am
Image representing ArcSight as depicted in Cru...
Image via CrunchBase

Security Log Management: Identifying Patterns in the Chaos

Arcsight offer $49 entry level logging solution – a monumental change from the SIEM vendors, since they were trouncing their clients at price of 200K and up.

Data security and compliance specialist ArcSight has taken the wraps off a slew of product updates – Enterprise Security Manager 5.0, Identityview 2.0 and Logger 5.0 – with the offer of a $49.00 version of Logger, its universal log management software.

For more detail on the article: ArcSight offers $49.00 entry-level audit logging package

Tags: ArcSight, Consultants, General and Freelance, Identityview 2.0, Logger 5.0, Security, Security event manager

Dec 03 2009

2010 Compliance Laws

Category: pci dss,Security ComplianceDISC @ 2:13 am

Information Security Wordle: PCI Data Security...
Image by purpleslog via Flickr
In 2010 there will be two important compliance laws introduced which will affect the majority of North American organizations and many global organization too.

45 US States followed California when they introduced “SB1386“, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.

  • From the 1st January 2010, ALL businesses that collect or transmit payment card information, will be legally obliged, by Navada Law, to comply with PCI DSS.

  • Every organization who collect, owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 (The Massachusetts Data Protection Law) on or before March 1, 2010.

  • Similarly to the SB1386 Law, California, Massachusetts & Texas are already looking at making PCI DSS Law and history tells us that when California moves, everyone else follows!
    To help you comply with these impending laws ITG have developed a range of solutions which are aim to make the process as cost effective and simple as possible:

    The Nevada PCI DSS Law:

    The PCI DSS requires you to:

  • apply a number of specific controls, or safeguards.

  • These include documented policies and procedures; as well as

  • a number of technical IT and network configurations.

  • You will also have to provide staff with appropriate training; and

  • You will have to have quarterly scans.

  • PCI DSS v1.2 Documentation Compliance Toolkit

    This PCI DSS v1.2 compliance toolkit is specifically designed to help payment card-accepting organizations quickly create all the documentation required to affirmatively answer the requirements of the PCI DSS as set out in the Self Assessment Questionnaire (v1.2).

    201 CMR 17.00 – The Massachusetts Data Protection Law:

    201 CMR 17.00 & ISO 27001 Toolkit

    will save you months of work, help you avoid costly trial-and-error dead-ends, and ensure everything is covered to current 201 CMR 17.00 / ISO 27001 standard.

    This version of the ISMS Documentation Toolkit is ideal for those who owns or licenses personal information about a resident of the Commonwealth.

    Reblog this post [with Zemanta]

    Tags: 201 CMR 17.00, california, iso 27001, ISO/IEC 27001, Law, Massachusetts, Massachusetts Data Protection Law, Nevada, Nevada PCI DSS Law, Payment Card Industry Data Security Standard, PCI Express, privacy, sb 1386

    Sep 01 2009

    Audit of security control and scoping

    Category: Risk Assessment,Security ComplianceDISC @ 3:53 pm


    Information Technology Control and Audit

    The audit is utilized as a tool to check compliance control based on standards such as ISO 27002 or NIST 800-53 etc. Some other terms which are not sometime rigorous audit have been used to asses controls are gap analysis, benchmarking and control review.

    Scoping sets the boundaries of the audit, where dependencies are marked and exclusions are sorted out.

    The consultant/team lead that has a thorough understanding of security risk management ought to carry out these reviews. The quality of the work depends on correct scoping, fieldwork assignment, and appropriately reporting the findings to management.

    Team lead should have a clear understanding of audit scope before the initial briefing to client. Basically what exactly the client wants and who are the target audiences in the final report and presentation. Clear understanding of the scope includes making sure that the whole organization is included in the audit or just part of it. Before starting an audit, the auditor should have a complete list of assets included in the scope. Sort the assets list into different group of infrastructure which could be handed over to technical consultant for validation of the controls. At this point team lead should point out to technical consultant, the minimum number of assets which are required to be validated to satisfy sampling requirement.

    Scope of final report/presentation should be clear regarding the list of non-compliance, prioritized recommendation or action plans which needs to be included in the report. During presentation of the findings, and to keep C level folks interested in the presentation, presenter needs to relate the findings to business risk and avoid using security acronym.

    Scoping will take into account the length of the time available for field work, analysis, reporting and size and competence of the team to perform a successful audit. Especially if limited time is available for field work, the competence of the team matter to cover various infrastructure, to validate and document the controls effectively.

    Tags: assessment profile, assessment scope, iso 27002, NIST 800-53, security audit, security control, security review, Security Risk Assessment

    Aug 24 2009

    Vulnerability management and regulatory compliance

    Category: Security ComplianceDISC @ 8:09 pm

    Threat and Vulnerability Management in the Ent...
    Image by Michele Mondora via Flickr

    Information security requirements are growing for financial, healthcare and government sectors. Especially a new ARRA and HITECH provision for HIPAA mandates compliance for business providers/vendors.
    The business owners have seen growing number of government and industry specific regulations for protecting the confidentiality, integrity and availability of data from ever growing threat landscape. Now most of the regulatory compliance has some teeth, organizations who may not fully comply shall face serious penalties which include but not limited with fines, civil and criminal penalties.

    Those days are gone when manual vulnerability management use to be sufficed to satisfy the auditors. Vulnerability management can assist management in operational compliance. Most of vulnerability management organizes vulnerabilities by severity level. Severity level is determined by business impact and how easily the attacker can exploit the vulnerability. Remediation can be prioritized based on the asset categorization. Asset categorization is based on company scale (L,M,H) which is associated with overall business impact of an asset to the company.
    The best way to automate vulnerability management is to use software as a service (SAAS). SAAS vendor run their application on a secure server (web, database), which user operate with a web browser on a secure SSL connection. SAAS provider handles all the maintenance of SAAS infrastructure. Organization security staff can spend most of their time on remediation rather than running manual vulnerability management. Automated vulnerability management shows ongoing compliance with standards and regulations and provides documentation for audits.

    Reblog this post [with Zemanta]

    Tags: Security, Security Scanners, vulnerability

    Aug 08 2008

    PCI DSS significance and contractual agreement

    Category: pci dss,Security ComplianceDISC @ 11:52 pm

    The PCI DSS (Payment Card Industry & Data Security Standard) was established by credit card companies to create a unified security standard for handling credit card information.  The retail service industry now understands the strategic significance of PCI DSS compliance, which was demonstrated when TJX announced that their system was compromised for more than 17 months, where well over 50 million customers’ credit and debit cards were breached. Retail business which fails to comply will be subject to penalties and fines, possibly lawsuits, and may lose their credit card processing capability. Non-compliance will not only expose businesses to fines and penalties but also make it vulnerable to many threats, which can exploit the vulnerabilities in the system and put your business to unnecessary risk. These risks could have been avoided with some due diligence. When business is non-compliant, any major breach will have a significant impact on business viability.

    To start a process of PCI compliance, a merchant should determine if PCI DSS applies to their organization.  PCI DSS is applicable if your customer PAN (Primary Account Numbers) is stored, processed or transmitted in your organization. After determining the applicability of the standard, the merchant needs to determine where their business falls in the categorization of businesses by their bank in terms of merchant level.

    Before commencing the risk assessment the assessor will perform the system profile to determine the applicability of the scope and set the boundaries of the system covered under PCI-DSS assessment. Planning is the key to success of a project; this is the phase where all the planning and project preparation will take place.   Now the key to the success of your on-going compliance is to simplify the scope of the project. The best way to achieve this to put all the PCI related assets in a precise segment to limit the merchant card holder environment.

    Comprehensive risk assessment will be performed on the identified scope where risk analysis will identify the gaps based on PCI DSS standards and risk rating will prioritize the gaps for risk management.  Thorough risk analysis will generate a quality technical and process gap analysis, where you decide the mitigation/compensating controls to comply with PCI DSS.  After completion of the risk assessment the task of the risk management begins, to eliminate the gaps in your environment and to comply with the standard. Depending on the numbers of gaps the risk management team should set realistic goals to complete the tasks in hand.  Best practices recommendations suggest that the organization should eliminate/mitigate the high risks (high impact & probability) gaps to the organization, but sometime organizations decide to go after the low hanging fruits to start with their risk management process.

    When the risk management process gets close to finishing and you are well on your way to comply with PCI DSS, you might think that perhaps your job is done. Well in a way, it’s just a beginning of a process where your organization is supposed to maintain the compliance with PCI DSS.  Based on expert opinion, PCI DSS is a process not a project. What you have done so far, is baseline your environment. Ongoing compliance is achieved by monitoring the relevant PCI DSS controls. Ongoing compliance will depend on the quality of the merchant’s information security management system (ISMS). A strong  ISMS would include thorough monitoring, logging and reviewing controls to maintain and improve system security over time.  You can develop an automated PCI monitoring process to achieve consistent results and sustain compliance by continuously monitoring your system. ISMS (based on ISO 27001) certainly can be a great value to manage ongoing monitoring, maintenance and improvement cycle.

    In a sense, PCI is neither a regulation nor a standard but a contractual agreement between the merchant and their acquirer bank, when merchants start transmitting PAN data that makes them contractually obligated to comply with PCI DSS. To understand their obligations, the merchant should make a proactive effort to understand their acquirer’s particular interpretation of PCI DSS requirements to get compliant.  Ongoing compliance will require adequate resources and automated controls in place to routinely monitor, maintain, review and improve the required systems. Ultimately, ongoing PCI compliance will enhance business efficiency and reduce the potential impact of adverse publicity on your business image.


    Documentation Compliance Toolkit

    PCI Compliance

    Practical guide to implementation (Soft Cover)

    Practical guide to implementation (Download)

    PCI Compliance

    Tags: business efficiency, business image, compensating controls, comprehensive, contractual agreement, gap analysis, isms, iso 27001, merchant card holder, mitigate, pan, pci compliance, pci dss, risk analysis, Risk Assessment, risk management process, tjx