PCI and Assessment Consistency
As many organizations that have hired QSAs recently have seen, the Report on Compliance (ROC) has changed quite dramatically in v1.2 of the PCI DSS compared with previous versions. Although previous versions of the DSS required that a QSA address all the controls and properly document them, in fact many ROCs failed to provide adequate […]
Is your Compliance Driven by More Than an Audit?
Preparing for an audit can be one of the best ways to fund and improve your security program, but this “stimulus package” for your compliance effort typically dwindles once an organization completes or passes an audit. I see this happen frequently in recurring or annual audits, but it is particularly relevant with the recent news […]
Compliance vs. Risk
As a company, we’ve tried to understand which organizations are most likely to mature their information security programs. It seems that the answer should be obvious: organizations with valuable assets or the need to have data highly available should be very concerned about information security. This could translate into organizations that have a lot to […]