September 17th, 2009
Cyber Security and Nuclear Energy
I attended the Nuclear Information Technology Strategic Leadership (NITSL) conference last week, which featured some very interesting discussions on cyber security. One of the keynote speakers described the state of the industry’s physical security, which, when compared with information security, is in very good shape. She discussed the quite substantial investment that her organization had […]
August 21st, 2009
You Cannot Outsource the Consequences of a Breach
Mozilla is known to most people for its open-source and free software, most notably Firefox. However, starting around August 4th, it also became known as yet another company whose merchandise store was breached. Following the announcement on the company’s blog and closure of Mozilla’s store, the following headlines filled trade pubs and the blogosphere: “Mozilla […]
August 11th, 2009
Social Media and Corporate Guidance
One of the common themes I took away from the 2009 Blackhat Briefings was the inherent security risks associated with using social media and networking sites. (These concerns have also received some coverage in trade pubs; see, for example a recent Computerworld article: http://tinyurl.com/mc7yb8) Using social media applications is not just a personal computing trend; […]
August 11th, 2009
Healthcare Organizations and Tighter Security Requirements
Because of increasing threats, high-profile data breaches, and increased awareness of the damage they cause, we anticipate a substantial tightening of regulations and contractual requirements that will significantly impact information security in healthcare. Today, HIPAA, CCHIT, and state breach notification laws are the main standards that govern security within healthcare systems that deal with protected […]
August 6th, 2009
The Far-Reaching Impact of the PCI DSS
The last few years have seen a great deal of discussion, arguing, hand-wringing, and posturing within the retail / hospitality community regarding the PCI DSS. It has also driven a lot of investment in technology–and a lot of investment by technology companies. Then PA-DSS came along. The PCI Council took a voluntary program (PABP) and […]
July 15th, 2009
PCI and Assessment Consistency
As many organizations that have hired QSAs recently have seen, the Report on Compliance (ROC) has changed quite dramatically for v1.2 of the PCI DSS standard from previous versions. Although previous versions of the DSS required that a QSA address all the controls and properly document them, in fact many ROCs failed to provide adequate […]
July 14th, 2009
Is your Compliance Driven by More Than an Audit?
Preparing for an audit can be one of the best ways to fund and improve your security program, but this “stimulus package” for your compliance effort typically dwindles once an organization completes or passes an audit. I see this happen frequently in recurring or annual audits, but it is particularly relevant with the recent news […]
July 14th, 2009
Compliance vs. Risk
As a company, we’ve tried to understand which organizations are most likely to mature their information security programs. It seems that the answer should be obvious: organizations with valuable assets or the need to have data highly available should be very concerned about information security. This could translate into organizations that have a lot to […]