Regulatory Compliance, Governance and Security:


February 23, 2009  1:11 AM

What is SAS 70 | A Question I’m Often Asked by Service Organizations

Posted by: Charles Denyer
aicpa, regulatory compliance, SAS 70 Type I, sas 70 type ii, service organizations, What is SAS 70?

What is SAS 70? For us in the regulatory compliance and Information Technology world, this would be an absurd question. Well, put yourself in the shoes of businesses who work hard every day, struggling to make ends meet, and then suddenly,...

February 21, 2009  12:57 PM

PCI Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data | What You Need to Know

Posted by: Charles Denyer
cisco, firewalls, juniper, load balancers, payment card industry data security standards (PCI DSS), PCI DSS, pci dss v1.2, PCI Requirement #1: Install and maintain a firewall configuration to protect cardholder data, qualified security assessor (QSA), routers, rulesets

For Payment Card Industry (PCI) compliance, there are twelve (12) core, functional requirements mandated under PCI DSS v1.2. What's important to note is that many times you truly need to "read between the lines" to interpret, comprehend, and understand what the PCI DSS standards are actually...

February 18, 2009  7:53 PM

PCI DSS and SAS 70 Audits | Audit Efficiencies? Maybe…just Maybe

Posted by: Charles Denyer
payment card industry data security standards (PCI DSS), PCI DSS, pci dss assessments, qsa, SAS 70, sas 70 audits, sas70

As a SAS 70 auditor and a PCI QSA, I'm often asked about the efficiencies of scale that can be achieved with SAS 70 audits and PCI DSS assessments. I have blogged about this a few times before, so let me be more clear and transparent in what I believe can actually be obtained in regards to audit...

February 14, 2009  1:52 PM

Payment Card Industry (PCI) Compliance | Much More than just I.T.

Posted by: Charles Denyer
payment card industry data security standards (PCI DSS), PCI DSS, pci dss 1.2, pci dss policies and procedures, pci readiness assessment, qualified security assessor (QSA), requirement 12: Maintain a policy that addresses information security

That's right. Payment Card Industry (PCI) compliance is much more than just I.T. and all the surrounding hardware and software components that make up the "system components" within the cardholder environment. I've just recently finished up a PCI Readiness Assessment for a client on the West Coast...

February 11, 2009  10:27 PM

PCI DSS Requirement 10: Regularly Monitor and Test Networks

Posted by: Charles Denyer
12 pci requirements, Linux, payment card industry data security standards (PCI DSS), pci audit trails, pci dss logging, PCI Requirement 10: Regularly Monitor and Test Networks, qualified security assessor (QSA), unix, windows

Payment Card Industry (PCI) Data Security Standards (DSS) compliance is often not a black and white assessment. Sure the PCI council gives you the complete assessment document, which fully explains each of the twelve (12) requirements and what is needed for validating each of these respective...

February 8, 2009  2:59 PM

SAS 70 Audit Guide | Learn the Secrets to SAS 70 Audits

Posted by: Charles Denyer
sas 70 audit guide, sas 70 scoping and pricing, SAS 70 Type I, sas70

Need to learn about SAS 70 audits? Not too sure about what the audit actually entails in regards to scope, time, effort and financial considerations? Well, if your organization is seeking to become SAS 70 Type I or Type II compliant for 2009...

January 30, 2009  9:33 PM

PCI DSS Compliance | What is the “Cardholder Environment”?

Posted by: Charles Denyer
cardholder environment pci dss, payment card industry data security standards (PCI DSS), PCI DSS, qsa pci dss, qualified security assessor (QSA), system components pci dss compliance

Regarding PCI DSS compliance, I'm often asked as a PCI QSA what is the cardholder environment? In essence, people are wanting to know what is in scope and how do you determine scope. To be honest, it is not at all a clear black and white answer; so many variables come into play, the biggest being...

January 29, 2009  1:09 PM

California Security Breach Information Act (SB-1386) | What You Need to Know.

Posted by: Charles Denyer
California SB-1386, California Security Breach Information Act (SB-1386), GLBA, Gramm Leach Bliley, HIPAA, MN PCI DSS, MN plastic card security act, SAS 70

In short, the California Security Breach Information Act (SB-1386) is a California state law requiring organizations that maintain personal information about individuals to inform those...

January 28, 2009  1:03 PM

SAS 70 Audits and PCI DSS Compliance | A Two for One Audit? Not Quite

Posted by: Charles Denyer
cpa, payment card industry data security standards (PCI DSS), PCI DSS, pci dss report on compliance (ROC), qsa

As an accountant and a PCI Qualified Security Assessor (QSA), I'm seeing more and more auditors essentially provide audit and fieldwork services for both a SAS 70 and a PCI DSS assessment at the same time, then issue a PCI DSS Report on Compliance (ROC)...

January 28, 2009  12:47 PM

PCI DSS Requirement 1.1.2 | Network Diagrams | Easier Said Than Done

Posted by: Charles Denyer
1.1.2 network diagram, cardholder data pci dss, firewalls, firewalls pci dss, payment card industry data security standards (PCI DSS), PCI DSS, pci dss requirement 1.1.2, qualified security assessor (QSA), remote access pci dss, routers and switches, system components, wireless networking pci dss

PCI DSS Requirement 1.1.2 is an often overlooked area within the PCI framework for assessment. That's also a shame because it's such a critical component for helping lay the groundwork for true clarity and transparency for the assessment...
