IT Compliance Advisor

August 29, 2011  6:10 PM

Cloud Security Alliance seeks transparency over secrecy for compliance

Frank Ohlhorst

The Cloud Security Alliance is launching a new program for gathering information on how cloud service providers are securing their services and meeting compliance initiatives.

The CSA Security, Trust & Assurance Registry (STAR) program enables cloud service providers to submit self-assessment reports that document compliance regarding best practices published by the alliance. According to the CSA, the searchable registry will allow potential cloud customers to review the security practices of providers and determine the level of compliance offered — or better yet, learn from the best how to secure their own cloud initiatives.

Some may find this a bit disconcerting and will worry that transparency will expose them to attacks and breaches. However, transparency also leads to better understanding and improvements in security by exposing possible flaws and weaknesses.

STAR offers a “major leap forward in industry transparency, encouraging cloud service providers to make security capabilities a market differentiator,” according to a CSA release. CSA STAR will be available in the fourth quarter. Cloud providers can submit two different types of reports — the Consensus Assessments Initiative Questionnaire and the Cloud Controls Matrix.

Find out more at

August 22, 2011  5:59 PM

Online privacy concerns a persistent problem for businesses, consumers

Ben Cole

The editors at have written a lot in recent months about online privacy concerns for businesses and their customers, and it appears global increases in hacking and data theft may finally be pushing folks to take positive steps to secure their data.

The combination of an increasing number of data breaches, the growth of cloud computing, the proliferation of location-based services and the expansion of regulatory requirements is forcing organizations to review or completely revise their privacy policies before the end of 2012, according to new research from Gartner Inc.

These findings echo results of a McAfee Inc. survey that found only about one-third of online consumers believe that most websites are safe for shopping, an 11% decrease since McAfee conducted the survey in 2009. Eighty-four percent of the 605 respondents said that they have some level of concern when providing personal information online, and only 6% said they do not worry about security on the Internet.

Gartner notes that, while privacy-related regulatory changes are likely imminent, they should not distract privacy officers from pursuing their own more immediate privacy strategies. Most regulatory changes will continue to evolve over the long term, the analysts note.

Despite the increased attention to privacy, obstacles will surely remain. Privacy programs will be chronically underfunded for the next two years, so privacy officers will need to build and maintain strong relationships with corporate counsel, lines of business, HR, IT security, IT operations and application development teams, suggests Gartner’s Carsten Casper.

Casper also suggests establishing a relationship with regulatory authorities and the privacy advocacy community as a way to help maintain privacy standards.

And what about those businesses that use the nebulous nature of online privacy rules to their advantage? This week, the Wall Street Journal profiled “supercookies” that are used to track users’ Web-browsing tendencies. The supercookies are capable of re-creating users’ profiles after people delete regular cookies. Due to a lack of federal regulations, the online ad industry has been left to police itself, and sometimes privacy concerns take a back seat to commerce.

Until the feds establish hard rules on online privacy to protect personal information, it will be up to the businesses to police themselves and protect customer information. As the McAfee study shows, consumers may end up decreasing their online purchasing activity because of online privacy concerns. Businesses will have to prove that they are doing all they can to protect their customers’ information, or risk their reputation — and bottom line.

August 16, 2011  2:31 PM

Make your enterprise risk management policy proactive, all-inclusive

Ben Cole

During‘s recent virtual trade show on enterprise risk management, presenter Kevin Beaver opened his presentation with a quote from management expert James Champy:

“Many executives are insulated from reality and consequently don’t know what the hell is going on.”

Beaver cited this trend and subsequent “general false sense of security” as a major factor in the proliferation of ineffective enterprise risk management policies. Due to the maze of complexity in business environments — wireless networks, mobile devices, the cloud, to name just a few — the potential for flaws and security vulnerabilities is nearly limitless, Beaver said.

As a result, basic technical and operational security weaknesses can snowball and result in big problems for business if they are not dealt with effectively and in a timely manner. This lack of preparation and general “everything-is-fine” attitude was cited several times by presenters throughout the virtual trade show, “Enterprise Risk Management: Mitigation Strategies for Today’s Global Enterprise.”

During his presentation on risk management strategies for protecting enterprise supply chains, consultant and IT auditor Paul Kirvan pointed out the many threats to organizations and the firms that support them, and suggested that supply chain risk management should be an important business activity.

“Much work needs to be done to transform an organization from one that simply reacts to unplanned events to one that anticipates disruption, develops prevention and mitigation strategies to address them and has fully developed procedures to keep the organization and its supply chain running,” Kirvan said.

Kirvan suggested companies quantify and prioritize risks, then develop strategies that can cost-effectively address supply chain risk points. Another key factor to an enterprise risk management policy is to identify employees’ role in the supply chain, and to outline a succession plan that prepares alternate members of the staff to step in and take over for employees in their absence.

By doing so, organizations can prepare for and plug any holes in the management chain before something as simple as a key employee catching the flu causes a huge compliance risk.

“This type of activity should not be restricted to the most senior members of the organization,” Kirvan said.

Perhaps the simplest message is this: Get involved. By being proactive and paying close attention to the risks unique to your organization, you can get a jump on vulnerabilities before they snowball into major violations.

Security needs to be addressed now, and the true leaders focus their efforts before a security breach occurs, not after, Beaver said.

“Forget about what security analysts are saying, stop listening to scare tactics and focus on the basics: urgent flaws on most important systems,” he said.

August 4, 2011  8:15 PM

When it comes to PCI compliance standards, size doesn’t really matter

Frank Ohlhorst

Mention PCI compliance standards, and the typical business owner will probably spout off about how they are an expensive burden that offers little in return. However, PCI compliance can provide value in the form of savings and protecting business interests.

Case in point: An owner of two small magazine stores was surprised to discover that hackers had installed software on his registers and stolen credit card information. After an investigation, at the owner’s expense, he was out over $20,000 — half his annual profit.

“His experience highlights a growing threat to small businesses. Hackers are expanding their sights beyond multinationals to include any business that stores data in electronic form. Small companies, which are making the leap to computerized systems and digital records, have now become hackers’ main target,” according to a Wall Street Journal article.

In a sense, adhering to PCI compliance standards is becoming something like an insurance policy — one that protects businesses while eliminating unforeseen expenses. Driving that value is the fact that the payment card industry has come down hard on both retailers and other organizations that store or have access to credit and debit card information by imposing heavy penalties for violating PCI compliance standards.

That translates to SMBs focusing more on security and incorporating regular and automated systems management to maintain compliance and prevent hacking.

Luckily, standards exist that make it much easier to meet PCI compliance. Take, for example, PCI DSS — now in version two — which spells out what is needed to secure the data associated with payment card-based transactions.

PCI DSS shows it takes more than just encryption and secure data storage to meet PCI compliance. Businesses need to incorporate management mechanisms, actively manage their systems and perform audits. PCI DSS includes 12 requirements for building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.

It is those standards that show where additional value can be wrung out of PCI compliance. After all, improvements in security and operations always lead to measurable results.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology and business publications, and was also executive technology editor at eWEEK and director at CRN Test Center.

July 25, 2011  2:00 PM

Little to celebrate after one year of Dodd-Frank compliance

Chris Gonsalves

As birthday parties go, this one was forgettable. Awful, really. One year into compliance with the Dodd-Frank Wall Street Reform and Protection Act, few are in a mood to fete the guest of honor, that bloated, convoluted, amorphous bundle of regulations that gave many businesses 12 months of headaches and FUD.

That’s not to say nobody is celebrating. The milestone was marked last Thursday by the official opening of the Consumer Financial Protection Bureau (CFPB), one of the 11 bureaucracies charged with administering Dodd-Frank, and the first new federal agency created in more than 10 years. So there’s at least one building full of Dodd-Frank revelers. It’s unlikely that’s who Treasury Secretary Tim Geithner was talking about when he sold Dodd-Frank on the promise that it was “designed to lay a stronger foundation for innovation, economic growth and job creation.”

But a win is a win, I suppose.

As for the rest of us, how well has the massive Dodd-Frank Act, with its 243 new rules administered by 11 different federal agencies, worked in its first full year on the books?

  • Unemployment has risen to 9.2%; 22 million Americans can’t find work.
  • More than 44 million Americans are now on food stamps.
  • The so-called Misery Index, a measure of unemployment and inflation, is at a 30-year high.
  • The creation of new businesses in the United States is at a 17-year low.
  • The cost of compliance with Dodd-Frank will top $1.25B (including $329 million for the new CFPB) through 2012, according to a congressional report.
  • Regulated businesses will need an estimated 2,260,631 annual labor hours to comply with the 10% of Dodd-Frank regs activated so far, according to The Heritage Foundation.

It’s been ugly, as critics have been quick to point out.

“Thanks to efforts like Dodd-Frank, the drivers of our economy are increasingly focused inward,” wrote Rep. Ed Royce (R-Calif.), a senior member of the House Financial Services Committee and part of last year’s Dodd-Frank Conference Committee. “Rather than looking to finance the next Google or Microsoft, businesses will be mired in complying with 2,300 pages of flawed rules and regulations.

“From the Consumer Financial Protection Bureau, with its half-billion dollar budget and virtually no accountability or oversight, to the new derivatives regulation, ‘compliance’ with ever-changing dictates will consume these firms,” writes Royce. “If the end result was a more stable financial system, this may be a cost worth bearing. Unfortunately, every indication points in the opposite direction; a fundamentally weaker financial system and a less vibrant economy. This is not an anniversary worth celebrating.”

Fellow Financial Services Committee member Rep. Sean Duffy of Wisconsin agrees. “Dodd-Frank was rammed through Congress on claims that by increasing government mandates and control over the private economy, we would see robust growth in our economy and greater economic security for our working families and small businesses,” Duffy says in an op-ed piece in The Washington Times. “One year later, with new business creation at a 17-year low and paralysis in the private sector, it’s clear that Dodd-Frank has woefully underdelivered.”

Duffy is among those offering new legislative efforts to roll back much of what Dodd-Frank has wrought. But with a stagnant economy, ongoing public suspicion of Wall Street, and partisan political battles continuing at a fever pitch, any quick action to make Dodd-Frank easier for the regulated parties seems unlikely.

And so we might be wise to celebrate a little at Dodd-Frank’s one-year anniversary. After all, 90% of its directives haven’t even hit yet. There’s a tsunami of regulations still stored up in the act’s endless pages, waiting to be unleashed. Uncountable hours and incalculable costs for compliance will spew forth in the coming years. So raise a glass and toast Dodd-Frank. This is as good as it gets. As bad as this year seemed, the worst may be yet to come.

July 21, 2011  7:50 PM

What’s in a name? Why ‘private’ clouds may not be as secure as you think

Frank Ohlhorst

Cloud is a word that has helped to misclassify IT operations. Throw the word private in front of cloud, and now you really have some confusion, especially when it comes to security. The problem is that the word cloud implies a nebulous entity that allows information to be shared freely, while private indicates the exact opposite.

Today, social networking and cloud technologies are all about sharing information — much to the chagrin of those responsible for keeping intellectual property safe and secure. For those seeking to share information freely using cloud technologies, private clouds become an ideology of choice. However, private clouds can be anything but private, especially if they’re using the Internet as a connection methodology between sites.

In effect, this means that private clouds will always have some form of connectivity to the outside world. Of course, a properly configured private cloud will incorporate several virtual and logical barriers that are designed to prevent unauthorized access to the content contained within (that’s the theory, at least).

Nevertheless, those managing and attempting to secure private clouds have to ask themselves a few questions, including: How can I be sure my cloud is protected from intrusion? Is my firewall, VPN or other security technology effective? How can I remediate any security problems?

The answers to those questions would dictate how to proceed with a security ideology that effectively protects data contained within private clouds. For many, the answer comes in the form of layered protection. By combining the benefits of a stateful packet inspection firewall, encrypted access, secure logins and extensive auditing, compliance managers should be able to achieve effective protection to secure private clouds. Yet, some will find that may not be enough.

Luckily for IT managers, the security market is evolving, bringing new technologies to the market that help prevent, remediate or detect security issues. Of course, the best approach is to avoid a breach altogether — a task that may be impossible but is nevertheless a worthwhile goal.

Companies such as Palo Alto Networks are re-engineering firewall technology to be more effective, and are offering new products that seem to be a more effective fit within the cloud community. Naturally, Cisco, Juniper, Check Point and many others are also hardening their security products to better protect IT assets, all of which will help make it easier to secure private clouds.

Nevertheless, cloud security still needs to be validated and maintained, and those tasks usually require auditing, forensics, continual testing and effective monitoring. These tasks usually fall to compliance officers and security administrators. Luckily, the tools in these arenas are evolving as well.

For example, networking forensics vendor NIKSUN launched a forensics platform that promises to give IT managers full insight into network activity. Ideally, administrators could use NIKSUN’s forensics utilities to diagnose breaches, gather evidence and plug holes.

Keeping private clouds private demands that IT managers take a different look at how security is enforced across a network and how interaction between networks is monitored. This requires effective monitoring and analysis that goes beyond validating firewall and user account settings. The key here is to catch anomalies as they occur, or to take a more proactive approach to protection.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology and business publications, and was also executive technology editor at eWEEK and director at CRN Test Center.

July 18, 2011  5:01 PM

As Web access expands, experts say new malware threats cause concern

Ben Cole

It seems nobody is safe from malware attacks these days, and even the White House is taking notice. Last week, a Department of Homeland Security official acknowledged the threat of pre-existing malware on imported electronic and computer devices sold within the U.S. With the availability of malware entry points expanding — including ubiquitous IT such as emails, social media, smartphones and tablet computers — the threat is not going anywhere anytime soon.

Eighty-seven percent of 2,277 surveyed smartphone owners used their device to access the Web or email at least once a day, according to a recent report issued by Pew Research Center. Of those smartphone owners, 25% said that they mostly go online using their phone, rather than with a computer. Also last week, Trusteer CEO Mickey Boodaei told eWeek Europe that as smartphones grow in popularity, hackers are increasingly researching Apple iOS and Android for vulnerabilities. One in 20 Android mobile phones and iPhones will be infected by financial malware and Trojans within the next 12 months, he added.

Budget constraints, unawareness of the severity of new malware threats and a reactive attitude to malware contribute to the problem, according to reps from M86 Security in their report on new malware threats.

Despite a high level of concern expressed about the security of mobile devices, 14% of 382 companies surveyed in M86’s report have no solutions in place to protect users from Web-based threats. Researchers found that 78% of the organizations surveyed had experienced at least one malware attack during the preceding 12 months.

In addition, 49% of survey respondents acknowledged that although security breaches occur, they accept this as part of the cost of doing business. This complacent attitude toward malware could result in additional costs, bad press and lost revenue opportunities for companies involved.

The M86 report recommended that organizations consider addressing malware prevention, detection and remediation in two ways:

  1. Train users on how to properly surf the Web, what they should do when they encounter a threat (such as a spam email that contains a link to a website), how they should be wary of emails whose source is not known, how to spot phishing attempts, etc.
  2. Address the long-term, strategic impacts, such as malware detection and remediation at every ingress point, including email, smartphones, Web browsers and the growing multitude of other platforms from which malware can enter the network.

This probably does not have to be pointed out, but as IT becomes more sophisticated, so do malware attacks. More people have access to the Web, often in the palm of their hand. This makes their personal information — and sometimes, that of their employers — increasingly vulnerable to hackers. New malware threats are coming, and IT departments need to be on the lookout and proactive about protecting themselves.

July 7, 2011  6:48 PM

Adhering to PCI DSS 2.0 requirements affects costs, IT operations

Ben Cole

There’s one big problem for IT departments seeking guidance related to PCI DSS 2.0. The best advice, as Payment Software Co. principal Tom Arnold points out, is often “it depends.”

That makes it difficult for companies trying to get definitive answers on budgeting for IT expenditures connected to PCI DSS, Arnold said during a recent webcast exploring IT impacts under PCI DSS.

“Depending on the technology being used, depending on the environment and how the environment works and specifically how your business model works, there can be variances,” Arnold said.

PCI DSS 2.0 requirements affect IT costs due to an expansion of existing requirements (increased testing procedures) and a redefinition of past requirements (a greater emphasis on processes), Arnold said. There were new requirements as well, such as the introduction of metrics to evaluate vulnerabilities. Increased regulations surrounding network security, protecting stored data and developing secure systems and applications can impact capital expenditures as well, Arnold said.

The new and revised requirements have logistical effects as well. Arnold estimated that collecting evidence for a PCI DSS compliance assessment could now take twice as long as before. Also, the reporting requirements placed on Qualified Security Assessors (QSAs) call for a large amount of additional information. This could result in PCI DSS compliance budgets that are two to three times higher than in previous years, Arnold added.

To deal with these changes (and the extra funds involved), Arnold advises companies to:

  • Engage a QSA to perform gap analysis based on PCI DSS 2.0 requirements.
  • Define architecture to close gaps between requirements and areas that are lacking.
  • Define solutions for both retail and remote sites.
  • Identify capital exposures surrounding PCI DSS 2.0.
  • Budget appropriately for exposures (and plan to implement them by Jan. 1).

Despite this sound advice, the “it depends” factor still looms. This subjectivity fueled significant criticism of PCI DSS and PCI DSS 2.0, with some critics saying that the rules were too dependent on the makeup of organizations trying to achieve PCI DSS compliance. It doesn’t help that companies already tightening their belts face the added expense of adapting to the new PCI DSS 2.0 requirements.

Still, following the PCI DSS rules could benefit a business’ bottom line. As recent data breaches have shown, not adequately protecting customer information can be quite a bit more costly than spending on compliance.

June 20, 2011  8:42 PM

How forensics technology ties to your regulatory compliance needs

Frank Ohlhorst

Most people associate the term forensics with security or law enforcement. However, the concept of forensics and forensics technology lends itself very well to compliance. Adhering to compliance regulations is about managing the access to data and ensuring that data is not corrupted, misdirected, intercepted or used in any fashion that falls outside of policy. This concept is relatively easy to grasp.

However, compliance becomes more complex once you are asked to prove its existence (or, more correctly, its adherence). For many, proof takes the path of forms, check boxes and simple audits (yep, we did that; OK, that’s been checked) and other relatively easy validations. Nevertheless, we all know that really isn’t enough — a stack of papers and lists of check boxes really prove little more than someone filled out some forms. That is where in-depth auditing comes into play. To prove compliance, you must be able to effectively audit events in the past, as well as in the present.

That is where forensics comes into play — not just as a process, but as a technology as well. For the typical business bound by compliance regulations, the amount of data and the number of transactions can be massive, and therein lies the real problem: How does one apply the process of forensics to a system without creating a technical and physical nightmare that can cost thousands of dollars and man-hours? The simple answer is to apply forensics technology to the process.

Take security and forensics hardware vendor Niksun, for example. The company has developed appliances that are designed to capture all activity on a network, allowing administrators to re-create events at will. What’s more, Niksun’s devices can operate at line speed and offer real-time analysis. This allows administrators to not only apply forensics, but also identify anomalies that may open windows into potential compliance violations. In other words, administrators can not only prove compliance, but they can also proactively protect it.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology and business publications, and was also executive technology editor at eWEEK and director at CRN Test Center.

June 10, 2011  7:06 PM

As social media expands, beware of social networking risks

Ben Cole

Social media use by businesses and their employees is on the rise, and with good reason — social networking tools can easily help companies reach millions of new customers. New information, however, suggests that companies are also beginning to acknowledge social networking security risks.

Last week, Peak Advisor Alliance announced survey results that found respondents’ biggest challenge is differentiating and marketing to generate new business — but adhering to social media compliance was deemed “too risky” by over half of respondents.

This week, Regus released a survey showing a rise in U.S. companies using social networks to win new business. According to the survey, 43% of firms are successfully using social networking to win new customers, an 8% increase from the 2010 survey. Fifty percent of businesses in the U.S. use social media to connect with customers, and the survey found a 7% global increase in the proportion of businesses successfully recruiting new customers through social networks.

And the social networking security risks do not end with business-related social media. Last month, the Society of Corporate Compliance and Ethics and its affiliated Health Care Compliance Association released findings from a survey among compliance and ethics professionals. The survey found 42% of respondents reported that their organizations have had to discipline an employee for behavior on social networking sites, up from 24% that reported the same in 2009. At the same time, only about one-third of survey respondents report that their organizations have adopted policies specifically addressing the use of social media sites outside of work.

All this comes as the U.S. Department of Commerce released a report June 8 that proposes “voluntary codes of conduct” to strengthen the cybersecurity of “companies that increasingly rely on the Internet to do business.” The report notes that “cyberattacks on Internet commerce, vital business sectors and government agencies have grown exponentially,” and addressing these issues in a way that “protects the tremendous economic and social value of the Internet, without stifling innovation, requires a fresh look at Internet policy.”

The Internet’s vulnerability to online activity attacks, including social media use, is mentioned several times in the Commerce Department report.

With the attention social network security risks are getting, it is very possible more attention will be paid by legislators, and social media compliance rules for business could follow. In the coming weeks, will be examining social networking security risks and social media compliance. Check back for information on what you need to be wary of when using this lucrative – but risky – innovation.
