Overheard in the tech blogosphere:

Compliance

Oct 20 2009   12:42PM GMT

Overheard - Shared Assessments Program



Posted by: Margaret Rouse
Compliance, compliance audit, IT controls
“One of the big issues everyone faced, especially on the service provider side, was the inconsistency in the level of questions and controls clients looked at. This sets the standard and a baseline so everyone is looking at pretty much the same types of controls…You remove inconsistency and raise the overall bar of information security.”

Charlie Miller, as quoted in Shared Assessments aims to ease third-party security evaluations

Today’s WhatIs.com Word of the Day is Shared Assessments Program.

Sep 22 2009   2:23PM GMT

Overheard - FISMA and ICE



Posted by: Margaret Rouse
FISMA, Compliance, ICE, Security
“The new FISMA requirements call for government agencies and DoD contractors to comply with a set of prioritized controls that reflect their ability to detect and stop cyberattacks.”

Alexander B. Howard, ICE Act would restructure cybersecurity rule, create White House post

Today’s WhatIs.com Word of the Day is FISMA.


Sep 14 2009   5:32PM GMT

Overheard - PCI compliance



Posted by: Margaret Rouse
Compliance, PCI compliance, PCI compliance DSS
“In our view, if you peel off all the layers around the PCI Data Security Standards, you will see it for what it is in significant part, a tool to shift risk off the banks’ and credit card companies’ balance sheets and place it on others.”

Dave Hogan, as quoted in Cybersecurity hearing highlights inadequacy of PCI DSS

Today’s WhatIs.com Word of the Day is PCI compliance.


Jul 14 2009   2:22PM GMT

Overheard - Defining parameters for data encryption



Posted by: Margaret Rouse
Mark Wright, Massachusetts 201 CMR 17.00, data encryption, Privacy, consumer protection, Compliance

“Massachusetts is taking data encryption regulation to the next level by actually defining what is meant by encryption, and this definition includes all data that is in transition, in storage and on portable devices.”

Mark Wright, The Evolution of Data

From 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH / Definitions section

“Encrypted,” transformation of data through the use of a 128-bit or higher algorithmic process, or other means or process approved by the office of consumer affairs and business regulation that is at least as secure as such algorithmic process, into a form in which there is a low probability of assigning meaning without use of a confidential process or key.


May 13 2009   5:36PM GMT

PCI DSS - protecting your credit and debit cards



Posted by: Margaret Rouse
Security, Compliance, PCI DSS
The poker game continues. Get set for an all-nighter.

David Taylor, Raising the Bet: A National Payment Security Standard

Friday’s WhatIs.com Word of the Day is Payment Card Industry Data Security Standard, better known as PCI DSS. If you’ve ever had your debit card replaced without your asking, you’ve been affected by PCI DSS. The standard is managed by a consortium of credit card companies. David Taylor explains how (and why) merchants are hooking up to promote a new standard.

From its humble beginnings as an effort to rationalize and harmonize the Visa, MasterCard and AMEX security guidelines and turn them into a single standard, the PCI SSC continues to raise the bet by launching more and more standards to address different aspects of the payment security business: Payment application security (PA-DSS), PIN entry device security (PCI-PED), Hardware security modules (PCI HSM), Kiosk and ATM security (PCI UPT), etc.

Even though these standards are emerging through a participatory process, some merchants and vendors clearly see this game as “rigged” – run by the card networks, enforced by the card networks, with fines imposed by the card networks. The merchants and vendors may be allowed to offer advice; they are not “players” in the game. But now this could be changing.


Feb 10 2009   2:54PM GMT

Overheard - FCC regulations for “Identity Theft Red Flags”



Posted by: Margaret Rouse
identity theft, FCC, Compliance, knowledge-based authentication, KBA
As institutions embrace automated services such as self-service password reset for purposes of reducing costs and boosting efficiency, these services are being targeted by attackers for the relative ease with which they can be used to gain access to registered accounts.

Thomas Varghese, Addressing Red Flags compliance

The Federal Trade Commission (FTC) has instituted new regulations known as “Identity Theft Red Flags” that promise to mitigate the havoc posed by identity theft to financial institutions and their customers. Effective May 1, 2009, these new regulations require financial institutions and creditors with covered accounts to implement programs that detect, prevent, and mitigate instances of identity theft.

Under the rules, entities must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. The FTC has issued guidelines that identify 26 different red flags to assist in designing identity theft prevention programs. These red flags are not a checklist, rather examples that financial institutions and creditors can model as a reference.


Feb 6 2009   12:55PM GMT

Overheard - Avoiding common audit pitfalls



Posted by: Margaret Rouse
Compliance, change management, risk management, IT Governance
“Make no mistake — auditors will find fault with your systems, your processes, and the people who operate them. They’re auditors. It’s their job.”

Kelly Jackson Higgins, Experts share tips on how to avoid the most common pitfalls in an audit

If you missed Kelly’s article when it first came out, take a moment and read through it. I bet you’ll learn something.

Key points I want to remember:

- Two of the most common reasons for failing an audit are poor documentation and poor training programs.
- It’s all about proving that data isn’t tampered with — from inside or out.

- Manage change in a consistent manner.
- Clearly define roles and permissions.
- Know who (and where) users are, what role they play and what permissions they have.
- Align physical security with IT security.
- Be ready to demonstrate how you monitor security.
- Be ready to demonstrate how you are able to detect and act on anomalies.
- Map security processes to business processes. A checklist isn’t enough.


Sep 3 2008   11:39AM GMT

Overheard: Deduplicating data and meeting nonrepudiation compliance requirements



Posted by: Margaret Rouse
Storage, Compliance
Dedupe does not change data any more than compression changes data, or traditional file systems change data. Plain old LZ compression gives you a different output bitstream than what went in, with redundant parts removed, just like deduplication. But when you decompress the file, you get your exact original bitstream back. No information is lost.

Conventional file systems break up files into blocks and scatter those blocks across one or more disks, requiring complicated algorithms to retrieve and reassemble the data. Dedupe is no different. Nonrepudiation requirements are satisfied by the reliability and immutability of the system as a whole, deduplicating or not.

Jered Floyd, Deduplication is Not a Crime


May 13 2008   12:04AM GMT

Overheard: There’s no killer app for GRC software



Posted by: Margaret Rouse
SAP, Oracle, Compliance, risk management, governance, Technology
Most people assume that so-called GRC software – governance, risk and compliance – will continue to gather steam, as big boys like Oracle and SAP continue their marketing. It makes sense to automate compliance and risk issues, but the reality of this nascent field is that there really isn’t a single point solution.

John Hagerty, CFOs face complex GRC software decisions


Mar 4 2008   2:21AM GMT

Video: Sarbanes-Oxley explained?



Posted by: Margaret Rouse
Compliance, SOX, Video

Steven Zelin, the Singing CPA, sings a rather clever rendition of “Happy Birthday” to Sarbanes-Oxley.