Overheard - FACTA Red Flags Rule

Compliance with the Red Flag rules must take a risk-based approach. Organizations are not given a specific set of items to implement; there is no detailed checklist. Compliance is principle-based focused on the outcome — avoiding identity theft — and not on specific requirements. Michael Rasmussen, Red Flag Rules compliance demands a risk-based approach

Today’s WhatIs.com Word of the Day is Red Flags Rule.

Overheard - Enterprise document management

Compliance is a hamster wheel of pain. Are we in compliance? -> Hire Consultant -> The Consultant Says No -> Scurry and spend -> Repeat. Alex Hutton, The Cult Of Compliance

Today’s WhatIs.com Word of the Day is enterprise document management.

Overheard - Bank Secrecy Act

FinCEN is now seeking to engage smaller to moderate size depository institutions who are working to implement the four pillars of theBank Secrecy Act regulatory regime: (1) policies, procedures and internal controls; (2) designation of a compliance officer; (3) ongoing training; and (4) independent testing. Bryan Cave Law Firm, October 2009 Client Alerts

Today’s WhatIs.com Word of the Day is Bank Secrecy Act.

Overheard - Shared Assessments Program

“One of the big issues everyone faced, especially on the service provider side was the inconsistency in the level of questions and controls clients looked at. This sets the standard and a baseline so everyone is looking at pretty much the same types of controls…You remove inconsistency and raise the overall bar of information security.” Charlie Miller, as quoted in Shared Assessments aims to ease third-party security evaluations

Today’s WhatIs.com Word of the Day is Shared Assessments Program.

Overheard - FISMA and ICE

“The new FISMA requirements call for government agencies and DoD contractors to comply with a set of prioritized controls that reflect their ability to detect and stop cyberattacks.” Alexander B. Howard, ICE Act would restructure cybersecurity rule, create White House post

Today’s WhatIs.com Word of the Day is FISMA.

Overheard - PCI compliance

“In our view, if you peel off all the layers around the PCI Data Security Standards, you will see it for what it is in significant part, a tool to shift risk off the banks’ and credit card companies’ balance sheets and place it on others.” Dave Hogan, as quoted in Cybersecurity hearing highlights inadequacy of PCI DSS

Today’s WhatIs.com Word of the Day is PCI compliance.

Overheard - Defining parameters for data encryption

From 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH / Definitions section

“Encrypted,” transformation of data through the use of a 128-bit or higher algorithmic process, or other means or process approved by the office of consumer affairs and business regulation that is at least as secure as such algorithmic process, into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

PCI DSS - protecting your credit and debit cards

The poker game continues. Get set for an all-nighter. David Taylor, Raising the Bet: A National Payment Security Standard

Friday’s WhatIs.com Word of the Day is Payment Card Industry Data Security Standard, better known as PCI DSS. If you’ve ever had your debit card replaced without your asking, you’ve been affected by PCI DSS. The standard is managed by a consortium of credit card companies. David Taylor explains how (and why) merchants are hooking up to promote a new standard.

From its humble beginnings as an effort to rationalize and harmonize the Visa, MasterCard and AMEX security guidelines and turn them into a single standard, the PCI SSC continues to raise the bet by launching more and more standards to address different aspects of the payment security business: Payment application security (PA-DSS), PIN entry device security (PCI-PED), Hardware security modules (PCI HSM), Kiosk and ATM security (PCI UPT), etc.

Even though these standards are emerging through a participatory process, some merchants and vendors clearly see this game as “rigged” – run by the card networks, enforced by the card networks, with fines imposed by the card networks. The merchants and vendors may be allowed to offer advice; they are not “players” in the game. But now this could be changing.

Overheard - FCC regulations for “Identity Theft Red Flags”

As institutions embrace automated services such as self-service password reset for purposes of reducing costs and boosting efficiency, these services are being targeted by attackers for the relative ease with which they can be used to gain access to registered accounts. Thomas Varghese, Addressing Red Flags compliance

The Federal Trade Commission (FTC) has instituted new regulations known as “Identity Theft Red Flags” that promise to mitigate the havoc posed by identity theft to financial institutions and their customers. Effective May 1, 2009, these new regulations require financial institutions and creditors with covered accounts to implement programs that detect, prevent, and mitigate instances of identity theft.

Under the rules, entities must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. The FTC has issued guidelines that identify 26 different red flags to assist in designing identity theft prevention programs. These red flags are not a checklist, rather examples that financial institutions and creditors can model as a reference.

Overheard - Avoiding common audit pitfalls

“Make no mistake — auditors will find fault with your systems, your processes, and the people who operate them. They’re auditors. It’s their job.” Kelly Jackson Higgins, Experts share tips on how to avoid the most common pitfalls in an audit

If you missed Kelly’s article when it first came out, take moment and read through it.  I bet you’ll learn something.

Key points I want to remember:

• Two of their most common reasons for failing an audit are poor documentation and poor training programs.
• It’s all about proving that data isn’t tampered with — from inside or out.

- Manage change in a consistent manner.
- Clearly define roles and permissions.
- Know who (and where) users are, what role they play and what permissions they have.
- Align physical security with IT security.
- Be ready to demonstrate how you monitor security.
- Be ready to demonstrate how you are able to detect and act on anomalies.
- Map security processes to business processes. A checklist isn’t enough.