Audit

Does compliance equate to secure?

Despite earning a living in the space, I often question the value of regulatory compliance.

How is it that a business can be PCI-compliant but still have glaring vulnerabilities?  How is it that despite layer upon layer of controls...

How’s about a federally mandated Information Security Assessment?

I had a eureka moment recently that I’d like to share.

In considering the implications of the recently announced changes by MasterCard that will now require PCI Level 2 merchants to be assessed by a Qualified Security Assessor (QSA) it occurred to me...

2 for 1 sale: How governance leads to compliance.

A while back I’d written about the Unified Compliance Framework from Network Frontiers, which takes quite literally every regulation and framework within the IT domain and maps them in such a way where you can identify how a single control addresses multiple requirements. In...

Financial regulations and my crystal ball.

I had a great piece lined up for this week about a governance project I’m working on but was waylaid by all the news that hit the radar around regulatory reform.

In what may be the understatement of the year, the plans revealed last week by President...

Risk is at the heart of what matters most.

I had two great conversations this week regarding risk assessments (jeez, does that ever sound geeky). The first conversation centered on what an associate was expecting  to accomplish via the risk assessment process and the second one was a general conversation about the proper approach to...

IT Security: Something has to give.

My practice has been busy lately helping a number of clients catch up on required tasks before their scheduled exams (it's a case of the old "if it wasn't for the last minute nothing would ever happen" philosophy).  And in authoring some of our reports we're identifying issues and gaps that are in...

Who put the G in GRC?

I’m something of an advocate for Governance, Risk and Compliance (GRC) and have been for several years.  I’ve been known to rant a bit how it’s not properly organized as an acronym because everyone who knows knows that risk comes first and so it should’ve been...

PCI compliance is not the end all

I was sitting in on a meeting this week during which a security review was being conducted for a proposed software solution for my client. The product was designed and hosted by a third-party vendor.

At first blush I was...

Keep an eye on Shared Assessments.

About thirty seconds after I posted my last blog an item on the

Why do you need policies and procedures? I’ll tell you why.

I once heard a parent say that they wished they had a dollar for every time their teen-aged child rolled their eyes at them.  I'm a parent so I get it.  But what I really wish for is to have a dollar for every time a client rolls their eyes at me when I tell them they need to have all their...