Blogs

Showing Blog Posts: 1–10 of 80 tagged Compliance

  • Three Reasons Why Employees Chafe at Security Policies

    by Christopher Burgess on December 12, 2014

    How often have you heard someone say, "We can't do it that way, because our security policies prohibit . . . " Perhaps they were discussing customer data security and the means to achieve frictionless engagement. Variants of this conversation occur every day, and if you are the chief information security officer (CISO), you need to maintain these policies. Here are three reasons why employees…

  • Security Storage: To HSM or Not To HSM?

    by Joshua Marpet on November 18, 2014

    Information security storage is necessary; without it, how would Amazon know what it is selling or what product recommendations to make? How could it store the shopper’s credit card information to make purchases with a single click? While consumers would like to think their credit card information, purchase history, and other personalized data is stored securely, that is not always the case. …

  • Measuring and Managing Information Risk: A FAIR Approach

    by Ben Rothke on October 27, 2014

If you work in IT, you can’t go a day without some sort of data about information security and risk. Research from firms like Gartner is accepted without question, even though they can get their results from untrusted and unvetted sources. The current irrational panic around Ebola shows how people are clueless about risk. While distressing over Ebola, the media is oblivious to legitimate public…

  • Pre-review: Measuring and Managing Information Risk: A FAIR Approach

    by Ben Rothke on October 5, 2014

    Some of the music composed by Rachmaninoff had monstrously difficult parts that were full of big, fat chords. In Measuring and Managing Information Risk: A FAIR Approach, authors Jack Freund and Jack Jones have created the equivalent of an information security concert, full of big, fat chords. The book is nearly 400 pages of densely packed chords, which can lead the reader to truly understand the…

  • Compliance is Not Supposed to be Security

    by Fahmida Y. Rashid on September 17, 2014

    With all the high-profile data breaches at major retailers over the past few months, it’s really tempting to write off PCI DSS as being ineffective. It’s clearly not working, since the security standard clearly didn’t protect these companies from attack. Then again, perhaps we are looking at the standard all wrong. Businesses—and often auditors—measure their security effectiveness against PCI DSS…

  • Security Audit: The Pitfalls of Third-Party Assessments

    by John Linkous on September 9, 2014

Everyone is aware of last year’s data breach at Target. Millions of records of cardholder data were stolen and Target is still recovering, with current costs at $148 million. What's not well-known, or openly discussed, are the behind-the-scenes conversations the company has had with its PCI assessor and the standards organization. The PCI Security Standards Council (SSC), consisting of major credit…

  • Thinking About Compliance in September

    by Fahmida Y. Rashid on September 5, 2014

    Compliance is one of those never-ending things. If the organization is not in the middle of an audit, then it is either reviewing its results or preparing for an upcoming one. That isn’t a bad thing, since the point is to be always compliant, not just sometimes. Unfortunately, compliance has a bad reputation because those regulatory activities can be so time-consuming. It may be frustrating to…

  • Security Metrics: How Are You Measuring Security?

    by Joshua Marpet on August 12, 2014

    Do you have an information security practice? How do you measure its effectiveness? By the number of tickets generated? The number of viruses found and stamped out? Or by how quiet it is?—"If they don't bother me, they must be doing their job!" Have the security metrics guidelines changed in the last few years as infosec moved away from a helpdesk mentality, towards a penetration tester's…

  • Security Awareness: Applying Practical Security in Your World

    by Ben Rothke on July 22, 2014

Security awareness is a vital part of information security. Just how important is it? In September, the 10-day SANS Security Awareness Summit 2014 will cover every aspect of the topic. For those who want to get an appreciation for the topic but can’t make it to Dallas for the Summit, Security Awareness: Applying Practical Security in Your World is a good resource for the reader who wants both an…

  • Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity

    by Ben Rothke on June 16, 2014

Having worked at the same consulting firm and also on a project with author J.J. Stapleton (yes, that was full disclosure), I knew he was a really smart guy. In Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity, Stapleton shows how broad his security knowledge is to the world. When it comes to the world of encryption and cryptography, Stapleton has had his hand…

This document was retrieved from http://www.rsaconference.com/blogs on Thu, 18 Dec 2014 16:40:09 -0500.
© 2014 EMC Corporation. All rights reserved.