Menu

Blogs

Showing Blog Posts: 1–10 of 82 tagged Compliance

  • Enterprise Software Security: A Confluence of Disciplines

    by Ben Rothke on January 15, 2015

    To date, most software security books have focused solely on writing secure code and educating developers on how to do that. In Enterprise Software Security: A Confluence of Disciplines, authors Kenneth van Wyk, Mark Graff, Dan Peters and Diana Burley take a different, and ultimately necessary approach. Their tactic is that treating software security as an autonomous discipline doesn’t work. With…

  • The Muddled State of Security Standards

    by John Linkous on December 22, 2014

    One of my favorite quotes—attributed to either Admiral Grace Hopper or computer science professor Andy Tanenbaum—goes something like this: "The nice thing about standards is that there are so many to choose from." It’s true in the information security world, too. Standards, Standards Everywhere! Let’s first settle what we mean by security standards. There's no shortage of recommendations on how to…

  • Three Reasons Why Employees Chafe at Security Policies

    by Christopher Burgess on December 12, 2014

    How often have you heard someone say, "We can't do it that way, because our security policies prohibit . . . " Perhaps they were discussing customer data security and the means to achieve frictionless engagement. Variants of this conversation occur every day, and if you are the chief information security officer (CISO), you need to maintain these policies. Here are three reasons why employees…

  • Security Storage: To HSM or Not To HSM?

    by Joshua Marpet on November 18, 2014

    Information security storage is necessary; without it, how would Amazon know what it is selling or what product recommendations to make? How could it store the shopper’s credit card information to make purchases with a single click? While consumers would like to think their credit card information, purchase history, and other personalized data is stored securely, that is not always the case. …

  • Measuring and Managing Information Risk: A FAIR Approach

    by Ben Rothke on October 27, 2014

    If you work in IT, you can’t go a day without some sort of data about information security and risk. Research from firms like Gartner are accepted without question; even though they can get their results from untrusted and unvetted sources. The current irrational panic around Ebola shows how people are clueless about risk. While distressing over Ebola, the media is oblivious to legitimate public…

  • Pre-review: Measuring and Managing Information Risk: A FAIR Approach

    by Ben Rothke on October 5, 2014

    Some of the music composed by Rachmaninoff had monstrously difficult parts that were full of big, fat chords. In Measuring and Managing Information Risk: A FAIR Approach, authors Jack Freund and Jack Jones have created the equivalent of an information security concert, full of big, fat chords. The book is nearly 400 pages of densely packed chords, which can lead the reader to truly understand the…

  • Compliance is Not Supposed to be Security

    by Fahmida Y. Rashid on September 17, 2014

    With all the high-profile data breaches at major retailers over the past few months, it’s really tempting to write off PCI DSS as being ineffective. It’s clearly not working, since the security standard clearly didn’t protect these companies from attack. Then again, perhaps we are looking at the standard all wrong. Businesses—and often auditors—measure their security effectiveness against PCI DSS…

  • Security Audit: The Pitfalls of Third-Party Assessments

    by John Linkous on September 9, 2014

    Everyone is aware of last year’s data breach at Target. Millions of records of cardholder data were stolen and Target is still recovering, with current costs at $148 million. What's not well-known, or openly discussed, is the behind-the-scenes conversations the company has had with its PCI assessor and the standards organization. The PCI Security Standards Council (SSC), consisting of major credit…

  • Thinking About Compliance in September

    by Fahmida Y. Rashid on September 5, 2014

    Compliance is one of those never-ending things. If the organization is not in the middle of an audit, then it is either reviewing its results or preparing for an upcoming one. That isn’t a bad thing, since the point is to be always compliant, not just sometimes. Unfortunately, compliance has a bad reputation because those regulatory activities can be so time-consuming. It may be frustrating to…

  • Security Metrics: How Are You Measuring Security?

    by Joshua Marpet on August 12, 2014

    Do you have an information security practice? How do you measure its effectiveness? By the number of tickets generated? The number of viruses found and stamped out? Or by how quiet it is?—"If they don't bother me, they must be doing their job!" Have the security metrics guidelines changed in the last few years as infosec moved away from a helpdesk mentality, towards a penetration tester's…

This document was retrieved from http://www.rsaconference.com/blogs on Sun, 25 Jan 2015 07:17:00 -0500.
© 2015 EMC Corporation. All rights reserved.