Blog Posts Tagged with "Security Audits"

959779642e6e758563e80b5d83150a9f

Case Study: SOX IT Compliance

December 01, 2011 Added by:Danny Lieberman

We performed a Sarbanes-Oxley IT top down security assessment for a NASDAQ-traded advanced technology company to evaluate internal and external threats that impact the company’s information assets. Using Business Threat Modeling, a practical threat analysis model was constructed...

Comments  (0)

69dafe8b58066478aea48f3d0f384820

Bank Executive Pleads Guilty to Stealing Nearly $2 Million

December 01, 2011 Added by:Headlines

"Walker... withdrew money from a line of credit in the name of a trust that held an account at Farmers and Merchants. To cover up the scheme, Walker made interest payments on the money supposedly loaned to the trust. Walker will face a maximum sentence of 30 years in federal prison..."

Comments  (0)

9259e8d30306ac2ef4c5dd1936e67634

ISO 27002 – What Will the Next Revision Bring?

November 27, 2011 Added by:Dejan Kosutic

This most important link between ISO 27001 and ISO 27002 – identical structure of ISO 27001 Annex A and ISO 27002 controls – will most likely still be included in new revisions of both standards. However, the way it is structured and the individual controls will most probably change...

Comments  (0)

9fbacd2502ce5f91a25f722d8dfe2933

Five Key Aspects of a Good Infosec Risk Assessment

November 25, 2011 Added by:Albert Benedict

Because they are consistent and repeatable, current risk assessment results can be compared to previous years’ results to see if there was any growth. You can also compare the client’s status to other companies of similar size and stature to show them where they stand...

Comments  (0)

69dafe8b58066478aea48f3d0f384820

GAO Report: IRS Security Controls Continue to Languish

November 16, 2011 Added by:Headlines

The "IRS did not, in GAO’s opinion, maintain effective internal control over financial reporting... These issues increase the risk of unauthorized individuals accessing, altering, or abusing proprietary IRS programs and electronic data and taxpayer information,” the report contends...

Comments  (0)

Ad5130e786d13531cc0f2cde32dacd0f

Changing the Landscape of Pentesting

October 11, 2011 Added by:Andrew Weidenhamer

Today’s market has become diluted with companies and individuals claiming they can perform penetration assessments - if you don’t believe me attend Defcon once. Organizations need to have a better understanding as to how these hired service providers are actually performing these assessments...

Comments  (4)

Ad5130e786d13531cc0f2cde32dacd0f

The Holy Grail and the PA-DSS Implementation Guide

October 04, 2011 Added by:Andrew Weidenhamer

As a QSA it is very frustrating to walk in, ask the merchant for the PA-DSS Implementation Guide, and receive a glazed over eye look. It's even more frustrating when you then ask the Vendor/Reseller for the Implementation Guide and they look at you as if you have three heads....

Comments  (0)

7fef78c47060974e0b8392e305f0daf0

Strutting and Fretting Upon the Security Stage: The Playing Field

September 22, 2011 Added by:Infosec Island Admin

There are too many ways that a company can open itself up to vulnerabilities. It takes a rounded approach to do the due diligence for that company’s security posture. The information security business has become a leviathan of competing entities from the quacks to the bleeding edge...

Comments  (1)

Fc152e73692bc3c934d248f639d9e963

It is Time to Address PCI Compliance Reporting

September 22, 2011 Added by:PCI Guru

The QA process: it all comes down to having used the correct language in responding to the ROC, rather than whether or not you actually assessed the right things. To add insult to injury, the PCI SSC advises QSACs to develop a template for the ROC with all the correct language written and proofed...

Comments  (3)

0a8cae998f9c51e3b3c0ccbaddf521aa

Auditing vs. Secure Software - An Inconvenient Argument

September 19, 2011 Added by:Rafal Los

You may have missed one of the strangest exchanges I think I've seen in a long while. An out-of-the-blue scathing blog post by Oracle's CSO prompted a swift response from VeraCode's Chief Technology and Security Officer. What brought this on is anyone's guess...

Comments  (0)

7fef78c47060974e0b8392e305f0daf0

Strutting and Fretting Upon the Security Stage: The Players

September 16, 2011 Added by:Infosec Island Admin

There will always be elements within the company with impetus to not take your advice on security matters and maybe even give you a large amount of pushback. This is especially true of any company that has little to no security posture to start with. So who are the key client players?

Comments  (1)

6429389c5e8a4c9555be876f8484331a

Guide: How to Pass an IT Audit

September 01, 2011 Added by:Sasha Nunke

The purpose of this document is to pass along tips we learned that may be useful as you consider adopting QualysGuard PC. This guide covers the steps and procedures to passing an IT GRC audit — as told by an enterprise end-user who deployed QualysGuard Policy Compliance...

Comments  (0)

8fcd3af85e00d8db661be6a882c6442b

Why Data Centers Don't Need SSAE 16

August 24, 2011 Added by:david barton

I agree that DCs provide certain fundamental general controls that may impact the systems that are maintained there. But even those general controls do not constitute Internal Controls over Financial Reporting (ICFR) which is clearly a requirement for performing a SOC 1 (SSAE 16) review...

Comments  (9)

0f57a863af3b7e5bf59a94319a408ff7

Auditing: Remote Access Security in 2011

August 15, 2011 Added by:Enno Rey

When the standards were written, endpoints were supposed to be mostly company managed Windows systems. In the meantime most organizations face an unmanaged mess composed of a growing number of smartphones and tablets, some company managed, while some are predominantly free floating...

Comments  (0)

59d9b46aa00c70238bb89056cfeb96c0

How Cyrano de Bergerac Portends the Compliance Assessment

August 06, 2011 Added by:Thomas Fox

Enhanced Compliance Obligations build upon concepts which have been articulated for some time. By utilizing the annual compliance assessment a company more nimbly move towards a best practices program by determining if it currently has these concepts incorporated into the program...

Comments  (0)

B451da363bb08b9a81ceadbadb5133ef

Native Auditing In Modern Relational Database Management

August 03, 2011 Added by:Alexander Rothacker

Modern databases provide powerful built-in auditing capabilities that are often underestimated. There are downsides of native auditing like the ability for a malicious user to manipulate the audit trail. Overall, this feature allows customers to monitor database activity at a very granular level...

Comments  (3)

Page « < 1 - 2 - 3 - 4 - 5 > »