Blog Posts Tagged with "Security Audits"
Some Opinions On PCI Self-Assessment Questionnaires
July 12, 2011 Added by: PCI Guru
Since there are multiple ways to conduct a transaction, no single SAQ will cover all of these transaction methods. And since an organization is only supposed to fill out and submit one SAQ to their acquiring bank, the question becomes, which SAQ should the organization use?
Comments (0)
Infosec and Internal Audit Working Together
July 11, 2011 Added by: Robb Reck
The difference between security and internal audit is slight, but significant. We are both looking to address risk, but security is considered a part of the business, and audit must be an impartial third party. By working together both teams can become better at what they do...
Comments (3)
What is a Kernel Level Audit Trail?
July 11, 2011 Added by: Jamie Adams
Few people understand how audit records are generated or the difference between a kernel level audit trail and an application event log. It is critical to configure auditing and logging mechanisms to capture the right data to safeguard the data to prevent it from being modified...
Comments (0)
Cynical Security Cliches
June 17, 2011 Added by: Javvad Malik
Auditors are always trying to pin something on security departments. They’ll doggedly pursue every lead, using their statement of work as an all-access pass to the security procedures. Worse, the cynic can even find himself becoming a chief suspect in his own investigation...
Comments (1)
Cloud Computing, Security, and You
June 16, 2011 Added by: Global Knowledge
There are many benefits of cloud computing, yet cloud computing also brings significant security concerns when moving critical applications and sensitive data to public and shared cloud environments. Here are five things to keep in mind when considering cloud based services...
Comments (0)
PCI Self-Assessment Questionnaires
June 09, 2011 Added by: PCI Guru
Where most organizations go wrong with the original SAQ C is when they have an integrated POS that connects back to a corporate network. Remote management is allowed in this environment, but the entity that remotely connects must not have uncontrolled access to the POS environment...
Comments (0)
Draft PCI DSS v2.0 “Scorecard” Released
May 18, 2011 Added by: PCI Guru
The biggest change I have found thus far is the removal of the requirement to observe network traffic, as the Network Monitoring column is gone. Prior to this point, QSAs were required to obtain network traffic via Wireshark or a similar tool to prove that network traffic is encrypted...
Comments (0)
How to Use Your FCPA Audit
May 18, 2011 Added by: Thomas Fox
In short, do not be afraid of the results and use Paul McNulty’s maxims of “what did you find” and “what did you do about it”. After you have completed the FCPA audit, what steps should you take? This post will explore some of the issues related to the evaluation and response...
Comments (0)
Auditing Security, Measuring Risk, and Promoting Compliance
May 11, 2011 Added by: Ben Rothke
In most corporate networks today, the perimeter has been significantly collapsed. If you compound that with increased connectivity, third-party access, and then bring in advanced persistent threats into the equation, it is no longer a simple endeavor to protect a network...
Comments (0)
Does ISO 27001 Mean That Information is 100% Secure?
May 10, 2011 Added by: Dejan Kosutic
ISO 27001 certification guarantees that the company complies with the standard and with its own security rules; it guarantees that the company has taken all the relevant security risks into account and that it has undertaken a comprehensive approach to resolve major risks...
Comments (1)
PCI QSA Re-Certification – 2011 Edition
May 10, 2011 Added by: PCI Guru
Regardless of whether or not software is PA-DSS certified, the bottom line is that a QSA is going to be required to assess the application for compliance with the PCI DSS and will have more work effort if the software is not PA-DSS certified...
Comments (0)
PCI Security Compliance: Q and A with Anton Chuvakin
April 22, 2011 Added by: Anton Chuvakin
PCI DSS and other PCI standards were intended as a baseline set of security practices, not as a comprehensive, upper limit on security. For various reasons, it is hard for many organizations to understand that. What results is a false sense of security and a mistaken sense of betrayal...
Comments (0)
Nuclear Research Facility Lacks Adequate Cyber Security
April 21, 2011 Added by: Headlines
"Without improvements, the weaknesses identified may limit program and site-level officials' ability to make informed risk-based decisions that support the protection of classified information and the systems on which it resides," a federal audit concluded...
Comments (0)
Detailed FISMA Logging Guidance Continued
April 18, 2011 Added by: Anton Chuvakin
Configuring tools needs to happen after the policy is created. Goals first, infrastructure choices second. In case of privacy and other regulations on top of FISMA, the legal department should also have their say, however unpalatable it may be to the security team...
Comments (0)
Detailed FISMA Logging Guidance
April 14, 2011 Added by: Anton Chuvakin
FISMA emphasizes the need for each Federal agency to develop, document, and implement an organization-wide program to secure the information systems that support its operations and assets. Here is what is likely needed for a successful FISMA-driven log management implementation...
Comments (0)
NASA Systems Are Still Too Vulnerable to Attack
March 31, 2011 Added by: Dan Dieterle
Serious security gaps were found at NASA during a recent audit. The fact that a government-run entity has been attacked, and then apparently ignored a plan to remedy the situation, speaks volumes about our nation's ability - or maybe better said desire - to thwart hacking attempts...
Comments (0)