Items Tagged with "Security Audits"
February 05, 2012 Added by:Norman Marks
When is the last time you saw an audit report that said management had too many controls or was not taking sufficient risk? When did you last hear a risk officer urging planners to move into a new market more quickly? The same thing applies to information security personnel...
January 10, 2012 Added by:Headlines
The rule requires contractors and subcontractors to provide details on how their products and services meet federal IT regulations. The rule also requires contractors and subcontractors to submit to audits on practices and procedures to ensure mandates are satisfied...
December 13, 2011 Added by:Rafal Los
Getting back to basics is critical, and one of the most basic of basics is managing the rights to your data, your systems, and your critical operations. Let's take a critical, step-by-step look at how managing privileges can greatly decrease your likelihood of leaking data...
December 13, 2011 Added by:Danny Lieberman
A client asked us to find a way to reduce risk exposure at the lowest cost. Using the Business Threat Modeling methodology and Practical Threat Analysis software, we were able to mitigate 80% of the total risk exposure in dollars at half the security budget proposed by the vendor....
December 01, 2011 Added by:Danny Lieberman
We performed a Sarbanes-Oxley IT top down security assessment for a NASDAQ-traded advanced technology company to evaluate internal and external threats that impact the company’s information assets. Using Business Threat Modeling, a practical threat analysis model was constructed...
December 01, 2011 Added by:Headlines
"Walker... withdrew money from a line of credit in the name of a trust that held an account at Farmers and Merchants. To cover up the scheme, Walker made interest payments on the money supposedly loaned to the trust. Walker will face a maximum sentence of 30 years in federal prison..."
November 27, 2011 Added by:Dejan Kosutic
This most important link between ISO 27001 and ISO 27002 – identical structure of ISO 27001 Annex A and ISO 27002 controls – will most likely still be included in new revisions of both standards. However, the way it is structured and the individual controls will most probably change...
November 25, 2011 Added by:Albert Benedict
Because they are consistent and repeatable, current risk assessment results can be compared to previous years’ results to see if there was any growth. You can also compare the client’s status to other companies of similar size and stature to show them where they stand...
November 16, 2011 Added by:Headlines
The "IRS did not, in GAO’s opinion, maintain effective internal control over financial reporting... These issues increase the risk of unauthorized individuals accessing, altering, or abusing proprietary IRS programs and electronic data and taxpayer information,” the report contends...
October 11, 2011 Added by:Andrew Weidenhamer
Today’s market has become diluted with companies and individuals claiming they can perform penetration assessments - if you don’t believe me attend Defcon once. Organizations need to have a better understanding as to how these hired service providers are actually performing these assessments...
October 04, 2011 Added by:Andrew Weidenhamer
As a QSA it is very frustrating to walk in, ask the merchant for the PA-DSS Implementation Guide, and receive a glazed over eye look. It's even more frustrating when you then ask the Vendor/Reseller for the Implementation Guide and they look at you as if you have three heads....
September 22, 2011 Added by:Infosec Island Admin
There are too many ways that a company can open itself up to vulnerabilities. It takes a rounded approach to do the due diligence for that company’s security posture. The information security business has become a leviathan of competing entities from the quacks to the bleeding edge...
September 22, 2011 Added by:PCI Guru
The QA process: it all comes down to having used the correct language in responding to the ROC, rather than whether or not you actually assessed the right things. To add insult to injury, the PCI SSC advises QSACs to develop a template for the ROC with all the correct language written and proofed...
September 19, 2011 Added by:Rafal Los
You may have missed one of the strangest exchanges I think I've seen in a long while. An out-of-the-blue scathing blog post by Oracle's CSO prompted a swift response from VeraCode's Chief Technology and Security Officer. What brought this on is anyone's guess...
September 16, 2011 Added by:Infosec Island Admin
There will always be elements within the company with impetus to not take your advice on security matters and maybe even give you a large amount of pushback. This is especially true of any company that has little to no security posture to start with. So who are the key client players?
September 01, 2011 Added by:Sasha Nunke
The purpose of this document is to pass along tips we learned that may be useful as you consider adopting QualysGuard PC. This guide covers the steps and procedures to passing an IT GRC audit — as told by an enterprise end-user who deployed QualysGuard Policy Compliance...