Items Tagged with "Security Audits"
Why Data Centers Don't Need SSAE 16
August 24, 2011 Added by:david barton
I agree that DCs provide certain fundamental general controls that may impact the systems that are maintained there. But even those general controls do not constitute Internal Controls over Financial Reporting (ICFR) which is clearly a requirement for performing a SOC 1 (SSAE 16) review...
Comments (9)
Auditing: Remote Access Security in 2011
August 15, 2011 Added by:Enno Rey
When the standards were written, endpoints were supposed to be mostly company managed Windows systems. In the meantime most organizations face an unmanaged mess composed of a growing number of smartphones and tablets, some company managed, while some are predominantly free floating...
Comments (0)
How Cyrano de Bergerac Portends the Compliance Assessment
August 06, 2011 Added by:Thomas Fox
Enhanced Compliance Obligations build upon concepts which have been articulated for some time. By utilizing the annual compliance assessment a company more nimbly move towards a best practices program by determining if it currently has these concepts incorporated into the program...
Comments (0)
Native Auditing In Modern Relational Database Management
August 03, 2011 Added by:Alexander Rothacker
Modern databases provide powerful built-in auditing capabilities that are often underestimated. There are downsides of native auditing like the ability for a malicious user to manipulate the audit trail. Overall, this feature allows customers to monitor database activity at a very granular level...
Comments (3)
Some Opinions On PCI Self-Assessment Questionnaires
July 12, 2011 Added by:PCI Guru
Since there are multiple ways to conduct a transaction, no single SAQ will cover all of these transaction methods. And since an organization is only supposed to fill out and submit one SAQ to their acquiring bank, the question becomes, which SAQ should the organization use?
Comments (0)
Infosec and Internal Audit Working Together
July 11, 2011 Added by:Robb Reck
The difference between security and internal audit is slight, but significant. We are both looking to address risk, but security is considered a part of the business, and audit must be an impartial third party. By working together both teams can become better at what they do...
Comments (3)
What is a Kernel Level Audit Trail?
July 11, 2011 Added by:Jamie Adams
Few people understand how audit records are generated or the difference between a kernel level audit trail and an application event log. It is critical to configure auditing and logging mechanisms to capture the right data to safeguard the data to prevent it from being modified...
Comments (0)
Cynical Security Cliches
June 17, 2011 Added by:Javvad Malik
Auditors are always trying to pin something on security departments. They’ll doggedly pursue every lead, using their statement of work as an all-access pass to the security procedures. Worse, the cynic can even find himself becoming a chief suspect in his own investigation...
Comments (1)
Cloud Computing, Security, and You
June 16, 2011 Added by:Global Knowledge
There are many benefits of cloud computing, yet cloud computing also brings significant security concerns when moving critical applications and sensitive data to public and shared cloud environments. Here are five things to keep in mind when considering cloud based services...
Comments (0)
PCI Self-Assessment Questionnaires
June 09, 2011 Added by:PCI Guru
Where most organizations go wrong with the original SAQ C is when they have an integrated POS that connects back to a corporate network. Remote management is allowed in this environment, but the entity that remotely connects must not have uncontrolled access to the POS environment...
Comments (0)
Draft PCI DSS v2.0 “Scorecard” Released
May 18, 2011 Added by:PCI Guru
The biggest change I have found thus far is the removal of the requirement to observe network traffic as the Network Monitoring column is gone. Prior to this point, QSAs were required to obtain network traffic via WireShark or similar tool to prove that network traffic is encrypted...
Comments (0)
How to Use Your FCPA Audit
May 18, 2011 Added by:Thomas Fox
In short, do not be afraid of the results and use Paul McNulty’s maxims of “what did you find” and “what did you do about it”. After you have completed the FCPA audit, what steps should you take? This post will explore some of the issues related to the evaluation and response...
Comments (0)
Auditing Security, Measuring Risk, and Promoting Compliance
May 11, 2011 Added by:Ben Rothke
In most corporate networks today, the perimeter has been significantly collapsed. If you compound that with increased connectivity, third-party access, and then bring in advanced persistent threats into the equation, it is no longer a simple endeavor to protect a network...
Comments (0)
Does ISO 27001 Mean That Information is 100% Secure?
May 10, 2011 Added by:Dejan Kosutic
ISO 27001 certification guarantees that the company complies with the standard and with its own security rules; it guarantees that the company has taken all the relevant security risks into account and that it has undertaken a comprehensive approach to resolve major risks...
Comments (1)
PCI QSA Re-Certification – 2011 Edition
May 10, 2011 Added by:PCI Guru
Regardless of whether or not software is PA-DSS certified, the bottom line is that a QSA is going to be required to assess the application for compliance with the PCI DSS and will have more work effort if the software is not PA-DSS certified...
Comments (0)
PCI Security Compliance: Q and A with Anton Chuvakin
April 22, 2011 Added by:Anton Chuvakin
PCI DSS and other PCI standards were intended as a baseline set of security practices, not as a comprehensive, upper limit on security. For various reasons, it is hard for many organizations to understand that. What results is a false sense of security and a mistaken sense of betrayal...