Items Tagged with "Security Audits"

Why Data Centers Don't Need SSAE 16

August 24, 2011 Added by: David Barton

I agree that DCs provide certain fundamental general controls that may impact the systems that are maintained there. But even those general controls do not constitute Internal Controls over Financial Reporting (ICFR) which is clearly a requirement for performing a SOC 1 (SSAE 16) review...

Comments (9)

Auditing: Remote Access Security in 2011

August 15, 2011 Added by: Enno Rey

When the standards were written, endpoints were supposed to be mostly company managed Windows systems. In the meantime most organizations face an unmanaged mess composed of a growing number of smartphones and tablets, some company managed, while some are predominantly free floating...

Comments (0)

How Cyrano de Bergerac Portends the Compliance Assessment

August 06, 2011 Added by: Thomas Fox

Enhanced Compliance Obligations build upon concepts which have been articulated for some time. By utilizing the annual compliance assessment a company can more nimbly move towards a best practices program by determining if it currently has these concepts incorporated into the program...

Comments (0)

Native Auditing In Modern Relational Database Management

August 03, 2011 Added by: Alexander Rothacker

Modern databases provide powerful built-in auditing capabilities that are often underestimated. There are downsides of native auditing like the ability for a malicious user to manipulate the audit trail. Overall, this feature allows customers to monitor database activity at a very granular level...

Comments (3)

Some Opinions On PCI Self-Assessment Questionnaires

July 12, 2011 Added by: PCI Guru

Since there are multiple ways to conduct a transaction, no single SAQ will cover all of these transaction methods. And since an organization is only supposed to fill out and submit one SAQ to their acquiring bank, the question becomes, which SAQ should the organization use?

Comments (0)

Infosec and Internal Audit Working Together

July 11, 2011 Added by: Robb Reck

The difference between security and internal audit is slight, but significant. We are both looking to address risk, but security is considered a part of the business, and audit must be an impartial third party. By working together both teams can become better at what they do...

Comments (3)

What is a Kernel Level Audit Trail?

July 11, 2011 Added by: Jamie Adams

Few people understand how audit records are generated or the difference between a kernel level audit trail and an application event log. It is critical to configure auditing and logging mechanisms to capture the right data and to safeguard that data so it cannot be modified...

Comments (0)

Cynical Security Cliches

June 17, 2011 Added by: Javvad Malik

Auditors are always trying to pin something on security departments. They’ll doggedly pursue every lead, using their statement of work as an all-access pass to the security procedures. Worse, the cynic can even find himself becoming a chief suspect in his own investigation...

Comments (1)

Cloud Computing, Security, and You

June 16, 2011 Added by: Global Knowledge

There are many benefits of cloud computing, yet cloud computing also brings significant security concerns when moving critical applications and sensitive data to public and shared cloud environments. Here are five things to keep in mind when considering cloud based services...

Comments (0)

PCI Self-Assessment Questionnaires

June 09, 2011 Added by: PCI Guru

Where most organizations go wrong with the original SAQ C is when they have an integrated POS that connects back to a corporate network. Remote management is allowed in this environment, but the entity that remotely connects must not have uncontrolled access to the POS environment...

Comments (0)

Draft PCI DSS v2.0 “Scorecard” Released

May 18, 2011 Added by: PCI Guru

The biggest change I have found thus far is the removal of the requirement to observe network traffic, as the Network Monitoring column is gone. Prior to this point, QSAs were required to obtain network traffic via Wireshark or a similar tool to prove that network traffic is encrypted...

Comments (0)

How to Use Your FCPA Audit

May 18, 2011 Added by: Thomas Fox

In short, do not be afraid of the results and use Paul McNulty’s maxims of “what did you find” and “what did you do about it”. After you have completed the FCPA audit, what steps should you take? This post will explore some of the issues related to the evaluation and response...

Comments (0)

Auditing Security, Measuring Risk, and Promoting Compliance

May 11, 2011 Added by: Ben Rothke

In most corporate networks today, the perimeter has been significantly collapsed. If you compound that with increased connectivity, third-party access, and then bring in advanced persistent threats into the equation, it is no longer a simple endeavor to protect a network...

Comments (0)

Does ISO 27001 Mean That Information is 100% Secure?

May 10, 2011 Added by: Dejan Kosutic

ISO 27001 certification guarantees that the company complies with the standard and with its own security rules; it guarantees that the company has taken all the relevant security risks into account and that it has undertaken a comprehensive approach to resolve major risks...

Comments (1)

PCI QSA Re-Certification – 2011 Edition

May 10, 2011 Added by: PCI Guru

Regardless of whether or not software is PA-DSS certified, the bottom line is that a QSA is going to be required to assess the application for compliance with the PCI DSS and will have more work effort if the software is not PA-DSS certified...

Comments (0)

PCI Security Compliance: Q and A with Anton Chuvakin

April 22, 2011 Added by: Anton Chuvakin

PCI DSS and other PCI standards were intended as a baseline set of security practices, not as a comprehensive, upper limit on security. For various reasons, it is hard for many organizations to understand that. What results is a false sense of security and a mistaken sense of betrayal...

Comments (0)