Tom Olzak

Posts Tagged ‘federal’

PCI DSS is a get out of jail free card

In Business Continuity, Cybercrime, Data Security, PCI DSS, Piracy Legislation, Risk Management on April 2, 2009 at 08:21

The problem with security standards is they often are a get out of jail free card for organizations which believe in doing only the bare minimum necessary to stay out of trouble.  Some standards, like the PCI DSS, add some value when protecting sensitive information, but they don’t go far enough.  They become something management can point to and say, “See.  We’re secure.”

Apparently it takes a congressional hearing to sort this out.

The PCI standard, long touted as one of the private sector’s best attempts to regulate itself on data security, is increasingly showing signs of coming apart at the seams.

At a hearing in the U.S. House of Representatives Wednesday, federal lawmakers and representatives of the retail industry challenged the effectiveness of the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS). They claimed that the standard, which was created by the major credit card companies for use by all organizations that accept credit and debit card transactions, is overly complex and has done little thus far to stop payment-card data thefts and fraud.

Source: PCI security standard gets flayed at House hearing, Jaikumar Vijayan, Computerworld, 1 April 2009

No, Congress is certainly not the right body to control cybersecurity.  However, in this case I think they got it right by simply stating the obvious.

PCI DSS Compliance Made Easier, but Upside Down

In Data Security, PCI DSS, Risk Management on March 16, 2009 at 17:18

Most companies required to jump on the PCI DSS wagon are SMBs.  So implementing security controls to protect cardholder information is not an easy task.  And the difficulties begin when business owners and managers realize they don’t even know where to start.

The PCI Security Standards Council, using information from security breaches, security assessors, and forensics investigators, recently released a set of tools to help jumpstart the process.  Although the council’s tools are useful, I disagree with how some of the compliance tasks are prioritized.

Read the rest of this entry »

The Internet Police Cometh

In Government, Piracy Legislation on March 15, 2009 at 16:04

The French government is trying to push through legislation–and it looks like it will pass–to punish those who participate in software piracy online.

happyfeetburn

Maybe we should use the threat of space aliens next

In Business Continuity, Cyber Terrorism, Risk Management on March 14, 2009 at 04:00

I read a shload of feeds every day, and the one thing I can always count on is reading some of the old tired assertions over, and over, and over…  Take, for example, the following:

Traditional security systems may be ineffective and become obsolete in warding off Web attacks launched by countries, according to Val Smith, founder of Attack Research. New attack trends include blog spam and SQL injections from Russia and China, Smith said during his talk at the Source Boston Security Showcase on Friday.

“Client-side attacks are where the paradigm is going,” Smith said. “Monolithic security systems no longer work.”

Hackers use Web browsers as exploitation tools to spread malware and collect sensitive information. Smith used examples from clients of his company, which analyzes and researches computer attacks, to demonstrate the threat posed by blog spam and SQL attacks.

Source: Foreign Web Attacks Change Security Paradigm, Fred O’Connor, CIO, 13 March 2009

Read the rest of this entry »

The DoD still doesn’t get it

In FISMA Audit, Government on March 11, 2009 at 07:28

The U.S. Office of Management and Budget (OMB) released the 2008 FISMA grades for Federal agencies.  FISMA contains regulatory requirements for protecting information and critical systems managed by government agencies.  I was pleasantly surprised.

All but one agency received a grad of Satisfactory or better, including Health and Human Services.  The HHS rating is interesting because, although it has consistently received poor or failing FISMA grades over the past several years, it is responsible for enforcing the HIPAA.  For those of you who don’t have to protect health care information, the HIPAA contains pages of standards and guidelines with which those of us protecting patient information had to comply several years ago.  The only dark cloud in this FISMA report hovered over the Department of Defense.

Read the rest of this entry »

%d bloggers like this: