Archive for April, 2008

Privacy and Security Lost And Found

Monday, April 14th, 2008

Today I’ve been participating in a very interesting discussion on the Security Catalyst Community about a very interesting project that Scott Wright is doing with Honey Sticks at his site.
Part of the discussion led to the possibility that one of the Honey Sticks that Scott had planted in a hotel, and had been “activated,” may have been turned in to the hotel’s lost and found.


Policy VALUE versus Policy COST

Sunday, April 13th, 2008

I’ve been doing a lot of student grading for the Norwich MSIA program, along with a lot of communications with folks new to information security and privacy over the past several years. Policy cost versus policy value has been a frequently occurring topic throughout many of those conversations, and I just wanted to get it out of my mind and on the blog, perhaps to reference later…


Effectively Working with IT Auditors

Thursday, April 10th, 2008

The April edition of my “IT Compliance in Realtime” e-journal is now available!
There are three papers within this month’s issue. The first is, “Effectively Working with IT Auditors.”
Communicating well with your IT auditors will help ensure that your audit goes smoothly and provides as much value as possible for your business. within this article I explain what to ask for before, during, and after your audit.
Downlowd the PDF version of the e-journal to not only get the nicest looking version of the article, along with much information in tables and additional short items I included within sidebar boxes throughout the article, but also to get all three of the articles I wrote for this month.
The following is an unformatted version of “Effectively Working with IT Auditors”…


Striving For PCI DSS Log Management Compliance Also Helps To Identify Attacks From The Outside

Wednesday, April 9th, 2008

The second paper in my series on PCI DSS log management compliance, “Using PCI DSS Compliant Log Management To Identify Attacks From The Outside” is now available.
And, as I’ve been blogging about over the past few days, log management is about much more than systems; it is about the entire management process, and the need to have policies, procedures and address the ways in which personnel review and know how to interpret the logs.


One Word Makes A World Of Difference…To Auditors and To Practitioners

Monday, April 7th, 2008

I want to continue the discussion I started yesterday.
Is there a difference between “log management” and a “log management system”?


Misquotes and Misinformation on PCI DSS Log Management

Sunday, April 6th, 2008

I always invite feedback and comments about my articles and books. I like to know what people have found useful as well as hear how I can improve upon my writing and see if there is any more information I could have added or expanded upon.
So, I was interested to see that Dr. Anton Chuvakin read one of my recent PCI DSS logging compliance papers and posted to his blog about it.
However, he made a significant misquote and provided misinformation, which provide good topics for discussion…


Going Topless…I Like It!

Thursday, April 3rd, 2008

A few weeks ago I was at a meeting for a professional organization I belong to, giving a talk about privacy breach response, and the audience was great; around 40 in attendance, all visibly listening and interested and participating. I love to look and see everyone’s faces as I am talking; seeing if they are confused, in agreement, or otherwise are reacting to the ideas and recommendations I am talking about.
I was around 20 minutes into my talk when someone’s cell phone started ringing…playing a John Phillip Sousa march. LOUDLY. I kept talking, and everyone was still listening…trying to listen…but the darn phone kept playing! People then started looking around…and finally I stopped and said, “Does someone need to get that?” One of the folks then reached down and answered it; and then left the room. Quite an unnecessary interruption.


Risks & Compliance: Giving Personnel Access to Their Own, And Coworkers’, Records is Generally a Bad Idea

Wednesday, April 2nd, 2008

I get several questions from folks about various information security, privacy and compliance issues. I answer all I can. Most of them are great, thought-provoking questions that help to spawn a nice discussion!
I recently got a very good and interesting question from a healthcare provider that all organizations really need to put some thought into. With this in mind, the following is the de-identified message I recieved, along with my slightly edited reply…


Using PCI DSS-Compliant Log Management to Identify Insider Access Abuse

Tuesday, April 1st, 2008

Today I just finished writing the last of a three paper series, “The Essentials Series: PCI Compliance,” in which I discuss and demonstrate three ways in which meeting the PCI DSS requirements for logging also benefits businesses by putting into place log management practices that: