The second article in this month’s IT Compliance in Realtime Journal is, “Smart Business Leaders Support Log Management.”
I wrote this with an audience of information security and privacy personnel, along with IT managers, in mind.
Download the formatted PDF version to get the full content, not to mention a nicer looking document.
Here is the unformatted version…
Archive for the ‘Privacy and Compliance’ Category
Smart Business Leaders Support Effective Log Management Practices and Necessary Resources
Thursday, April 24th, 2008
My Information Security and Privacy Convergence Webcast Now Available
Wednesday, April 23rd, 2008
Yesterday the ISSA posted on their website a free webcast I did, “Information Security and Privacy Convergence”
Here is the synopsis…
Revisiting Online Medical Information Storage Houses Points To Consistent Need For *1* Federal Privacy Law
Thursday, April 17th, 2008
Last fall I blogged about Microsoft’s HealthVault, “Why Would You Trust Microsoft To Store Your Sensitive Health Information?”
It didn’t take long before Google got in on the game.
Today an interesting story ran in the New York Times, “Warning on Storage of Health Records,” that also points out the concerns with having huge amounts of health information stored in some mega-multi-services-products type of monolith company. The issues are the same for any organization storing such information, though; but putting health information in the same corporate systems that contain the records of billions of people really opens up quite a Pandora’s box of privacy breach possibilities.
Here are some excerpts from the news story that make some good points…
Addressing Application Vulnerabilities With PCI DSS Log Management Compliance
Wednesday, April 16th, 2008
The third and final paper in my PCI DSS log management compliance series is now available!
I encourage you to download the much nicer-looking formatted PDF version. 🙂
However, the following is the unformatted version of “Addressing Application Vulnerabilities with PCI Log Management Compliance”…
Privacy and Security Lost And Found
Monday, April 14th, 2008
Today I’ve been participating in a very interesting discussion on the Security Catalyst Community about a very interesting project that Scott Wright is doing with Honey Sticks at his site.
Part of the discussion led to the possibility that one of the Honey Sticks that Scott had planted in a hotel, and had been “activated,” may have been turned in to the hotel’s lost and found.
Policy VALUE versus Policy COST
Sunday, April 13th, 2008
I’ve been doing a lot of student grading for the Norwich MSIA program, along with a lot of communications with folks new to information security and privacy over the past several years. Policy cost versus policy value has been a frequently occurring topic throughout many of those conversations, and I just wanted to get it out of my mind and on the blog, perhaps to reference later…
Striving For PCI DSS Log Management Compliance Also Helps To Identify Attacks From The Outside
Wednesday, April 9th, 2008
The second paper in my series on PCI DSS log management compliance, “Using PCI DSS Compliant Log Management To Identify Attacks From The Outside,” is now available.
And, as I’ve been blogging about over the past few days, log management is about much more than systems; it is about the entire management process, and the need to have policies and procedures and to address the ways in which personnel review the logs and know how to interpret them.
One Word Makes A World Of Difference…To Auditors and To Practitioners
Monday, April 7th, 2008
I want to continue the discussion I started yesterday.
Is there a difference between “log management” and a “log management system”?
Misquotes and Misinformation on PCI DSS Log Management
Sunday, April 6th, 2008
I always invite feedback and comments about my articles and books. I like to know what people have found useful as well as hear how I can improve upon my writing and see if there is any more information I could have added or expanded upon.
So, I was interested to see that Dr. Anton Chuvakin read one of my recent PCI DSS logging compliance papers and posted to his blog about it.
However, he made a significant misquote and provided misinformation, which provide good topics for discussion…
Risks & Compliance: Giving Personnel Access to Their Own, And Coworkers’, Records is Generally a Bad Idea
Wednesday, April 2nd, 2008
I get several questions from folks about various information security, privacy and compliance issues. I answer all I can. Most of them are great, thought-provoking questions that help to spawn a nice discussion!
I recently got a very good and interesting question from a healthcare provider that all organizations really need to put some thought into. With this in mind, the following is the de-identified message I received, along with my slightly edited reply…