Posts Tagged ‘awareness and training’

Addressing Application Vulnerabilities With PCI DSS Log Management Compliance

Wednesday, April 16th, 2008

The third and final paper in my PCI DSS log management compliance series is now available!
I encourage you to download the much nicer-looking formatted PDF version. 🙂
However, the following is the unformatted version of “Addressing Application Vulnerabilities with PCI Log Management Compliance”…


Great New Risk Management Document From The U.S. GAO

Tuesday, April 15th, 2008

There is a new document from the U.S. Government Accountability Office (GAO), “STRENGTHENING THE USE OF RISK MANAGEMENT PRINCIPLES IN HOMELAND SECURITY.”
It includes discussions of current risk management practices from non-government industries that are really quite interesting, not to mention some great risk management ideas and descriptions of risk management practices.
Check it out!

Privacy and Security Lost And Found

Monday, April 14th, 2008

Today I’ve been participating in a very interesting discussion on the Security Catalyst Community about a project that Scott Wright is doing with Honey Sticks at his site.
Part of the discussion led to the possibility that one of the Honey Sticks that Scott had planted in a hotel, and had been “activated,” may have been turned in to the hotel’s lost and found.


Policy VALUE versus Policy COST

Sunday, April 13th, 2008

I’ve been doing a lot of student grading for the Norwich MSIA program, along with a lot of communications with folks new to information security and privacy over the past several years. Policy cost versus policy value has been a frequently occurring topic throughout many of those conversations, and I just wanted to get it out of my mind and on the blog, perhaps to reference later…


Effectively Working with IT Auditors

Thursday, April 10th, 2008

The April edition of my “IT Compliance in Realtime” e-journal is now available!
There are three papers within this month’s issue. The first is, “Effectively Working with IT Auditors.”
Communicating well with your IT auditors will help ensure that your audit goes smoothly and provides as much value as possible for your business. Within this article I explain what to ask for before, during, and after your audit.
Download the PDF version of the e-journal to get not only the nicest-looking version of the article, along with the information in tables and the additional short items I included in sidebar boxes throughout the article, but also all three of the articles I wrote for this month.
The following is an unformatted version of “Effectively Working with IT Auditors”…


Striving For PCI DSS Log Management Compliance Also Helps To Identify Attacks From The Outside

Wednesday, April 9th, 2008

The second paper in my series on PCI DSS log management compliance, “Using PCI DSS Compliant Log Management To Identify Attacks From The Outside” is now available.
And, as I’ve been blogging about over the past few days, log management is about much more than systems; it is about the entire management process, including the need for policies and procedures, and for addressing how personnel review the logs and know how to interpret them.


One Word Makes A World Of Difference…To Auditors and To Practitioners

Monday, April 7th, 2008

I want to continue the discussion I started yesterday.
Is there a difference between “log management” and a “log management system”?


Misquotes and Misinformation on PCI DSS Log Management

Sunday, April 6th, 2008

I always invite feedback and comments about my articles and books. I like to know what people have found useful as well as hear how I can improve upon my writing and see if there is any more information I could have added or expanded upon.
So, I was interested to see that Dr. Anton Chuvakin read one of my recent PCI DSS logging compliance papers and posted to his blog about it.
However, he made a significant misquote and provided some misinformation, both of which make good topics for discussion…


Going Topless…I Like It!

Thursday, April 3rd, 2008

A few weeks ago I was at a meeting for a professional organization I belong to, giving a talk about privacy breach response, and the audience was great; around 40 in attendance, all visibly listening and interested and participating. I love to look and see everyone’s faces as I am talking; seeing if they are confused, in agreement, or otherwise are reacting to the ideas and recommendations I am talking about.
I was around 20 minutes into my talk when someone’s cell phone started ringing…playing a John Philip Sousa march. LOUDLY. I kept talking, and everyone was still listening…trying to listen…but the darn phone kept playing! People then started looking around…and finally I stopped and said, “Does someone need to get that?” One of the folks then reached down and answered it, and then left the room. Quite an unnecessary interruption.


Risks & Compliance: Giving Personnel Access to Their Own, And Coworkers’, Records is Generally a Bad Idea

Wednesday, April 2nd, 2008

I get several questions from folks about various information security, privacy and compliance issues. I answer all I can. Most of them are great, thought-provoking questions that help to spawn a nice discussion!
I recently got a very good and interesting question from a healthcare provider that all organizations really need to put some thought into. With this in mind, the following is the de-identified message I received, along with my slightly edited reply…
