Posts Tagged ‘PCI DSS’
Thursday, April 10th, 2014
In the past couple of weeks I’ve gotten a couple dozen questions from my clients that are small to midsized covered entities (CEs) or business associates (BAs) under HIPAA, in addition to several small to midsized start-ups that provide services in other industries. And, while some of these concerns are arising out of completely erroneous advice, regrettably, some of the questions resulted from my own mea culpa of writing a confusing sentence in my last blog post, for which I’ve since provided a clarification within it. (Lesson: I need to spend more time double-checking/editing text prior to posting after doing edits to cut the length.) I apologize for any confusion or alarm that may have arisen as a result.
However, this does provide a good opportunity to examine in more depth the compliance issues related to Windows XP use, and the related questions I’ve received. The following are the most common questions I’ve answered in the past several days. (more…)
Tags:awareness, compliance, cybersecurity, data protection, HIPAA, IBM, Information Security, infosec, midmarket, non-compliance, PCI DSS, personal information identifier, personal information item, PI, PII, policies, privacy, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, surveillance, training, upgrade, Windows XP, XP upgrade
Posted in HIPAA | No Comments »
Monday, June 8th, 2009
There has been much written in the past week about Merrick Bank suing the audit firm Savvis over a breach that occurred at CardSystems in 2005, even though Savvis had given CardSystems passing marks in the 2004 audit that Merrick Bank hired it to perform to ensure CardSystems was following Visa’s Cardholder Information Security Program (CISP), a forerunner of the current PCI DSS. Savvis found that CardSystems was following the CISP requirements. Within a year of the audit, CardSystems experienced a major breach that essentially put it out of business.
I have had the great privilege to work as an IT auditor early in my career, for a while as an internal auditor at a large multi-national financial and insurance company, and then doing periodic audits since in various organizations in a wide range of industries. All wonderful learning experiences!
There are a couple of important points that the judge in this situation should consider, and the lawyers in this case should understand:
(more…)
Tags:awareness and training, CardSystems, CISP, Information Security, IT compliance, IT training, Merrick Bank, PCI DSS, policies and procedures, privacy training, risk management, Savvis, security training
Posted in Information Security, Privacy and Compliance | 1 Comment »
Tuesday, December 2nd, 2008
{Wow…love a chance to use 3 initialisms in a row… 🙂 }
Over the past week I have been getting my holiday shopping done, almost entirely online. I love to find unique stores, often small and medium sized businesses (SMBs) with interesting items, and I found one small store in Florida that makes some great, creative photo items at a reasonable price. Their online site was a little hard to navigate, though, so I spent a little time doing a bit of research about the store. They have been around since the 1980s, and I could find no complaints about them. Their order form encrypted the input, but it was hard to figure out how to fill it in; I couldn’t get more than one photo uploaded to order more than one ornament, coffee mug, etc., at one time…
(more…)
Tags:awareness and training, credit card security, ecommerce security, email security, Information Security, IT compliance, IT training, PCI DSS, policies and procedures, privacy training, risk management, security training
Posted in Information Security, Laws & Regulations | 1 Comment »
Wednesday, April 16th, 2008
The third and final paper in my PCI DSS log management compliance series is now available!
I encourage you to download the much nicer-looking formatted PDF version. 🙂
However, the following is the unformatted version of “Addressing Application Vulnerabilities with PCI Log Management Compliance”…
(more…)
Tags:awareness and training, Information Security, IT compliance, Kevin Beaver, log compliance, log management, PCI DSS, policies and procedures, risk management, security awareness, security training
Posted in Information Security, Privacy and Compliance | No Comments »
Wednesday, April 9th, 2008
The second paper in my series on PCI DSS log management compliance, “Using PCI DSS Compliant Log Management To Identify Attacks From The Outside” is now available.
And, as I’ve been blogging about over the past few days, log management is about much more than systems; it is about the entire management process, and the need for policies and procedures that address how personnel review the logs and know how to interpret them.
(more…)
Tags:awareness and training, certify, compliant, Information Security, IT compliance, log management, PCI DSS, policies and procedures, QSA, risk management, security awareness, security training
Posted in Privacy and Compliance | No Comments »
Monday, April 7th, 2008
I want to continue the discussion I started yesterday.
Is there a difference between “log management” and a “log management system”?
(more…)
Tags:Anton Chuvakin, awareness and training, certify, compliant, HIPAA, Information Security, IT compliance, log management, PCI DSS, policies and procedures, QSA, risk management, security awareness, security training
Posted in Information Security, Privacy and Compliance | No Comments »
Sunday, April 6th, 2008
I always invite feedback and comments about my articles and books. I like to know what people have found useful as well as hear how I can improve upon my writing and see if there is any more information I could have added or expanded upon.
So, I was interested to see that Dr. Anton Chuvakin read one of my recent PCI DSS logging compliance papers and posted to his blog about it.
However, he made a significant misquote and provided misinformation, which provide good topics for discussion…
(more…)
Tags:Anton Chuvakin, awareness and training, certify, compliant, HIPAA, Information Security, IT compliance, log management, PCI DSS, policies and procedures, QSA, risk management, security awareness, security training
Posted in Privacy and Compliance | 2 Comments »
Tuesday, April 1st, 2008
Today I just finished writing the last of a three-paper series, “The Essentials Series: PCI Compliance,” in which I discuss and demonstrate three ways in which meeting the PCI DSS requirements for logging also benefits businesses by putting into place log management practices that:
(more…)
Tags:awareness and training, Information Security, insider threat, IT compliance, log management, PCI DSS, policies and procedures, risk management, security awareness, security training
Posted in Information Security, Privacy and Compliance | No Comments »
Wednesday, November 7th, 2007
The PCI Security Standards Council announced today the release of a draft of a new standard for payment application software, the Payment Application Data Security Standard (PA-DSS).
(more…)
Tags:awareness and training, Information Security, IT compliance, PA-DSS, PCI DSS, PCI Security Standards Council, policies and procedures, privacy, risk management, security training
Posted in Information Security | No Comments »
Sunday, October 28th, 2007
One of the basic privacy principles is to limit the collection of personally identifiable information (PII) to only that which is necessary for the business purpose for which it is being collected. These privacy principles, built largely around the OECD privacy principles, are the basis for most data protection and privacy laws throughout the world.
(more…)
Tags:awareness and training, ID theft, identity theft, Information Security, IT compliance, OECD, PCI DSS, policies and procedures, privacy, privacy principles, privacy training, risk management, security training, SSN
Posted in Information Security, Privacy and Compliance, Training & awareness | No Comments »