Compliance
Call Centers and PCI Compliance
June 28, 2012 Added by:PCI Guru
In a call center environment where operators are taking orders over the phone and accepting credit/debit cards for payment, until the card transaction is either approved or declined, we are talking pre-authorization data. Only cardholder data after authorization or decline is covered by the PCI DSS...
Comments (2)
Breaking the Enigma Code: Creating a Functioning Compliance Culture
June 25, 2012 Added by:Thomas Fox
New York Times reporter Adam Bryant recently profiled Angie Hicks, one of the co-founders of Angie’s List, who has some interesting observations on leadership that I found applicable to creating a functional compliance effort within an organization, from compliance professionals to ethical leadership...
Comments (0)
Control Systems Company Resolves Criminal Violations
June 25, 2012 Added by:Headlines
Data Systems & Solutions LLC, a company based in Reston, Virginia, that provides design, installation, maintenance, and other services at nuclear and fossil fuel power plants, has agreed to pay an $8.82 million criminal penalty to resolve FCPA compliance violations...
Comments (0)
More on PCI Scoping
June 22, 2012 Added by:PCI Guru
“At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope"...
Comments (1)
Bill Gates, the Perfect Game and Your Compliance Program
June 17, 2012 Added by:Thomas Fox
Collins has been looking at corporations for over 25 years to unlock the mystery of what makes a great company tick and discusses twelve questions that leaders must grapple with if they truly want to excel. This list is a good summary of questions that you can and should be posing to your compliance team...
Comments (0)
PCI DSS and Compliance: Just a Tick Box Exercise?
June 13, 2012
According to Neira Jones, Head of Payment Security at Barclaycard, compliance should be a natural byproduct of good risk management and information security practice...
Comments (0)
The Failure Of PCI?
June 13, 2012 Added by:PCI Guru
The biggest problem with PCI DSS standards comes down to the fact that humans are averse to being measured or assessed. Why? It makes people responsible and accountable for what they do, and few people want that sort of accountability – we all much prefer wiggle room in how our jobs are assessed...
Comments (1)
Pink Floyd’s "The Wall" and Compliance
June 12, 2012 Added by:Thomas Fox
Compliance: One of the most important things is that sometimes you just hit a brick wall. You can carefully plan a strategy, implement the planned strategy and then measure the results, but it can still fall completely flat. In other words, you hit the proverbial wall...
Comments (0)
POS Skimming: Bad News for Banks and Merchants
June 12, 2012 Added by:Robert Siciliano
EFTPOS skimming — which stands for “electronic funds transfers at the point of sale” — involves either replacing the self-swipe point of sale terminals at cash registers with devices that record credit and debit card data, or remotely hacking a retailer’s POS server...
Comments (0)
We Hope SOC 2 Fails...
June 11, 2012
SOC 2 has the potential to unify the risk assurance industry by consolidating multiple audits, standards, and compliance requirements under one umbrella engagement. However, if the market is allowed to define anything as internal controls over financial reporting (ICFR), SOC 2 is destined to fail...
Comments (0)
Can You Use Dropbox for Storing Healthcare Data?
June 11, 2012 Added by:Danny Lieberman
The short answer is that you should not store PHI (protected health information) on Dropbox since they share data with third party applications and service providers - but the real reason is you should not use Dropbox for sharing information with patients is simply that it is not private by design...
Comments (0)
PCI’s Money Making Cash Cow Not So Good for the Industry
June 07, 2012 Added by:Andrew Weidenhamer
The level of scrutiny the PCI DSS has been subject to the last couple of years has been bad enough to accentuate it with the advent of the ISA program. The false sense of confidence the ISA program gives individuals is insanely bad for the industry. Like any other certification, the test isn’t difficult..
Comments (1)
How to Keep Healthcare Secrets Online
June 06, 2012 Added by:Danny Lieberman
When we share medical information with our healthcare provider, we trust their information security as being strong enough to protect our medical information from a data breach. Certainly – as consumers of healthcare services, it’s impossible for us to audit the effectiveness of their security portfolio...
Comments (0)
How the DOJ Looks at Compliance Programs Part 2
May 31, 2012 Added by:Thomas Fox
The ABA Primer notes that an effective compliance program consists of documentation that an organization “exercise[s] due diligence to prevent and detect criminal conduct; and otherwise promote[s] an organizational culture that encourages ethical conduct and a commitment to compliance with the law”...
Comments (0)
FTC MySpace Settlement: Say What You Do and Do What You Say
May 30, 2012 Added by:David Navetta
The settlement bars MySpace from making future misrepresentations regarding the extent to which it protects users’ personal information, requires it to implement a comprehensive privacy program and requires it to undergo biennial, independent, third party privacy assessments for the next 20 years...
Comments (0)
NIST Workshop: Safeguarding Health Information
May 30, 2012 Added by:Infosec Island Admin
The HIPAA Security Rule sets federal standards to protect the confidentiality, integrity and availability of electronic protected health information by requiring HIPAA covered entities and their business associates to implement and maintain administrative, physical and technical safeguards...
Comments (0)
- Improving Security by Failing Faster
- BYOD: Should It Be the Wave of the Future?
- Trend Micro Discovers "SafeNet" - a New Targeted Espionage Operation Online
- Managing My Company’s Security is a Nightmare
- Bridging the Cybersecurity Divide, Why Security Innovation Must Lead the Way
- The Evolution of Industrial Control System Information Sharing
- ATM Security (And Really Learning from the Past)
- Complimentary IT Security Resources [May 13, 2013]
- Steps Toward Weaponizing the Android Platform
- Mobile Security Processes Could Be Applied to Medical Devices: Bluebox