Compliance
Why Should Data Centers Have to Choose Between SSAE 16 and SOC 2?
April 17, 2012 Added by: Jon Long
Why do Data Centers Have to Choose Between SSAE 16 and SOC 2? If SSAE 16 is applied correctly, non-ICFR controls should not be included in the report. This means that at the very least Physical Security and Environmental Controls have to be removed from the SSAE 16 report...
Comments (0)
An Enterprise Compliance Dialogue
April 17, 2012 Added by: Thomas Fox
Management must “walk the talk” through both discipline and a system of rewards. The discipline must be clear and delivered decisively. The rewards must be not only direct financial remuneration but also the internal promotion of persons who do business in an ethical manner...
Comments (0)
Three Keys to the Role of a Chief Compliance Officer
April 11, 2012 Added by: Thomas Fox
There is an ongoing debate in the compliance world about whether a company can or should combine or separate the role of the CCO from that of the General Counsel. Before a company can answer this question, it must meet No. 6 of the DOJ's minimum best practices requirement...
Comments (0)
When Will PCI SSC Stop the Mobile Payment Insanity?
April 10, 2012 Added by: PCI Guru
The merchant is left to their own devices to know whether any of these mobile payment processing solutions can be trusted. I am fearful that small merchants, who are the marketing target of these solutions, will be put out of business should the device somehow be compromised...
Comments (0)
Assurance : Don't Worry, I've Got This...
April 06, 2012 Added by: Jon Long
There is nothing that changes faster than technology, and if you are not ahead of it, you are ancient history. Within the category of technology, security is at the forefront of rapid change, and there is nothing more critical to ensure that we understand as auditors...
Comments (0)
Barbara Tuchman and Compliance Programs
April 04, 2012 Added by: Thomas Fox
Compliance professionals are continually trying to get the message out at corporations. Here is some wisdom that Tuchman advocated and how it might help the compliance professional convey the essence of doing business in compliance across a corporation...
Comments (0)
Financial Institutions – Your Time is Coming
April 04, 2012 Added by: PCI Guru
Most financial institutions purchase their software applications from third party development firms. With all of the regulatory changes going on in the financial institution industry, these software firms have been focused on those regulatory changes and not PCI compliance...
Comments (0)
NIST: Technical Guidance for Evaluating Electronic Health Records
April 03, 2012 Added by: Infosec Island Admin
“This guidance can be a useful tool for EHR developers to demonstrate that their systems don’t lead to use errors... It will provide a way for developers and evaluators to objectively assess how easy their EHR systems are to learn and operate, while maximizing efficiency...”
Comments (0)
On PCI DSS Compliance Certificates
March 28, 2012 Added by: PCI Guru
All of you processors and acquiring banks that think the only proof of PCI compliance is some mystical PCI DSS Compliance Certificate, stop demanding them. They do not exist and never have. The document you need for proof of PCI compliance is the Attestation Of Compliance, period...
Comments (0)
Innovation and Compliance
March 26, 2012 Added by: Thomas Fox
Can compliance be innovative? Or can innovation inform your compliance program? Innovation in the compliance arena is key. As compliance programs mature and as companies mature in their approach to compliance, innovation will continue to lead best practices...
Comments (0)
Incident Response and PCI Compliance
March 25, 2012 Added by: Chris Kimmel
One question you should be asking your penetration testing company is, “Do you also test my incident response?” This is an important piece of PCI compliance. As stated by section 12.9 of the PCI DSS v2, a company must implement an IRP and be prepared to respond to an incident...
Comments (0)
Is a W-2 Considered PHI Under HIPAA?
March 25, 2012 Added by: Rebecca Herold
The question was framed as meaning the entire W-2 form was being “submitted” for financial assistance to pay for healthcare, so with this in mind, we will consider it as one document containing several information items that are necessarily grouped together...
Comments (0)
A Seat at the Table: Compliance in the Contract Tender Process
March 21, 2012 Added by: Thomas Fox
A mature compliance program can be a great benefit for a company, not only in evaluating risk from the compliance perspective but also in preparing the necessary steps so that if a contract is awarded, it can be executed in an efficient manner. But it must have a seat at the table...
Comments (0)
Compliance: Moving Off Dead Center
March 19, 2012 Added by: Mary Shaddock Jones
The cost of implementing a compliance program will vary; however, it isn't expensive enough to justify finding yourself in front of the DOJ explaining why you spend more money on air travel or paper clips than you do on a compliance program. Trust me, you don't want to be in that position...
Comments (0)
Understanding Cloud Security Part Two
March 14, 2012 Added by: Neira Jones
Organisations need to ask cloud providers to disclose security controls and how they are implemented, and consuming organisations need to know which controls are needed to maintain the security of their information. Lack of thoroughness can lead to detrimental outcomes...
Comments (0)
What They Don't Teach You in "Thinking Like the Enemy" Classes
March 06, 2012 Added by: Pete Herzog
The enemy is not homogenous. Just like there is not just one foreign language, there is not one type of enemy. Among those enemy attackers, not all think alike. Even those joined together under a common mission or goal, there is often division in how to accomplish that goal...
Comments (1)