One of the core requirements of the ISO 27001 standard for information security is that organizations perform a formal risk assessment that identifies, analyzes and evaluates the risks facing the organization. Recent revisions to the standard removed the requirements that dictated the specific process an organization must follow to meet that obligation, but organizations adopting ISO 27001 may consider using the ISO 31000 risk management process. ISO 31000 proposes a three-stage process for risk management that conforms to industry-accepted best practices.
Read the full story: Three stages of the ISO 31000 risk management process
Published November 6, 2014 on SearchSecurity.com
Are you thinking about deploying next generation firewall technology to better protect your agency against advanced persistent threats? It’s hard to spend any time in information security circles without hearing about the new features of these devices and the promise that they hold for bolstering perimeter defenses against increasingly sophisticated and well-funded cyberattackers.
Next generation firewalls (NGFWs) take a comprehensive approach to information security management by combining many different security technologies within a single device. They perform the basic stateful inspection that we expect from a perimeter protection device but supplement it with intrusion prevention, content filtering and application control features. Security administrators benefit from a single management interface, and the agency benefits from having these diverse security technologies operate in a coordinated fashion. In this article, we examine four strategies that you can use to ensure a successful NGFW deployment in your agency.
Published October 2014 in FedTech Magazine
The clock is ticking for enterprises that have not yet upgraded their payment card processing systems to be compliant with PCI DSS 3.0. While the new version of the standard went into effect January 1, 2014, merchants have the option to certify compliance under the old version throughout 2014. When the calendar page turns, this option goes away and all merchants must validate compliance with PCI DSS 3.0. Are you ready for the change? In this tip we take a look at three of the major changes in PCI 3.0 and explain the steps you can take to bring your organization into compliance on time.
As PCI DSS is a contractual obligation, rather than a law, the standard does not directly apply to entities that have not entered into credit card merchant agreements. However, most organizations rely upon services provided by others for some portion of their credit card processing. PCI DSS extends to these entities by considering them as service providers and requiring that merchants enter into written agreements with any service providers that store, process or transmit credit card information on their behalf. These written agreements must require that service providers comply with the provisions of PCI DSS.
Published September 28, 2014 on SearchSecurity.com
Million-dollar penalties are drawing the attention of HIPAA-covered entities around the nation. To avoid running afoul of HIPAA regulations, there are a few steps organizations should take immediately to learn from these incidents and ensure the privacy and security of protected health information.
Read the full story: Three steps to avoiding massive HIPAA violation fines
Published September 3, 2014 on SearchSecurity.com.
Cyberwarfare: Information Operations in a Connected World puts students on the real-world battlefield of cyberspace! It reviews the role that cyberwarfare plays in modern military operations — operations in which it has become almost impossible to separate cyberwarfare from traditional warfare.
Part 1 discusses the history of cyberwarfare and the variety of new concerns its emergence has fostered–from tactical considerations to the law of armed conflict and protection of civilians.
Part 2 discusses how offensive cyberwarfare has become an important part of the modern military arsenal. The rise of the advanced persistent threat has changed the face of cyberwarfare, and military planners must now be conscious of a series of cyberwarfare actions. In response, the defensive strategies that militaries use have evolved to protect themselves against cyber attacks. The concept of defense-in-depth is critical to building a well-rounded defense that will stand up to cyberwarfare events.
Part 3 explores the future of cyberwarfare; its interaction with military doctrine; and the Pandora’s box opened by recent events, which have set the stage for future cyber attacks.
Listening in on conversations around the water cooler at organizations of all sizes gives the impression that compliance awareness is at an all-time high. However, we continue to see news reports of compliance breaches that result from the inadvertent actions of employees unfamiliar with the consequences of their actions. Organizations that build and maintain a robust compliance training program can mitigate this risk and reduce the likelihood that a routine error will lead to a major compliance issue.
As you begin to put together your compliance training program, you’ll need to gather the human and financial resources required to develop a robust approach to training and assessment. As with any commitment of resources, this is easiest to achieve if you have executive support. Building a strong business case for your training program and gaining the support of organizational leaders is an effective way to remove barriers and obtain the funding and time commitment necessary to design, implement and deploy a training initiative.
Read more: Compliance 101: What do enterprises need to include in compliance training?
Entities seeking to secure their email environments should establish a comprehensive strategy designed to protect both the email infrastructure and its users from the wide variety of mail-related threats. The challenge facing technologists is that they must create a flexible solution that meets the organization’s security and operational needs in an effective and efficient manner while respecting financial constraints.
Read the full white paper: Email Security: Defending the Enterprise
The 2014 Verizon PCI Compliance Report assessed the state of PCI DSS compliance around the world. Surprisingly, it found that requirement 11 (regularly test security systems and processes) was the least complied with, despite the fact that many security professionals consider it one of the more straightforward requirements. In this tip, we take a look at the two specific areas that Verizon highlighted as being stumbling blocks to compliance and talk about how you can build them into your PCI DSS compliance program.
As you likely know, PCI DSS requires that you perform penetration testing of your environment following an industry-accepted approach, such as NIST SP 800-115. These tests must be performed on an annual basis, as a minimum, and also must be repeated after any major changes to the cardholder data environment. The first issue that Verizon discovered is that 60% of organizations failed to provide evidence that they had conducted penetration testing within the past year. Remember, maintaining documentation of the penetration test is almost as important as actually conducting the test when it comes to PCI compliance. Auditors are not willing to take your word for it; they want to see artifacts!
Published June 15, 2014 on SearchSecurity.com
The IT job market is starting to heat up and security professionals are one of the career fields in high demand. The recent rash of high profile security breaches is causing executives and boards to demand an increased focus on cybersecurity practices and IT shops are struggling to keep up. Earning a security certification can help you land a great job in an exciting field, but it’s important to know which certifications will really set you apart and make your resume jump to the top of the hiring manager’s pile.
The Certified Information Systems Security Professional (CISSP) certification remains the premier certification for security practitioners. If you’re looking for a position as a mid-level security professional, particularly as a generalist, this certification is a must have. It’s often used by Human Resources departments as a screening test to weed out job candidates who lack a strong background in information security. Earning a CISSP is no easy task. You must pass a multiple-choice examination covering ten broad domains of information security. Perhaps the most significant hurdle, however, is that you must have five years of information security work experience.
Read more: Standing Out with a Security Certification
Published June 2014 in Certification Magazine.
Mike is an IT leader, information security professional, author, speaker and trainer with over fifteen years of experience in the field.