The clock is ticking for enterprises that have not yet upgraded their payment card processing systems to be compliant with PCI DSS 3.0. While the new version of the standard went into effect January 1, 2014, merchants have the option to certify compliance under the old version throughout 2014. When the calendar page turns, this option goes away and all merchants must validate compliance with PCI DSS 3.0. Are you ready for the change? In this tip we take a look at three of the major changes in PCI 3.0 and explain the steps you can take to bring your organization into compliance on time.
As PCI DSS is a contractual obligation, rather than a law, the standard does not directly apply to entities that have not entered into credit card merchant agreements. However, most organizations rely upon services provided by others for some portion of their credit card processing. PCI DSS extends to these entities by considering them as service providers and requiring that merchants enter into written agreements with any service providers that store, process or transmit credit card information on their behalf. These written agreements must require that service providers comply with the provisions of PCI DSS.
Published September 28, 2014 on SearchSecurity.com
Million-dollar penalties are drawing the attention of HIPAA-covered entities around the nation. To avoid running afoul of HIPAA regulations, there are a few steps organizations should take immediately to learn from these incidents and ensure the privacy and security of protected health information.
Read the full story: Three steps to avoiding massive HIPAA violation fines
Published September 3, 2014 on SearchSecurity.com.
Cyberwarfare: Information Operations in a Connected World puts students on the real-world battlefield of cyberspace! It reviews the role that cyberwarfare plays in modern military operations — operations in which it has become almost impossible to separate cyberwarfare from traditional warfare.
Part 1 discusses the history of cyberwarfare and the variety of new concerns its emergence has fostered, from tactical considerations to the law of armed conflict and protection of civilians.
Part 2 discusses how offensive cyberwarfare has become an important part of the modern military arsenal. The rise of the advanced persistent threat has changed the face of cyberwarfare, and military planners must now be conscious of a series of cyberwarfare actions. In response, militaries have evolved their defensive strategies to protect themselves against cyber attacks. The concept of defense-in-depth is critical to building a well-rounded defense that will stand up to cyberwarfare events.
Part 3 explores the future of cyberwarfare; its interaction with military doctrine; and the Pandora’s box opened by recent events, which have set the stage for future cyber attacks.
Listening in on conversations around the water cooler at organizations of all sizes gives the impression that compliance awareness is at an all-time high. However, we continue to see news reports of compliance breaches that result from the inadvertent actions of employees unfamiliar with the consequences of their actions. Organizations that build and maintain a robust compliance training program can mitigate this risk and reduce the likelihood that a routine error will lead to a major compliance issue.
As you begin to put together your compliance training program, you’ll need to gather the human and financial resources required to develop a robust approach to training and assessment. As with any commitment of resources, this is easiest to achieve if you have executive support. Building a strong business case for your training program and gaining the support of organizational leaders is an effective way to remove barriers and obtain the funding and time commitment necessary to design, implement and deploy a training initiative.
Read more: Compliance 101: What do enterprises need to include in compliance training?
Entities seeking to secure their email environments should establish a comprehensive strategy designed to protect both the email infrastructure and its users from the wide variety of mail-related threats. The challenge facing technologists is that they must create a flexible solution that meets the organization’s security and operational needs in an effective and efficient manner while respecting financial constraints.
Read the full white paper: Email Security: Defending the Enterprise
The 2014 Verizon PCI Compliance Report assessed the state of PCI DSS compliance around the world. Surprisingly, it found that requirement 11 (regularly test security systems and processes) was the least complied with, despite the fact that many security professionals consider it one of the more straightforward requirements. In this tip, we take a look at the two specific areas that Verizon highlighted as being stumbling blocks to compliance and talk about how you can build them into your PCI DSS compliance program.
As you likely know, PCI DSS requires that you perform penetration testing of your environment following an industry-accepted approach, such as NIST SP 800-115. These tests must be performed on an annual basis at a minimum, and they must also be repeated after any major change to the cardholder data environment. The first issue that Verizon discovered is that 60% of organizations failed to provide evidence that they had conducted penetration testing within the past year. Remember, maintaining documentation of the penetration test is almost as important as actually conducting the test when it comes to PCI compliance. Auditors are not willing to take your word for it; they want to see artifacts!
Published June 15, 2014 on SearchSecurity.com
The IT job market is starting to heat up, and information security is one of the career fields in highest demand. The recent rash of high-profile security breaches is causing executives and boards to demand an increased focus on cybersecurity practices, and IT shops are struggling to keep up. Earning a security certification can help you land a great job in an exciting field, but it’s important to know which certifications will really set you apart and make your resume jump to the top of the hiring manager’s pile.
The Certified Information Systems Security Professional (CISSP) certification remains the premier certification for security practitioners. If you’re looking for a position as a mid-level security professional, particularly as a generalist, this certification is a must-have. It’s often used by Human Resources departments as a screening test to weed out job candidates who lack a strong background in information security. Earning a CISSP is no easy task. You must pass a multiple-choice examination covering ten broad domains of information security. Perhaps the most significant hurdle, however, is that you must have five years of information security work experience.
Read more: Standing Out with a Security Certification
Published June 2014 in Certification Magazine.
Open source software provides organizations with a community-developed, inexpensive alternative to commercial products. Many enterprises have turned to open source solutions, particularly embracing the use of Linux operating systems, Apache web servers and MySQL databases. In a recent RSA presentation, security professionals from Urbane Security proposed a PCI DSS compliance model composed of open source solutions.
The argument for open source is straightforward: you don’t need to pay license fees for the software you use, and the applications are community-driven. If you’d like a new feature, you can develop it yourself. The counterargument to the open source approach is that installing and configuring open source software can be tricky and time-consuming. Depending upon the product, support options may be limited to community discussion forums or require the payment of a premium support fee.
Published June 1, 2014 on SearchSecurity.com
With the HIPAA Omnibus Rule in full effect, one of the big changes introduced is the newfound liability heaped on business associates. While covered entities have always been required to enter into business associate agreements (BAAs) with service providers, the Omnibus Rule extends the government’s regulatory reach through those agreements. Service providers who sign BAAs are now subject to the direct regulatory authority of the Department of Health and Human Services (HHS). In addition, covered entities now share liability for the actions of business associates.
Hospitals, health insurers, medical practices and other HIPAA covered entities often rely upon a range of outside service providers to assist them with administrative, patient care and other tasks where the provider comes into contact with protected health information (PHI). In those cases, the provider is considered a business associate under the HIPAA regulation and the covered entity is required to enter into a Business Associate Agreement (BAA) with the provider.
Published May 15, 2014 on SearchSecurity.com
“Boss, I think that someone stole sensitive information from my system.” Those are words that no computer user ever wants to utter and no manager ever wants to hear. Unfortunately, they are heard in offices around the world every day. In a recent study, the Center for Strategic and International Studies discovered that cybercrime costs American businesses $100 billion in lost revenue and 508,000 lost jobs. Nobody wants their computer to become a part of that statistic.
Protecting systems against hackers is not the daunting challenge that it may seem. The vast majority of system compromises occur because of failures to apply basic security measures. The tools and techniques taught in security certification programs are tried-and-true ways to fortify your systems against attack. The challenge facing IT and business professionals is successfully moving these ideas out of the certification textbook and applying them consistently across their organizations. In this article, we examine five specific ways that hackers can infiltrate your systems and explain how you can protect yourself against these attacks. Think of these five tips as your entry-level certification for safe computing!
Published in the May 2014 issue of Certification Magazine
Mike is an IT leader, information security professional, author, speaker and trainer with over fifteen years of experience in the field.