Information Security Leader, Author, Instructor and Speaker

PCI DSS Compliance Health Check

How are you doing with PCI DSS compliance? Have you taken a close look at your controls recently to ensure that you’re dotting your i’s and crossing your t’s? A recent study by Verizon revealed that only 11.1% of companies subject to PCI DSS actually comply with all twelve requirements. Are you among this small slice of compliant firms or do you run the risk that non-compliant payment card operations will result in fines, reputational loss and/or operational disruption for your organization? In this article, we take a look at three common areas where companies fail to achieve compliance and provide practical advice on addressing those issues.

Read more: PCI DSS Compliance Health Check

Published December 2014 in BizTech Magazine


Three stages of the ISO 31000 risk management process

One of the core requirements of the ISO 27001 standard for information security is that organizations perform a formal risk assessment that identifies, analyzes and evaluates the risks facing the organization. The 2013 revision of the standard removed the requirements that dictated the specific process an organization must follow to meet this requirement, but organizations adopting ISO 27001 may consider using the ISO 31000 risk management process. ISO 31000 proposes a three-stage process for risk management that conforms to industry-accepted best practices.

Read the full story: Three stages of the ISO 31000 risk management process

Published November 6, 2014 on


Getting Started with Automated Penetration Testing

The automated penetration test plays an important role in the security professional’s toolkit. As part of a comprehensive security program, these tools can quickly evaluate the security of systems, networks and applications against a wide variety of threats. Security pros should view them as a supplement, rather than a replacement, for traditional manual testing techniques.

What is automated penetration testing?

During a penetration test, security professionals conduct deliberate attacks on systems and applications to determine whether it is possible to gain unauthorized access. The goal of these tests is to assume the “hacker mindset” and probe for security vulnerabilities using the same tools and techniques employed by real attackers. Penetration testing is widely considered the best test of a system’s security, as it most closely approximates real world attacks. Conducting these tests properly requires time-consuming work by highly skilled individuals. Ideally, the engineers performing the tests have a level of skill equal to or exceeding the skill level of the likely attacker.

Read More: Getting Started with Automated Penetration Testing

Published November 3, 2014 on


Four Strategies for Successful Next Generation Firewall Deployments

Are you thinking about deploying next generation firewall technology to better protect your agency against advanced persistent threats? It’s hard to spend any time in information security circles without hearing about the new features of these devices and the promise that they hold for bolstering perimeter defenses against increasingly sophisticated and well-funded cyberattackers.

The next generation firewall (NGFW) adopts a comprehensive approach to information security management by combining many different security technologies within a single device. It performs the basic stateful inspection that we expect from a perimeter protection device but supplements that with intrusion prevention, content filtering and application control features. Security administrators benefit from a single management interface and the agency benefits from having these diverse security technologies operate in a coordinated fashion. In this article, we examine four strategies that you can use to ensure a successful NGFW deployment in your agency.

Read more: Four Strategies for Successful Next Generation Firewall Deployments

Published October 2014 in FedTech Magazine


The final countdown to PCI DSS 3.0 mandatory implementation

The clock is ticking for enterprises that have not yet upgraded their payment card processing systems to be compliant with PCI DSS 3.0. While the new version of the standard went into effect January 1, 2014, merchants have the option to certify compliance under the old version throughout 2014. When the calendar page turns, this option goes away and all merchants must validate compliance with PCI DSS 3.0. Are you ready for the change? In this tip we take a look at three of the major changes in PCI 3.0 and explain the steps you can take to bring your organization into compliance on time.

As PCI DSS is a contractual obligation, rather than a law, the standard does not directly apply to entities that have not entered into credit card merchant agreements. However, most organizations rely upon services provided by others for some portion of their credit card processing. PCI DSS extends to these entities by considering them as service providers and requiring that merchants enter into written agreements with any service providers that store, process or transmit credit card information on their behalf. These written agreements must require that service providers comply with the provisions of PCI DSS.

Read more: The final countdown to PCI DSS 3.0 mandatory implementation

Published September 28, 2014 on


Three steps to avoiding massive HIPAA violation fines

Million-dollar penalties are drawing the attention of HIPAA-covered entities around the nation. To avoid running afoul of HIPAA regulations, there are a few steps organizations should take immediately to learn from these incidents and ensure the privacy and security of protected health information.

Read the full story: Three steps to avoiding massive HIPAA violation fines

Published September 3, 2014 on


Cyberwarfare: Information Operations in a Connected World

Cyberwarfare: Information Operations in a Connected World puts students on the real-world battlefield of cyberspace! It reviews the role that cyberwarfare plays in modern military operations — operations in which it has become almost impossible to separate cyberwarfare from traditional warfare.

Part 1 discusses the history of cyberwarfare and the variety of new concerns its emergence has fostered, from tactical considerations to the law of armed conflict and protection of civilians.

Part 2 discusses how offensive cyberwarfare has become an important part of the modern military arsenal. The rise of the advanced persistent threat has changed the face of cyberwarfare, and military planners must now be conscious of a series of cyberwarfare actions. In response, the defensive strategies that militaries use have evolved to protect themselves against cyber attacks. The concept of defense-in-depth is critical to building a well-rounded defense that will stand up to cyberwarfare events.

Part 3 explores the future of cyberwarfare; its interaction with military doctrine; and the Pandora’s box opened by recent events, which have set the stage for future cyber attacks.

Key Features:

  • Incorporates hands-on activities, relevant examples, and realistic exercises to prepare readers for their future careers
  • Examines the importance of information as a military asset, from the days of Sun Tzu and Julius Caesar to the present
  • Discusses cyberwarfare in light of the law of war and international conventions, and the new questions it is raising
  • Reviews the various methods of attack used in recent years by both nation-state and nonstate actors
  • Outlines strategies for defending endpoints, networks, and data
  • Offers predictions on the future of cyberwarfare and its interaction with military doctrine
  • Provides fresh capabilities information drawn from the Snowden NSA leaks

Compliance 101: What do enterprises need to include in compliance training?

Listening in on conversations around the water cooler at organizations of all sizes gives the impression that compliance awareness is at an all-time high. However, we continue to see news reports of compliance breaches that result from the inadvertent actions of employees unfamiliar with the consequences of their actions. Organizations that build and maintain a robust compliance training program can mitigate this risk and reduce the likelihood that a routine error will lead to a major compliance issue.

Gathering Resources

As you begin to put together your compliance training program, you’ll need to gather the human and financial resources that you’ll need to develop a robust approach to training and assessment. As with any commitment of resources, this is easiest to achieve if you have executive support. Building a strong business case for your training program and gaining the support of organizational leaders is an effective way to remove barriers and obtain the funding and time commitment necessary to design, implement and deploy a training initiative.

Read more: Compliance 101: What do enterprises need to include in compliance training?


Email Security: Defending the Enterprise

Entities seeking to secure their email environments should establish a comprehensive strategy designed to protect both the email infrastructure and its users from the wide variety of mail-related threats. The challenge facing technologists is that they must create a flexible solution that meets the organization’s security and operational needs in an effective and efficient manner while respecting financial constraints.

Read the full white paper: Email Security: Defending the Enterprise


PCI DSS compliance and the trouble with requirement 11

The 2014 Verizon PCI Compliance Report assessed the state of PCI DSS compliance around the world. Surprisingly, it found that requirement 11 (regularly test security systems and processes) was the least complied with, despite the fact that many security professionals consider it one of the more straightforward requirements. In this tip, we take a look at the two specific areas that Verizon highlighted as being stumbling blocks to compliance and talk about how you can build them into your PCI DSS compliance program.

As you likely know, PCI DSS requires that you perform penetration testing of your environment following an industry-accepted approach, such as NIST SP 800-115. These tests must be performed at least annually and must also be repeated after any significant change to the cardholder data environment. The first issue that Verizon discovered is that 60% of organizations failed to provide evidence that they had conducted penetration testing within the past year. Remember, maintaining documentation of the penetration test is almost as important as actually conducting the test when it comes to PCI compliance. Assessors are not willing to take your word for it; they want to see artifacts!

Read more: PCI DSS compliance and the trouble with requirement 11

Published June 15, 2014 on


Mike Chapple, CISSP, Ph.D.

Mike is an IT leader, information security professional, author, speaker and trainer with over fifteen years of experience in the field.

Full Biography