Tag Archives: compliance

Touchdown Task for June: Document Cleanup

Posted on by
2

With the beginning of a new fiscal year on the immediate horizon for many, it reminds us that it’s time to clean up our books and our filing. And by that we mean both our digital and physical files! If you don’t already have a written document retention policy, one needs to be drafted. It should be tailored to your business needs and meet the requirements identified in local, state or federal laws and regulations that apply to your particular industry. 

As a part of your document retention plan, you will establish a document retention schedule of what to keep and for how long. Once you have this identified, it’s time to dive into the files, both paper and electronic, to see what should be properly destructed. 

It is critical that paper documents are either incinerated or shredded. Electronic files must be properly sanitized and purged. Purging can be accomplished a variety of secure erasing tools. A quick Google will turn up several free or low cost solutions. Clearing electronic data is often accomplished by overwriting existing data using software that incorporates a fixed sequence of characters. 
Whatever the processes are that you elect to perform, it is imperative that you stick to the schedule and destroy your documents per your written guidelines in your document retention policy.

Thanks to Teresa West for this post.

MSI Strategies & Tactics Talk Episode 5: Is Compliance-centric Security The Way To Go?

Posted on by
Reply

“Compliance-centric security is bleeding us dry.” – Brent Huston, CEO and Security Evangelist for MSI

Listen in as our tech team discusses compliance-centric security, including:

  • What is compliance-centric security?
  • Why is it a problem?
  • How it creates a “do-the-minimum mentality”
  • What is the alternative to compliance-centric security?

Panelists:

Brent Huston, CEO and Security Evangelist, MicroSolved, Inc.
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Moderator, Marketing Communication Specialist, MicroSolved, Inc.

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

What Helps You with PCI?

Posted on by
Reply

Yesterday, at RSA much press attention was paid to a metric that 41% of all organizations tested needed temporary compensating controls to meet even the minimum security provided by PCI DSS compliance.

This led us to this discussion. If so many organizations need temporary controls to do the minimum, then what controls, in your experience, are the most worthwhile for those struggling to meet PCI?

Please leave a comment and tell us what controls you find most useful, easiest to leverage and worth the investment for PCI compliance.

As always, thanks for reading and we look forward to your input.

Bandwagon Blog: Why Isn’t Compliance & Regulation Working?!?

Posted on by
Reply

Everyone else seems to be blogging about it, so why not a “me too” blog from a different angle?

The main security questions people seem to be asking over the last few days are “Why are data theft and compromise rates souring? I thought that regulations like GLBA, HIPAA, various state laws, PCI DSS and all the other myriad of new rules, guidelines and legislation were going to protect us?”

The answers to these questions are quite complex, but a few common answers might get us a little farther in the discussion. Consider these points of view as you debate amongst yourselves and with your CIO/COO/CEO and Board of Directors in the coming months.

What if compliance becomes another mechanism for “doing the minimum”? The guidance and legal requirements are meant to be minimums. They are the BASELINES for a reason. They are not the end-all, be-all of infosec. Being compliant does not remove all risk of incidents, it merely reduces risk to a level where it should be manageable for an average organization. This absolutely does NOT mean, “have some vendor certify us as compliant and then we are OK.” That’s my problem with compliance driven security – it often leaves people striving for the minimum. But, the minimum security posture is a dangerous security posture in many ways. Since threats constantly evolve, new risks continually emerge and attackers create new methods on an hourly basis – compliance WILL NOT EVER replace vigilance, doing the right thing and driving defense in depth deep into our organizations. Is your organization guilty of seeing compliance as the finish line instead of a mile marker?

Not all vendors “do the right thing”. Vendors (myself included) need to sell products and services to survive. Some (myself NOT included) will do nearly anything to make this happen. They will confuse customers with hype, misleading terminology or just plain lie to sell their wares. For example, there are some well known PCI scanning vendors who never seem to fail their clients. Ask around, they are easy to find. If your organization is interested in doing the minimum and would rather pass an assessment than ensure that your client data is minimally protected, give them a call. They will be happy to send you a passing letter in return for a check. Another example of this would be the “silver bullet technology” vendors that will happily sell their clients the latest whiz-bang appliance or point solution for fixing an existing security need, rather than helping clients find holistic, manageable security solutions that make their organization’s security posture stronger instead of the vendor richer….

Additionally, many compliance issues reinforce old thinking. They focus on perimeter-centric solutions, even as the perimeter crumbles and is destroyed by disruptive technologies. Since regulations, laws and guidance are often much slower to adjust to changes than Internet-time based attackers and techniques, the compliance driven organization NEVER really catches up with the current threats. They spend all of their time, money and resources focused on building security postures and implementing controls that are often already ineffective due to attacker evolutions.

Lastly, I would reinforce  that there are still many organizations out there that just simply will not “do the right thing”. They believe that profit surpasses the need to protect their assets and/or client data. They do not spend resources on real security mechanisms, fail to leverage technologies appropriately, remain careless with policy and processes and do little in terms of security awareness. There are a lot of these organizations around, in nearly every industry. They do security purely by reaction – if they have an incident, they handle that specific issue, then move on. Since consumer apathy is high, they have little to no incentive to change their ways. The only way to enhance the security of these folks is when everyday buyers become less apathetic and veto insecure organizations with their spending. All else will fall short of causing these organizations to change.

So there you have it. A few reasons why regulation is not working. I guess the last one I would leave you with comes from my 16+ years in the industry – good security is hard work. It takes dedication, vigilance, attention to detail, creative AND logical thinking and an ability to come to know the enemy. Good security, far beyond compliance, is just plain tough. It costs money. It is rarely recognized for its value and is always easier to “do the minimum” or nothing at all…