Security Awareness: Looking Beyond Regulations

Size: px
Start display at page:

Download "Security Awareness: Looking Beyond Regulations"

Transcription

1 Security Awareness: Looking Beyond Regulations Over the years, security experts have religiously advocated that people are the weakest link in information security. Although the importance of security awareness to address this weakest link is common knowledge, the result of our efforts thus far is not very encouraging. The seventh annual security research study, by the Computer Technology Industry Association (CompTIA) in , found that the primary cause of security breaches is unintentional human error. Security awareness efforts are failing royally for some reason. Naturally Aware of the Basics Human beings are naturally an aware species. We often teach our children to never speak to or accept anything from strangers. We teach them to lock the doors of our homes when we sleep, and to be careful and look both ways when crossing the street. Essentially, we teach our children everything they need to know to enhance their personal security. Human beings have a natural tendency towards practicing and advocating better awareness. And yet, moving this natural tendency from personal security awareness to information security awareness stands today as a significant challenge. The Culprit: Regulatory Pressures Regulatory compliance is seen as one of the major driving factors of information security 2 today. It is no surprise then that security awareness efforts often result in unsatisfactory results and increased skepticism about security awareness. Consequently, budget allocations for security awareness are often further reduced. In times when information security budgets are evershrinking, the amount that is allocated to security awareness is often up for internal debate. Yet, lack of security awareness, in fact, is one of the most overlooked aspects of information security 3 and the root cause of many security breaches It is true that many current regulations require security awareness efforts: Gramm-Leach Leach-Bliley Act (GLBA) Financial product/service providers governed by the GLBA are required to implement IT security awareness training. Health Insurance Portability and Accountability Act (HIPAA) Health plans, healthcare clearinghouses, and healthcare providers are governed by HIPAA. Personnel involved with the handling of Electronic Protected Health Information (ephi) or Protected Health Information (PHI) need to be provided security awareness training on an ongoing basis.

2 Sarbanes-Oxley Act All publicly-traded companies in the United States must comply with the Sarbanes-Oxley Act. These companies are required to establish ongoing IT security awareness efforts. Federal Information System Security Managers Act (FISMA) The FISMA requires federal government agencies to establish security awareness training for personnel, including contractors. The agencies need to report annually on their security awareness and training efforts. Payment Card Industry Data Security Standard (PCI DSS) While the PCI DSS is not a regulation, if you were ever to issue credit cards bearing the logo of one of the founding members American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. you would need to comply with the PCI DSS. The standard requires educating employees upon hire and at least annually on the importance of cardholder data security and how employees can maintain and enhance internal security controls. Today s regulations requiring security awareness affect a wide array of industries, so it is very likely that any organization would encounter at least one of these regulations. And regulatory compliance usually takes precedence over all else. When the compliance bells toll, time and money are as scarce as ever and a fix-it-quick approach is often taken towards security awareness. Employee attitudes towards information security awareness efforts then simply follow suit. As a result, security awareness is seldom seen apart from a law that requires it. If regulatory compliance is the main aim of security awareness efforts at an organization, it will invariably end up becoming a mechanical procedure rather than a beneficial learning experience. This perfunctory approach towards security awareness by top management always seeps down to the lower rungs in the hierarchy. Compliance: A By-Product People are the first line of defense in any organization against threats to information security. Think about it. These people often have the authorization to bypass all the technical security mechanisms in place. How else would you conduct business? If you spend hours applying the latest patches to all technical infrastructure components in your organization, it is equally wise to apply up-to-date patches to the people in your organization on an ongoing basis. Compliance is best viewed as a by-product of an organization s security awareness efforts. To get desirable results from the investment you put into security awareness look beyond the prism of compliance toward the greater good for your organization. Compliance will then naturally follow. The Organization-Centric Approach The right approach to security awareness is an organization-centric approach. The first step should always involve the effort to understand the organization s security awareness needs. This can be done using evaluation tools such as questionnaires, interviews, and quizzes. Even judgment calls can be very helpful at this stage because nobody knows your employees better than yourself.

3 Formal evaluation models such as the COBIT Maturity Model can also be employed to inject greater accuracy and objective data in the evaluations. The model helps evaluate organizational maturity to give an indication of how well an organization manages information security. It utilizes a six-point scale ranging from the non-existent (0) maturity level to the optimized (5) maturity level. At the end of your evaluations, you should be able to point out specific security awareness areas that need improvement. Once this list is complete, prioritize these areas based on their importance to the organization for minimizing the risk of information security compromise. Security Awareness Program Once you have a reasonably clear picture of the areas where your organization lacks in security awareness, the next step is to plan a security awareness program to address these specific areas. A security awareness program is a series of campaigns that aims to steadily infuse the right attitude towards information security in the minds of employees. To reinforce the importance of this approach, top management should formally communicate the details of the organization s security awareness program to the employees. A security awareness program should be well-planned with specific details such as the date, topic, intended audience, expected resources, and the method that will be used. A number of methods can be used, including; Articles/newsletters posted on the organization s intranet Webcasts and podcasts Security awareness posters (and note that humor makes them eye-catching and interesting) Security awareness seminars and training events Live demonstrations that illustrate how things can go wrong Booklets and brochures. Coffee mugs, pens, pencils, notepads, stickers, etc. bearing awareness messages. Ensure that the topics of security awareness communications are addressed in the order of the priority list identified previously. It is also important that these communications are in harmony with the organization s information security policies and procedures. An Ongoing Process Once a security awareness program is in place and underway, periodic evaluations should be performed to measure the progress and make necessary improvements and adjustments. Metrics such as the number of employees attending the training sessions, the number of security incidents caused by human error, the number of hits received by the intranet pages, etc. can often help in these measurements. Social Engineering engagements can also be extremely helpful at this stage. These engagements are performed by professional social engineers who perform tests to evaluate how hack-able the people of an organization are.

4 The Larger Awareness Approaching security awareness at your organization with the right attitude and approach is vital. If you manage these two mission-critical aspects, then compliance will easily follow. Compliance will then be a by-product, not an end-product. While security awareness by itself is quite an underrated tool in the information security arsenal, an even larger awareness is probably the need of the hour the awareness that security awareness needs a healthier consideration that goes beyond regulatory requirements. References

5 ERM wants to hear from YOU. With this edition of our newsletter, we re rolling out a new format and new features. Tell us what you think! What features or topics would you like to see covered in future issues? Who else should receive this newsletter? Your feedback is welcome and encouraged. Please send your comments to Enterprise Risk Management: At a Glance ERM brings clients the highest level of expertise to assess and address risks, comply with standards and regulations and mitigate risks, using integrated and reasonably priced security services and solutions. Our practice provides organizations with the tools they need to address the compliance and risk management issues of today, as well as the broader and ever-increasing security challenges of the future. Services IT Security Regulatory Compliance IT Audit Computer Forensics Risk Management Attestation Certifications Certified Public Accountant (CPA) Certified Information Systems Security Professional (CISSP) Certified Information Systems Auditor (CISA) Certified Information Systems Manager (CISM) Certified Information Technology Professional (CITP) GIAC Security Essentials Certification GIAC Systems and Network Auditor Qualified Security Assessor (QSA) Approved Scanning Vendor (ASV) Some of our Clients ABN-AMRO Private Banking Bacardi-Martini, Inc. Bancafe International Banco Industrial de Venezuela Banco ITAU Bank United Caja Madrid Bank Carnival Cruise Lines, LLC CitiBank Coconut Grove Bank Commerce Bank E-data Financial Florida International University Florida Power & Light Company Heico Aerospace Helm Bank Knight Ridder Nova Southeastern University Rinker Materials Rudy, Exelrod & Zieff, LLP Seabourn Cruise Line TecniCard, Inc. The International Bank of Miami TransAtlantic Bank U.S. Century Bank For more information, visit Phone: Douglas Road North Tower, Suite 835 Coral Gables, FL 33134

End of the SAS 70 Era

End of the SAS 70 Era End of the SAS 70 Era For years businesses that outsource have relied on SAS 70 reports on the internal controls of third party providers. The standard for those reports is changing. New Standards Replacing

More information

Banking Industry Regulations: Don t Burn A Hole In Your Pocket

Banking Industry Regulations: Don t Burn A Hole In Your Pocket Banking Industry Regulations: Don t Burn A Hole In Your Pocket If you ever mention the word compliance in a social gathering of bankers, you will evoke very animated responses from even the dullest of

More information

VoIP Security: Do You Have a Good Voice over IP?

VoIP Security: Do You Have a Good Voice over IP? VoIP Security: Do You Have a Good Voice over IP? Voice Over Internet Protocol (VoIP) services was first introduced in 2004, but it was six years later when first criminal was charged with hacking 1. The

More information

A Walk In The Clouds

A Walk In The Clouds 0101010 1010101 0101010 1010101 A Walk In The Clouds Security Issues To Watch In Cloud Computing Some things never change. From when personal computers first came around, you might remember a colleague

More information

You Need To Comply With HIPAA And You Probably Don t Even Know It!

You Need To Comply With HIPAA And You Probably Don t Even Know It! You Need To Comply With HIPAA And You Probably Don t Even Know It! If a hospital or healthcare institution is one of your customers/clients, I hope you changed the way you approached the Health Insurance

More information

Identity Theft: Are You Really You?

Identity Theft: Are You Really You? Identity Theft: Are You Really You? We are pleased to inform you of the final announcement that you are one of our New Year Winners of the UNITED KING- DOM ONLINE PROMO AWARDS, held on 26th January, 2009.

More information

Social Engineering: People Hacking

Social Engineering: People Hacking Social Engineering: People Hacking Historically speaking, humans have always been great social engineers. You d have to agree that it probably started out around the time when the first caveman husband

More information

Keeping watch over your best business interests.

Keeping watch over your best business interests. Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation

More information

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER July 9 th, 2012 Prepared By: Mark Akins PCI QSA, CISSP, CISA WHITE PAPER IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD PCI DSS for Merchants The Payment

More information

PCI DSS READINESS AND RESPONSE

PCI DSS READINESS AND RESPONSE PCI DSS READINESS AND RESPONSE EMC Consulting Services offers a lifecycle approach to holistic, proactive PCI program management ESSENTIALS Partner with EMC Consulting for your PCI program management and

More information

PCI Compliance. Top 10 Questions & Answers

PCI Compliance. Top 10 Questions & Answers PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

More information

SecurityMetrics. PCI Starter Kit

SecurityMetrics. PCI Starter Kit SecurityMetrics PCI Starter Kit Orbis Payment Services, Inc. 42 Digital Drive, Suite 1 Novato, CA 94949 USA Dear Merchant, Thank you for your interest in Orbis Payment Services as your merchant service

More information

Guided HIPAA Compliance

Guided HIPAA Compliance Guided HIPAA Compliance HIPAA Solutions for Office Managers and Practitioners SecurityMetrics We protect business Since its founding in 2000, privately-held SecurityMetrics has grown from a small security

More information

Building A Framework-based Compliance Program. Richard E. Mackey, Jr. Vice President, SystemExperts Corp. dick.mackey@systemexperts.

Building A Framework-based Compliance Program. Richard E. Mackey, Jr. Vice President, SystemExperts Corp. dick.mackey@systemexperts. Building A Framework-based Compliance Program Richard E. Mackey, Jr. Vice President, SystemExperts Corp. dick.mackey@systemexperts.com Agenda The compliance process Assembling requirements Useful frameworks

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

PAI Secure Program Guide

PAI Secure Program Guide PAI Secure Program Guide A complete guide to understanding the Payment Card Industry Data Security Requirements and utilizing the PAI Secure Program. Letter From the CEO Welcome to PAI Secure. As you

More information

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman

More information

Brown Smith Wallace, LLC

Brown Smith Wallace, LLC Brown Smith Wallace, LLC Successful Software Selection Whitepaper Series How to Adhere to Payment Card Industry Data Security Standards By Ron Schmittling, CPA/CITP, QSA, CISA, CIA To learn more about

More information

SECURITY CONSIDERATIONS FOR LAW FIRMS

SECURITY CONSIDERATIONS FOR LAW FIRMS SECURITY CONSIDERATIONS FOR LAW FIRMS Enterprise Risk Management Professional consulting firm that specializes in cyber security Founded in 1998 in Miami, Florida Serves more than 150 clients, locally,

More information

Managing data security and privacy risk of third-party vendors

Managing data security and privacy risk of third-party vendors Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected

More information

Payment Card Industry Standard - Symantec Services

Payment Card Industry Standard - Symantec Services Payment Card Industry Standard - Symantec Services The Payment Card Industry Data Security Standard (PCI, or PCI DSS) was developed by the PCI Security Standards Council to assure cardholders that their

More information

HOW SECURE IS YOUR PAYMENT CARD DATA?

HOW SECURE IS YOUR PAYMENT CARD DATA? HOW SECURE IS YOUR PAYMENT CARD DATA? October 27, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director PCI Practice Leader Kevin Villanueva,, CISSP,

More information

WHITE PAPER. PCI Compliance: Are UK Businesses Ready?

WHITE PAPER. PCI Compliance: Are UK Businesses Ready? WHITE PAPER PCI Compliance: Are UK Businesses Ready? Executive Summary The Payment Card Industry Data Security Standard (PCI DSS), one of the most prescriptive data protection standards ever developed,

More information

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) What is PCI DSS? The 12 Requirements Becoming compliant with SaferPayments Understanding the jargon SaferPayments Be smart.

More information

The State of Security and Compliance for E- Commerce and Retail

The State of Security and Compliance for E- Commerce and Retail The State of Security and Compliance for E- Commerce and Retail Current state of security PCI regulations and compliance Does the data you hold require PCI compliance Security and safeguarding against

More information

PCI Security Compliance

PCI Security Compliance E N T E R P R I S E Enterprise Security Solutions PCI Security Compliance : What PCI security means for your business The Facts Comodo HackerGuardian TM PCI and the Online Merchant Overview The Payment

More information

AlienVault for Regulatory Compliance

AlienVault for Regulatory Compliance AlienVault for Regulatory Compliance Overview of Regulatory Compliance in Information Security As computers and networks have become more important in society they and the information they contain have

More information

SecurityMetrics. history products expertise team awards

SecurityMetrics. history products expertise team awards SecurityMetrics history products expertise team awards Our company [history] Who we are and where we came from Proud moments in SecurityMetrics History 2000 - Founded by Brad Caldwell 2001 - First bank

More information

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600 Credit Cards and Oracle: How to Comply with PCI DSS Stephen Kost Integrigy Corporation Session #600 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle

More information

A Compliance Overview for the Payment Card Industry (PCI)

A Compliance Overview for the Payment Card Industry (PCI) A Compliance Overview for the Payment Card Industry (PCI) Many organizations are aware of the Payment Card Industry (PCI) and PCI compliance but are unsure if they are doing everything necessary. This

More information

Compliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire

Compliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire Compliance, Security and Risk Management Relationship Advice Andrew Hicks, Director Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control panel on

More information

Achieving Compliance with the PCI Data Security Standard

Achieving Compliance with the PCI Data Security Standard Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),

More information

Are You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010

Are You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010 Are You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010 atsec information security, 2010 About This Presentation About PCI assessment

More information

{Are you protected?} Overview of Cybersecurity Services

{Are you protected?} Overview of Cybersecurity Services {Are you protected?} Overview of Cybersecurity Services Why Plante Moran is built on thousands of success stories. CLIENT FOCUS The confidence that the client s needs are put ahead of the firm s by a professional

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This

More information

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

WHITE PAPER. PCI Basics: What it Takes to Be Compliant WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through

More information

Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers

Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye

More information

PCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id

PCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id PCI DSS Payment Card Industry Data Security Standard www.tuv.com/id What Is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is the common security standard of all major credit cards brands.the

More information

PCI Compliance Overview

PCI Compliance Overview PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)

More information

PCI DSS Overview and Solutions. Anwar McEntee Anwar_McEntee@rapid7.com

PCI DSS Overview and Solutions. Anwar McEntee Anwar_McEntee@rapid7.com PCI DSS Overview and Solutions Anwar McEntee Anwar_McEntee@rapid7.com Agenda Threat environment and risk PCI DSS overview Who we are Solutions and where we can help Market presence High Profile Hacks in

More information

Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers

Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye

More information

PCI DSS Compliance in a hosted infrastructure

PCI DSS Compliance in a hosted infrastructure PCI DSS Compliance in a hosted infrastructure A Rackspace White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by

More information

Protecting Your Customers' Card Data. Presented By: Oliver Pinson-Roxburgh

Protecting Your Customers' Card Data. Presented By: Oliver Pinson-Roxburgh Protecting Your Customers' Card Data Presented By: Oliver Pinson-Roxburgh Agenda Trustwave Overview PCI Scope Compromise Statistics PCI Makes Business Sense Registration Process TrustKeeper Features Support

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

Contents. Facts. Contact. Company Biography...4. Qualifications & Accolades...5. Executive Leadership Team...6. Products & Services...

Contents. Facts. Contact. Company Biography...4. Qualifications & Accolades...5. Executive Leadership Team...6. Products & Services... Contents Company Biography...4 Qualifications & Accolades...5 Executive Leadership Team...6 Products & Services...8 Company History...10 Facts Founded: 2000 CEO: Brad Caldwell Website: www.securitymetrics.com

More information

HOW TO PREPARE FOR A PCI DSS AUDIT

HOW TO PREPARE FOR A PCI DSS AUDIT Ebook HOW TO PREPARE FOR A PCI DSS AUDIT 8 TOP COMPLIANCE TIPS FROM QSAS 2015 SecurityMetrics HOW TO PREPARE FOR A PCI DSS AUDIT 8 TOP COMPLIANCE TIPS FROM QSAS INTRODUCTION Payment Card Industry Data

More information

Achieving Regulatory Compliance through Security Information Management

Achieving Regulatory Compliance through Security Information Management www.netforensics.com NETFORENSICS WHITE PAPER Achieving Regulatory Compliance through Security Information Management Contents Executive Summary The Compliance Challenge Common Requirements of Regulations

More information

John B. Dickson, CISSP October 11, 2007

John B. Dickson, CISSP October 11, 2007 PCI Compliance for Your Organization PCI Compliance for Your Organization John B. Dickson, CISSP October 11, 2007 Learning objectives for today s session Overview of PCI who, what, why Overview of PCI

More information

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult

More information

PCI Overview. PCI-DSS: Payment Card Industry Data Security Standard

PCI Overview. PCI-DSS: Payment Card Industry Data Security Standard PCI-DSS: Payment Card Industry Data Security Standard Why is this important? Cardholder data and personally identifying information are easy money That we work with this information makes us a target That

More information

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

AN OVERVIEW OF INFORMATION SECURITY STANDARDS AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

SecurityMetrics Introduction to PCI Compliance

SecurityMetrics Introduction to PCI Compliance SecurityMetrics Introduction to PCI Compliance Card Data Compromise What is a card data compromise? A card data compromise occurs when payment card information is stolen from a merchant. Some examples

More information

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions PCI/PA-DSS FAQs Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions What is PCI DSS? The Payment Card Industry Data

More information

And Take a Step on the IG Career Path

And Take a Step on the IG Career Path How to Develop a PCI Compliance Program And Take a Step on the IG Career Path Andrew Altepeter Any organization that processes customer payment cards must comply with the Payment Card Industry s Data Security

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Abhinav Goyal, B.E.(Computer Science) MBA Finance Final Trimester Welingkar Institute of Management ISACA Bangalore chapter 13 th February 2010 Credit Card

More information

Western Australian Auditor General s Report. Information Systems Audit Report

Western Australian Auditor General s Report. Information Systems Audit Report Western Australian Auditor General s Report Information Systems Audit Report Report 10 June 2012 Auditor General s Overview The Information Systems Audit Report is tabled each year by my Office. It summarises

More information

Platform as a Service and PCI www.engineyard.com

Platform as a Service and PCI www.engineyard.com Engine Yard White Paper Platform as a Service and PCI www.engineyard.com Purpose Achieving PCI compliance can be a complex, time-consuming, and expensive undertaking, but the right approach can make it

More information

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security

More information

Security Awareness Compliance Requirements. Last Updated: Oct 01, 2015

Security Awareness Compliance Requirements. Last Updated: Oct 01, 2015 Security Awareness Compliance Requirements Last Updated: Oct 01, 2015 info@securingthehuman.org http://www.securingthehuman.org 1. Executive Summary The purpose of this document is to identify different

More information

Introduction to Compliance:

Introduction to Compliance: Introduction to Compliance: Protecting Customer Information Presented by Joshua Schafer & Rachel Fisher Introductions Joshua Schafer has over 10 years experience in information technology and is currently

More information

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate. MasterCard PCI & Site Data Protection (SDP) Program Update Academy of Risk Management Innovate. Collaborate. Educate. The Payment Card Industry Security Standards Council (PCI SSC) Open, Global Forum Founded

More information

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements

More information

Third-Party Access and Management Policy

Third-Party Access and Management Policy Third-Party Access and Management Policy Version Date Change/s Author/s Approver/s Dean of Information Services 1.0 01/01/2013 Initial written policy. Kyle Johnson Executive Director for Compliance and

More information

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business Comodo HackerGuardian PCI Security Compliance The Facts What PCI security means for your business Overview The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements intended

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Payment Card Industry (PCI) Data Security Standard QSA Validation Requirements. Supplement for PCI Forensic Investigators (PFIs)

Payment Card Industry (PCI) Data Security Standard QSA Validation Requirements. Supplement for PCI Forensic Investigators (PFIs) Payment Card Industry (PCI) Data Security Standard QSA Validation Requirements Supplement for PCI Forensic Investigators (PFIs) Version 2.0 November 2012 Document Changes. Date Version Description November

More information

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE ebook Series 2 Headlines have been written, fines have been issued and companies around the world have been challenged to find the resources, time and capital

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Introduction Purpose Audience Implications Sensitive Digital Data Management In an effort to protect credit card information from unauthorized access, disclosure

More information

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com

More information

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007 Security Testing: The Easiest Part of PCI Certification Core Security Technologies September 6, 2007 Agenda Agenda The PCI Standard: Security Basics and Compliance Challenges Compliance + Validation =

More information

[Insert Company Logo]

[Insert Company Logo] [Insert Company Logo] Business Continuity and Disaster Recovery Planning (BCDRP) Manual 1 Table of Contents Critical Business Information 4 Business Continuity and Disaster Recover Planning (BCDRP) Personnel

More information

Managing Vulnerabilities For PCI Compliance

Managing Vulnerabilities For PCI Compliance Managing Vulnerabilities For PCI Compliance Christopher S. Harper Vice President of Technical Services, Secure Enterprise Computing, Inc. June 2012 NOTE CONCERNING INTELLECTUAL PROPERTY AND SOLUTIONS OF

More information

Payment Card Industry Data Security Standard (PCI DSS) v1.2

Payment Card Industry Data Security Standard (PCI DSS) v1.2 Payment Card Industry Data Security Standard (PCI DSS) v1.2 Joint LA-ISACA and SFV-IIA Meeting February 19, 2009 Presented by Mike O. Villegas, CISA, CISSP 2009-1- Agenda Introduction to PCI DSS Overview

More information

How DataSunrise Helps to Comply with SOX, PCI DSS and HIPAA Requirements

How DataSunrise Helps to Comply with SOX, PCI DSS and HIPAA Requirements How DataSunrise Helps to Comply with SOX, PCI DSS and HIPAA Requirements DataSunrise, Inc. https://www.datasunrise.com Note: the latest copy of this document is available at https://www.datasunrise.com/documentation/resources/

More information

Credit Card Processing Through ROI Solutions: Simpler, Secure & More Cost Effective

Credit Card Processing Through ROI Solutions: Simpler, Secure & More Cost Effective Credit Card Processing Through ROI Solutions: Simpler, Secure & More Cost Effective Why Should You Consider this? First, the Rules.. ROI Solutions is Certified PCI DSS Compliant. PCI DSS stands for Payment

More information

E Pay. A Case Study in PCI Compliance. Illinois State Treasurer. Dan Rutherford

E Pay. A Case Study in PCI Compliance. Illinois State Treasurer. Dan Rutherford E Pay A Case Study in PCI Compliance Illinois State Treasurer Dan Rutherford What is PCI? The Payment Card Industry s Data Security Standard states: PCI Data Security Requirements applies to all members,

More information

June 19, 2013. Bobbi McCracken, Associate Vice Chancellor Financial Services. Subject: Internal Audit of PCI Compliance.

June 19, 2013. Bobbi McCracken, Associate Vice Chancellor Financial Services. Subject: Internal Audit of PCI Compliance. RIVERSIDE: AUDIT & ADVISORY SERVICES June 19, 2013 To: Bobbi McCracken, Associate Vice Chancellor Financial Services Subject: Internal Audit of PCI Compliance Ref: R2013-03 We have completed our audit

More information

PCI DSS Reporting WHITEPAPER

PCI DSS Reporting WHITEPAPER WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts

More information

Payment Card Industry Compliance Overview

Payment Card Industry Compliance Overview January 31, 2014 11:30am 12:30pm Central Hosted by: Texas.gov Presented by: Jayne Holland Barbara Brinson Payment Card Industry Compliance Overview Securing Government Payments Audio Dial In: 866-740-1260

More information

Hans Bos Microsoft Nederland. hans.bos@microsoft.com

Hans Bos Microsoft Nederland. hans.bos@microsoft.com Hans Bos Microsoft Nederland Email: Twitter: hans.bos@microsoft.com @hansbos Microsoft s Cloud Environment Consumer and Small Business Services Software as a Service (SaaS) Enterprise Services Third-party

More information

Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) Payment Card Industry Data Security Standard (PCI DSS) Compliance Guide for Merchants Presented by: www.complianceforge.com Copyright 2015. BlackHat Consultants, LLC Table of Contents PAYMENT CARD INDUSTRY

More information

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to: What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International

More information

CSR Breach Reporting Service Frequently Asked Questions

CSR Breach Reporting Service Frequently Asked Questions CSR Breach Reporting Service Frequently Asked Questions Quick and Complete Reporting is Critical after Data Loss Why do businesses need this service? If organizations don t have this service, what could

More information

HIPAA and HITRUST - FAQ

HIPAA and HITRUST - FAQ A COALFIRE WHITE PAPER HIPAA and HITRUST - FAQ by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Director, Healthcare Practice Lead Coalfire February 2013 Introduction Organizations are

More information

This article describes the history of the Payment Card

This article describes the history of the Payment Card Copyright 2007 ISACA. All rights reserved. www.isaca.org. Achieving Compliance With the PCI Data Security Standard By Alex Woda, CISA, QDSP, QPASP This article describes the history of the Payment Card

More information

IT Security & Compliance. On Time. On Budget. On Demand.

IT Security & Compliance. On Time. On Budget. On Demand. IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount

More information

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased

More information

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA hhuynh@visa.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,

More information

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013 Regulatory Updates Eric M. Wright, CPA, CITP Schneider Downs & Co., Inc. December 5, 2013 Eric M. Wright, CPA, CITP Eric has been involved with Information Technology with Schneider Downs since 1983. He

More information

Visa Account Information Security Tool Kit. Welcome to the Visa Account Information Security Program

Visa Account Information Security Tool Kit. Welcome to the Visa Account Information Security Program Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)

More information

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

To ensure independence, PSC does not represent, resell or receive commissions from any third party hardware, software or solutions vendors.

To ensure independence, PSC does not represent, resell or receive commissions from any third party hardware, software or solutions vendors. About PSC With offices in the USA, Canada, UK and Australia, PSC is a leading PCI, PA DSS, and P2PE assessor, PCI Forensics Company and Approved Scanning Vendor. PSC is one of an elite few companies qualified

More information

Case 2:13-cv-01887-ES-JAD Document 282-1 Filed 12/09/15 Page 1 of 18 PageID: 4861 THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY

Case 2:13-cv-01887-ES-JAD Document 282-1 Filed 12/09/15 Page 1 of 18 PageID: 4861 THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY Case 2:13-cv-01887-ES-JAD Document 282-1 Filed 12/09/15 Page 1 of 18 PageID: 4861 THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY Federal Trade Commission, Plaintiff, v. Wyndham Worldwide

More information

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,

More information

BRAND-NAME is What COUNTS!!!

BRAND-NAME is What COUNTS!!! BRAND-NAME is What COUNTS!!! USE PCI-DSS and make a name for your business Amit Jain Lead Solution Architect Aug 2015 Who We Are WHO WE ARE Company facts and figures ESTABLISHED TRUSTED 1995 BY MORE THAN

More information

See page 16. Thomas A. Vallas

See page 16. Thomas A. Vallas Compliance TODAY July 2014 a publication of the health care compliance association www.hcca-info.org What s the key to successfully merging two large hospital systems? an interview with Michael R. Holper

More information

Data Security Standard (DSS) Compliance. SIFMA June 13, 2012

Data Security Standard (DSS) Compliance. SIFMA June 13, 2012 Payment Card Industry (PCI) Data Security Standard (DSS) Compliance SIFMA June 13, 2012 EisnerAmper Consulting Services Group Overview of EisnerAmper Fifth fhlargest accounting firm in the Metro New York

More information