Posted on July 29, 2016 by kellyk
Jerry Beasley, Security Services Manager
A common misconception is that an automated vulnerability scan is equivalent to a penetration test. While both are useful tools and essential parts of an organization’s risk management program, they are not interchangeable, and there are clear distinctions between the two.
Vulnerability scans work by rapidly interrogating network ports and services in order to determine types and versions of those services and any obvious configuration
Posted on July 14, 2016 by lexi
If any requirement of the PCI DSS is confusing for organizations, it’s penetration testing.
It’s complicated, time intensive, and must be carried out by highly skilled and experienced personnel if it’s going to be done properly.
On the other hand, penetration testing is widely understood to be an extremely high-value security process. After all, what better way to keep attackers out than by attacking your own infrastructure and learning from the results?
We’ve said repeatedly during
Posted on July 7, 2016 by lexi
It’s come round again, just like every year.
An automatic email ends up in your inbox, telling you it’s time to complete your annual information security training course.
So you follow the link and wind up in an online portal. You’re told to read through each page thoroughly and confirm your understanding.
Next. Next. Next. Agree. Time to forget about it for another year.
Sound familiar? It should.
This is how the vast majority of organizations treat their information security and PCI
Posted on June 28, 2016 by lexi
In this series, we’ve already talked several times about the need to go beyond compliance with the PCI DSS.
This is doubly true for policy.
Once everything has been set up and documented, there’s a tendency to treat policy as a box-ticking exercise. After all, assuming you have the necessary systems and processes in place, how important can the actual policy document be?
Sadly, as with all security matters, many organizations don’t find out the answer to this question until after something
Posted on November 13, 2015 by lexi
The Federal Financial Institutions Examination Council (FFIEC) has updated its Management Booklet, which is part of the FFIEC Information Technology Examination Handbook used by examiners to ensure institutions are addressing risk management. One of the main updates focuses on the expectation that executives and boards of directors will review and approve IT plans that include cybersecurity strategies.
Some feel that board involvement in cybersecurity has been a long time coming.
Posted on June 16, 2015 by lexi
PCI DSS 3.1 and its supporting supplemental guidance, the PCI Information Supplement: Penetration Testing Guidelines, become effective July 1, 2015. The revisions include minor updates and clarifications and address vulnerabilities within the SSL encryption protocol that can put payment data at risk. According to requirements 11.3.1 and 11.3.2, penetration testing must be performed at least annually or after any significant change. What is deemed “significant” is highly dependent on an entity’s risk
Posted on March 2, 2015 by ashley
Wes Withrow, IT Security Expert
At some point in every IT security professional’s career they will be asked their opinion on the merits of compliance and how soon it will be before compliance frameworks get to the point that organizations are “hack proof.”
The response almost invariably goes like this: “Compliance isn’t perfect but at least it’s forcing us to talk about security. Nothing is hack proof unless it’s powered off, unplugged from the network, and destroyed with hammers. Even then
Posted on December 18, 2014 by ashley
This word cloud was provided by the RSA Conference during its December 15th, 2014 webinar and reflects the most frequent terms used across more than 1700 speaking submissions. The largest words are those most commonly cited in conference session titles that were submitted for consideration to be included in this year’s RSA Conference agenda.
During this December 15th RSAC webinar, Britta Glade, Senior Content Manager, and Hugh Thompson, Program Committee Chair, for RSA Conferences shared
Posted on September 9, 2014 by ashley
Due to recent data breaches and exposure of consumer information, Congress is paying special attention to cyber security issues. As a result, regulators must ensure that the organizations they regulate are aware of cyber security issues at the very top of their organizations. To do so, regulators, such as the Federal Financial Institutions Examination Council (FFIEC), are incorporating cyber security risk assessments into their IT examination process and forcing institutions to think
Posted on June 6, 2014 by ashley
Mark Thorburn, Security Services Manager
Kayla Campbell, Delivery Director
Meeting compliance requirements is a challenge for many credit unions. Not only is it an overwhelming task to sift through compliance documentation, but it is also time-consuming to keep up with the credit union’s compliance posture on a consistent basis. Given these two hindrances, it is very common for credit unions to put these compliance challenges on the back burner until they are no longer possible to ignore.