Category Archives: IT Compliance and Regulatory Change Management

Exploring the Differences between Vulnerability Scanning and Penetration Testing

Posted on July 29, 2016 by kellyk

Jerry Beasley, Security Services Manager

A common misconception is that an automated vulnerability scan is equivalent to a penetration test. While both are useful tools and essential parts of an organization’s risk management program, they are not interchangeable, and there are clear distinctions between the two.

Vulnerability scans work by rapidly interrogating network ports and services in order to determine types and versions of those services and any obvious configuration

Read More...

Posted in Cybersecurity, IT Compliance and Regulatory Change Management, Vulnerability Management

How To Conduct PCI Penetration Tests for Security & Compliance

Posted on July 14, 2016 by lexi

If any requirement of the PCI DSS is confusing for organizations, it’s penetration testing.

It’s complicated, time intensive, and must be carried out by highly skilled and experienced personnel if it’s going to be done properly.

But on the other hand, penetration testing is widely understood to be an extremely high-value security process. After all, what better way to keep attackers out than by attacking your own infrastructure and learning from the results?

We’ve said repeatedly during

Read More...

Posted in Cybersecurity, IT Compliance and Regulatory Change Management

Why Most PCI Training Programs Are Ineffective… And What To Do About It

Posted on July 7, 2016 by lexi

It’s come round again, just like every year.

An automatic email ends up in your inbox, telling you it’s time to complete your annual information security training course.

So you follow the link and wind up in an online portal. You’re told to read through each page thoroughly and confirm your understanding.

Next. Next. Next. Agree. Time to forget about it for another year.

Sound familiar? It should.

This is how the vast majority of organizations treat their information security and PCI

Read More...

Posted in IT Compliance and Regulatory Change Management, Security Awareness Training

How To Manage Your PCI DSS Security Policy… And Why That Isn’t Enough

Posted on June 28, 2016 by lexi

In this series, we’ve already talked several times about the need to go beyond compliance with the PCI DSS.

This is doubly true for policy.

Once everything has been set up and documented, there’s a tendency to treat policy as a box-ticking exercise. After all, assuming you have the necessary systems and processes in place, how important can the actual policy document be?

Sadly, as with all security matters, many organizations don’t find out the answer to this question until after something

Read More...

Posted in IT Compliance and Regulatory Change Management, Policy Management

Updated FFIEC Guidelines Encourage Executives to Invest More in Cybersecurity

Posted on November 13, 2015 by lexi

The Federal Financial Institutions Examination Council (FFIEC) has updated its Management Booklet, which is part of the FFIEC Information Technology Examination Handbook used by examiners to ensure institutions are addressing risk management. One of the main updates focuses on the expectation that executives and boards of directors will review and approve IT plans that include cybersecurity strategies.

Some feel that board involvement in cybersecurity has been a long time coming.

Read More...

Posted in Cybersecurity, IT Compliance and Regulatory Change Management

PCI Penetration Testing Meets PCI DSS 3.1

Posted on June 16, 2015 by lexi

PCI DSS 3.1 and its supporting guidance, the PCI Information Supplement: Penetration Testing Guidelines, become effective July 1, 2015. The revisions include minor updates and clarifications and address vulnerabilities within the SSL encryption protocol that can put payment data at risk. According to requirements 11.3.1 and 11.3.2, penetration testing must be performed at least annually or after any significant change. What is deemed “significant” is highly dependent on an entity’s risk

Read More...

Posted in Cybersecurity, IT Compliance and Regulatory Change Management, Social Engineering, Vulnerability Management

Security and Compliance: A Balancing Act of Inequalities

Posted on March 2, 2015 by ashley


Wes Withrow, IT Security Expert

At some point in every IT security professional’s career they will be asked their opinion on the merits of compliance and how soon it will be before compliance frameworks get to the point that organizations are “hack proof.”

The response almost invariably goes like this: “Compliance isn’t perfect but at least it’s forcing us to talk about security. Nothing is hack proof unless it’s powered off, unplugged from the network, and destroyed with hammers. Even then

Read More...

Posted in Information Security, IT Compliance and Regulatory Change Management

Your First Look into Trends and Topics at the 2015 RSA Conference (RSAC)

Posted on December 18, 2014 by ashley

[Image: RSAC 2015 Word Cloud]

This word cloud was provided by the RSA Conference during its December 15th, 2014 webinar and reflects the most frequent terms used across more than 1700 speaking submissions. The largest words are those most commonly cited in conference session titles that were submitted for consideration to be included in this year’s RSA Conference agenda.

During this December 15th RSAC webinar, Britta Glade, Senior Content Manager, and Hugh Thompson, Program Committee Chair, for RSA Conferences shared

Read More...

Posted in Incident Response Management, IT Audit Management, IT Compliance and Regulatory Change Management, IT GRC, IT Risk Management and Risk Assessments, Policy Management, Security Awareness Training, Social Engineering, Vendor Risk Management, Vulnerability Management

Data Breaches Drive Information Security and Compliance into the C-Suite

Posted on September 9, 2014 by ashley

Due to recent data breaches and exposure of consumer information, Congress is paying special attention to cyber security issues. As a result, regulators must ensure that the organizations they regulate are aware of cyber security issues at the very top of their organizations. To do so, regulators, such as the Federal Financial Institutions Examination Council (FFIEC), are incorporating cyber security risk assessments into their IT examination process and forcing institutions to think

Read More...

Posted in IT Compliance and Regulatory Change Management

Meet Compliance Challenges with TraceCSO

Posted on June 6, 2014 by ashley

Mark Thorburn, Security Services Manager

Kayla Campbell, Delivery Director

Meeting compliance requirements is a challenge for many credit unions. Not only is it an overwhelming task to sift through compliance documentation, but it is also time-consuming to keep up with the credit union’s compliance posture on a consistent basis. Given these two hindrances, it is very common for credit unions to put these compliance challenges on the back burner until they are no longer possible to ignore.

Read More...

Posted in IT Compliance and Regulatory Change Management
