- Compliance and risk modeling
  You can fight compliance or embrace it, but one way or the other, you can’t escape it. Increasingly, smart organizations are not just accepting compliance as a necessary evil, but aggressively teaming with their internal compliance and audit teams to... E-Zine
- Reviews of six top Web application firewalls
  In this month's issue of Information Security magazine, get 16 tips to help you navigate the changes to FRCP and avoid millions in fines. Read a case study about how one organization deployed full disk encryption on every machine, an increasingly pop... E-Zine
- Editor’s desk: A chat with Peter G. Neumann
  Peter G. Neumann shares his thoughts on the inherent complexity of trustworthiness and the evolutionary promise of clean-slate architectures. Feature
- Cloud Compliance: Tackling Compliance in the Cloud
  Moving to a cloud environment brings compliance challenges, but they’re not insurmountable. Feature
- GRC Management and Critical Infrastructure Protection
  GRC needs to adapt to become a truly effective risk management tool for critical infrastructure. Feature
- Network security audit guidelines: Inside the importance of audit planning
  In this SearchSecurity.com mini learning guide you will learn the ins and outs of network security audit guidelines, as well as the importance of audit planning, and how to perform and prepare for an audit. Learning Guide
- Quiz: Building a compliance scorecard
  How much have you learned about building a compliance scorecard? Find out with this short quiz. Quiz
- Quiz: How to pass a PCI assessment
  How much have you learned about the PCI assessment process? Test your knowledge in this short quiz. Quiz
- Risk-based audit methodology: How to achieve enterprise security
  Discover how using a risk-based audit methodology can achieve better enterprise security. Learn how to develop an internal IT audit program, implement risk mitigation methods, and develop controls and ensure they are effective. Learning Guide
- Conclusion: The Risk Mitigation Challenges of the "12 PCI Commandments"
  Understanding which requirements of the "12 commandments" are the most challenging can keep your organization from wasting time, money and effort on the wrong ideas or technical implementations. In this guide, Craig Norris draws some important PCI c... Learning Guide
- PCI DSS Requirement 3: Protecting stored data
  One of the biggest problems with PCI DSS Requirement 3 is that merchants must accurately know where credit card data flows from its inception, where it traverses the network and resides, and what its "state" is along the way. Craig Norris explains ho... Learning Guide
- PCI DSS Requirement 11: Regularly test security systems and processes
  Craig Norris explains why internal and external network scans are necessary to complete Requirement 11 of the PCI Data Security Standard, one that frequently baffles security professionals. Learning Guide
- See more Essential Knowledge on IT Security Audits
- Black Hat 2012: Limited release for tool allowing smart meter hacks
  Don Weber of InGuardians is releasing his smart meter hacking tool, but only to utilities, vendors and vendor-vetted researchers. News | 25 Jul 2012
- How to manage the compliance cycle to improve your compliance strategy
  Too often, organizations jam all their compliance tasks into the quarter when the audit is due. Read advice for reducing compliance fatigue. News | 06 Mar 2012
- Cost of non-compliance outweighs cost of maintaining compliance, report finds
  A study by the Ponemon Institute found that the average total cost of compliance is more than $3.5 million. Article | 31 Jan 2011
- The security-compliance tug-of-war
  Bryan E. Simon, a senior systems and security specialist, talks about the daily struggles security pros face, including the need to balance security demands with compliance requirements. News | 15 Oct 2010
- MasterCard increases PCI compliance requirements for some merchants
  The company now requires merchants that process one million to six million transactions annually to have an onsite assessment by a PCI QSA. Visa says it won't follow suit. Article | 29 Jun 2009
- Forensic accounting success depends on information security support
  A forensic accounting expert explains how information security teams can ensure the success of forensic accounting and fraud assessment. News | 29 Apr 2009
- PCI DSS Q&A: Answering your questions
  Payment Card Industry Data Security Standard (PCI DSS) expert Ed Moyle of CTG recently joined SearchSecurity.com for a live Q&A to address your questio... Interview | 08 Apr 2009
- PCI QSA assurance program penalizes assessors
  Two firms certified to conduct PCI assessments have been placed into the PCI Council's remediation program for violating the QSA Validation Requirements. Article | 05 Mar 2009
- Cybersecurity expert sees PCI DSS problems ahead for retailers
  It could cost millions of dollars for retailers to rip and replace outdated systems and devices still using Wired Equivalent Privacy (WEP) to secure 802.11 wireless networks, according to a security expert tracking cybersecurity in the retail industr... Interview | 18 Nov 2008
- IT security pros focus on internal threats during tough economy
  Rough economic times are often associated with an increase in layoffs, mergers and acquisitions. The increased activity has the potential to weaken data security, but most security experts agree that large firms have the right procedures to follow to... Interview | 21 Oct 2008
- See more News on IT Security Audits
- How to use compliance automation to reduce compliance risk
  Tony UcedaVelez offers tips for automating compliance tasks to reduce IT security and compliance risk while easing the pain of arduous compliance audits. Tip
- Forrester's GRC framework: Using three lines of defense
  Chris McClean of Forrester Research provides a GRC framework. It offers three lines of defense to boost participation rates and define clear roles. Tip
- Key steps to perform a successful information security gap analysis
  Need to assess the holes in your organization’s network? Learn how an information security gap analysis can help you find network security weaknesses. Tip
- SEC disclosure rules: Public company reporting requirements explained
  Learn the public company reporting requirements necessary to comply with CF Disclosure Guidance Topic No. 2, the SEC's cybersecurity reporting rules. Tip
- Building a compliance culture means learning from mistakes
  In this bonus to our "Compliance scorecard" Security School lesson, Eric Holmquist covers the importance of learning from failure by assessing how and why mistakes happen. Tip
- Windows MBSA scan demo: Conducting a Windows security review
  In this screencast, Mike McLaughlin shows how a Windows MBSA scan can help determine client and server patch status during a Windows security review. Tip
- Application log management: Enabling application security compliance
  Expert Michael Cobb discusses how application audits and information and event management can save you time and energy with application security compliance. Tip
- Auditing virtualization: Security training for infosec pros
  This chapter discusses auditing virtualized environments, and begins with an overview of common virtualization technologies and key controls. Tip
- A primer for user privilege management in Windows Server 2008
  Privilege management can be a troublesome endeavor, but Windows Server 2008 introduces a multi-level privilege attribute system with better limits for standard users. Expert Randall Gamby explains the options in Windows Server 2008 for user privilege... Tip
- Assessment success: PCI DSS standards and secure data storage
  PCI DSS standards for secure data storage are specific and detailed, but there are two key steps that can significantly reduce the pain of an assessment. PCI DSS expert Anton Chuvakin explains. Tip
- See more Tips on IT Security Audits
- Choosing an external auditor: What to look for in an auditing firm
  Expert Mike Chapple advises enterprises on how to choose an external auditor, focusing on four major qualities to look for in an auditing firm. Answer
- Complying with MasterCard's new PCI Level 2 assessment requirements
  Expert Mike Chapple breaks down how Level 2 merchants can comply with MasterCard's new requirement for PCI self-assessments. Answer
- Four compliance IT management tips to improve employee engagement
  Mike Chapple offers four tips for improving employee collaboration and creativity with an enterprise's compliance program. Answer
- How an assessor validates the PCI DSS scope of compliance
  Expert Mike Chapple explains the four tests a QSA performs to validate that an organization has properly defined its PCI DSS scope of compliance. Answer
- Most common IT audit findings and how to remediate them
  Expert Mike Chapple uncovers some of the most common -- and embarrassing -- IT audit findings and explains how to remediate each one. Answer
- How to manage feedback in the compliance review process
  The compliance review process can be complicated, especially when getting input from others. Mike Chapple offers advice to streamline the process. Answer
- Security vs. compliance: Moving beyond a 'checkbox security' mentality
  Mike Chapple discusses the compliance vs. security challenge and why a "checkbox security" mentality may actually be a good thing. Answer
- Do I need GRC or compliance management software?
  Is it necessary to purchase pricey GRC or compliance management software to meet PCI DSS and HIPAA compliance requirements? Mike Chapple discusses. Answer
- Advice for developing a vendor compliance checklist for a vendor review process
  Charles Denyer offers advice for developing a vendor compliance checklist to support a vendor review process or a third-party vendor audit. Answer
- What is ISO certified vs. ISO compliant?
  Expert Charles Denyer explains the difference between an ISO 27002 certification report and an ISO 27002 compliant report. Answer
- See more Expert Advice on IT Security Audits
- Certified Information Systems Auditor (CISA)
  The Certified Information Systems Auditor (CISA) is a certification issued by the Information Systems Audit and Control Association (ISACA). Definition
- RSA 2011 preview: Compliance
  In this RSA Conference 2011 preview video, SearchSecurity.com News Director Robert Westervelt moderates a discussion on a wide variety of compliance issues. Speakers include SearchSecurity.com Senior Site Editor Eric Parizo, and Research Director Jos... Video
- How to perform a third-party risk assessment for compliance
  Afraid of non-compliant business partners? Learn how to perform a third-party risk assessment to prevent non-compliance. Video
- PCI compliance requirement 11: Testing
  PCI Requirement 11 is a popular one, according to Diana Kelley. Learn why in this instructional video. Video
- Using IAM tools to improve compliance
  Provisioning and password management tools can ease complexity, reduce help desk calls and save money. But they also have an added benefit: they can help ease enterprise compliance woes. Video
About IT Security Audits
Be prepared for your next IT security audit. Check out our resources on audit planning, tools, reports, mistakes, procedures, management standards, and how to work with auditors and audit validation.