- ISO 17799
- Gramm-Leach-Bliley Act (GLBA)
- PCI Data Security Standard
- HIPAA
- Sarbanes-Oxley Act
- IT Security Audits
- Data Privacy and Protection
- FFIEC Regulations and Guidelines
- COBIT
- Benefits of ISO 27001 and ISO 27002 certification for your enterprise
  If your enterprise is considering becoming ISO 27001 and 27002 certified, there are several important questions to ask. Learn about the potential benefits of ISO 27001 and 27002 certification with this expert advice. (Tip)
- Tony Spinelli: Prioritize Information Security over Compliance
  Organizations need to prioritize security over compliance to ensure comprehensive risk mitigation. (Feature)
- How to write a risk methodology that blends business, security needs
  One security professional describes a homegrown risk methodology currently being used by a large university and a private corporation. (Feature)
- IT auditing applications and tools for ISO 27002 certification
  Gaining ISO 27002 certification can be a daunting process, so what auditing tools can help? David Mortman weighs in on how to choose the best auditing tool for your organization. (Ask the Expert)
- Security survey finds increase in security standards adoption
  Ernst & Young's 2008 Global Information Security Survey finds both positive and negative trends in information security, depending on how you look at the numbers. (Article, 30 Oct 2008)
- Mix of Frameworks and GRC Satisfy Compliance Overlaps
  Three organizations reveal how they use a combination of frameworks such as COBIT or ISO 27001 along with GRC tools to satisfy overlapping industry and federal regulatory demands. (Feature)
- GRC: Over-Hyped or Legit?
  Governance, risk and compliance (GRC) is being used as a catch-all phrase for most information security strategies and tagged onto various products, adding even more confusion in the market as to what it truly means or promises to corporations. (Feature)
- Is the Orange Book still relevant for assessing security controls?
  Is the Orange Book still the be-all and end-all for assessing security controls in the enterprise? Security management expert Mike Rothman explains what happened to the Orange Book, and the Common Criteria for Information Technology Security Evaluation that replaced it. (Ask the Expert)
- How do ISO 17799 and SAS 70 differ?
  ISO 17799 and SAS 70 are two different policies that help organizations achieve compliance best practices. In this Q&A, Mike Rothman defines the policies and unveils their differences. (Ask the Expert)
- How to apply ISO 27002 to PCI DSS compliance
  The Payment Card Industry Data Security Standard may be fairly straightforward, but it is lacking in defining the processes that will ultimately lead to PCI DSS compliance. In this tip, expert Richard Mackey explains why ISO 27002 can not only help organizations comply with PCI DSS, but also provide more structure to an organization's overall compliance program. (Tip)
- View more on: ISO 17799
- Due diligence processes for cloud computing compliance
  Moving IT operations to the cloud requires careful due diligence to maintain compliance with HIPAA, GLBA and other regulations. (Feature)
- GLBA compliance and emerging technologies
  In order to meet GLBA requirements, companies must analyze the risks before moving customer information into new technologies like VoIP and cloud computing. (Tip)
- Regulators issue standardized privacy notice form for GLBA compliance
  The model form aims to make it easier for consumers to understand banks' privacy policies and to help financial institutions meet GLBA requirements. (Article, 17 Nov 2009)
- Implement security and compliance in a risk management context
  CFOs live in a world where risk management is the lingua franca. CISOs have to join the conversation. (Feature)
- Getting compliance on the GRID
  The Object Management Group is attempting to build a database that may one day serve as a clearinghouse for all the world's IT-related regulations. Some say it's impossible, but others say it's badly needed to keep companies secure and out of the legal crosshairs. (Article, 17 Jan 2008)
- Insuring compliance: Nationwide tackles GLBA
  GLBA requires all financial institutions to design, implement and maintain safeguards to protect customer information. This case study reveals Nationwide's biggest task for GLBA compliance. (Tip)
- IBM to boost security spending, push PCI DSS program
  IBM plans to invest $1.5 billion on security research in 2008. The company is also using recent acquisitions to introduce a PCI DSS program. (Article, 01 Nov 2007)
- ISO 27001 could bridge the regulatory divide, expert says
  Karen Worstell, former CISO at Microsoft and AT&T Wireless, recently joined the advisory board of Neupart A/S, a five-year-old European security risk management and awareness firm that just launched a North American office in the Seattle area. The company's specialty is promoting industry awareness of ISO 27001, a standard that defines the components of a security management plan to monitor, measure and control information security. As American businesses emerge from their Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley compliance projects, Neupart is hoping security pros are ready to take a fresh look at ISO 27001. In this Q&A, Worstell explains how ISO 27001 can be used to help companies comply with a variety of regulations and standards, and where her former employer, Microsoft, fits in. (Interview, 11 Jul 2007)
- Policies and regulatory compliance
  An overview of the type of policies needed for regulatory compliance. (Information Security magazine)
- Where hard drives go to die, or do they?
  A number of enterprises are using asset disposal firms to ensure sensitive corporate data is destroyed, but the process is hardly foolproof. In fact, a convicted felon could have his hands on your data right now. (Article, 04 May 2006)
- View more on: Gramm-Leach-Bliley Act (GLBA)
- P2P encryption for mobile is not a technology endorsement, says PCI Council
  The PCI Council will continue to issue recommendations for mobile payment security, according to Bob Russo, general manager of the PCI SSC. (News, 25 May 2012)
- Download presentations from Information Security Decisions 2012
  At ISD 2012, many of the industry's leading information security experts gathered to share vendor-neutral expertise and proven security strategies. (Conference supplement)
- PCI Council urges P2P encryption for mobile payments
  A PCI Council guidance document requires merchants to use a validated PIN entry device or secure card reader to accept payments using mobile devices. (News, 16 May 2012)
- SSC's new PCI point-to-point encryption guidance outlines testing procedures
  New PCI DSS guidance on point-to-point encryption outlines product testing requirements and urges more merchant-acquirer collaboration. (News, 02 May 2012)
- PCI DSS 12 requirements
  The PCI DSS 12 requirements are a set of security controls that businesses must implement to protect credit card data and comply with the Payment Card Industry Data Security Standard (PCI DSS). (Definition)
- PCI DSS 2.0
  PCI DSS 2.0 (Payment Card Industry Data Security Standard Version 2.0) is the second version of the Payment Card Industry Data Security Standard (PCI DSS). (Definition)
- PCI DSS User Group
  The PCI DSS User Group is a London-based user group for merchants and retailers who must comply with the 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS). (Definition)
- PCI assessor and CISO: Work together for the best PCI ROC
  In a session at the SOURCE Boston conference, a PCI assessor and a CISO explain that there are ways to arrive at a report on compliance they can both appreciate. (News, 19 Apr 2012)
- PDF download: Information Security magazine April 2012
  In this issue, read about enterprise requirements for unified threat management systems. Also read about tokenization and AMI security issues. (Magazine)
- Can a PCI Level 2 merchant perform a PCI self-assessment?
  Expert Mike Chapple clarifies whether a PCI Level 2 merchant can carry out an annual PCI self-assessment questionnaire. (Tip)
- View more on: PCI Data Security Standard
- HIPAA compliance: How to prepare for upcoming KPMG HIPAA audits
  KPMG HIPAA audits will hit 150 companies this year. What if yours is one of them? Mike Chapple explains how to handle the HIPAA compliance hot seat. (Tip)
- Video: PCI liability, HIPAA enforcement rule, breach notification laws
  Attorney David Navetta discusses why PCI liability matters to card brands, the effect of the HIPAA enforcement rule and breach notification laws. (Video)
- HIPAA encryption requirements: How to avoid a breach disclosure
  Charles Denyer explains the necessity of encrypting customer data with respect to HIPAA encryption requirements and spells out what enterprises should expect. (Answer)
- Proposed HIPAA privacy rules changes may demand new tools, processes
  Proposed HIPAA privacy rules changes may require companies to keep closer tabs on electronic health records. Charles Denyer explains what it may mean for enterprise compliance. (Tip)
- Best practices for enterprise database compliance
  Successful enterprise database compliance means, for starters, that access must be tightly controlled and monitored. Charles Denyer covers key database compliance essentials. (Tip)
- Using standardized enterprise security practices to secure and defend your network
  PCI DSS, HIPAA, ISO and other enterprise compliance guidelines offer a foundation to build repeatable information security processes and procedures. Marcos Christodonte II explains how. (Tip)
- Medical device security: Does IEC 80001 go far enough?
  Networked medical devices introduce new risks, but does a new standard go far enough in addressing the problem? (Magazine)
- Federal electronic health records: Benefits and challenges abound
  Incidents surrounding the Jan. 8, 2011 shooting spree in Ariz. served as a conspicuous reminder of a top concern about digitized medical records: the potential for security and privacy breaches. (Misc)
- Due diligence processes for cloud computing compliance
  Moving IT operations to the cloud requires careful due diligence to maintain compliance with HIPAA, GLBA and other regulations. (Feature)
- Rite Aid to pay $1 million in HIPAA settlement
  In its settlement agreement with the HHS over alleged HIPAA violations, the pharmacy chain will pay $1 million and must establish procedures for disposing of protected health information (PHI). (News, 28 Jul 2010)
- View more on: HIPAA
- SOX compliance checklist: Five ways to refine a SOX compliance program
  SOX compliance is still too burdensome for many enterprises. Expert Charles Denyer offers five ways to streamline a lagging SOX compliance program. (Tip)
- Information security book excerpts and reviews
  Visit the Information Security Bookshelf for book reviews and free chapter downloads. (Information Security Book)
- Due diligence processes for cloud computing compliance
  Moving IT operations to the cloud requires careful due diligence to maintain compliance with HIPAA, GLBA and other regulations. (Feature)
- Demystifying governance, risk and compliance
  GRC aims to bring together disparate compliance efforts in the enterprise, but the concept has been stymied by a lack of clarity. Developing a GRC program requires three key steps. (Feature)
- Frameworks to support SOX compliance requirements
  Enterprises have had to deal with SOX regulatory compliance for several years, but many lack clear direction that will address SOX compliance requirements from an IT process perspective. Learn how enterprises can use IT and security tools within the COSO and COBIT frameworks to meet SOX compliance requirements. (Tip)
- SOX data retention policies: What to do with old software archives
  What do you do when sensitive data is stored on old versions of software? In this expert response, Ernie Hayden discusses how to make sure you retain data correctly for Sarbanes-Oxley compliance purposes. (Ask the Expert)
- Technology to automate SOX compliance according to COBIT frameworks
  How effective are automated compliance solutions at easing an enterprise's compliance burden? In this expert response, learn what resources can be most helpful for your enterprise when complying with SOX. (Ask the Expert)
- SOX compliance burdens midmarket security teams
  Smaller public companies bear significantly higher pain in terms of revenue and costs per employee when complying with Sarbanes-Oxley. (Feature)
- Is Word document-comparison software SOX compliant?
  The SOX audit process can be daunting, especially when it comes to finding SOX-compliant software. In this expert response, learn whether Word document-comparison software is SOX compliant. (Ask the Expert)
- Audit requirements drive demand for privileged account management
  SOX compliance requirements and data security concerns are accelerating growth of the privileged account management market. (Article, 21 Aug 2009)
- View more on: Sarbanes-Oxley Act
- Key steps to perform a successful information security gap analysis
  Need to assess the holes in your organization's network? Learn how an information security gap analysis can help you find network security weaknesses. (Tip)
- How to manage the compliance cycle to improve your compliance strategy
  Too often, organizations jam all their compliance tasks into the quarter when the audit is due. Read advice for reducing compliance fatigue. (News, 06 Mar 2012)
- SEC disclosure rules: Public company reporting requirements explained
  Learn the public company reporting requirements necessary to comply with CF Disclosure Guidance Topic No. 2, the SEC's cybersecurity reporting rules. (Tip)
- Advice for developing a vendor compliance checklist for a vendor review process
  Charles Denyer offers advice for developing a vendor compliance checklist to support a vendor review process or a third-party vendor audit. (Answer)
- Building a compliance culture means learning from mistakes
  In this bonus to our "Compliance scorecard" Security School lesson, Eric Holmquist covers the importance of learning from failure by assessing how and why mistakes happen. (Tip)
- What is ISO certified vs. ISO compliant?
  Expert Charles Denyer explains the difference between an ISO 27002 certification report and an ISO 27002 compliant report. (Answer)
- Application log management: Enabling application security compliance
  Expert Michael Cobb discusses how application audits and security information and event management can save you time and energy with application security compliance. (Tip)
- Auditing virtualization: Security training for infosec pros
  This chapter discusses auditing virtualized environments, and begins with an overview of common virtualization technologies and key controls. (Tip)
- Network security audit guidelines: Inside the importance of audit planning
  In this SearchSecurity.com mini learning guide you will learn the ins and outs of network security audit guidelines, as well as the importance of audit planning, and how to perform and prepare for an audit. (Learning Guide)
- Microsoft's internal auditor discusses the company's IT security outlook
  Scott Charney is Microsoft's internal auditor; see what he and his team control. (Misc)
- View more on: IT Security Audits
- A bold view on prioritizing computer security laws
  The number of computer security laws in the U.S. can be daunting. One bold lawyer suggests a way to prioritize the laws and avoid most legal battles. (News, 24 May 2012)
- How regulation should -- and shouldn't -- influence cybersecurity policy
  Recent breaches display the importance of cybersecurity policy, and regulations provide a decent data protection roadmap. But compliance does not automatically equal security. (Tip)
- Should the new Google privacy policy concern enterprises?
  Google's tentacles reach deep into most enterprises, but should enterprises worry about the new Google privacy policy? Expert Michael Cobb discusses. (Tip)
- EU cookie regulations: Advice for firms in the US and other countries
  Expert Alan Calder responds to a reader's question: Must companies outside the EU change their websites to comply with EU cookie regulations? (Answer)
- For U.S. companies, EU cookie compliance calls for website changes
  With recent changes to European data privacy laws, U.S. enterprises must make website changes to meet EU cookie compliance deadlines. (Tip)
- Changes to European privacy laws foreshadow serious business impact
  Changes to the data protection regulations are on the way for the European Union, and the fallout in Europe serves as a good case study for U.S. businesses. (News, 08 Mar 2012)
- Robert Westervelt, News Director
  Robert Westervelt is News Director for the TechTarget Security Media Group. (News Director)
- Why businesses should care about proposed Protect IP, SOPA pirating laws
  Legislation is aimed at stopping piracy, but security professionals and industry groups say it could weaken security, hamper innovation and limit competition among small businesses and startups. (News, 20 Dec 2011)
- The ongoing debate over a federal breach notification law
  Lawmakers continue to wrangle over creation of a national data breach notification standard. (Magazine)
- SEC guidelines push companies to disclose potential breaches
  The U.S. Securities and Exchange Commission guidelines help companies determine how security breaches should be disclosed to potential investors. (News, 17 Oct 2011)
- View more on: Data Privacy and Protection
- Updated Bank Secrecy Act compliance exam guide focuses on risk
  FFIEC makes it clear that financial institutions' anti-money laundering programs must account for changing risks. In this expert tip, Dan Fisher explains how to ensure your BSA program meets examiners' scrutiny. (Tip)
- N.C. firm charged with AML violations
  A North Carolina-based firm with mostly foreign customers failed to identify and verify customer identities, officials say. (News, 09 Sep 2010)
- Data security implications of financial services regulatory reform
  Industry experts weigh in on the possible ramifications of the sweeping legislation on information security and compliance professionals. (Article, 29 Jul 2010)
- FFIEC security requirements: Physical security management and logging
  In this expert response from Ernie Hayden, learn about FFIEC security requirements for creating physical security logs. (Ask the Expert)
- Aite Group: Take action now to manage remote deposit capture risks
  Fraud losses involving RDC technology have the potential to skyrocket if banks don't work proactively to deal with the risks, the research firm says. (Article, 11 May 2010)
- Regulators revisit authentication advice to thwart online banking fraud
  It's been nearly five years since the Federal Financial Institutions Examination Council (FFIEC) issued its authentication guidance for online banking. Since then, cybercriminals have developed sophisticated malware that can circumvent multifactor authentication to hijack and loot online bank accounts. In the wake of the online banking fraud surge, which has targeted small and midsize businesses, federal regulators are revisiting their 2005 authentication guidance. SearchFinancialSecurity.com met with Jeffrey Kopchik, a senior policy analyst at the FDIC, to learn more about the effort. (Interview, 25 Mar 2010)
- FTC Red Flags Rules: How to create an identity theft prevention plan
  Under the FTC's Red Flags Rules, all financial institutions and creditors with covered accounts are required to create an identity theft prevention plan. But who is a creditor, and what is a covered account? Learn more in this expert tip. (Tip)
- Don't forget the cleaning crew in your vendor management program
  Banks often overlook non-IT vendors in their vendor management program, putting their organization and customers' data at risk, experts say. (Article, 05 Oct 2009)
- This May Day, banks wave the Red Flags
  The Red Flags Rule, which mandates that companies develop methods by which they will identify, detect and respond to identity theft incidents, is set to go into effect May 1. (News, 14 Apr 2009)
- Protecting data in a merger and acquisition
  Upheaval in the financial-services industry has put the spotlight on financial information security. Experts share ways to keep sensitive information secure during an M&A. (News, 14 Apr 2009)
- View more on: FFIEC Regulations and Guidelines
- COBIT 5: A first look at the recent updates
  In this tip, learn how to integrate the new management practices from COBIT 5 into current IT security framework implementations. (Tip)
- Forrester offers new guide for information security program development
  The research firm's new 123-point maturity model is intended to go beyond COBIT as a more comprehensive way to help companies find and fix gaps in their infosec programs. (Article, 30 Jul 2010)
- How to use COBIT for compliance
  While the COBIT framework has been around for a long time, it can still be very useful in terms of understanding goals and benchmarks for a security program that can, in turn, aid compliance with many regulations. (Tip)
- Tony Spinelli: Prioritize Information Security over Compliance
  Organizations need to prioritize security over compliance to ensure comprehensive risk mitigation. (Feature)
- Security survey finds increase in security standards adoption
  Ernst & Young's 2008 Global Information Security Survey finds both positive and negative trends in information security, depending on how you look at the numbers. (Article, 30 Oct 2008)
- Mix of Frameworks and GRC Satisfy Compliance Overlaps
  Three organizations reveal how they use a combination of frameworks such as COBIT or ISO 27001 along with GRC tools to satisfy overlapping industry and federal regulatory demands. (Feature)
- GRC: Over-Hyped or Legit?
  Governance, risk and compliance (GRC) is being used as a catch-all phrase for most information security strategies and tagged onto various products, adding even more confusion in the market as to what it truly means or promises to corporations. (Feature)
- Is the Orange Book still relevant for assessing security controls?
  Is the Orange Book still the be-all and end-all for assessing security controls in the enterprise? Security management expert Mike Rothman explains what happened to the Orange Book, and the Common Criteria for Information Technology Security Evaluation that replaced it. (Ask the Expert)
- Does SOX provision email archiving?
  Although SOX may lack specificity regarding certain controls, it does have clear mandates for email retention. (Ask the Expert)
- COSO and COBIT: The value of compliance frameworks for SOX
  In an attempt to blaze a path through the myriad of compliance regulations and requirements, organizations are looking to frameworks like COSO and COBIT. In this tip, contributor Mike Rothman examines these compliance paradigms and offers insights on how they can help organizations and auditors speak the same language. (Tip)
- View more on: COBIT