Archive for September, 2010

21 Sep 10

Policy over Product

Have you purchased all of the right products for your network?  Do you have your firewall, switch, security server, SAN, WAP, and two-factor authentication device?  Great, so aren’t you all set for security?

The truth is you have a lot of stuff, and that is it.  Without developing policies and procedures on how information should be handled and what is and is not allowed, you don’t really have much of anything.

Let’s say you have a web blocker installed to stop traffic, but you never monitor what is being done on the allowed sites.

Let’s say you have an email security and DLP device, but the rules for what should be stopped are never created or tested.

Let’s say you have a state-of-the-art SAN configured, but the security was never applied to the sensitive folders on it.

The actual purchase of the products is only the beginning.  Next comes the configuration and policy development.  Make sure your IT staff has a deep understanding of what they need to do, and that they are trained on and thoroughly understand the devices.

20 Sep 10

Tokenization

Trends in the security industry suggest that something called tokenization is the future of security.  So what is tokenization?

Well, a general explanation is this.  Let’s say you take the word DATA and you want to send that word to another computer (like when you transmit cardholder data, PHI, PII, etc.).  The word gets broken up into separate letters: D A T A.  Each letter is then replaced with a secret value that can be decoded on the remote server; for example, D becomes ;lk;k%%%.  The word is then reassembled on the remote end, processed, and sent on.

Some of us think this is the way text messages look, with all the codes and abbreviations.  Kidding aside, this technology is really cool.  If we can secure every character or symbol and then reassemble it, we can secure almost anything.  But be careful of vendors selling this buzzword.  The technology is new and only a few players are really good at it.
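The post describes the idea at the level of single characters; a production tokenization service for cardholder data normally swaps the whole card number for a random token and keeps the mapping in a vault that only the token server can read. The following is an added example, not code from the post, using a hypothetical in-memory TokenVault class: the token keeps the last four digits for receipts but deliberately fails the Luhn check, so it can never pass as a real card number and is worthless to anyone without the vault.

```python
import secrets


def luhn_ok(number: str) -> bool:
    """Standard Luhn check; real card numbers pass it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps tokens to the cardholder numbers they stand in for.

    Hypothetical in-memory vault (assumption for this example); a real
    token service keeps this mapping in a separately secured store.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a token that keeps only the last four digits of the PAN."""
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19:
            raise ValueError("not a plausible PAN")
        if digits in self._pan_to_token:  # same PAN always gets the same token
            return self._pan_to_token[digits]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            # A token must be unique and must fail Luhn, so it can never be
            # mistaken for (or collide with) a real card number.
            if token not in self._token_to_pan and not luhn_ok(token):
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault holder can map a token back to the real number."""
        return self._token_to_pan[token]
```

Everything outside the vault (the web shop, logs, the database of orders) only ever handles the token, which is what keeps those systems out of PCI scope.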

17 Sep 10

Changes are Coming for CHD

The PCI Security Standards Council is ready to introduce new standards this October.  A summary of the proposed changes was published recently on their site.  The changes, once enacted, will take effect right away, and companies need to prepare for them.  The changes, while not major, clarify several points that are redundant or otherwise gray and add some more security.

What are you doing for ongoing security to maintain PCI?  PCI is not a typical regulation, meaning it is actively enforced.  Private industry has designed the standards and requires companies to be compliant.  Noncompliance will result in revocation of your ability to process credit and debit transactions.

Protecting CHD is not hard.  Basic security practices just need to be followed in a timely manner.  Here is a summary of all 12, in regular terms.

  • Build and Maintain a Secure Network – Have a firewall, change default passwords, etc.
  • Protect Cardholder Data – Don’t store data in the open.  CHD is the credit card number, expiration date, name, etc.
  • Maintain a Vulnerability Management Program – This refers to having AV and malware protection, and developing and maintaining secure systems (i.e. don’t use the homemade application your cousin made for you 12 years ago).
  • Implement Strong Access Control Measures – Keep people from accessing the information unless they need it.
  • Regularly Monitor and Test Networks – You can’t set a network up and walk away.  You should be assessing regularly and making sure nothing is out of the ordinary.
  • Maintain an Information Security Policy – Maintain security policies so your data doesn’t walk off.  All the products in the world will not keep you secure if you don’t use policies around them.  Train your employees or hire someone to.  They don’t think about these things like you do.

Summary of Changes

Video of Requirements

14 Sep 10

WatchGuard Training

We have two seats left for our WatchGuard XTM training class next week in Charlotte, NC.  I think they will sell out this week.  If you are interested, email info@jstengel.net or visit our site.  It promises to be a great class with a great group of people.

03 Sep 10

The Cost of Inaction

Think about these questions in the context of inaction:

What if you don’t renew your auto insurance?

What if you don’t lock your car and leave a laptop on the seat?

What if you eat at that restaurant with the failing health score?

What if you don’t train your employees on the new MRI machines you just purchased?

What if your employees never call back customers?

What if you don’t secure your email until after the audit?

What if you don’t worry about patient confidentiality until after a lawsuit is filed?

Not doing something proactively is actually more costly than doing it ahead of time.  Diligence is paramount in any organization.  Too often I see concerns over money up front cause a project to fail.  More money is then spent on the back end to fix the mistakes of the original install.

Assess, train, and make things happen.  Don’t wait for it to happen to you.
