It’s great that organizations are thinking about compliance. However, we need more emphasis on security. A security product will fail if it’s not implemented and maintained correctly. So every penny and minute that goes into choosing and maintaining the right product is worth it.
Too often, data breaches exploit shared privileged account passwords used for administrative logins, privileged service accounts, and application-to-application communications. Mandates such as PCI DSS, HIPAA, Sarbanes-Oxley and others require that these powerful passwords be audited and updated regularly to prevent abuse.
The recently announced NIST framework is a lot of useless and redundant verbiage that collects existing standards that have existed for at least a decade. There is nothing fundamentally new, revolutionary or even effective in the framework.
Generally speaking, IT audits historically focused on identifying shortfalls in regulatory compliance, but without the authority to help select an appropriate mitigation when security shortcomings are discovered. For auditors to achieve any real improvements in reducing security risk, the auditors themselves need a broader mission and better training so that they…
Here’s where privileged identity management helps with regulatory compliance. These products inventory all systems, accounts and passwords – and track where they’re used.
Last month’s announcement of Payment Card Industry Data Security Standard 2.0 (PCI-DSS v. 2.0) created a flurry of news reports in the IT media. In reality, though, it changed little about the way that businesses guard sensitive cardholder information on their networks. Originally PCI-DSS required organizations to implement both operational…
Security awareness operates on a principle where companies are only willing to fix their problems when they are being fined, or when their lack of security lands them in the newspaper. But, just as memories fade in time, the commitment to security fades quickly when breaches blow over and everyone moves on. Hopefully, more companies will begin to realize that regulatory compliance and IT security are not necessarily the same things.
The poor state of security at banks and financial institutions continues to make headlines, with cases like the HSBC breach bringing embarrassing attention to this already beleaguered industry. This problem is the result of a fragmented, feudal system of homegrown IT development that has evolved over the last 30 years, though not for the better.
Rodney Gedda of CSO Magazine recently posted an excellent description of a security phenomenon known as the “trust time bomb”. In his article, Gedda explained how, over time, employees build up an incredible number of privileges that grant them dangerous access. This is akin to the problem of database administrators (DBAs) who retain DBA superuser privileges indefinitely, and of IT staff using the same password on every system in the company as a matter of convenience.