There are a number of significant changes in PCI-DSS 3.2. We’ll just take a look at the new aspects that directly affect security controls. Here are the highlights of those new requirements.
IT Auditing Compliance Reports
It’s great that organizations are thinking about compliance. However, we need more emphasis on security. A security product will fail if it’s not implemented and maintained correctly. So every penny and minute that goes into choosing and maintaining the right product is worth it.
There are serious issues with treating IT security as a set of policies. They can all be captured in one thought – security is a battle, not a concept.
The recently announced NIST framework is a lot of useless and redundant verbiage that collects existing standards that have existed for at least a decade. There is nothing fundamentally new, revolutionary or even effective in the framework.
Generally speaking, IT audits historically focused on identifying shortfalls in regulatory compliance, but without the authority to help select an appropriate mitigation when security shortcomings are discovered. For auditors to achieve any real improvements in reducing security risk, the auditors themselves need a broader mission and better training so that they…
In recent years we have witnessed more and more organizations fail to adequately secure their systems. When examining the evidence, there are common practices that have lead to these failed IT audits and security breaches. How many of the top five are you guilty of?
CAG Control 12 (formerly CAG 8) lists precisely the minimum controls necessary – and the actions you’ll need to take – to secure privileged credentials.
For the most part, PCI-DSS is a good idea that improved the overall security of credit card payment handlers. However, PCI security flaws exist.
Security awareness operates on a principle where companies are only willing to fix their problems when they are being fined, or when their lack of security lands them in the newspaper. But, just as memories fade in time, the commitment to security fades quickly when breaches blow over and everyone moves on. Hopefully, more companies will begin to realize that regulatory compliance and IT security are not necessarily the same things.