President's blog focused on industry trends and best practices.

Credit Card Handling Liabilities

November 11, 2006

What are the liabilities of handling credit card data? The Payment Card Industry (PCI) Security Standards Council publishes a standard known as the PCI Data Security Standard (PCI DSS), currently version 1.1. It is a harmonized standard that spans Visa, Mastercard, American Express, Discover and JCB credit cards. The standard and its associated documents do not spell out the liabilities, fines, actions or incident handling requirements that come with it, so I've provided some guidance below, with references to public sources that carry additional information.


[full article...]

Evaluating Firewall Change Requests for Applications in Large Organizations

October 27, 2006 (adapted from April 14, 2005)

Evaluating firewall change requests for applications in large organizations, in a timely and risk-effective manner, can be a challenge. Having a procedure in place before you face sudden pressure from business groups will help to ensure the success of your mandate and your relationships. Unfortunately, there isn't much practical advice available in the public domain.

Risk management standards such as AS/NZS 4360, ISO/IEC TR 13335-3 (GMITS) and ISO/IEC 17799 don't provide operational guidance on security change management, and the ITIL books don't help with the specifics of this matter either. So, here is an outline towards an "open procedure" for evaluating firewall change requests in large organizations.


[full article...]

The Purpose and Value of Threat-Risk Assessment in the Corporate Environment

October 27, 2006 (adapted from May 6, 2006)

The process and work of Risk Assessment (RA) and/or Threat-Risk Assessment (TRA) is most useful for helping people understand the threats and risks involved. I favour gap assessment, but sometimes a business process owner will challenge you to explain the risks:

  • why does that policy apply in this case?
  • why should we spend $75k on that change to meet the baseline [or to exceed it]?
  • why shouldn't we wait 1 year until they release a new version with additional features?

[full article...]