Group items tagged

PCI - better than nothing, but still vastly inadequate. - Karl The Heartland Payment Systems and Network Solutions data breaches have thrust the Payment Card Industry Data Security Standard (PCI DSS) into the spotlight, raising the question: Does PCI compliance help in the fight against fraud? David Taylor, founder of PCI Knowledge Base, recently administered new research on PCI compliance, and in an exclusive interview he discusses: Goods news - and not-so-good-news - about PCI compliance; Unique PCI challenges for merchants and banking institutions alike; What needs to be done to raise awareness of PCI compliance. Taylor founded the PCI Knowledge Base and before that the PCI Alliance. He worked with many leading edge companies as an analyst for Gartner for 14 years. The PCI Knowledge Base is a research community that shares information and knowledge to help merchants, banks and other organizations achieve PCI compliance.

The Heartland Payment Systems and Network Solutions data breaches have thrust the Payment Card Industry Data Security Standard (PCI DSS) into the spotlight, raising the question: Does PCI compliance help in the fight against fraud? David Taylor, founder of PCI Knowledge Base, recently administered new research on PCI compliance, and in an exclusive interview he discusses: Goods news - and not-so-good-news - about PCI compliance; Unique PCI challenges for merchants and banking institutions alike; What needs to be done to raise awareness of PCI compliance. Taylor founded the PCI Knowledge Base and before that the PCI Alliance. He worked with many leading edge companies as an analyst for Gartner for 14 years. The PCI Knowledge Base is a research community that shares information and knowledge to help merchants, banks and other organizations achieve PCI compliance.

"Sun Microsystems, Inc. and Deloitte today announced a collaborative initiative to help companies develop efficient, cost-effective and sustainable technology and business processes to address their unique regulatory compliance and technology governance challenges. As part of this initiative, Sun and Deloitte today announced their plans for the Center for Technology Governance and Compliance (CTGC), which combines Deloitte's consulting and advisory services with Sun's IT management solutions and services, including its Information Lifecycle Management (ILM) and Identity Management technology portfolios. Access to the professionals and services within the CTGC is available through Sun Solution Centers. To learn more, please visit http://www.sun.com/compliance or http://www.deloitte.com/ . As a worldwide leader in network computing systems, Sun provides scalable solutions designed to protect and manage business-critical information through its lifecycle. The combination of Deloitte and Sun brings together complementary competencies to deliver a business-driven, technology-enabled framework for creating and implementing technology governance and compliance strategies and programs."

eBook: Compliance 2.0: Comprehensive, Scalable and Sustainable Systems http://go.techtarget.com/r/6705298/226727/1 Enterprises are moving towards a top-down approach to compliance that starts with risk assessment and prioritization, experts agree. In this expert e-book gain insight from senior IT and security officers who are taking a holistic approach to compliance for long-term sustainability and cost reduction. Learn which quantitative tools you can use to prioritize your efforts, maximize your investments and get key business executives to support your next project. Learn how to: ** Bring your data into governance ** Understand and manage your risk exposure ** Get the right people on board to support your strategy and policies Start building your true compliance infrastructure: http://go.techtarget.com/r/6705299/226727/2

Things to think about for auditors during a downturn

As IT environments are becoming more complex, enterprises are relying on them more than ever before, said Michael Juergens, principle at Deliotte & Touche, told attendees at an ISACA CACS audit and compliance conference. He identified 10 areas in which complexity makes IT more difficult to monitor. "This list is designed to get you thinking about your environments and if currently scheduled IT audit procedures will evaluate this risks," Juergens said. "The list is in no particular order, is by no means a comprehensive list, and will vary by environment. There may be a greater or lesser risk depending on your industry, technology, business processes, and other factors," he added. He said that auditors should make a careful risk assessment at any enterprise that uses external cloud computing solutions. A key risk for compliance is simply keeping track of the data and recovering it if part of the cloud goes down. IT administrators must have insight into the cloud to enable forensics if an investigation is required. Juergens added that virtualization, often a key component of private clouds, carries the same risks as public clouds. The key issue is finding and tracing data, which can move to different servers within a virtualized environment. During this economic downturn, many companies will face disgruntled employees and will need to be able to control their access. "Specific attention items should be: timely removal of access, periphery security, internal security architecture, physical security and badge location, help desk procedures, workstation security and IDS management," Juergens said. Layoffs can harm an organization even without disgruntled employees. Many help desks and incident response teams will be understaffed, and Juergens advised that now is a good time to re-examine security procedures. A related risk could occur if an employee takes on the responsibilities of another, combining tasks that were previously segregated for compliance purposes. En

There are four "high risk" areas that aren't getting the attention they deserve as financial institutions work toward complying with the ID Theft Red Flags Rule, says a leading industry compliance expert. Many institutions have already complied with the regulation and have done their risk assessment to identify covered accounts and determined what red flags they need to be monitoring. But there are areas that should be considered "high risk" and aren't getting the attention they deserve from institutions, says Sai Huda, CEO of Compliance Coach. The Red Flags Rule is a risk-based regulation. As such, Huda says, compliance should be approached from a risk management and not a purely technical perspective, and institutions should ask these questions: * Which accounts are more at risk to identity theft? * Which red flags represent higher risk? * Which detection and response procedures are commensurate with the risks? * Which service providers pose greater risk? * What controls exist to mitigate the risks? The big question that most institutions have at top of mind is "What about enforcement?" Huda says the federal banking regulators are taking a risk-based, top-down approach when assessing institutions. "They are first assessing whether the [institution] has implemented a risk-based program and how it is overseeing compliance," he says. "If the program is risk-based and sound, they will limit their scope. If not, then they will dig deeper."

"Despite concerns from some privacy groups and U.S. lawmakers about behavioral advertising, most large advertising networks generally comply with a set of privacy and data-handling standards adopted by the Network Advertising Initiative a year ago, the NAI said in a report released Wednesday." ...NAI, whose members include Google, Yahoo and Advertising.com, should be praised for doing a compliance report after skipping it for several years, said Ari Schwartz, vice president and chief operating officer CDT. However, the group should consider using a third party to audit compliance of its privacy guidelines, instead of having NAI staff do the audits, he said. In addition, while NAI members appear to be following most of the guidelines, some of the privacy safeguards are "weak," including the data retention standard, he said. "There's no maximum for data retention -- they just have to state what their data retention policy is," Schwartz added. The NAI report doesn't lessen the need for new privacy laws, Schwartz said. Several online advertising networks are not members of NAI, and the recent public pressure has led to the NAI updating 8-year-old guidelines last year and issuing a compliance report for the first time in several years, although the group had promised regular reports, he said. "It seems that when there's regulatory pressure, they actually do comply with what they said they were going to do," he said. "We certainly wouldn't want to see any regulatory pressure lifted."

Worth a read. The story changes quite a bit from the top to bottom of the story.

The organization charged with administering the Payment Card Industry Data Security Standard (PCI DSS) is trying to give merchants a compliance blueprint. The Prioritized Approach Tool offers six "milestones" that businesses should try to reach in their pursuit of compliance, said Lib de Veyra, the newly appointed chairman of the PCI Security Standards Council, which manages the guidelines. When faced with a standard as robust as PCI DSS, many companies, particularly the smaller merchants, need help deciding which risks they should address first, de Veyra told SCMagazineUS.com on Friday. The tool, to be published Tuesday on the council's website, also helps retailers and their acquiring banks demonstrate and measure progress. Rated by order of criticality, the milestones are: Limit data retention, secure the perimeter, secure applications, control system access, protect stored cardholder data and finalize remaining compliance efforts, ensuring all controls are in place. "You take care of Milestone One and you've significantly reduced the risk in the event of a data breach because, where's the data?" de Veyra said.

* Name Compliance Week * Location Boston, MA * Web http://www.compli... * Bio Compliance Week is an information service on corporate compliance and risk. Twitterers include editor-in-chief Matt Kelly and publisher Scott Cohen.

It's time to comply. Nov. 1 is here, and financial institutions throughout the U.S. are still scrambling to meet their Identity Theft Red Flags Rule compliance deadline. For the past year, we've done what we can to guide your efforts with articles, interviews, research, webinars and white papers. You can see the fruits of our efforts here. These are the resources you need to ensure not just your own compliance, but that of your third-party service providers and key business partners. Within this special guide, please find: * A summary of the final rule and guidelines, including a listing of all 26 red flags; * A detailed look at the examination procedures for the new rule; * Insights from federal regulators and banking practitioners on what to expect post-Nov. 1; * Analysis of what compliance means to your institution and its customers for years to come.

This year was an interesting year in privacy and information security, and by looking back, we can clearly discern trends that will likely be a major part of the security management landscape in 2009. More and more states passed breach-notification laws and several enhanced or extended existing legislation. Software-as-a-Service (SaaS) and virtualization really took off, and compliance's looming presence grew with PCI DSS version 1.2 and some actual enforcement of HIPAA. Of particular note was Massachusetts' data breach law 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth. This is to date the most comprehensive law of its kind, setting a new standard for what breach-notification laws should look like; it covers both paper and electronic records, it mandates appropriate security awareness training as well as security and risk assessments and, most importantly, requires companies to make changes to their security programs in accordance with the findings of those risk assessments. Similarly, California enhanced the well-known CA-1386 to include not just traditional financial information, but also health care and health insurance data as well. With new mandates popping up all the time, it's no wonder compliance was one of the biggest focus areas for enterprise information security teams in the past year, and this trend will clearly continue in 2009; there will be more regulation on both the state and federal levels, and stronger enforcement of existing regulations. Fines and other penalties for violations of PCI DSS and HIPAA will continue to rise, along with the inevitable rise in discoveries of malfeasance. As a result, there will be an even larger focus on compliance by upper management, which also means decreased time and budget for necessary security controls that don't clearly fall under a compliance umbrella.

The discipline known as governance, risk, and compliance (GRC) management has come a long way in a short time. Results from Business Finance's 2009 GRC Maturity Study suggest that the majority of companies with formal GRC programs are beginning to derive strategic benefits from their efforts: Two-thirds of survey respondents say that the primary benefit of the GRC programs extends beyond mere compliance to "strategic risk management and decision-making insights" (55 percent) and "superior resilience and long-term shareholder value" (11 percent). Additionally, 81 percent of survey respondents describe their company's GRC capabilities as "strong" (15 percent) or "acceptable" (66 percent); only 18 percent of respondents say that their programs are "in need of improvement." What's more, a remarkable 83 percent of survey respondents (see the "Methodology" side bar) say that their corporate GRC programs were somewhat to very helpful in enabling their organizations to anticipate and respond to the current economic downturn. At many companies, GRC is about much more than compliance these days.

A National Security Agency eavesdropping program exceeded legal limits intended to safeguard privacy, and officials have taken steps to bring the intercepts program into compliance, the Justice Department said Wednesday. The department, in a statement, said problems with the NSA program were uncovered as the Justice Department and National Security Agency were conducting routine oversight of intelligence activities to ensure compliance with laws and court orders. Attorney General Eric Holder has sought court approval to renew the NSA program after instituting new safeguards. The House intelligence committee was informed of the compliance issues and is conducting an inquiry, a House congressional official said. The New York Times on Wednesday reported on its Web site that the program intercepted private email messages and phone calls of Americans. However, intelligence officials have described the program as primarily searching for information based on data about communications, such as email addresses, subject headers and the time a message or phone call was placed. The Justice Department said officials notified the Foreign Intelligence Surveillance Court of the problems with the NSA program and took "comprehensive steps" to correct the matter. "The Justice Department takes its national security oversight responsibilities seriously and works diligently to ensure that surveillance under established legal authorities complies with the nation's laws, regulations and policies, including those designed to protect privacy interests and civil liberties," the department said.

Like this http://www.hdfilmsaati.net Film,dvd,download,free download,product... ppc,adword,adsense,amazon,clickbank,osell,bookmark,dofollow,edu,gov,ads,linkwell,traffic,scor,serp,goggle,bing,yahoo.ads,ads network,ads goggle,bing,quality links,link best,ptr,cpa,bpa. www.killdo.de.gg

Industry Insiders Discuss HIT and HIPAA Issues March 30, 2009 by Astrid Fiano, Writer A significant part of President Obama's health care reform agenda is the push for implementing more health care technology. In the health care field privacy is always a major concern, and was the impetus of the Health Insurance Portability and Accountability Act of 1996--protecting the privacy of individually identifiable health information in all formats, and the confidentiality provisions of the Patient Safety Act--protecting identifiable information being used to analyze patient safety events. So those in the health care industry now wonder will the Administration's focus on health IT (HIT) present more challenges to privacy concerns? As part of a continuing focus on HIT issues, DOTmed interviewed industry expert Kirk J. Nahra, a partner in the Washington D.C. legal firm of Wiley Rein LLP, specializing in privacy and information security for the health care and insurance industries, and named an expert practitioner by the Guide to the Leading U.S. Healthcare Lawyers. DOTmed also interviewed Lise Rauzi, Vice President, Training Development, for Health Care Compliance Strategies (HCCS). HCCS provides online training compliance for employees. Nahra notes that regardless of the rising concern over privacy and the new HIT legislation, there have already been formal HIPAA security rules on electronic information in place for several years--the health care industry compliance has just been inconsistent. The problem -- to the extent there is one -- is that HIPAA rules are process-oriented, Nahra explained. The rules don't tell an entity what to do, but rather what to evaluate--a standard set of questions, but without a standard set of answers. For example, a covered entity has to have an internal audit, but the rules do not tell the entity how best to carry out that internal audit. Not surprisingly, different businesses have different ideas on how to implement their HIPAA evaluations

Should individual states mandate that businesses comply with the Payment Card Industry's Data Security Standard (PCI DSS)? The answer is "yes," according to Nevada, which has passed a new law that, as of next year, requires businesses to comply with PCI when collecting or transmitting payment card information. Nevada is the first state to mandate full PCI compliance for businesses. Minnesota in 2007 incorporated only a portion of PCI in its Plastic Card Security Law. According to Nevada's new law, if a data collector doing business in that state accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of PCI DSS, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization. Is it a Game-Changer? As states rush to adopt or strengthen privacy legislation, Nevada's move is seen by some observers as a potential "game-changer." But they question whether states should be in the business of mandating compliance with an industry standard.

When the OCEG released Red Book version 1.0 back in 2005--it seems like a long time ago--the whole idea of GRC applications was still new. There was definitely a need for a COSO-like guide to internal GRC implementations. The focus back then was compliance and that is where the Red Book offered the most value. Four years later, the landscape has morphed a bit, and no one should be surprised that version 2.0 is concerned with the R and G as much as the C. The heart of the new version--a public exposure draft has been released--is something called the GRC Capability Model, which the OCEG markets as a "comprehensive guide for anyone implementing and managing a GRC system or some aspect of that system (e.g., compliance, training, hotline, investigations)." Eventually, OCEG members will be able to access the resource online to "create custom reports drawing from the Model and additional OCEG resources."

Two firms certified to asses a company's compliance with the Payment Card Industry Data Security Standards (PCI DSS) have been placed under remediation by the PCI Security Standards Council. Two firms certified to asses a company's compliance with the Payment Card Industry Data Security Standards (PCI DSS) have been placed under remediation by the PCI Security Standards Council. "We have a contractual relationship with the PCI Security Standards Council and they can pull our certification at any time," Bates said, adding that the firm is working wholeheartedly to remedy the situation. Chris Konrad, senior vice president of client services at Fortrex, did not return a phone call seeking comment. Fortrex's business is U.S-based. The company is in its sixth year assessing service providers and merchants. In addition to being certified to conduct payment application quality security assessments, the firm sells risk management consulting services. It is a reseller in security vendor Qualys Inc.'s PCI Partner Program, according to the company website. Qualys said its "program gives partners generous margins based on their level of certification." The PCI Council launched its quality assurance program for assessors in September to address growing concerns from merchants about the quality of their assessments and other issues. Merchants have complained that some QSAs don't appear to have the technical skills necessary to conduct a thorough assessment. Other merchants have raised issues with QSA's pitching security products during the assessment process. Merchants that receive negative feedback are placed on probation and a revocation process is in place if assessors do not address the issues identified by the council.

In this expert videocast, you will learn about Web 2.0 software, the threats they pose, and whether the benefits outweigh the risks. Key areas covered include the threats posed by services like Facebook, MySpace, and LinkedIn, as well as wikis and blogs. Our expert also dives into particular attack vectors and scenarios that are becoming popular, defensive policy, and technology best practices and Web 2.0 trends to monitor going forward. Speaker David Sherry CISSP, CISM - CISO, Brown University As chief information security officer of Brown University, David Sherry is charged with the development and maintenance of Brown's information technology security strategy, IT policies and best practices, security training and awareness programs, as well as ongoing risk assessment and compliance tasks. Sherry has 20 years of experience in information technology. He most recently worked at Citizens Bank where he was vice president for enterprise identity and access management, providing leadership for compliance and security governance. He had also served as Citizens' vice president for enterprise information security, overseeing the company's security operations and controls. He has taught classes at colleges in both Massachusetts and Rhode Island, as well as spoken on identity management strategy and implementation at industry conferences. He holds undergraduate and graduate degrees in business management.

The new Obama Administration and a stronger Democratic party control of Congress set in the midst of a struggling economy and foreign policy issues, has created an interesting environment for legislation and regulations affecting customer interactions both federally and at state levels. While contact center-and-direct marketing-affecting issues such as offshoring, privacy, and telemarketing may haven been pushed offstage, they are not out of the hall. Ironically, economic pressures may shove them back into the spotlight as governments, especially states, seek ways to keep jobs and revenue sources, which contact centers provide. Federal Legislation Here is an examination of federal industry issues that lawmakers and regulators are and may be addressing in 2009: * Offshoring Federal lawmakers may reintroduce a bill similar to HR 1776, The Call Center Consumer's Right to Know Act, which would require contact center agents to disclose the physical location of such employee at the beginning of inbound and outbound calls. Firms would also have to annually certify to the Federal Trade Commission (FTC (News - Alert)) their compliance with such requirement. HR 1776 is an attempt to restrict offshoring by making customers aware that their calls may be going to or originating out of country. The bill's supporters hope customers and negative publicity would pressure firms to bring such jobs back to the U.S. The downsides are that such bills may significantly add to contact center costs in both onshoring and time spent location disclosing and in compliance, which would ultimately be paid for by consumers. In doing so bills like it that hike contact center expenses may also be self-defeating as they may result in fewer domestic jobs. "The particular type of disclosure contemplated by HR 1776 is a burdensome additional disclosure without clear benefit to the consumer," American Teleservices Association (ATA) CEO Tim Searcy told the House Energy and Commerce subcom

From the Heartland data breach to the new Massachusetts data protection law, privacy is the hot topic in business and government. In an exclusive interview, Peter Kosmala, assistant director of the International Association of Privacy Professionals (IAPP), discusses: The top privacy topics in business and government; How organizations are tackling these issues; The potential impact of state and federal privacy legislation; The value of the Certified Information Privacy Professional (CIPP) credential. Kosmala oversees product management for the IAPP with specific oversight of distance learning products, privacy certifications and industry awards programs. He also manages business development efforts between the IAPP and peer organizations in the information security, information auditing and legal compliance arenas as well as organizations based in the Asia-Pacific region. The IAPP, based in York, Maine, was founded in 2000 with a mission to define, promote and improve the privacy profession globally. Kosmala oversees product management for the IAPP with specific oversight of distance learning products, privacy certifications and industry awards programs. He also manages business development efforts between the IAPP and peer organizations in the information security, information auditing and legal compliance arenas as well as organizations based in the Asia-Pacific region. The IAPP, based in York, Maine, was founded in 2000 with a mission to define, promote and improve the privacy profession globally.

Supercharging the HVA Engineering and Maintenance Risk Assessment in the Healthcare Setting Webinar Registration Hospitals have been under close scrutiny for years to insure they evaluate and mitigate risks and exposures that could impact their ability to deliver healthcare services under all conditions. A staple of this activity is the "Hazard Vulnerability Assessment". A traditional HVA looks at specific threats within four categories (natural, technological, human and hazardous materials). While the HVA is useful for auditors looking to confirm minimum compliance, it does not properly arm the organization to assess how risk, mitigation strategies and limited capital can effectively be deployed for maximum benefit. Come hear from leaders of Deaconess Health Systems Engineering and Maintenance team on how they partnered with Virtual Corporation to execute an effective risk assessment methodology and toolkit across the DHS enterprise. Participants will see examples of innovative risk mapping and reporting methods that yield high information density in simple, understandable format. Presenters: Mark Merrill, Facility Engineer, Deaconess Health System Tom Barnett, Manager, Engineering and Maintenance, Deaconess Health System Scott Ream, President, Virtual Corporation Webinar Registration Hospitals have been under close scrutiny for years to insure they evaluate and mitigate risks and exposures that could impact their ability to deliver healthcare services under all conditions. A staple of this activity is the "Hazard Vulnerability Assessment". A traditional HVA looks at specific threats within four categories (natural, technological, human and hazardous materials). While the HVA is useful for auditors looking to confirm minimum compliance, it does not properly arm the organization to assess how risk, mitigation strategies and limited capital can effectively be deployed for maximum benefit. Come hear from leaders of Deaconess H