Archive for the “compliance” category

What Boards Want in Security Reporting

by adam on August 22, 2016

Recently, some of my friends were talking about a report by Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports.” In that report, we see things like: More than three in five board members say they are (…)

PCI & the 166816 password

by adam on June 22, 2015

This was a story back around RSA, but I missed it until RSnake brought it up on Twitter: “[A default password] can hack nearly every credit card machine in the country.” The simple version is that Charles Henderson of Trustwave (…)

Analyzing The Army’s Accidental Test

by adam on April 3, 2013

According to Wired, “Army Practices Poor Data Hygiene on Its New Smartphones, Tablets.” And I think that’s awesome. No, really, not the ironic sort of awesome, but the awesome sort of awesome, because what the Army is doing is a (…)

Compliance Lessons from Lance, Redux

by adam on October 23, 2012

Not too long ago, I blogged about “Compliance Lessons from Lance.” And now, there seems to be dramatic evidence of a massive program to fool the compliance system. For example: Team doctors would “provide false declarations of medical need” to (…)

Compliance Lessons from Lance

by adam on September 17, 2012

Recently, Lance Armstrong decided to forgo arbitration in his fight against the USADA over allegations of his use of certain performance enhancing drugs. His statement is “Full text of Armstrong statement regarding USADA arbitration.” What I found interesting about the (…)

Checklists and Information Security

by adam on April 10, 2012

I’ve never been a fan of checklists. Too often, checklists replace thinking and consideration. In the book, Andrew and I wrote: CardSystems had the required security certification, but its security was compromised, so where did things go wrong? Frameworks such (…)

Kudos to Ponemon

by adam on January 23, 2012

In the past, we have had some decidedly critical words for the Ponemon Institute reports, such as “A critique of Ponemon Institute methodology for ‘churn’” or “Another critique of Ponemon’s method for estimating ‘cost of data breach’”. And to be (…)

Block Social Media, Get Pwned

by adam on November 17, 2011

At least, that’s the conclusion of a study from Telus and Rotman. (You might need this link instead) A report in IT security issued jointly by Telus and the Rotman School of Management surveyed 649 firms and found companies that (…)

Gunnar’s Flat Tax: An Alternative to Prescriptive Compliance?

by alex on January 14, 2011

Hey everybody! I was just reading Gunnar Peterson’s fun little back of the napkin security spending exercise, in which he references his post on a security budget “flat tax” (Three Steps To A Rational Security Budget). This got me to (…)