Archive for the ‘Governance, Risk Management & Compliance’ Category

In my work, I’m often engaged with merchants in different verticals, doing PCI assessments. This  frequently involves assisting them with their PCI Self-Assessment Questionnaires (SAQ). It’s an interesting process because the merchants run the gamut from Level 2 through 4, size-wise, in terms of annual number of transactions. Visa defines these merchants as less than or equal to six million transactions annually.

With the larger merchants or enterprises, say a University or Corporation, I’ll often find a well-organized PCI compliance group. They usually treat completing their SAQ like it’s a Report on Compliance (ROC), reserved for Level 1 merchants (6 million + transactions annually) and often appreciate the need (not a requirement) to have supporting evidence for each of the control questions in the 12 PCI Requirements. This supporting evidence includes network diagrams, cardholder environment diagrams, router and firewall Access Control Lists, system build checklists, change management checklists, various screenshots, access control, domain policy, policies and procedures, and many other items. all of these are items I’d request if I was doing an on-site audit.

The smaller merchants, on the other hand, have problems ranging from understanding what the PCI-DSS is and why they have to do a SAQ (because their Acquiring Bank says so) to, more importantly, truthfully answering the control questions. Because the SAQ process is a self-assessment, merchants who don’t understand what the Requirements mean, or are asking, are tempted to simply answer ‘Yes’ to the more-technical questions because they simply don’t know. I’ve found that the latter is often because they have outsourced IT staff and can’t afford the time and cost to engage them in answering the technical questions. Or, they are the IT staff, as well as the Business Owner, especially true for the very small merchants.

Compounding this lack-of-resources problem, in some cases, are the payment application vendors. They often provide their client, the merchant, with their Payment Application Data Security Standard (PA-DSS) Implementation Guide. This tells the merchant basically, ‘if you installed it correctly and did this and that the right way, this is how your application meets PCI requirements’. I usually ask merchants if they have their PA-DSS and while many do, many do not and need to call their vendor. Having the PA-DSS while completing a PCI SAQ is invaluable because it helps answer sections of Requirements 3, 4, 7 and 8 in particular. Remember though, you’ll only see a PA-DSS Implementation Guide with payment applications, not payment hardware like a swipe terminal.

So, a part of my time is engaged in bootstrapping the merchants who need it, by providing basic education on what the PCI Requirements are all about. I’m soft of a ‘tour-guide’ to the PCI-DSS and as a PCI-DSS Qualified Security Assessor (QSA), feel that this is appropriate. In a sense, I’m raising security awareness and hopefully, helping these merchants become not just compliant, but more secure. I work with them to help translate what the technical jargon means and why it matters.  During the Remediation phase, I offer suggestions as to how they can meet the control objectives and minimize their compliance burden.

For those merchants who complete their SAQs without assistance from consultants like myself, or in-house resources like a PCI Security Standards Council-trained Internal Security Assessor, I’ve found myself wondering how real their SAQs actually are, in terms of security truth versus wishful thinking and best-guesses. And, since their acquiring, or merchant banks are accepting these SAQs annually, I’m also interested in whether or not these banks follow-up with the merchants. Do any of the banks ever find themselves thinking ‘Seriously?’ when they review the SAQ?

While my job is focused on compliance, be it PCI, GLBA, or HIPAA/HITECH, my overarching goal is security.

And that’s what it’s all about, for all of us.

Be well.

Bill Wildprett


Read Full Post »

2012 has been a very busy year for me, so far. Last winter I took and passed the ISACA Certified Information Security Manager (CISM) exam and in February, got a plane ride to Orlando to attend PCI-DSS Qualified Security Assessor (QSA) training from the PCI Security Standards Council.

I’m currently reading Christopher Hadnagy’s excellent book on social engineering; even if you weren’t in our profession, this book would be a fine resource because we all use social engineering to influence others. I wholeheartedly recommend his book and website at www.social-engineer.org!

Currently, most of my time is spent working to help merchants with their PCI-DSS compliance. I once thought I knew something about the PCI-DSS, but it’s like the iceberg, a LOT is under the surface. I’ve come to rely upon the outstanding Navigating the PCI DSS v2.0 document from the PCI Security Standards Council. It explains what the intent of the requirements are, which helps when you’re trying to translate this to a non-technical audience.

Recently, I decided to challenge myself in a different direction by volunteering to be the Communications Director for the ISACA Puget Sound Chapter. Being a member of a Board of Directors is a good-thing, career-wise and it’s nice to be involved in helping one of the professional organizations I belong to.

That’s it for now gentle readers!

Be well, and Be Happy.


Read Full Post »

As I’ve said before, one of the main things I love about information security is the need to keep learning ~ the field keeps expanding, Big Bang-like and it behooves one to stretch themselves, out of their comfort zones and in new directions.

Friends of mine had been recommending I learn more about IT auditing, to gain a better perspective on how controls are applied, and why.  To that end, I took a three-day Certified Information Systems Auditor (CISA) training course from CertTest in early November.

Wow, that was pretty cool!  I learned a lot of new stuff and reviewed things like NIST SP-800-53 and ISO 27002 that I knew something about, but not in the same depth.  So, I’m now embarked on a study cruise towards the June 2010 CISA exam from ISACA.  Maybe I’ll work as an IT auditor, maybe not, but either way, I’ll know a lot more about the business side of the proverbial ‘house’ and it’s GRC drivers.

All this dovetails with my ongoing study of CobIT 4.1, NIST SP-800-53, and the ISO 27K series ~ I’m focused on becoming the best Governance, Risk Management & Compliance professional I can be!

If you have any helpful hints, suggestions, study advice, please ping me.

Shouts-out and props to Dave Cannon at CertTest for being an awesome and inspiring instructor!

And, I ate some Serious ‘Que at the Hard Eight in Irving TX with my CertTest classmates…

Later friends!

Read Full Post »

I was quite fortunate to attend this year’s RSA Conference.   I applied for, and was awarded one of the 24 ISC2.org scholarships to attend, so with that support, it was off to San Francisco for the week.

Like my last two years at RSA, what a fabulous experience it is!  If you aren’t a good networker though, it can be intimidating; the size of Moscone Center and the scope of it all are a bit of a head-rush.

I spent my time mostly between the Professional Development and Hacker Techniques sessions, with some time at the Innovation Sandbox, Crypto Commons and Peer2Peer sessions.

At the Innovation Sandbox, I ran into Dr. Hugh Thompson before his whiteboard session.  Hugh has opened the closing keynotes the past few years with his hilarious and informative ‘The Hugh Thompson Show‘.  After the IS presentations by innovative new companies, I saw him again and chatted him up.  We agreed to get together later in the week and cognate together, visit, hang, etc.,  Hugh was very gracious and gave me an hour of his time, sharing career growth insights, humorous anecdotes, and some ‘wisdom of the ages’.  We also LinkedIn.

I also ran into some of the local Seattle area security folks, which was cool, including David Matthews (City of Seattle), Frank Simorjay (Microsoft), and Dan Kaminsky from IOActive.

My favorite session presentation was Ed Skoudis and Johannes UllrichThe Seven Most Dangerous New Attack Techniques, and What’s Coming Next‘.  ‘Pass-the-Hash, Super-flexible Pivoting, Wireless from compromised client into corporate, Problems with SSL, and VoIP systems among others.  I can’t wait to listen to the session recordings because it was SRO in the room and hard to take notes from the balcony…

I ran into Ed again at the CodeBreakers Bash and we chatted for a bit.  He’s always very approachable and open.  In 2004, I took his Incident handling and hacker Techniques course from the SANS Institute and loved it.

I spent some good time cruising the exhibition floor during lunchtime, vast and crowded.  The swag was tempting, but too much to tote back, so ‘travel lightly’ is always good advice at trade shows…  I did visit with some nice recruiters and focused a bit on GRC software vendors.

The first full day of the conference, it was 93 degrees Fahrenheit outside!  To quote from ‘Young Frankenstein‘ , that’s ‘Abby-Normal‘ for S.F. in April

Some have said that this year, RSA lacked sustenance.  I enjoyed it though.  The opening keynotes were a bit humdrum compared to past years, except for the Cryptographers Panel and Lieutenant General Keith B. Alexander from the NSA.  Melissa Hathaway on Wednesday looked at her notes and talked to us like we were members of the Press Corps – the general reaction I heard was like, ‘Lady, we’re smart security geeks, not journalists.  We don’t need to know that the Administration has been planning to do stuff, just tell US what it is!’ Yawners.

James Bamford’s talk on the NSA was very good.

The opening number rocked!

NB – open the keynote webcast page, then select Opening Ceremony, View Video Webcast, Opening Ceremony Performance

Read Full Post »