Feeds:
Posts
Comments

Archive for the ‘IT Auditing’ Category

In my work, I’m often engaged with merchants in different verticals, doing PCI assessments. This  frequently involves assisting them with their PCI Self-Assessment Questionnaires (SAQ). It’s an interesting process because the merchants run the gamut from Level 2 through 4, size-wise, in terms of annual number of transactions. Visa defines these merchants as less than or equal to six million transactions annually.

With the larger merchants or enterprises, say a University or Corporation, I’ll often find a well-organized PCI compliance group. They usually treat completing their SAQ like it’s a Report on Compliance (ROC), reserved for Level 1 merchants (6 million + transactions annually) and often appreciate the need (not a requirement) to have supporting evidence for each of the control questions in the 12 PCI Requirements. This supporting evidence includes network diagrams, cardholder environment diagrams, router and firewall Access Control Lists, system build checklists, change management checklists, various screenshots, access control, domain policy, policies and procedures, and many other items. all of these are items I’d request if I was doing an on-site audit.

The smaller merchants, on the other hand, have problems ranging from understanding what the PCI-DSS is and why they have to do a SAQ (because their Acquiring Bank says so) to, more importantly, truthfully answering the control questions. Because the SAQ process is a self-assessment, merchants who don’t understand what the Requirements mean, or are asking, are tempted to simply answer ‘Yes’ to the more-technical questions because they simply don’t know. I’ve found that the latter is often because they have outsourced IT staff and can’t afford the time and cost to engage them in answering the technical questions. Or, they are the IT staff, as well as the Business Owner, especially true for the very small merchants.

Compounding this lack-of-resources problem, in some cases, are the payment application vendors. They often provide their client, the merchant, with their Payment Application Data Security Standard (PA-DSS) Implementation Guide. This tells the merchant basically, ‘if you installed it correctly and did this and that the right way, this is how your application meets PCI requirements’. I usually ask merchants if they have their PA-DSS and while many do, many do not and need to call their vendor. Having the PA-DSS while completing a PCI SAQ is invaluable because it helps answer sections of Requirements 3, 4, 7 and 8 in particular. Remember though, you’ll only see a PA-DSS Implementation Guide with payment applications, not payment hardware like a swipe terminal.

So, a part of my time is engaged in bootstrapping the merchants who need it, by providing basic education on what the PCI Requirements are all about. I’m soft of a ‘tour-guide’ to the PCI-DSS and as a PCI-DSS Qualified Security Assessor (QSA), feel that this is appropriate. In a sense, I’m raising security awareness and hopefully, helping these merchants become not just compliant, but more secure. I work with them to help translate what the technical jargon means and why it matters.  During the Remediation phase, I offer suggestions as to how they can meet the control objectives and minimize their compliance burden.

For those merchants who complete their SAQs without assistance from consultants like myself, or in-house resources like a PCI Security Standards Council-trained Internal Security Assessor, I’ve found myself wondering how real their SAQs actually are, in terms of security truth versus wishful thinking and best-guesses. And, since their acquiring, or merchant banks are accepting these SAQs annually, I’m also interested in whether or not these banks follow-up with the merchants. Do any of the banks ever find themselves thinking ‘Seriously?’ when they review the SAQ?

While my job is focused on compliance, be it PCI, GLBA, or HIPAA/HITECH, my overarching goal is security.

And that’s what it’s all about, for all of us.

Be well.

Bill Wildprett

Advertisements

Read Full Post »

Change is good.  Sometimes it can be painful and it may take a while to get some perspective and realize you’ve grown.  It’s all part of the process and I’ve learned to embrace or at least accept it.

What’s new?  I did a stint as an incident response handler earlier this year, then moved into SOX compliance and finally fell into a wormhole and emerged as an IT Security Auditor.  Not a stretch per se, but my information security talents have been stretched, in a good way, growth-wise.

So now I’m immersed in GLBA/FFIEC compliance engagements and have eyes on PCI-DSS and NERC-CIP work.  I’m thinking about adding another certification, possibly a CISM.

I’ve recently seen some friends in our industry brutalized by bad management, and then upon abrupt exits, become reborn and renewed, with a new sense of purpose and drive infusing their love of infosec.  In the past, many people helped me when I was ‘dazed and confused‘; if you find yourself able, reach out to someone and ask them ‘what’s the good word?’  Shower them with positivity and possibility!

Always keep moving and remember, even when you go one step forward, two steps back, you’re still making progress…

image courtesy of Impact Lab

Peace y’all

 

Read Full Post »

January is a time of reflection and renewal, thinking about the past year and the present one.  We use this time to measure ourselves and set or renew goals, pointing our inner compass needles towards our own True North.

Looking back, 2010 was a successful year for me.  I didn’t get to do some things or attend all the conferences I wanted, but other items were handily accomplished and some good work got done!

Foremost, I partnered with IOActive, Consciere, and Insyndia to do consulting work.  This led to interesting security audit, risk assessment and vulnerability assessment work and I was fortunate to meet and work with some great people.  Shouts-out to Erin Jacobs, Glenn Kaleta, David Baker, Tab Pierce, and Joel Scambray in particular!

I also earned my CISA which gives me a stronger understanding of formally auditing information security environments.  Now, I’m thinking of how to use this new-found knowledge and where I’ll go next.

What will 2011 bring?  As I chart this year’s course, I intend to visit new shores, make new acquantances, and continue to grow as a person and infosec professional.  I welcome the journey and it’s challenges!

Be well friends…

by Bill Wildprett, Suspicious Minds blog, Copyright 2011

Read Full Post »

No, I’m not thinking about porn or any other nasty stuff, just reflecting that like during Fall when we clean our house gutters, it’s appropriate to think about how we think and remove clogs and other impediments.

For me, that means diversifying my security readings and practices and thinking about where I might have blinders on.  This was brought home recently from someone I respect, Pete Herzog the Founder of ISECOM and the OSSTMM.  I had asked Pete via email if any of the Smarter, Safer, Better seminars would be on the West Coast (none yet); he kindly responded with information about who I could contact who might sponsor them and also gave me a backhanded compliment about passing the CISA exam, saying ‘now we’ll have to teach you the right way’ in essence.

I wasn’t offended but my curiosity was piqued.  My mind had been wrapped around earning a CISA for continued competence and professional respect; was my thinking so constrained by my learnings?  So, I’m resolved to read the OSSTMM Version 3 and work to use it.  I’d read through (read, skimmed) Version 2.2 a while back but hadn’t immersed myself.  From other authors, now I understand it as possibly a paradigm shift in how to think about security assessments, at least for me.

Another mental dustbuster for me has come from reading The Black Swan by Nassim Nicholas Taleb.  I’m not finished with the book, a testament to how well-written and insightful it is.  I find myself lingering over it and re-reading sections prior to moving on.  This is partially because ‘NNT’, as he refers to himself, is one deep thinker!  This tome takes some time to absorb and digest.  Taleb discusses extreme outliers, huge events that are completely unforeseen and that subsequently shake our foundations, institutions and psyches.  9/11 is one such event.  The salient idea is not to focus on prediction of such events but to build sufficient robustness against negative Black Swan Events and to take advantage of positive ones.

My challenge and task is to apply this modality of critical thinking to the domains of information security, along with that of the OSSTMM.

Like more physical exercise will clean the arterial plaque from your personal system, it’s important to floss your brain or defrag your mind, however you want to put it and at least recognize that you might need to.

Peace friends!

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

Read Full Post »

After waiting two months to the day following the Certified Information Systems Auditor exam (CISA), I just learned that I PASSED!

Now I need to submit my Application for Certification to ISACA and wait another two months (so they say) for it to be approved before I can use my new certification title.

Reviewing my test scores by subject area told me that I didn’t do as well in some areas and better in others.  So, more studying is in order…

Oh Happy Day!  🙂

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

Image courtesy of Pentax Salon

Read Full Post »

The calendar says its Summer although here in the Pacific Northwest, we’re not sure ~ its a cool Summer, which makes it fine for reading security books in the hammock or doing laptop stuff from the deck.

So what’s cooking?  I re-encountered a tool I first learned about from Russ McRee’s Toolsmith column in the September 2008 ISSA Journal ~ Practical Threat Analysis.  I’d looked at it before, but not in enough detail so have embarked on using it for a deeper understanding.

The 2010 Verizon Data Breach Investigations Report is out and its chock-full of good statistics and commentary.  I especially like the partnership with the U.S. Secret Service and the shared incident data.  Another nice tool from Verizon Business is VerIS, the Verizon Incident Sharing Framework which presents how metrics are captured and used in preparation of the DBIR.

I took the Certified Information Systems Auditor (CISA) exam on June 12, 2010 and am patiently waiting to learn my fortune or fate!  The process stimulated a new appreciation of ISACA Auditing Standards, Procedures and Guidelines  and CobiT 4.1, prompting me to send the former to FedEx for printing and to order the latter in book form from the ISACA Bookstore.  My wife picks it up and says “Can’t you find a good novel to read?  Its Summer!”

I guess you had to be there to appreciate it…

Cheers mates!

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

Read Full Post »

It’s a cool, rainy Spring here in the Pacific Northwest, a fine time to stay indoors and read instead of cleaning gutters, gardening, mowing the verdant expanse out back, etc.,

Reading and study efforts have been and are focused on preparing for the June 12th CISA exam first and foremost.

Following that, here’s what’s top-of-mind for me:

OSSTMM 3 updates

Security Tools Screencast Demos from SearchSecurity.com

Never Eat Alone – Keith Ferrazzi: Building personal networks isn’t about how many connections you have in LinkedIn, it’s about maintaining and growing relationships in meaningful ways.

As the old saw goes, ‘All Work and No Play…’ so breaks in the ‘Blue Room‘ are taken with Daisy:

One Happy Golden!

Read Full Post »

Older Posts »