Blog Posts Tagged with "Security Audits"


Ten Guidelines for Effective Security Audits

March 29, 2011 Added by:Danny Lieberman

The security auditor expectation gap has sometimes been depicted as an issue to be addressed by educating users to the audit process. This is not unlike the notion that security awareness programs are effective data security countermeasures for employees that willfully steal data...

Comments  (0)


The Biggest Shortcomings of ISO 27001

March 28, 2011 Added by:Dejan Kosutic

This standard will certainly need to change - the current version of is now six years old, and hopefully the next revision will address most of these issues. Although these shortcomings can often cause confusion, I think that the positives of the standard outweigh the negative in large measure...

Comments  (0)


Five Security Secrets Network Administrators Keep Quiet

March 22, 2011 Added by:Headlines

Network administrators may be conducting their own personal risk assessments in the course of their daily duties. They may be weighing factors such as performance pay incentives, the thoroughness of security audits, and time constraints when deciding what is or is not a priority...

Comments  (0)


Complete PCI DSS Log Review Procedures Part 18 FINAL

March 22, 2011 Added by:Anton Chuvakin

For log exceptions copied from log aggregation tool or from the original log file, make sure that the entire log is copied, especially its time stamp, which is likely to be different from the time of this record, and the system from which it came from - what/when/where, etc...

Comments  (0)


Writing Mandatory Procedures for ISO 27001 / BS 25999-2

March 21, 2011 Added by:Dejan Kosutic

By implementing the procedures in a proper way, not only will you have your documentation up-to-date and under control, but you will also ensure that your internal audit makes sense and runs smoothly, and that you always improve your system in a systematic way...

Comments  (3)


Insider Threats and IRS Network Security Controls

March 16, 2011 Added by:Headlines

The report indicates the IRS failed to limit employee access to sensitive information in accordance with employee's job duties, leaving the agency vulnerable to insider threats. The report also found that the IRS had failed to update critical database software and enable key auditing capabilities...

Comments  (0)


Complete PCI DSS Log Review Procedures Part 17

March 11, 2011 Added by:Anton Chuvakin

Periodic Operational Task Summary: The following contains a summary of operational tasks related to logging and log review. Some of the tasks are described in detail in the document above; others are auxiliary tasks needed for successful implementation of PCI DSS log review program...

Comments  (0)


On Cloud Logging Standards and Unique IDs

March 07, 2011 Added by:Anton Chuvakin

Cloud computing, as defined by NIST, has inherent multi-tenancy, elasticity, immediate provisioning and other fun properties, not found in traditional applications and platforms – whether distributed or not. All of these happen to affect accountability, auditability and transparency...

Comments  (0)


Five Questions to Ask Your PCI Auditor Before You Hire Them

March 06, 2011 Added by:Aleksandr Yampolskiy

PCI DSS was created to enforce a set of minimum security standards. If your company accepts credit cards as a form of payment, then it must comply with the PCI standard. You want to use PCI compliance to tighten the security in your company, You don’t want a QSA to let you off easy...

Comments  (0)


First Annual (Possibly Semi-Annual) OSSTMM Forum

March 02, 2011 Added by:Rod MacPherson

OSSTMM is very high level, and the thing that everyone seems to be in agreement on is the need for applied OSSTMM documents outlining how it can be applied to different realms, such as web applications, computer networks, system hardening, etc...

Comments  (4)


Application Vulnerabilities are Like Landmines

March 02, 2011 Added by:Ron Lepofsky

Application owners sometimes get confused when doing a follow-up audit after they have implemented all recommendations made in an original audit. Some owners think they can save money on a subsequent audit simply by having an auditor validate the mitigation recommendations were implemented correctly...

Comments  (0)


ISO 22301 to Replace BS 25999-2

March 01, 2011 Added by:Dejan Kosutic

The management part of BS 25999-2 will also be transferred to the new standard - document control, internal audit, management review, corrective and preventive actions, human resources management, etc. These elements exist in all other management standards - ISO 9001, ISO 14001, ISO 27001...

Comments  (0)


Security Information and Event Management (SIEM) Implementation

February 24, 2011 Added by:Ben Rothke

Security Information and Event Management (SIEM) attempts to fix that by aggregating, correlating and normalizing the log and audit data. The end result is a single screen that presents all of the disparate data into a common element. While great in theory, the devil is in the details...

Comments  (0)


Proactive and Continuous Compliance? For Real?

February 24, 2011 Added by:Anton Chuvakin

Is continuous compliance a reality at your organization? Are you doing something 9, 6, 3 months before the annual PCI DSS assessment? Do you meet the auditor once a year? Or do you make an effort to stay compliant?

Comments  (0)


Complete PCI DSS Log Review Procedures Part 15

February 22, 2011 Added by:Anton Chuvakin

Finally, it is useful to create a “PCI Compliance Evidence Package” based on the established and implemented procedures to show it to the QSA. It will help establish your compliance with three key of PCI DSS logging requirements...

Comments  (0)


Complete PCI DSS Log Review Procedures Part 14

February 18, 2011 Added by:Anton Chuvakin

The logbook establishes the follow-up required in item 10.6.a of PCI DSS validation procedures, which states “Obtain and examine security policies and procedures to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required"...

Comments  (1)

Page « < 3 - 4 - 5 - 6 - 7 > »