Archives for January 2013
[Excerpted from “How to Conduct an Effective IT Security Risk Assessment,” a new report posted this week on Dark Reading’s Risk Management Tech Center.]
Many security and compliance projects begin with a simple idea: assess the organization’s risk of vulnerabilities and breaches. Indeed, implementing an IT security risk assessment is absolutely critical to the overall security posture of your organization.
An effective security risk assessment can prevent breaches, reduce the impact of realized breaches and keep your company’s name from appearing in the spotlight for all the wrong reasons. Regular IT security risk assessments also enable organizations to build up a cache of historical data that can be used to effectively gauge and communicate monetary impact related to risks and, hopefully, convince upper management to take decisive action to reduce the organization’s threat surface.
It’s important to note that not every IT security risk assessment is alike — or even remotely close. Indeed, there are many ways to perform IT security risk assessments, and the results may vary widely depending on the method used. It should also be noted that performing a risk assessment is a very small part of the overall risk management process.
The requirements of the Payment Card Industry Data Security Standard (PCI DSS) can be complex. However, taking a deeper look into some of its parts, particularly event log management, can help clarify some terms.
Many companies believe that logging is specified in PCI DSS so that they can discover threats to their networks. While this may be an ancillary benefit, logging was put into PCI for the benefit of the card brands. In the early years of credit card security, card brands put significant effort into determining the attack vectors of credit card breaches. Unfortunately, when they sent teams into retailers to find the root cause of breaches, they discovered only meager evidence to use in tracing attacks. Therefore, the brands introduced logging requirements into their individual cardholder protection efforts so they could find out what happened when a breach occurred. Eventually these requirements found their way into the PCI DSS. Understanding this as the intent of the logging requirements can help companies understand how to implement event log management to best meet PCI DSS compliance requirements.