Privacy software: Who are the early leaders? – Security & Email – PC World Business
Together they form what I’d call the “privacy GRC” market, where GRC stands for “governance, risk and compliance.” GRC makes up most of what privacy people do. It’s not a big market. To put things into perspective, Gartner is only in its third year of analyzing the nascent IT GRC market. The privacy GRC market [...]
PCI Update Gets Mixed Reviews
There’s one section in the standard that is more important than any other, says Tom Wills, security and fraud senior analyst at Javelin Strategy and Research. Requirement 6.2 – “apply a risk-based approach for addressing vulnerabilities” – needs to become the over-arching requirement in the entire standard, he says. “This would mean all security controls [...]
13 essential steps to integrating control frameworks – CSO Online
1. The organization must understand which frameworks or framework elements are needed to address, at a minimum, the critical security concerns. When addressing control requirements, more is not necessarily better, and each additional control entity represents an investment in time, money, and effort.
2. Choose a base framework to use. An organization should identify a [...]
IRS fails to identify contractors with access to taxpayer data
The Internal Revenue Service risked disclosing taxpayer information when it failed to identify contractors that had access to financial records and to fix known security weaknesses at facilities where files are stored. According to an audit released on Tuesday by the Treasury Inspector General for Tax Administration, the IRS did not identify all the vendors [...]
Security Rule Draft Guidance
The Office for Civil Rights (OCR) is responsible for issuing periodic guidance on the provisions in the HIPAA Security Rule. (45 C.F.R. §§ 164.302 – 318.) This series of guidance documents will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability [...]
OCR drafts guidelines for security risk analysis
The Health & Human Services Department published draft guidance to help healthcare providers and payers figure out what is expected of them in doing a risk analysis of their protected patient health information. via In the News.
OWASP Top10 2010 Released
Today, OWASP has released an updated report capturing the top ten risks associated with the use of web applications in an enterprise. This colorful 22 page report is packed with examples and details that explain these risks to software developers, managers, and anyone interested in the future of web security. Everything at OWASP is free [...]
CloudAudit targets automated risk assessment, management
CloudAudit, launched in January 2010, brings together cloud computing providers, integrators and consultants in an effort to create a common interface and namespace. The volunteer initiative aims to help with an automated risk assessment and audit of Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS) environments. via Q&A: CloudAudit targets automated risk assessment, management.
Squeezing More Value From Your PCI Assessment
Often, merchants prepare a thoughtful risk assessment and then file it away (a.k.a., “shelfware”) until their QSA returns the next year, at which time it gets dusted off, reviewed and, hopefully, updated. If that describes your situation, you could be missing a golden opportunity to reduce your PCI scope, lower your risk and cut your [...]
PCI and the Art of the Compensating Control
Information in this chapter:
* What is a Compensating Control?
* Where are Compensating Controls in PCI DSS?
* What a Compensating Control Is Not
* Funny Controls You Didn't Design
* How to Create a Good Compensating Control
via PCI and the Art of the Compensating Control – CSO Online – Security and Risk.