The Gramm-Leach-Bliley Act or GLBA is also known as the Financial Modernization Act of 1999. The GLBA requires companies defined under the law as “financial institutions” to ensure the security and confidentiality of consumer’s financial information. As part of its implementation of the GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires […]
Today, we look at 2 dangers of shared accounts. Many compliance requirements, for example PCI DSS, require users to have unique accounts and prohibits the use of shared accounts. However, rather than blindly complying with the requirement, let’s take a look at why this is important. First, shared accounts have shared passwords. In other words, […]
In today’s blog, we are going to take a look at a key concept in information security: nonrepudiation. Simply put, nonrepudiation is the assurance that someone cannot deny an action they took. This can apply to an email, for example. If the sender sends the message with a digital signature, this proves that the sender […]
Measuring the effectiveness of a penetration test is tough. Everyone has a different method to determine if a penetration test was “effective”. We recently completed an assessment for a client that came back with over 100 vulnerabilities. They had the exact same penetration test performed the prior year by a different firm and had less […]
In this blog, we’re going to do a quick review of PCI DSS Requirement 12.11 and provide some strategies for service providers who need to maintain PCI compliance. As you may have guessed from context clues in the first sentence of this blog, this requirement only applies to service providers and does not need to […]
The users who are in your domain administrators group have the keys to the kingdom. With few exceptions (non-Windows systems), they can access any system and any file in your network. This includes the privacy information, HR information, and intellectual property that you are trying to protect. As such, the domain administrators group must be […]
As we continue our series of blogs hitting on some tips to help your organization maintain PCI compliance, we’re going to take a look at network documentation. When preparing for an initial PCI-related audit or trying to maintain your compliance program over time, an important part of that is your network documentation. This includes things […]
Ever wonder how companies get away with selling dirt cheap penetration tests? Odds are they are outsourcing the work to offshore engineers in other countries. I’m sure there are some great penetration testing companies that are using offshore resources and I know there are great companies that are headquartered in places besides the United States, […]
Today we’re going to tackle a consistent issue we see with companies trying to meet and maintain PCI compliance, creating evidence. When we talk about creating evidence for compliance purposes, we’re really talking about all the different ways you are proving that you are compliant. For example, it’s great that you tell me as an […]
No one likes to talk about documentation. And for good reason, it’s boring, tedious, and generally doesn’t accomplish any of your tasks or goals, it’s just ancillary support work. When it comes to PCI Compliance though, the more thorough your documentation is the easier your QSA onsite assessment will be or the more honestly you’ll […]
