Triaxiom Security
Partner with us to meet your Information Security needs.
28 Feb 2020

Measuring the Effectiveness of a Penetration Test

Measuring the effectiveness of a penetration test is tough. Everyone has a different method to determine if a penetration test was “effective”. We recently completed an assessment for a client that came back with over 100 vulnerabilities. They had the exact same penetration test performed the prior year by a different firm and had less […]

26 Feb 2020

PCI DSS Requirement 12.11

In this blog, we’re going to do a quick review of PCI DSS Requirement 12.11 and provide some strategies for service providers who need to maintain PCI compliance. As you may have guessed from context clues in the first sentence of this blog, this requirement only applies to service providers and does not need to […]

24 Feb 2020

3 Key Security Considerations for Domain Admins

The users who are in your domain administrators group have the keys to the kingdom. With few exceptions (non-Windows systems), they can access any system and any file in your network. This includes the privacy information, HR information, and intellectual property that you are trying to protect. As such, the domain administrators group must be […]

21 Feb 2020

PCI Compliance Tip – Preparing Network Documentation

As we continue our series of blogs hitting on some tips to help your organization maintain PCI compliance, we’re going to take a look at network documentation. When preparing for an initial PCI-related audit or trying to maintain your compliance program over time, an important part of that is your network documentation. This includes things […]

17 Feb 2020

Pros and Cons of an Offshore Penetration Test

Ever wonder how companies get away with selling dirt cheap penetration tests? Odds are they are outsourcing the work to offshore engineers in other countries. I’m sure there are some great penetration testing companies that are using offshore resources and I know there are great companies that are headquartered in places besides the United States, […]

14 Feb 2020

PCI Compliance Tip – Creating Evidence

Today we’re going to tackle a consistent issue we see with companies trying to meet and maintain PCI compliance, creating evidence. When we talk about creating evidence for compliance purposes, we’re really talking about all the different ways you are proving that you are compliant. For example, it’s great that you tell me as an […]

12 Feb 2020

PCI Compliance Tip – Improving Documentation

No one likes to talk about documentation. And for good reason, it’s boring, tedious, and generally doesn’t accomplish any of your tasks or goals, it’s just ancillary support work. When it comes to PCI Compliance though, the more thorough your documentation is the easier your QSA onsite assessment will be or the more honestly you’ll […]

10 Feb 2020

What is the NERC CIP?

The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid. NERC develops and enforces Reliability Standards; annually assesses seasonal and long‐term reliability; monitors the bulk power system through system awareness; and educates, […]

7 Feb 2020

Secure SLC Standard – PCI Compliance

PCI’s new Secure Software Lifecycle (SLC) assessment standard has been released. This new Secure SLC standard, released alongside the Software Security Framework (SSF) that we’ll talk about in a separate blog, provides a framework for assessing how payment software vendors develop and maintain secure payment software. Similar to the current Merchant and Service Provider PCI […]

5 Feb 2020

QSA Tip of the Day: FAQ 1331

Today’s QSA tip has the potential to save you a lot of time, effort, and cost associated with getting your organization into compliance with the PCI Data Security Standard (DSS). Triaxiom Security is a PCI QSA certified company who performs audits on a myriad of organizations trying to meet PCI standards. From large organizations who […]

© 2025 Triaxiom Security, a division of Strata Information Group, Inc. All rights reserved.