Comments for RisknCompliance Consulting Group

Comment on Logging for PCI DSS Compliance by Kamal Govindaswamy

Kamal Govindaswamy — Wed, 23 May 2012 13:06:01 +0000

Thanks for your interest. I would direct you to certain reference sources … One source that immediately comes to mind is http://www.ultimatewindowssecurity.com/securitylog/default.aspx. I believe Randy Franklin Smith’s resources and webinars may be especially useful in addressing your needs.

Comment on Logging for PCI DSS Compliance by Michael Mather

Michael Mather — Tue, 22 May 2012 23:38:49 +0000

Thanks for this extensive list.

It would also be nice if you said how to implement this in Windows. For those of us who are not experts in the subject.

Comment on Verizon 2010 Data Breach Investigations Report – Key takeaways for Security Assessors and Auditors by Lets talk some real insider threat numbers – How can Access Governance and SIEM be useful as effective safeguards? | Consulting & Business Intelligence Services Private Limited

Sat, 10 Dec 2011 04:24:41 +0000

[...] If you have been following some of our posts, you probably realize that we don’t advocate security for the sake of security. Nor do we like to do compliance for the sake of compliance though you may not have much choice there if the compliance requirements are mandated by external regulations such as industry regulations (e.g. PCI DSS, NERC CIP etc.) or government regulations (e.g. HIPAA, GLBA, SOX etc.). On the other hand, we think that every investment in security projects or operations (beyond what is required for routine business support) must be justifiable in terms of the risk(s) that we are trying to mitigate or eliminate. And the allocation of IT resources and budgets must be prioritized by risk level which in turn requires every IT organization to conduct periodic risk assessments and rank the risks by severity. This probably sounds all too obvious but we still see a lot of security purchasing decisions being made that are not based on formal risk assessments or discernable risk-aligned priorities. BTW, I talk about the quality of risk assessments in another post. [...]

Comment on May we suggest some priority adjustments to your PCI DSS Compliance program? by Compliance obligations need not stand in the way of better information security and risk management | Consulting & Business Intelligence Services Private Limited

Wed, 07 Dec 2011 14:21:10 +0000

[...] that would force you to implement specific controls no matter what. Even if you are faced with an all-or-nothing regulation like PCI DSS, you can resort to using compensating controls (see here and here for some coverage of [...]

Comment on PCI DSS update related to digital audio recordings containing cardholder data by Emma Jenkins

Emma Jenkins — Thu, 30 Jun 2011 15:23:51 +0000

Brian,

Yes, there are clear rules about storage of the PAN, even if you don’t store the CV2 information. I recommend you read the release from the PCI SSC here: https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf

Emma.

Comment on PCI DSS update related to digital audio recordings containing cardholder data by Brian

Brian — Tue, 08 Feb 2011 15:01:21 +0000

Hi, I am trying to get clarification on a question that has been raised by my boss regarding PCI DDS requirements. The question is this………”If our call center records customer Primary Account Numbers (PAN) are there any requirements that apply to the related recordings ? I understand that there is guidance out on Sensitive Authentication Data (SAD) pertaining to this issue, but I wanted to get clarification on the PAN issue.

Comment on PCI DSS update related to digital audio recordings containing cardholder data by Brian

Brian — Thu, 03 Feb 2011 13:38:24 +0000

I’ve been asked to look into this for my employer. To clarify, if a business has a call center and records PAN, but does not ask for, and as such, does not record authorization codes (CAV2, CVC2, CVV2 or CID)….are the recordings subject to PCI DSS ? If so, what needs to be done to make the recordings compliant ?

Comment on Providers – Is HIPAA Security Risk Analysis in your plan over the next few months? by Frank Ruelas

Frank Ruelas — Mon, 15 Nov 2010 15:51:17 +0000

I for one would hope that perhaps the “meaningful use” component will get folks moving on completing effective Risk Assessments and Analysis.

To date I see this as a lagging task.

Frank
frank@hipaacollege.com

Comment on Logging for Effective SIEM and PCI DSS Compliance …. UNIX, Network Devices and Databases by Todd Bell

Todd Bell — Fri, 10 Sep 2010 04:48:41 +0000

Outstanding work! Very impressive. I really appreciate how you properly identified the proper logging parameters for each type of system component and mapped to which PCI Standard. Thank you for your assistance.

Comment on You don’t know what you don’t know – Do we have a "detection" problem with the healthcare data breach numbers? by Jack Anderson

Jack Anderson — Sun, 05 Sep 2010 14:27:51 +0000

I would say that both the article pointing out the preponderance of physical loss and Kamal’s analysis are true. The difference is in reporting. A high percentage of business associate are totally unaware of HIPAA standards and wouldn’t recognize a breach if they fell in it. You do notice when your laptop is missing but like Anthem Blue Cross you may not notice that your on-line application system has a hole in it that allows anyone to go in and look at over 200,000 records.