About Me

Kim Singletary

Kim Singletary
Director Technical Solution Marketing, Kim has 15 years of product management and marketing experience with ...

Read More

Feeds & Podcasts

Enterprise Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

Enterprise : Risk Compliance :

Reasonable Security Controls In – Assessments Out for 2010

Wednesday, January 13, 2010 at 10:42pm by Kim Singletary
Kim Singletary

Bob Carr, the CEO of Heartland Payment Systems, which suffered one of the largest breaches in history, was quoted in SC Magazine as saying “The audits done by our QSAs were of no value whatsoever.” Ouch!

SC Magazine points out what we’ve seen in the last year that CIOs that start with a mind-set to understand the risk in their environments know that the best way to achieve both security and compliance is to have the proper controls in play.  A few staggering stats from Verizon’s 2009 Data Breach Investigation Report (PDF):

  • 99.9% of breaches occurred from servers and applications
  • 85% of the 285M breached records were harvested with custom malware
  • 93% of these breaches occurred within Financial Services

    • Even NIST is advocating a risk management versus security assessment and accreditation in its current draft:  The most significant change in the Final Public Draft of Special Publication 800-37, Revision 1, (PDF) is the full transformation of the Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The revised RMF-based process has the following characteristics:

  • Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;
  • Encourages the use of automation and automated support tools to provide senior leaders the necessary information to take credible, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;
  • Integrates information security more closely into the enterprise architecture and system development life cycle;
  • Provides equal emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;
  • Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls); and
  • Links risk management processes at the information system level to risk management processes at the organization-level through a risk executive (function).

    • Assessments are required for verifying basic compliance but with the complex systems and general method of sampling during an assessment don’t count on them to be the ultimate control validation. Having an automated, continuous monitoring and risk assessment framework seems to be the way to go in 2010 – do you have your servers covered?

    Bookmark and Share

    Tags: ,

    Submit your own comments / message for this post

    Your email is never published nor shared. Required fields are marked *

     

    You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

    Comments (0)