In Part One of my blog series aimed at breaking down each section of Online’s security policy, we looked at some general best practices surrounding the development of a security policy. This included answering the question of “why develop a security policy?” and went into detail about developing the scope of content contained within. Part Two analyzed the organizational roles and responsibilities needed to implement an effective security policy. Now let’s take a look at how Electronic Communication plays into an effective policy.
In Part One of my blog series aimed at breaking down each section of Online’s security policy, we looked at some general best practices surrounding the development of a security policy. This included answering the question of “why develop a security policy?” and went into detail about developing the scope of content contained within. Now let’s take a look at the roles needed to implement an effective policy.
The intercom at the airport speaks the truth as it periodically repeats the mantra “Security is Everyone’s Responsibility”. If security is everyone’s responsibility, then even the best-written security policy is nearly worthless if it doesn’t include a section pertaining to roles and responsibilities.
Earlier this week a new spambot emerged, targeting no fewer than 711 million email addresses. Basically, the spambot delivers malware called Ursnif into the victim’s inbox, and the malware is capable of stealing personal information such as login details, passwords, and credit card data.
The name of this spambot, “onliner”, is a touch disappointing, a bit ironic, and of course has no relation to us whatsoever. At Online, our team (our employees) are known as Onliners.
The PCI Security Standards Council sent out a communication to all Qualified Security Assessors (QSAs) this past week saying they are raising the number of industry certification requirements for QSAs from one certification to two (effective 2019). While I have been in strong favor of almost everything that the council has done to evolve the PCI standard and program, I have concerns with this change for QSAs and what it will mean to our clients.
Online infuses the right amount of security into everything we do – I like to refer to this approach as our “special sauce.” Security is not just important to our Risk, Security, and Privacy (RSP) practice (which lives, breathes, eats, and sleeps security); it’s important to our entire company. We have built security into our development processes, our service management practice, our customer/digital experience offerings, our Internet of Things (IoT) offerings, and our cloud-based (aaS) service offerings.
In the course of performing hundreds of risk and PCI assessments, we occasionally come across a client who is running an obsolete version of a system, application, or device. Normally, when a system has reached “end-of-life,” it is no longer supported. On the surface, this would appear to be a security risk and also a violation of PCI DSS requirement 6.1: “Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.” Organizations must determine the ideal strategy to address risk associated with using obsolete systems/applications. Short of replacing/upgrading the offending system, there may be more creative means to offset this risk.
Someone once asked Willie Sutton why he robbed banks, to which he responded, “that’s where the money is.” With the increased sophistication and ease of ‘scalable exploitivity,’ ransomware is not only here to stay, but it will continue to become the most pervasive threat to our systems, networks, and data. The latest WannaCry ransomware that hit thousands of computers last week was the perfect storm, formed by taking advantage of a known vulnerability and combining it with human fallibility, which made it wildly successful and most likely yielded a bankload of money for the attackers.
As Virtual CISO and Security Trusted Advisor to many of our clients, we are often asked “what framework would you use to perform a security assessment?” Since this question is asked so often we wanted to provide a primer to help you select the right security assessment framework or standards. Keep in mind, there is no ‘one size fits all’ answer and it is highly possible that you need to use more than just one framework in order to get a complete picture. The reality is that the answer to the question will also change with time as the nature of your business continues to evolve, along with business, regulatory, and risk landscapes.
The risk landscape continues to evolve with each and every passing day. Yesterday’s secure platform has now become today’s weakest link. Every moment, your organization faces some degree of security risk. The boardroom is ultimately responsible for having an inherent understanding of the various risks to the organization, and therefore is challenged with determining the ideal strategies to address the risk. Once a threat or vulnerability becomes publicly known*, the fuse is lit; and business leaders need to be prepared to make prudent decisions to protect their organizations.
By now you have likely heard about, or worse yet, been impacted by the glitch that crippled Delta Air Lines’ network and reservations system on Monday and forced them to cancel about 1,000 flights worldwide. Delta has stated that a power control module malfunctioned, causing a surge that cut off power to their main computer network. Normally, the systems would switch to backup computer systems almost instantaneously; however, in this case something didn’t go right. Confidentiality, Integrity, and Availability (CIA) are the foundational cornerstones of information security, and in this case, availability was on the wrong flight path. It is safe to say that this problem, which will ultimately cost the airline millions of dollars, could have been avoided through scenario planning.