RSA Conference Session – Beyond PCI DSS, final thoughts

RSA 2009 is finished; the vendors have packed up; the speakers have shuffled out of the lounge, and what remains is a compendium of excellent thoughts captured in real time on blogs and Twitter alike.  For Twitter, search for #RSA or #RSAC; for blogs, well, hit Google or simply start here.  Business-wise – the conference had lighter attendance (anecdotally) and the vendors were on the edge of Cloud | Security | Recession-Antidotes.  Session-wise – they were better this year than last year – the Department of Justice presentations on Data Breach investigations and the Hoff on Cloudisms were quite good and worth the travel.

Last year I spoke on the Synergies of Regulations, a core tenet of my book, and this year I pushed deeper with BEYOND PCI DSS.  The session abstract for this year was:

“The payment card industry standard for data security world centers blindly around PCI DSS, but that is not the only duty of companies and persons.  Explore the worst and most often boggled sections of PCI DSS.  Beyond PCI, discuss with peers the labyrinth of existing publications and control guidance / requirements published by government, state, and international authorities that we must address.”

PCI DSS is a very troubling issue, judging by the attendees of this session.  The session was full, with a range of persons from vendors (10% of the room) to businesses complying with PCI DSS (70%), and the remainder made up of a VC and a few independents.  A great bonus of RSA is that they make video recordings available online; however, my session was not part of that digital wonder, so I will try to recap a few of the strongest points below:

  • “Compliance (PCI) provides a metric to determine security – without the compliant requirements the business of security becomes stale” – Top Industry Manufacturer
  • The perception of business / security / governance / auditors is skewed towards PCI DSS (Somali pirates), and the business SLA and other regulations (Great Report Released last week) are being placed in the back seat.  PCI is part of the Program towards delivering operational integrity through IT infrastructure, systems, and computing processes.
  • Intensely vet the AUDITOR and less the firm. The firm conducting the audit must have Fidelity, but selecting the A-Team is a predominant indicator of having a strong control environment.
  • “Convince your QSA” – When going through the audit you shouldn’t be arm wrestling over controls; these points of “negotiation” should be worked through an existing, mature, and accurate Risk Assessment Program.  Caution should be focused here so as not to materially affect your ethics or those of your company – “convince” should be a mutually agreed-upon state, and not a “do this or we fire you” situation.  Audits are supposed to validate compliance and / or provide a set of lenses highlighting how to enhance operations.

All quotes are in fact quotes from EVPs / CIOs who attended the session – comments are my own…

Thank you to everyone who attended, and for each who did not receive a book during the giveaway, you may find additional copies at Amazon.

Kind regards,

James DeLuccia
