Tag Archives: rsac

Security News – inspired by #RSAC

This week is the RSA Conference in San Francisco, and besides being a huge conference with great people in attendance, it has numerous satellite conferences happening alongside it (BSidesSF and Cloud Summit).  All that brain power is bound to generate discussion, and research reports are generally released during this PR window.  So here are a few items (new and old) that jumped out at me, are getting much discussion, and are worth restating.  As always, I will be punching up my notes to share as meaningful things are presented.

First stop, the CIO of the U.S. Government, on DarkReading: “White House CIO Lays Out ‘Cloud First’ Strategy To Streamline Bloated Government IT”.  This is generally a repeat of his prior strategy, laid out before the security community [Direct D/L] and in the Wall Street Journal.  Nonetheless, it is worth zipping through.

In the same stream of thought (both highlighted at Cloud Summit) is the start of an update to the “Security Guidance for Critical Areas of Focus in Cloud Computing” by the Cloud Security Alliance.  Note that this is a collaborative group, and passionate, knowledgeable people are highly sought, if you can give your time and help.  The prior version is available here for download.

The True Cost of Compliance report, put forward by the Ponemon Institute and Tripwire (released January 2011), states right off the top that the average cost of non-compliance exceeds the cost of compliance by more than $5 million.  Here is the link to the report; no registration is required, which is very nice.  I am also curious what that cover graphic is hiding…

Plenty of great streams of information are flowing from the conference on Twitter; set your search filters to #RSAC and #RSA, and of course, if you like a specific area (NIST, ISO, Cloud), hit those tags up too.  This week is going to produce enough reading for a few flights across the pond for us all!


James DeLuccia


Thomson Reuters Cost of Compliance Survey 2011: 86% expect regulatory change

A new survey was released today by Thomson Reuters and Complinet, based on 337 global practitioners within the Financial Services sector.  The survey focused on GRC and on how organizations are addressing risk this year compared to prior years.  While it is principally focused on the financial aspects of risk management, fraud, and legal matters, there are some interesting takeaways.

The first is that 71% of the professionals expect to need greater resources and time to address an expected 83% increase in regulation and regulatory compliance requirements.  The link requires registration, which is not my favorite.  It does provide the survey report, a short 4 pages, and the prior year's at 6 pages.  Not very deep, but with some interesting points; the reports may be obtained from this link.

One aspect that was interesting was how little Internal Audit is brought into these conversations on dealing with business risk.  This is the direct opposite of what one would consider appropriate, and a pattern I find consistent with Information Security teams as well.  The lesson here: engage Internal Audit; there is no need to re-invent risk management techniques (by the way, I feel the same way about risk management within I.A. when compared against the insurance industry).

For a more technically focused report on compliance, check out the latest Ponemon Institute report here.

See you all at RSA SFO 2011,

James DeLuccia

Visa allows international Merchants to not demonstrate PCI DSS compliance

On February 11, 2011, Visa announced an interesting program that promotes and rewards the fraud-deterrence strength of the Europay, MasterCard and Visa (EMV) smartcard standard.  Merchants with at least 75% of their transactions originating from smartcard-enabled terminals that also accept both contact-based and contactless transactions will no longer have to demonstrate (validate) their PCI DSS compliance.  This is perhaps a reflection of Visa weighing the risks and benefits of the technology from a risk management point of view.  It is certainly a win for merchants, as this technology is widely adopted in many parts of the world.

As a reminder, all organizations within the payment card industry must still be compliant with the data security standard; the exemption is from validation, and the nuance of demonstration / attestation is based on the channel and transaction volume for each individual card brand.  This Visa program does not affect the other card brands, so international merchants will still need to account for them within their global compliance and security programs.

An interesting write-up on the announcement is available at Computerworld here.  The press release is here.

Deployment in the U.S. requires adoption by both merchants and consumers.  It would be interesting to compare the cost of the EMV architecture against the compliance costs organizations carry today.  I also wonder whether requiring security controls to be meaningfully applied to one class of sensitive data (in this case cardholder data) raises all the “boats” (read: other sensitive data types), since safeguards built for one are more likely to be applied broadly.  Is this demonstrated by the 28% reduction in identity thefts in 2010?

See you in San Francisco at RSA 2011,

James DeLuccia

RSA Conference Session – Beyond PCI DSS, final thoughts

RSA 2009 is finished; the vendors have packed up, the speakers have shuffled out of the lounge, and what remains is a compendium of excellent thoughts captured in real time on blogs and Twitter alike.  For Twitter, search for #RSA or #RSAC; for blogs, hit Google or simply start here.  Business-wise, the conference had lighter attendance (anecdotally), and the vendors were on the edge of Cloud | Security | Recession-Antidotes.  Session-wise, they were better this year than last year; the Department of Justice presentations on data breach investigations and the Hoff on Cloudisms were quite good and worth the travel.

Last year I spoke on the Synergies of Regulations, a core tenet of my book, and this year I pushed deeper with BEYOND PCI DSS.  The session abstract for this year was:

“The payment card industry's data security world centers blindly around PCI DSS, but that is not the only duty of companies and persons.  Explore the worst and most often boggled sections of PCI DSS.  Beyond PCI, discuss with peers the labyrinth of existing publications and control guidance / requirements published by government, state, and international authorities that we must address.”

Judging by the attendees of this session, PCI DSS is a very troubling issue.  The session was full, with a range of people from vendors (10% of the room) to businesses complying with PCI DSS (70%), and the remainder made up of a VC and a few independents.  A great bonus of RSA is that they make video recordings available online; however, my session was not part of that digital wonder, so I will try to recap a few of the strongest points below:

  • “Compliance (PCI) provides a metric to determine security – without the compliant requirements the business of security becomes stale” – Top Industry Manufacturer
  • The perception of business / security / governance / auditors is skewed towards PCI DSS (Somali pirates), and the business SLA and other regulations (Great Report Released last week) are being placed in the back seat.  PCI is one part of a program toward delivering operational integrity through IT infrastructure, systems, and computing processes.
  • Vet the AUDITOR intensely, and the firm less.  The firm conducting the audit must have fidelity, but selecting the A-Team is the predominant indicator of having a strong control environment.
  • “Convince your QSA” – When going through the audit you should not be arm-wrestling over controls; these points of “negotiation” should be worked through an existing, mature, and accurate risk assessment program.  Take care here not to materially affect your ethics or those of your company: convincing should lead to a mutually agreed upon state, not a “do this or we fire you” situation.  Audits are supposed to validate compliance and / or provide a set of lenses highlighting how to enhance operations.

All quotes are in fact from EVPs / CIOs who attended the session; the comments are my own.

Thank you to everyone who attended; for each of you who did not receive a book during the giveaway, additional copies may be found at Amazon.

Kind regards,

James DeLuccia