PCI Compliance Dashboard - New version including SANS Top20 Critical Security Controls
Hi,
According to what we are hearing from the field, there is quite a large number
of active users of this PCI Compliance Dashboard out there. Encouraged by your
feedback and your assistance, we worked on this new release. Among other great
enhancements, it encompasses references to the SANS Top 20 Critical Security
Controls. A deeper analysis paper on PCI-SANS matching and deviation areas will
follow, but for now, enjoy this new version of the PCI Compliance Dashboard.
What's New?
* Add a tabl
Your PCI Logbook - What is required in terms of log management?
P > D + R is a well-known principle in security.
It means that the Protective measures in place must be strong enough to resist
longer than the time required to Detect that something wrong is happening and
then to React.
For example, your door must be strong enough to prevent a malicious individual
from getting in for at least the amount of time required to detect the incident,
alert the police, and have them arrive on site.
In this context, log management
[https://www.rapid7.com/fundamen
Cyber attack ranked within the top 5 risks in terms of probability
“The more complex the system, the greater the risk of systemic breakdown, but
also the greater the potential for opportunity” - Klaus Schwab, Founder and
Executive Chairman, World Economic Forum.
The World Economic Forum [http://www.weforum.org/] released their Global Risks
2012 report, outlining the perceived impact, likelihood and interconnectedness
of 50 prevalent global risks arranged in five risk categories: economic,
environmental, geopolitical, societal and technological.
In this post I'
Can I use compensating controls to resolve vulnerabilities found during a scan?
Resolving vulnerabilities found during a scan before a passing scan result can
be issued is not always immediately possible, and sometimes the only possible
solution is the use of a Compensating Control.
Compensating controls are not meant to be the de facto response to an identified
vulnerability. Compensating controls may only be employed if a true technical
limitation or business need prevents a vulnerability from being corrected. This
is most commonly the case for zero-day vulnerabiliti
What to do if your organization can't demonstrate four passing PCI internal or external scans
Two cases:
1) Your company is assessed for the first time:
Entities participating in their first ever PCI DSS assessment are only required
to demonstrate that the most recent scan result meets the criteria for a passing
scan, and that policies and procedures are in place for future quarterly scans,
to meet the intent of this requirement. So to be compliant with 11.2 the first
time you are assessed, you only need to demonstrate that the most recent scan is
a PASS.
2) Reassessment (from th