January 2009 Archives

Have Regulations Made eCommerce Safer?

January is a popular month for waxing philosophical about the past year and full of prognostication about the coming year. One popular topic this year has been that of the impact of regulations on security and, ultimately, the safety of eCommerce. As you might imagine, opinions span the full spectrum of thinking, but the general consensus seems to be that yes, things are better.

It would be irrational to argue that security technologies have not improved, just as it would be sheer folly to say that regulations like PCI have had no impact on eCommerce safety. That being said, it also isn't clear that the gains have been as significant as some have claimed, and moreover, attacks have grown exponentially in their complexity and effectiveness.

To this end, I will be delving into these opposing conclusions below. For the purposes of this post, I will talk just about Sarbanes-Oxley (SOX) and the Payment Card Industry Data Security Standard (PCI). These two regulations are interesting for a couple of reasons, not the least of which is how they contrast with each other.

Epic Fail: My January Blogging

Well, good grief, where in the world has January gone? Not that too many folks are following this blog :) but I could probably have done a better job this month. It's been a busy month, filled with travel, and I've been terribly remiss in keeping track of everything here. I'll be picking things back up again soon now that I've had a break. It will likely be February before I get everything underway due to travel, but I have a lot to catch folks up on. So, bear with me and things will come back soon! :)

It's "Security" - Not "Secure IT"

(cross-posted from T2PA)

A common challenge as an infosec professional is the legacy association of the field with information technology (IT). This challenge can be quite detrimental to the enterprise, as an acute focus on technology will inevitably overlook critical issues (and I don't just mean policies!).

This year may provide the perfect opportunity to demonstrate this perspective. As budgets continue to tighten, it should quickly become obvious that "security" is far more than just an IT matter. If your organization takes a serious, deep look at all security responsibilities—arguably including risk management and assessment, policy, compliance, training and awareness, contract support, maybe litigation support, and possibly even audit—then the conclusion must necessarily be to decouple the future of your security program from the future of IT personnel.

Creative Commons License
This blog is licensed under a Creative Commons License.