<?xml version="1.0" encoding="UTF-8" standalone="no"?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:gd="http://schemas.google.com/g/2005" xmlns:georss="http://www.georss.org/georss" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:thr="http://purl.org/syndication/thread/1.0"><id>tag:blogger.com,1999:blog-783068595654475782</id><updated>2024-09-04T16:00:57.780+01:00</updated><category term="Getting started"/><category term="moving forward"/><category term="awareness"/><category term="business"/><category term="Data Classification"/><category term="Data ownership"/><category term="Taking responsibility"/><category term="compliance"/><category term="tjx"/><category term="1st Post"/><category term="Audit"/><category term="Consumer Issues"/><category term="Encryption"/><category term="PCI Answers"/><category term="blogging"/><category term="distraction"/><category term="follow up"/><category term="wireless"/><title type="text">InfoSec and PCI from Scratch</title><subtitle type="html">This is a blog about the process of setting up an Information Security Programme within a company not known for its InfoSec awareness.  
In addition, it will comment on the process of delivering a project to make the company PCI DSS compliant.</subtitle><link href="http://infosecandpcifromscratch.blogspot.com/feeds/posts/default" rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/" rel="alternate" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><generator uri="http://www.blogger.com" version="7.00">Blogger</generator><openSearch:totalResults>24</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><xhtml:meta content="noindex" name="robots" xmlns:xhtml="http://www.w3.org/1999/xhtml"/><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-1637021670127533607</id><published>2007-07-11T08:06:00.000+01:00</published><updated>2007-07-11T08:16:01.881+01:00</updated><title type="text">So much to do, so little time</title><summary type="text">I am sooooo behind on my blog / news reading at the moment as I have no time to think let alone post. And believe me, it takes me a long time to think about anything..... I have a lot of catching up to do (Bloglines tells me I have over 1200 items unread!! :-( ) but don't have the time I'm afraid. 
This is due to: Projects at work finally getting traction and being inundated by useful questions from </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/1637021670127533607/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/1637021670127533607" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/1637021670127533607" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/1637021670127533607" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/07/so-much-to-do-so-little-time.html" rel="alternate" title="So much to do, so little time" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-988574974828779759</id><published>2007-06-26T07:30:00.000+01:00</published><updated>2007-06-26T07:38:30.612+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Audit"/><title type="text">The new audit defense?</title><summary type="text">I’ve seen a trend recently although it’s probably been around for ages but I’ve only just noticed. In many cases where an organisation’s security has been compromised, either the organisation itself or the investigative body sent in to look into the situation have responded to direct questions with vague, non-committal answers. This approach first caught my eye with the TJX situation where both the</summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/988574974828779759/comments/default" rel="replies" title="Post Comments" 
type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/988574974828779759" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/988574974828779759" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/988574974828779759" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/06/new-audit-defense.html" rel="alternate" title="The new audit defense?" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-8959703203383418299</id><published>2007-06-24T11:19:00.000+01:00</published><updated>2007-06-24T21:15:23.289+01:00</updated><title type="text">I don't understand</title><summary type="text">I don't understand the lack of focussed PCI DSS related sites on the internet.  Considering the depth of the requirements and the coverage area that it can have on organisations' network systems and business processes, I would have thought that there would be a lot more. There is the following dedicated site:- PCI Answers which is a good source of general info.  
I like it (and contribute when </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/8959703203383418299/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/8959703203383418299" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/8959703203383418299" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/8959703203383418299" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/06/i-dont-understand.html" rel="alternate" title="I don't understand" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-1039343426552684946</id><published>2007-06-21T20:22:00.000+01:00</published><updated>2007-06-21T20:26:07.680+01:00</updated><title type="text">Time flies when you're, erm, busy....</title><summary type="text">WOW!!!!  
13 days since I last posted, I can't believe it. Well, I've been on a few management courses, had a couple of days off and dealt with a few issues with the Acquirer. No excuse though, I'll pull my finger out over the weekend and post something (providing I have something to say, I don't believe in posting for the sake of it).</summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/1039343426552684946/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/1039343426552684946" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/1039343426552684946" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/1039343426552684946" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/06/time-flies-when-youre-erm-busy.html" rel="alternate" title="Time flies when you're, erm, busy...." type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-9107787105776991281</id><published>2007-06-08T10:33:00.000+01:00</published><updated>2007-06-08T10:38:13.344+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="business"/><category scheme="http://www.blogger.com/atom/ns#" term="Consumer Issues"/><title type="text">The “customer concern” argument for InfoSec is dead</title><summary type="text">Various news outlets are reporting that TJX has now been named in over 20 law suits, some class action.  
HarborOne Credit Union has apparently billed TJX $590k for costs and damage to brand. TJX have reported an increase in sales of 5% according to Reuters yesterday.  Analysts were apparently expecting 3.9% so on that basis it has outperformed market expectations. TJX’s share price dipped by </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/9107787105776991281/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/9107787105776991281" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/9107787105776991281" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/9107787105776991281" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/06/customer-concern-argument-for-infosec.html" rel="alternate" title="The “customer concern” argument for InfoSec is dead" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-4097616363235572183</id><published>2007-06-06T13:31:00.000+01:00</published><updated>2007-06-06T13:34:00.314+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="compliance"/><category scheme="http://www.blogger.com/atom/ns#" term="Encryption"/><title type="text">Approach to Encryption within PCI DSS</title><summary type="text">Dave Whitelegg raises a point that’s been niggling me for a while.  
For all the good in the PCI DSS, the whole process gets considerably weakened by the Acquiring banks' insistence on the transmission of data from merchant’s system to acquiring bank’s systems in plain text.  Sure, the transmission channel is SSL encrypted over a point to point / VPN link but the data is still unencrypted and </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/4097616363235572183/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/4097616363235572183" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/4097616363235572183" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/4097616363235572183" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/06/approach-to-encryption-within-pci-dss.html" rel="alternate" title="Approach to Encryption within PCI DSS" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-1227384852280636276</id><published>2007-06-05T19:31:00.000+01:00</published><updated>2007-06-05T19:33:48.620+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="awareness"/><title type="text">I've been assessed!!!!</title><summary type="text">The Company has organised some management training courses and the first entitled “Personal Leadership Style” was today.  Why is this InfoSec relevant?  Well, I’ll tell you later. The day was good, in my opinion.  
I don’t think I learnt anything new about myself (which was sort of the point) but learnt a lot about “leadership styles”.  There were a number of practical exercises and assessment </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/1227384852280636276/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/1227384852280636276" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/1227384852280636276" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/1227384852280636276" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/06/ive-been-assessed.html" rel="alternate" title="I've been assessed!!!!" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-6384373090089105164</id><published>2007-06-04T15:28:00.000+01:00</published><updated>2007-06-04T15:41:41.884+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="awareness"/><category scheme="http://www.blogger.com/atom/ns#" term="moving forward"/><title type="text">The Company Newsletter article</title><summary type="text">As you will know, I have an issue with awareness in my Company.  To that end, I agreed to write a short article for the company newsletter on me and InfoSec in general. I remembered guidance I received from Rob Newby on keeping things short and sweet so as not to scare off the reader so the first article is exactly that.  
I'm going to write some follow up articles on InfoSec in general and PCI </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/6384373090089105164/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/6384373090089105164" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/6384373090089105164" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/6384373090089105164" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/06/company-newsletter-article.html" rel="alternate" title="The Company Newsletter article" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-5945097359349644836</id><published>2007-06-02T09:18:00.000+01:00</published><updated>2007-06-02T09:29:39.287+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="blogging"/><title type="text">Blog news</title><summary type="text">As you know, I have recently started this blog and am new to the blogosphere itself.  I'm learning a lot, not least of which is that things don't always work as they should. Blogger does not use trackbacks as most other blog hosting services appear to do.  They use "backlinks" but I have been unable to get them to work.  
So, I've enabled Haloscan and you should now see the Trackback link at the </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/5945097359349644836/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/5945097359349644836" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/5945097359349644836" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/5945097359349644836" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/06/blog-news.html" rel="alternate" title="Blog news" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-4121918758588922120</id><published>2007-06-01T09:08:00.000+01:00</published><updated>2007-06-01T09:22:19.478+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="awareness"/><category scheme="http://www.blogger.com/atom/ns#" term="moving forward"/><title type="text">Spreading the word</title><summary type="text">Well, I’ve written the article for the company newsletter about me and what I do.  I’ve kept it short and sweet on purpose so as not to: a) bore people stupid; b) use up all my material at once. I intend to do further articles to elaborate on “what InfoSec is” and “how it works within the company”.  That last item should be a short sentence!!!  
My PCI DSS Project Manager has produced another article </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/4121918758588922120/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/4121918758588922120" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/4121918758588922120" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/4121918758588922120" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/06/spreading-word.html" rel="alternate" title="Spreading the word" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-5938905177266623386</id><published>2007-05-31T08:59:00.000+01:00</published><updated>2007-05-31T09:01:38.252+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="business"/><category scheme="http://www.blogger.com/atom/ns#" term="Data Classification"/><category scheme="http://www.blogger.com/atom/ns#" term="Data ownership"/><category scheme="http://www.blogger.com/atom/ns#" term="moving forward"/><title type="text">Maybe some progress at last.....</title><summary type="text">Well, well....  Maybe we’re getting somewhere.  If you’ve read my previous posts you’ll know that there isn’t much support at my company for InfoSec in general let alone any specific requirements and I’ve been trying to find alternative ways of educating people.  
It looks like some of it has struck home. The HR bod in charge of the company’s weekly newsletter has asked me to write a piece </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/5938905177266623386/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/5938905177266623386" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/5938905177266623386" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/5938905177266623386" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/05/maybe-some-progress-at-last.html" rel="alternate" title="Maybe some progress at last....." type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-7962554412039435239</id><published>2007-05-25T12:55:00.000+01:00</published><updated>2007-05-25T12:58:52.436+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="PCI Answers"/><title type="text">My head's above the parapet now!!</title><summary type="text">I’ve been invited to contribute to the PCI Answers postings on their site which is quite an ego boost.  The only thing is, this means I’m going to have to think of decent things to say!!!! Oh well, bang goes the instantaneous ramblings approach to writing comments.  
I guess I had better engage that part of my brain that rarely sees daylight and actually consider what I’m writing beforehand. Oh, and</summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/7962554412039435239/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/7962554412039435239" rel="replies" title="2 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/7962554412039435239" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/7962554412039435239" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/05/my-heads-above-parapet-now.html" rel="alternate" title="My head's above the parapet now!!" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-2586291490030290846</id><published>2007-05-24T09:38:00.000+01:00</published><updated>2007-05-24T09:49:38.068+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="compliance"/><category scheme="http://www.blogger.com/atom/ns#" term="Taking responsibility"/><category scheme="http://www.blogger.com/atom/ns#" term="tjx"/><title type="text">The "maintaining compliance" issue</title><summary type="text">There’s an interesting discussion over on PCI Compliance Demystified about maintaining compliance after you have initially achieved the “tick in the box”.  
The discussion is primarily about PCI DSS compliance but could be had about any compliance requirement. To paraphrase, the question was raised: “how is compliance maintained?” which has developed into a “what’s being done about maintaining </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/2586291490030290846/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/2586291490030290846" rel="replies" title="5 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/2586291490030290846" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/2586291490030290846" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/05/maintaining-compliance-issue.html" rel="alternate" title="The &quot;maintaining compliance&quot; issue" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-1623716284281665539</id><published>2007-05-16T10:10:00.000+01:00</published><updated>2007-05-16T10:15:40.779+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="business"/><title type="text">The difference between business people and InfoSec people</title><summary type="text">OK, so TJX’s Q1 results apparently show “no noticeable decline in customer numbers” since the data breach.  In this article an analyst from Avondale Partners is quoted as saying:- "It still looks like there has been no meaningful fallout from the data systems breach as it relates to customer traffic," said Patrick McKeever, an analyst with Avondale Partners. 
"They did pretty well, all things </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/1623716284281665539/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/1623716284281665539" rel="replies" title="2 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/1623716284281665539" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/1623716284281665539" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/05/difference-between-business-people-and.html" rel="alternate" title="The difference between business people and InfoSec people" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-332862925645635949</id><published>2007-05-10T15:39:00.000+01:00</published><updated>2007-05-16T13:50:16.574+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Data Classification"/><category scheme="http://www.blogger.com/atom/ns#" term="Data ownership"/><category scheme="http://www.blogger.com/atom/ns#" term="Taking responsibility"/><title type="text">Data ownership</title><summary type="text">I read Rob Newby's post about "data classification" with interest as the implementation of such a process has been on my "to do" list for a while. To paraphase my comment to him, "I think Data Classification is one of the fundamental first steps in a good InfoSec programme". 
The point is, until you know how important the data is, how long it needs protecting for and who should have access to it </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/332862925645635949/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/332862925645635949" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/332862925645635949" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/332862925645635949" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/05/data-ownership.html" rel="alternate" title="Data ownership" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-4174377142724792934</id><published>2007-05-08T11:04:00.000+01:00</published><updated>2007-05-08T11:12:54.456+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="moving forward"/><category scheme="http://www.blogger.com/atom/ns#" term="tjx"/><category scheme="http://www.blogger.com/atom/ns#" term="wireless"/><title type="text">Why, oh why, oh wireless…..</title><summary type="text">OK, so enough of bleating about how bad things are, on to some more topical issues. This news item on Security Focus amused me.  
Basically, if true, it appears that a wireless network secured with WEP only encryption was the access channel for the TJX hackers. The thing is, I have had a discussion with people here about wireless and the levels of protection used and suffice to say, I think they </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/4174377142724792934/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/4174377142724792934" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/4174377142724792934" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/4174377142724792934" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/05/why-oh-why-oh-wireless.html" rel="alternate" title="Why, oh why, oh wireless….." type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-8917900659410577741</id><published>2007-05-08T07:04:00.000+01:00</published><updated>2007-05-08T11:14:37.630+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Getting started"/><title type="text">I lied!!</title><summary type="text">OK, the previous post said that it was the last (for now) in the “Things I’ve done wrong” series. It wasn’t, this one is. There are other things I have learned but those are a good starter for 10. 
For now, I think it is safe to say that having learned the lessons I'm better equipped to start making the sort of progress I want and the company needs. From the above experiences, I looked for a </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/8917900659410577741/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/8917900659410577741" rel="replies" title="2 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/8917900659410577741" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/8917900659410577741" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/05/i-lied.html" rel="alternate" title="I lied!!" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-2787970507364983675</id><published>2007-05-08T06:32:00.000+01:00</published><updated>2007-05-08T11:10:54.597+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Getting started"/><title type="text">It’s a good idea, trust me, I’m a gynaecologist</title><summary type="text">Last (currently) in the “Things I’ve done wrong” process. To a certain extent, this is linked to expecting people to understand “why”. In the past, I have explained the details of an Info Sec related issue and then the possible remedial actions available to the company and then assumed that the correct decision would be made.   
How naïve can you be?!?!?! Unfortunately, it would appear that the "</summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/2787970507364983675/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/2787970507364983675" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/2787970507364983675" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/2787970507364983675" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/05/its-good-idea-trust-me-im-gynaecologist.html" rel="alternate" title="It’s a good idea, trust me, I’m a gynaecologist" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-8430609148644585619</id><published>2007-05-07T12:18:00.000+01:00</published><updated>2007-05-08T11:10:29.045+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="follow up"/><category scheme="http://www.blogger.com/atom/ns#" term="Getting started"/><title type="text">No follow up</title><summary type="text">Continuing "Things I've done wrong". After designing and agreeing an Info Sec Management approach with the board another element of “Getting Distracted” happened and I never went back and followed it up. I could bleat about how “it wasn’t my fault because…” or “I meant to but this or that stopped me” but basically I should have persevered but didn’t. 
I allowed myself to get involved in other stuff</summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/8430609148644585619/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/8430609148644585619" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/8430609148644585619" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/8430609148644585619" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/05/no-follow-up.html" rel="alternate" title="No follow up" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-8548708739407946039</id><published>2007-05-05T16:22:00.000+01:00</published><updated>2007-05-05T16:31:41.268+01:00</updated><title type="text">What am I doing here?</title><summary type="text">More on the “Things I’ve done wrong”. Within the first week after being given the job, I sent a draft job description to my boss (the Group FD) and scheduled a meeting to discuss. Then, an element of “distraction” came along and we never had the meeting. 
Due to numerous “distraction” issues thereafter, it just got sidelined. This has led to little to no authority within the company to actually get </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/8548708739407946039/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/8548708739407946039" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/8548708739407946039" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/8548708739407946039" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/05/what-am-i-doing-here.html" rel="alternate" title="What am I doing here?" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-1287497378920499840</id><published>2007-05-04T21:48:00.000+01:00</published><updated>2007-05-04T21:53:08.093+01:00</updated><title type="text">Don't just take my word for it</title><summary type="text">Continuing the "Things I've done wrong" series. The next error I made was expecting people to understand why something is either a good idea or necessary.  An extreme example follows:- Imagine a discussion where you have to explain in finite detail "why" a company should implement a firewall solution at all. 
I don't mean a certain type of firewall, I mean any firewall. Things aren't quite that bad </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/1287497378920499840/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/1287497378920499840" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/1287497378920499840" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/1287497378920499840" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/05/dont-just-take-my-word-for-it.html" rel="alternate" title="Don't just take my word for it" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-2752488126483282299</id><published>2007-05-04T08:05:00.000+01:00</published><updated>2007-05-08T11:10:09.291+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="distraction"/><category scheme="http://www.blogger.com/atom/ns#" term="Getting started"/><title type="text">Getting distracted is a killer</title><summary type="text">First part of the "things I've done wrong" theme is "Getting distracted". This is the main reason for lack of progress. The Company I work for is primarily an online entertainment provider (no, not that sort of “entertainment”!!) and focuses heavily on new initiatives and new markets. This means a lot of "drop that, do this" type meetings. 
Not conducive to long term planning, unfortunately. The </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/2752488126483282299/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/2752488126483282299" rel="replies" title="2 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/2752488126483282299" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/2752488126483282299" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/05/first-part-of-things-ive-done-wrong.html" rel="alternate" title="Getting distracted is a killer" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-2774510607347439417</id><published>2007-05-03T14:54:00.000+01:00</published><updated>2007-05-03T16:09:35.020+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Getting started"/><title type="text">Things I've done wrong</title><summary type="text">Right then, first real post. I thought I'd start off by listing out the things I'd done wrong since persuading the company to generate the position of Information Security Manager and giving me the job. That all happened about 6 months ago and to be honest, I don't feel like I've made a lot of progress since. 
So, first is a list of titles in no particular order, I'll comment against each over the</summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/2774510607347439417/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link href="http://www.blogger.com/comment/fullpage/post/783068595654475782/2774510607347439417" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/2774510607347439417" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/2774510607347439417" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/05/things-ive-done-wrong.html" rel="alternate" title="Things I've done wrong" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-783068595654475782.post-8380064348407268092</id><published>2007-05-03T13:15:00.000+01:00</published><updated>2007-05-03T13:51:42.916+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="1st Post"/><title type="text">1st Post</title><summary type="text">So, after reading and commenting on various Information Security and PCI DSS related posts and blogs over the past few months I have decided to start blogging on the subject. This is the first post and therefore not that interesting. My intention is to post my thoughts about my current situation which is setting up an Information Security Management environment and directing a PCI DSS compliance </summary><link href="http://infosecandpcifromscratch.blogspot.com/feeds/8380064348407268092/comments/default" rel="replies" title="Post Comments" type="application/atom+xml"/><link 
href="http://www.blogger.com/comment/fullpage/post/783068595654475782/8380064348407268092" rel="replies" title="0 Comments" type="text/html"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/8380064348407268092" rel="edit" type="application/atom+xml"/><link href="http://www.blogger.com/feeds/783068595654475782/posts/default/8380064348407268092" rel="self" type="application/atom+xml"/><link href="http://infosecandpcifromscratch.blogspot.com/2007/05/1st-post.html" rel="alternate" title="1st Post" type="text/html"/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image height="16" rel="http://schemas.google.com/g/2005#thumbnail" src="https://img1.blogblog.com/img/b16-rounded.gif" width="16"/></author><thr:total>0</thr:total></entry></feed>