In my previous blog post, The PCI Assessment Paradox, I posted a small survey. This survey asked two questions:
- How many assessors were on site during your most recent PCI assessment?
- How long were your assessors on site for your most recent PCI assessment?
I only received six responses to this survey but the results are interesting nonetheless.
How do you know how long your assessor should be on site? Ask yourself whether you would be able to fully understand the size and scope of your environment and sign a document attesting to the compliance of that environment given the time the QSA organization is proposing. Refer to my previous blog post for more information on assessment time frames.
PCI has been around for a while now, and with this experience the companies providing assessments are getting better at defining the process of the PCI assessment. The assessors have refined what works best in the assessing process: interview schedules, sampling methods, reporting structures, etc.
The publicized information surrounding breaches of entities that were previously assessed as PCI compliant companies has brought additional scrutiny to the assessment process from the PCI Council. The council has implemented a quality assurance program which includes placing assessing organizations on probation for insufficient assessing practices.
While the work required to perform a PCI assessment per the documented guidelines is defined, the range of effort seems to vary greatly from organization to organization. I have seen small organizations undergo very thorough assessments by QSA firms and, to the contrary, I have seen very large organizations assessed by a single assessor who is on site for less than a week. It becomes easy to see who wins when QSA firms are shopped strictly on price alone.
So what is the “just right” amount of time and effort an assessing organization would need to conduct a proper assessment for you? The assessment process isn’t some kind of voodoo magic. There’s no real shortcut — every assessment must answer every bullet for every testing procedure for every requirement. To me it’s very simple. When choosing a QSA firm, ask yourself whether you would be willing to sign a document attesting to the compliance of an organization of your size and scope given the time and effort that the QSA is presenting.
The difficulty here is that the companies willing to stand firm on the basis that they are doing what is contractually and ethically required of them by the PCI Security Standards Council and the industry as a whole will lose out to those who are just volume assessors providing check marks at a low cost.
So be wary of an assessing firm that says it can conduct a Level 1 PCI assessment and only show up for 2 days on site. Ask yourself, could you sign that attestation form?
How many assessors conducted your most recent assessment and how long were they on site? I am conducting a brief two-question survey and will post the results.
Our father, mentor, and best friend left this world at 9:30 pm on June 8, 2010. Ben Springfield was a wonderful father of 3 sons (Scott, Brad and myself), though hundreds of people throughout Oklahoma referred to him as dad, pops or Pappy. The amount of people that this man touched over the years is astounding.
His professional life was spent serving others. He served as a Lincoln County Deputy Sheriff, City of Chandler Police Officer and the Director of Emergency Management for Lincoln County. But there was so much more to his service to the community.
Please leave a comment below if my dad impacted you in any way over the years.
Services will be held at the First Christian Church in Chandler, Oklahoma at 10am on Friday, June 11, 2010. The viewing will be any time after noon on Thursday, June 10 at Brown Funeral Home in downtown Wellston.
While he did not die of cancer, he lost his mother to breast cancer and father to stomach cancer. His sister and I both battled colon cancer. If you would like to make a donation, you can donate to the American Cancer Society in his name. On the American Cancer Society form, please indicate that the donation is an “HONOR” gift. Please make the donation in Honor of Ben Springfield and send the card to:
Your donations are greatly appreciated.
It is amazing how we have come to expect nothing but perfection from our anti-virus providers. The recent events that stem from a McAfee DAT update have reminded us of the level of access, and the level of risk, that this type of software carries in our environment.
Would you roll a Microsoft Super Tuesday patch to your servers straight out of the package with no testing? No, your organization probably has a very formal process for upgrading software: staging, testing, phased roll-outs, etc. It is somewhat strange how differently we treat a vendor such as McAfee when it comes to updating the DAT and the inherent risks that involves. Granted, this level of impact hasn’t been seen many times in the past.
We want the best of all worlds: to update our anti-virus engines with the most recent packages in order to take advantage of the new protection and reduce our overall risk, but also to do it in a manner that provides a level of assurance that we won’t have an operational impact. You know, we want to reduce risk while reducing risk.
What a fine line McAfee has to walk: build increasingly complex signatures that will protect the servers without any room for an adverse effect. Wow, that’s got to be hard. To think that this has gone on for so many years without a widespread outage is amazing, and I think it shows an amazing track record for McAfee as well as other anti-virus software providers. The question is, though, will this event affect how organizations update their DATs?
Growing up, my dad was the Emergency Management Director for Lincoln County, Oklahoma. Part of his job responsibilities was operating the emergency operations center (EOC) for Lincoln County and running the storm spotting activities. So growing up, we did a lot of storm spotting and working in the EOC during spring storm season.
One of the major challenges of running a rural (not a professional) storm spotting team is making sure you have access to the live weather radar and the approximate location of each spotter.
The setup:
In looking through some Twitter API documentation, I thought it might be kind of cool to use Twitter as a location tool for storm spotters in a particular region. Many phones on the market today have GPS services embedded in them, and many Twitter clients have the ability to send geolocation data to Twitter as a part of your Twitter post.
The idea:
Write a web application that overlays the tweet of each spotter, describing what they see, at the exact location of their observation on a Google Maps interface.
So the spotter in the field would tweet what he or she sees from their vantage point:
mspringfield: funnel cloud to my direct west.
Pea size hail and gusty winds from the northwest.
Through the Twitter API this tweet can be dissected to include full latitude and longitude coordinates along with the tweet text. This information is delivered in XML and would be very easy to parse. Write a simple app to lay that on a Google map through the Google Maps API and voilà! Your tweet information is posted right on a Google map!
Natural next steps would be to lay the actual radar image over the map and give the user control to adjust the opacity of the reflectivity layer. Also, a Twitter bot could be written to auto-reply and sign up users for different regions, controlled by the web app.
Anywho — lots of fun ideas around this one. I think it has potential, but I’ve got no time to pursue it right now.
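As an added example, not code from the original post, here is what the tweet-to-marker step could look like: a parser for the georss point element the old Twitter XML timeline carried, run over constructed sample statuses. The XML shape, the handles other than the author's own, and the coordinates are assumptions; statuses without a usable location are dropped rather than plotted, since feed data is untrusted input.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

GEORSS = "{http://www.georss.org/georss}"
Observation = namedtuple("Observation", "screen_name text lat lon")

# Constructed sample in the shape of the old Twitter XML timeline (an assumption);
# handles, tweets and coordinates are invented for this example.
SAMPLE_XML = """<statuses xmlns:georss="http://www.georss.org/georss">
  <status><id>1</id><text>funnel cloud to my direct west.</text>
    <user><screen_name>mspringfield</screen_name></user>
    <geo><georss:point>35.7017 -96.8806</georss:point></geo></status>
  <status><id>2</id><text>Pea size hail and gusty winds from the northwest.</text>
    <user><screen_name>spotter2</screen_name></user>
    <geo><georss:point>35.7400 -96.9600</georss:point></geo></status>
  <status><id>3</id><text>client sent no location</text>
    <user><screen_name>spotter3</screen_name></user><geo/></status>
  <status><id>4</id><text>garbage point</text>
    <user><screen_name>spotter4</screen_name></user>
    <geo><georss:point>999 -96.9</georss:point></geo></status>
</statuses>"""

def parse_point(point_text):
    """Turn a georss 'lat lon' string into floats; reject malformed or out-of-range values."""
    parts = point_text.split()
    try:
        lat, lon = float(parts[0]), float(parts[1])
    except (IndexError, ValueError):
        return None
    if len(parts) != 2 or not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return lat, lon

def parse_observations(xml_text):
    """One Observation per geotagged status; the feed is untrusted, so unusable points are skipped."""
    out = []
    for status in ET.fromstring(xml_text).findall("status"):
        point = status.find("geo/" + GEORSS + "point")
        coords = parse_point(point.text) if point is not None and point.text else None
        if coords is None:
            continue
        out.append(Observation(status.findtext("user/screen_name", "unknown"),
                               status.findtext("text", ""), *coords))
    return out

def to_map_markers(observations):
    """Shape observations as the marker records a Google Maps front end would plot."""
    return [{"title": "@" + o.screen_name, "lat": o.lat, "lng": o.lon, "info": o.text}
            for o in observations]
```

The marker `info` text still has to be HTML-escaped by whatever renders it, since it is whatever the spotter typed.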
Bottom line (is that some sort of pun?): it’s not fun to talk about. But ask your doctor about getting screened.
- Colorectal cancer is the third most commonly diagnosed cancer and, second only to lung cancer, the second leading cause of cancer death in both men and women in the US.
- 37% of colorectal cancers are found after the cancer is diagnosed at a regional stage (spread to surrounding tissue).
- 20% of colorectal cancers are found after the disease has spread to distant organs.
Colorectal cancer has a higher annual death rate than prostate cancer for men and breast cancer for women. However, awareness and funding are much, much lower than for breast cancer:
- The Center for Disease Control and Prevention’s (CDC) 2008 colorectal cancer budget was $14 million, compared to $200.8 million for breast and cervical cancer.
- The National Cancer Institute spent $572.6 million on breast cancer compared to $273.7 million on colorectal cancer research in 2008.
In most cases colon cancer is preventable with proper screening. Talk to your doctor about getting screened before you are 50.
Folks, today is World Cancer Day. In 2005, 7.6 million people died of cancer worldwide. That’s just plain crazy.
Get checked, get off your butt and exercise, eat better, take care of yourself and each other every day.
http://www.newsweek.com/id/232998
So my Apple Time Capsule died back in September. It seems that the first-run units had an issue with power supplies, so much so that someone set up a registration website where you can register your fallen Time Capsule (http://timecapsuledead.org/). It seems that 18 months of operation is the key time frame before it goes kaput.
Anyway my local Apple store very generously offered me a replacement (how about that!). However, when I asked about what their data destruction policy was surrounding returned Time Capsule devices, the reply was that Apple doesn’t have one.
For those of you who don’t know, the Apple Time Capsule is a backup device that wirelessly backs up all of your Apple computers to the 1TB hard drive on board the device. So in this case the power supply died, leaving the hard drive, and the data on it, completely intact. When your device dies, Apple exchanges it for a new device. So you have handed a full, unencrypted backup of all of your computer’s data over to Apple, and they don’t have a policy that restricts what they can do with that data.
In my case Apple didn’t have the exact model of my Time Capsule in stock. They did the exchange paperwork and ordered my new one. I have to bring my broken TC back later this week for exchange. Since the paperwork is now done, I took it upon myself to do a little surgery. I opened up the device, mounted the drive directly to my Mac and erased the data properly. I’m hoping that the exchange will still go through later this week.
Now I am stuck with a decision about what to do with my new Time Capsule. I’m seriously thinking about just eBaying it because I don’t want to be in a position for this to occur again. It’s not worth the risk to the data for me. I will just continue to back up to my NAS.
I wonder if Apple will adopt a data destruction policy concerning this type of backup system. As the consumer base becomes more and more educated on data security issues, I think manufacturers will have to deal with the issue of security on returned devices.
The song begins right at 2 minutes into the video.
This guitarist is a local Dallas guy who is absolutely amazing. His brother Ashley is a survivor of pediatric brain cancer, diagnosed when he was 2. His cancer has returned with a vengeance and they are pursuing a very aggressive strategy with an experimental treatment to save Ashley. The treatment is not FDA approved and isn’t covered by the family’s insurance.
He is trying to sell 2,000 of his box sets to help pay for his brother’s treatments.
Check out the video, go to his website and take a listen to some of the other music and buy the set.