PCI DSS Compliance and Security: Harmony or Discord?

•Download as PPT, PDF•

5 likes•1,070 views

An organization can be compliant and still experience a security breach – look no further than Heartland Payment Systems and RBS WorldPay. Both had achieved PCI DSS compliance, only to suffer massive data breaches that cost tens of millions of dollars. What is the difference between compliance and security? And how can organizations effectively move beyond PCI DSS compliance to ensure the security of personally identifiable information (PII)?

PCI DSS Compliance and Security: Harmony or Discord?

Today’s Agenda ,[object Object],[object Object],[object Object],[object Object]

Today’s Speakers Chris Merritt Director of Solution Marketing Lumension Michael Rasmussen Risk & Compliance Advisor Corporate Integrity, LLC William Bell Director of Information Systems EC Suite

The Evolving Threat and Compliance Landscape

The Evolving Threat Landscape ,[object Object],[object Object],[object Object],Source: Verizon, 2010 Data Breach Investigations Report

Are you focused only on what you see? “ Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!” E.J. Smith, Captain of the Titanic Risk Awareness Risk Ignorance

Silos Lead to Greater IT Risk ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Compliance & Security: Harmony or Discord? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

A grim view of the current state… Source: Open Compliance & Ethics Group

Big Picture of Compliance OBJECTIVES strategic, operational, customer, process, compliance objectives BUSINESS MODEL strategy, people, process, technology and infrastructure in place to drive toward objectives MANDATED BOUNDARY boundary established by external forces including laws, government regulation and other mandates. VOLUNTARY BOUNDARY boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies. OPPORTUNITIES OPPORTUNITIES OPPORTUNITIES Source: Open Compliance & Ethics Group OBSTACLES

Components of Compliance & Data Protection Source: Open Compliance & Ethics Group INFORM & INTEGRATE DETECT & DISCERN ORGANIZE & OVERSEE ASSESS & ALIGN MONITOR & MEASURE PREVENT & PROMOTE RESPOND & RESOLVE

6 Critical Elements to Achieve Economies in PCI DSS Compliance & Beyond

6 Economies of PCI DSS Compliance & Beyond

1 - Agility ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

2 - Consistency ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

3 - Efficiency ,[object Object],[object Object],[object Object],[object Object],[object Object]

4 - Transparency ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

5 - Accountability ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

6 - Security ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

PCI Compliance, Security & Beyond ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Resources and Tools ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Organizations are struggling to keep up with today’s evolving threat landscape. From technology sophistication and business adoption to the proliferation of hacking techniques and the expansion of hacking motivations, organizations are facing major security risks. Every organization needs some kind of information security program to protect their systems and assets. Organizations today face pressure from regulatory or legal obligations, customer requirement, and now, senior management expectations.

QSA Shares PCI 3.0 Advice & Checklist

Tripwire

It’s big. It’s bigger than you think. On January 1, 2015, the Payment Card Industry Data Security Standard (PCI DSS) version 3.0 becomes the global PCI audit standard. In this webinar, PCI QSA Jeff Hall shares the biggest gotchas that he’s encountered while working with clients. Key insights will include: • How will auditors’ requirements increase notably? • What are the foreseeable problem hot spots? • Why won't steps for passing PCI 2.0 cut it for 3.0? You’ll also get a helpful checklist for 3.0 late starters!

Building an effective Information Security Roadmap

Elliott Franklin

As company information security functions continue to grow each year with increasing attacks and regulations, how are you handling the pressure? Are you constantly battling to run the business projects and reacting to customer requests? Have you blocked off a few hours each week on your calendar to close your email, turn off your phone and try to build, assess and maintain an effective vision for your security team? This presentation will discuss a cascading approach to creating such a roadmap that is easily understood by executives and has helped gain quick buy in for multiple enterprise wide security projects.

Nist 800 53 deep dive 20210813

Kinetic Potential

Cisa 2013 ch0

Aladdin Dandis

RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS

Christina33713

As an information security professional, it is your role to take on the cybersecurity challenges in your organization. That is where a solid understanding of Risk Management comes in. Risk Management is a lot like a chess game. To succeed you need to understand the risks ahead and be able to plot future scenarios, to weigh up the relative impacts and then plan accordingly. Scroll through this slideshare to learn about 4 essential frameworks.

Cisa 2013 ch4

Aladdin Dandis

IT SECURITY ASSESSMENT PROPOSALCYBER SENSE

Introduction to Risk Management via the NIST Cyber Security Framework

PECB

The cyber security profession has successfully established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlight opportunities for expanded application for cyber, physical, and personnel security risks. This NIST CSF can help practitioners build a cross-pollenated understanding of holistic risk. Main points covered: • Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms. • Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments. • Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management. Presenters: David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certification Protection Professional (CPP) and Project Management Professional (PMP) certifications. Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Being specialized in Homeland Security, Andrea leverages her experience in formerly managing projects to support various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel within tactical, operational and strategic levels. Overall, Andrea encompasses analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence. Recorded webinar: https://youtu.be/hxpuYtMQgf0

Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015

Phil Agcaoili

The Business Case for Data Security

Imperva

The growing costs of security breaches and manual compliance efforts have given rise to new data security solutions specifically designed to prevent data breaches and deliver automated compliance. This paper examines the drivers for adopting a strategic approach to data security, compares and contrasts current approaches, and presents the Return on Security Investment (ROSI) of viable data security solutions.

Cisa 2013 ch3

Aladdin Dandis

Developing an Information Security Roadmap

Austin Songer

NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...

North Texas Chapter of the ISSA

Doug Landoll, CEO, Lantego Four Deadly Traps in Using Information Security Frameworks Frameworks can be used to effectively build or assess information security programs, but applied incorrectly and they effectively mask major program gaps. During this talk, Mr. Landoll will explain the four framework traps and how to avoid them and how to effectively utilize a framework to build or assess an information security program. Mr. Landoll will focus on the NIST 800-53 framework as an example.

Addressing Security Challenges of Mobility and Web 2.0 2009Jason Edelstein

Information Security It's All About Compliance

Dinesh O Bareja

What's hot

Security services mind mapDavid Kennedy

Roadmap to IT Security Best Practices

Greenway Health

Ch3 cism 2014

Aladdin Dandis

What is a cybersecurity assessment 20210813

Kinetic Potential

Cybersecurity Challenges in Healthcare

Doug Copley

Supplement To Student Guide Seminar 03 A 3 Nov09

Tammy Clark

Build an Information Security Strategy

Andrew Byers

QSA Shares PCI 3.0 Advice & Checklist

Tripwire

Building an effective Information Security Roadmap

Elliott Franklin

Nist 800 53 deep dive 20210813

Kinetic Potential

Cisa 2013 ch0

Aladdin Dandis

RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS

Christina33713

Cisa 2013 ch4

Aladdin Dandis

IT SECURITY ASSESSMENT PROPOSALCYBER SENSE

Introduction to Risk Management via the NIST Cyber Security Framework

PECB

Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015

Phil Agcaoili

The Business Case for Data Security

Imperva

Cisa 2013 ch3

Aladdin Dandis

Developing an Information Security Roadmap

Austin Songer

NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...

North Texas Chapter of the ISSA

What's hot (20)

Security services mind map

Roadmap to IT Security Best Practices

Ch3 cism 2014

What is a cybersecurity assessment 20210813

Cybersecurity Challenges in Healthcare

Supplement To Student Guide Seminar 03 A 3 Nov09

Build an Information Security Strategy

QSA Shares PCI 3.0 Advice & Checklist

Building an effective Information Security Roadmap

Nist 800 53 deep dive 20210813

Cisa 2013 ch0

RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS

Cisa 2013 ch4

IT SECURITY ASSESSMENT PROPOSAL

Introduction to Risk Management via the NIST Cyber Security Framework

Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015

The Business Case for Data Security

Cisa 2013 ch3

Developing an Information Security Roadmap

NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...

Viewers also liked

Addressing Security Challenges of Mobility and Web 2.0 2009Jason Edelstein

Information Security It's All About Compliance

Dinesh O Bareja

National Critical Information Infrastructure Protection Centre (NCIIPC): Role...

Cybersecurity Education and Research Centre

Six Keys to Securing Critical Infrastructure and NERC Compliance

Lumension

With the computer systems and networks of electric, natural gas, and water distribution systems now connected to the Internet, the nation’s critical infrastructure is more vulnerable to attack. A recent Wall Street Journal article stated that many utility IT environments have already been breached by spies, terrorists, and hostile countries, often leaving bits of code behind that could be used against critical infrastructure during times of hostility. The U.S. Cyber Consequence Unit declared that the cost of such an attack could be substantial: “It is estimated that the destruction from a single wave of cyber attacks on U.S. critical infrastructures could exceed $700 billion USD - the equivalent of 50 major hurricanes hitting U.S. soil at once.” Vulnerability and exposure of utilities’ critical infrastructures originate from the Supervisory Control and Data Acquisition (SCADA) and Distribution Automation (DA) systems that communicate and control devices on utility grids and distribution systems. Many of these systems have been in operation for years (sometimes for decades), and are not designed with security in mind. Regulatory bodies have recognized the many security issues to critical infrastructure and have begun to establish and enforce requirements in an attempt to shore up potential exposures. One such regulation is NERC CIP, which includes eight reliability standards consisting of 160 requirements for electric and power companies to address. And as of July 1, 2010, these companies must be “auditably compliant” or else they risk getting slapped with a $1 million per day, per CIP violation. In this roundtable discussion, we will highlight: • The security challenges facing utilities today • The six critical elements to achieving economical NERC CIP compliance • How utilities can secure critical infrastructure in today’s networked environment

On Boarding Ppt

tomnorthrop

Onboarding! Powerpoint Presentation

Donna Morrison

Viewers also liked (6)

Addressing Security Challenges of Mobility and Web 2.0 2009

Information Security It's All About Compliance

National Critical Information Infrastructure Protection Centre (NCIIPC): Role...

Six Keys to Securing Critical Infrastructure and NERC Compliance

On Boarding Ppt

Onboarding! Powerpoint Presentation

Similar to PCI DSS Compliance and Security: Harmony or Discord?

CCA study group

IIBA UK Chapter

D1 security and risk management v1.62

AlliedConSapCourses

Item46763

madunix

New technologies - Amer Haza'a

Fahmi Albaheth

Risk Management

ijtsrd

Risk management is one of the main concepts that have been used by most of the organisations to protect their assets and data. One such example would be INSURANCE. Most of the insurance like Life, Health, and Auto etc have been formulated to help people protect their assets against losses. Risk management has also extended its roots to physical devices, such as locks and doors to protect homes and automobiles, password protected vaults to protect money and jewels, police, fire, security to protect against other physical risks. Dr. C. Umarani | Shriniketh D "Risk Management" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1 , December 2020, URL: https://www.ijtsrd.com/papers/ijtsrd37916.pdf Paper URL : https://www.ijtsrd.com/computer-science/computer-security/37916/risk-management/dr-c-umarani

Risk assessment

kajal kumari

${d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...$ ${d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...$

{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...Taiye Lambo

PCI DSS Implementation: A Five Step Guide

AlienVault

Payment Card Industry Data Security Standard (PCI DSS) compliance can be both hard and expensive. For most small to medium sized organizations, it doesn’t have to be as long you have the right plan and tools in place. In this guide you’ll learn five steps that you can take to implement and maintain PCI DSS compliance at your organization. AlienVault PCI DSS Compliance: https://www.alienvault.com/solutions/pci-dss-compliance Have a question? Ask it in our forum: http://forums.alienvault.com More videos: http://www.youtube.com/user/alienvaulttv AlienVault Blogs: http://www.alienvault.com/blogs AlienVault: http://www.alienvault.com

Risk Management Approach to Cyber Security

Ernest Staats

Cyber crime with privention Manish Dixit Ceh

PCI Certification and remediation services

Tariq Juneja

S nandakumarIPPAI

S nandakumar_bangloreIPPAI

Cyber-Security-Whitepaper.pdf

Anil

Cyber-attacks are an alarming threat to all types of businesses & organizations.The risk of a cyber-attack is not just a risk to your company but also to your privacy.Hence, cybersecurity is crucial for every business. Cybersecurity protects critical data from cyber attackers. This includes sensitive data, governmental and industry information, personal information, personally identifiable information (PII), intellectual property, and protected health information (PHI). If you are looking for tools to fight against cyber threats, then Techwave’s tools & technologies with adequate controls will help your organization stay protected.

Cyber-Security-Whitepaper.pdf

Anil

RISE's Training CatalogRISE for Information Technology Services

Enabling Science with Trust and Security – Guest Keynote

Globus

Isa Prog Need LR_Yanus

17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...

abhichowdary16

Information Security Framework

ssuser65fa31

Similar to PCI DSS Compliance and Security: Harmony or Discord? (20)

CCA study group

D1 security and risk management v1.62

Item46763

New technologies - Amer Haza'a

Risk Management

Risk assessment

${d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...$ ${d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...$

{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...

PCI DSS Implementation: A Five Step Guide

Risk Management Approach to Cyber Security

Cyber crime with privention

PCI Certification and remediation services

S nandakumar

S nandakumar_banglore

Cyber-Security-Whitepaper.pdf

RISE's Training Catalog

Enabling Science with Trust and Security – Guest Keynote

Isa Prog Need L

17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...

Information Security Framework

More from Lumension

Using SCCM 2012 r2 to Patch Linux, UNIX and Macs

Lumension

Today, everything has to be patched. From desktop and laptop to server and every operating system in between. With compliance, what we have to pay attention to is what’s actually out there on our network – not just what you wish were there. Servers (Windows, UNIX and Linux)Even Windows-centric environments have at least a few UNIX or Linux servers that need to be secure and patched. Linux and UNIX servers often fulfill critical functions with few and short maintenance windows. These can be a real pain point for admins who specialize in Windows or are managed by an entirely different admin. Desktops (Windows and Macs)Maybe you are responsible for desktops instead of servers. Again it’s not just a Windows story any more. More and more people are opting for Macs instead of Windows. Watch the vulnerability lists and you’ll see that Macs need patching too. The kicker though is the 80/20 rule. If at least 80% of the computers on your network are Windows and the remaining 20% are everything else – it’s a safe bet, given the maturity and ease of WSUS, that 20% of your patching effort goes to Windows but 80% of your effort is consumed with patching all the different flavors of UNIX, Linux and your Mac computers. We need one system to manage all our patches and one pane of glass to prove compliance from data center to desktop. Believe it or not System Center 2012 R2 provides the infrastructure to do just that – it just needs a little help. Last time we showed you how you can patch 3rd party apps on Windows through System Center Update Manager. This time we’ll show you how you can patch non-Windows systems using the new System Center clients for UNIX, Linux and Mac.

2015 Endpoint and Mobile Security Buyers Guide

Lumension

Mike Rothman, Analyst and President of Securosis, as he dives into an interactive discussion around endpoint security management in 2015. • Protecting Endpoints: How the attack surface has changed, and the impact to your defense strategy • Anti-Malware: The best ways to deal with today’s malware and effectively protect your endpoints from attack • Endpoint Hygiene: Why you can’t forget the importance of ensuring solid management of your endpoint devices • BYOD and Mobility: The extent that corporate data on smart mobile devices impacts your organization • The Most Important Buying Considerations in 2015

Top 10 Things to Secure on iOS and Android to Protect Corporate Information

Lumension

Security expert Randy Franklin Smith from Ultimate Windows Security, shows you a technical and pragmatic approach to mobile security for iOS and Android. For instance, for iOS-based devices, he talks about: • System security • Encryption and data protection • App Security • Device controls Randy also discusses Android-based devices. While Android gets its kernel from Linux, it builds on Linux security in a very specialized way to isolate applications from each other. And learn about iOS and Android mobile device management needs: Password and remote wipe capabilities are obvious but there’s much more to the story. And you’ll hear Randy's list of top-10 things you need to secure and manage on mobile devices in order to protect access to your organization’s network and information.

2014 BYOD and Mobile Security Survey Preliminary Results

Lumension

Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...Lumension

Careto: Unmasking a New Level in APT-ware Lumension

Securing Your Point of Sale Systems: Stopping Malware and Data Theft

Lumension

Point of Sale (POS) systems have long been the target of financially-motivated crime. And in 2013 the magnitude of cybercrime against POS systems skyrocketed, with 97% of breaches in the retail sector and 47% in the healthcare sector aimed against POS systems. With sensitive financial and personal records getting exposed by the millions, the FBI recently warned that POS systems are under sustained and continued attack. During this webcast, we will take you into the three critical entry points to POS system attacks. We’ll discuss how the attacks look, the timelines for these breaches, and what proactive security measures you can take to help your organization minimize the risk to your POS systems. •3 Critical Entry Points to POS System Attacks •Impacts to an Organization •Top 3 Security Measures to Minimize Risk

2014 Security Trends: SIEM, Endpoint Security, Data Loss, Mobile Devices and ...

Lumension

Thanks to you, the audience at UltimateWindowsSecurity, for the 2014 Survey. It was a great success with over 600 respondents! I appreciate all of you who took the time give me your thoughts. You’ve provided some great ideas for real training for free™ in the coming year and I’ve learned which topics are most important to you. That’s going to benefit all of us. In this presentation, we'll present our findings. We’ll talk about the community’s top goals for 2014, which topics you recommended I cover in 2014 and what our community sees as the greatest security concerns for 2014. And we’ll discuss other trends emerging from the data. Find out about the top trends, such as: SIEM – What are the top SIEM solutions? What is the UWS community’s top 3 biggest challenges with log/monitoring/security analytics? Endpoint Security – How widely is application whitelisting being used and what is driving its adoption? Which endpoint security technologies really work and which are just hype? Mobile Devices – Are employee owned mobile devices supported at your organization? Is your biggest concern with mobile devices malware, data loss, compliance? The Cloud – How widely are your peers embracing the cloud? Is your organization’s security policy, technology and training keeping up with the move to the cloud? Advanced Security Topics – What are your peers doing about “big data”? What about endpoints as sensors, and other new security approaches? This will be a fact-filled and fascinating presentation on where we are and where we are going on a host of different security fronts. Don’t miss it.

2014 Data Protection Maturity Survey: Results and AnalysisLumension

Greatest It Security Risks of 2014: 5th Annual State of Endpoint Risk

Lumension

Organizations around the world are losing intellectual property and customer data to cyber criminals at mind-boggling rates. How is this happening? For 5 consecutive years, the annual State of the Endpoint Report, conducted by Ponemon Institute, has surveyed IT practitioners involved in securing endpoints. This year’s report reveals endpoint security risk is more difficult to minimize than ever before. What are IT pros most concerned about heading into 2014? From the proliferation of mobile devices, third party applications, and targeted attacks/APTs, endpoint security risk for 2014 is becoming more of a challenge to manage. Larry Ponemon of the Ponemon Institute reveals statistics on growing insecurity, IT’s perceived areas of greatest risk for 2014 as well as tactical suggestions for how to improve your endpoint security. Specifically, you will learn: •IT perspective on the changing threat landscape and today’s Top 5 risks; •Disconnect between perceived risk and corresponding strategies to combat those threats; •Tips and tricks on how to best communicate today’s threats and subsequent needed responses up the management chain

Windows XP is Coming to an End: How to Stay Secure Before You MigrateLumension

Adobe Hacked Again: What Does It Mean for You?

Lumension

Last time it was Adobe’s code signing servers. This time it’s 2.9 million (let’s just call it 3) customers’ data and lots and lots of source code – including that of Acrobat. Adobe products already require constant patching but offer no enterprise level solution for patching. In this presentation by Ultimate Windows Security, we’ll present why this will likely lead to more and we’ll look at what we know about this latest Adobe breach. But more importantly I’ll show what you can do in advance to protect yourself against zero-day exploits in Adobe products and programs. After all this won’t be the last time a software vendor is hacked. In this day and age we have to protect ourselves from the failures of our software providers. I’ll present 3 ways you can go on the offensive to protect yourself from the constant vulnerabilities discovered in Adobe Reader, Acrobat, Flash and Oracle Java. Here’s what we’ll discuss: *Alternatives to Adobe and Java *Different ways to containing vulnerable apps in a sandbox * Using advanced memory protection technologies to detect and stop buffer overflows and other memory based attacks Patching and AV only helps you close the window on hacker opportunity. To prevent the window from opening in the first place you have to prevent untrusted code from ever running in the first place. That requires application whitelisting and memory protection against code injection – a growing menace that bypasses controls based on file system and EXE scanning. That’s why Lumension is sponsoring this event. I think you’ll be interested seeing 2 of their end-point security technologies that will help protect you from the new exploits on their way as a result of this hack as well as the constant stream of exploits discovered every day. This is going to be a really cool presentation with practical tips that you can apply. Learn how to protect your systems from other software vendor vulnerabilities.

Real World Defense Strategies for Targeted Endpoint Threats Lumension

APTs: The State of Server Side Risk and Steps to Minimize RiskLumension

2014 Ultimate Buyers Guide to Endpoint Security SolutionsLumension

Data Protection Rules are Changing: What Can You Do to Prepare?

Lumension

The European Union’s proposed new data protection regulation aims to update Europe’s data protection laws and to provide a more consistent data protection framework across the Continent. But the new regulation, which replaces the EU’s existing data protection directive and member states’ data protection laws, will put some new demands on organisations holding personal data. Breach disclosure and “the right to be forgotten” will force businesses to update their data protection and retention policies. This presentation will: - Review the current EU laws, and contrast them with laws in other parts of the world; - Examine the arguments for strengthening data protection in Europe, and the likely outcomes; - Look at what security teams should already be doing to put themselves ahead of legislative changes; - Outline strategies and technologies organisations need to meet current and future data protection requirements - Help infosecurity teams to explain the changes – and their consequences – to their boards

Java Insecurity: How to Deal with the Constant Vulnerabilities

Lumension

Just over a decade ago, the outcry over Microsoft’s security problems reached such a deafening level that it finally got the attention of Bill Gates, who wrote the famous Trustworthy Computing memo. Today, many would say that Microsoft leads the industry in security and vulnerability handling. Now, it’s Java that’s causing the uproar. But has Oracle learned anything from Microsoft in handling these seemingly ceaseless problems? I’ll start by reviewing the wide-ranging Java security changes Oracle is promising to make. They sound so much like the improvements Microsoft made back with Trustworthy Computing that I’m amazed it hasn’t been done before! We’ll move on to discuss what you can do now to address Java security in your environment. One of the banes of security with Java is the presence of multiple versions of Java, often on the same computer. Sometimes you really need multiple versions of Java to support applications with version dependencies (crazy, I know). But other times, multiple copies of Java are there “just because.” In this webinar, we’ll talk about the current Java mess and how you can get out of it, including: Assessment. We’ll discuss ways and tools for cataloging what versions of Java are actually out there on your endpoints. Identification. We’ll look at methods for identifying which versions are actually required by your users; for instance, I’ll show you how you might use Process Tracking and File Access events in the Windows Security Log to see which Java files are being accessed, by whom, and by which programs. Disabling. Can you just disable Java? Maybe not for everyone, but what if you could disable it for certain roles within your company that make up 25% – or even 75% – of your workforce? That would be worth it. We’ll explore how you might go about such a measure. Hardening. We’ll dive into the technical details of hardening Java and reducing your Java attack surface, where possible. Filtering. Another way to reduce your Java risk is by filtering Java content at your gateway. Again not full coverage control – but what is? Patching. Then, we’ll delve into the Java patching nightmare. Depending on self-updaters on each endpoint, is could be a recipe for disaster, and I’ll explain why. Basically the only way out of the Java mess is a 3rd party solution that can perform centralized patch management and remediation and that’s where our sponsor, Lumension, will come in.

BYOD & Mobile Security: How to Respond to the Security Risks

Lumension

Bring Your Own Device (BYOD) is a popular topic in 2013. Trying to understand the security risks and prepare strategies to either adopt, or decide against BYOD for security and data control reasons is the challenge. The 160,000 member Information Security Community on LinkedIn conducted the survey "BYOD & Mobile Security 2013" to shed some light on the drivers for BYOD, how companies will benefit from BYOD, and how they respond to the security risks associated with this trend. With 1,600 responses, some interesting insights and patterns into BYOD were uncovered.

3 Executive Strategies to Reduce Your IT Risk

Lumension

Do you want to know how ‘best-of-breed’ enterprises prioritize their IT risk? Join Richard Mason, Vice President & Chief Security Officer at Honeywell, whose team is responsible for global security, during a roundtable discussion with Pat Clawson, Chairman & CEO of Lumension and Roger Grimes, Security Columnist & Author. Uncover strategies beyond traditional antivirus signatures and learn a more holistic approach to effective risk management. Find out ‘how’ and ‘why’ you can make security a prioritized function within your organization. Join this expert panel webcast to learn how to: 1)Understand your business audiences and evaluate their risk tolerance 2)Leverage reputation management services that are appropriate for your organization 3)Utilize realistic change management to secure prioritized data depositories

The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...

Lumension

APTs have become a major topic of conversation – and in some cases, a critical threat – among IT security departments. But the technology and motivation behind APTs has changed significantly since the introduction of Stuxnet, continuing to evolve rapidly to avoid detection. In this special Dark Reading presentation, a leading expert on the origins and directions of APTs will discuss the changing nature of these sophisticated threats – and how you can prepare your enterprise security environment to detect and mitigate these complex and dangerous attacks.

More from Lumension (20)

Using SCCM 2012 r2 to Patch Linux, UNIX and Macs

2015 Endpoint and Mobile Security Buyers Guide

Top 10 Things to Secure on iOS and Android to Protect Corporate Information

2014 BYOD and Mobile Security Survey Preliminary Results

Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...

Careto: Unmasking a New Level in APT-ware

Securing Your Point of Sale Systems: Stopping Malware and Data Theft

2014 Security Trends: SIEM, Endpoint Security, Data Loss, Mobile Devices and ...

2014 Data Protection Maturity Survey: Results and Analysis

Greatest It Security Risks of 2014: 5th Annual State of Endpoint Risk

Windows XP is Coming to an End: How to Stay Secure Before You Migrate

Adobe Hacked Again: What Does It Mean for You?

Real World Defense Strategies for Targeted Endpoint Threats

APTs: The State of Server Side Risk and Steps to Minimize Risk

2014 Ultimate Buyers Guide to Endpoint Security Solutions

Data Protection Rules are Changing: What Can You Do to Prepare?

Java Insecurity: How to Deal with the Constant Vulnerabilities

BYOD & Mobile Security: How to Respond to the Security Risks

3 Executive Strategies to Reduce Your IT Risk

The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...

Recently uploaded

UiPath Test Automation using UiPath Test Suite series, part 3

DianaGray10

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Product School

Bits & Pixels using AI for Good.........

Alison B. Lowndes

Accelerate your Kubernetes clusters with Varnish Caching

Thijs Feryn

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

Paul Groth

JMeter webinar - integration with InfluxDB and Grafana

RTTS

Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application. In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics. Length: 30 minutes Session Overview ------------------------------------------- During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana: - What out-of-the-box solutions are available for real-time monitoring JMeter tests? - What are the benefits of integrating InfluxDB and Grafana into the load testing stack? - Which features are provided by Grafana? - Demonstration of InfluxDB and Grafana using a practice web application To view the webinar recording, go to: https://www.rttsweb.com/jmeter-integration-webinar

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

Product School

Assuring Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Inflectra

In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring. Learn about: • The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks. • Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective. • Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification. • Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process. Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Product School

Knowledge engineering: from people to machines and back

Elena Simperl

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

UiPath Test Automation using UiPath Test Suite series, part 4

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap. The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies. Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques What will you get from this session? 1. Insights into SAP testing best practices 2. Heatmap utilization for testing 3. Optimization of testing processes 4. Demo Topics covered: Execution from the test manager Orchestrator execution result Defect reporting SAP heatmap example with demo Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

DevOps and Testing slides at DASA Connect

Kari Kakkonen

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

Search and Society: Reimagining Information Access for Radical Futures

Bhaskar Mitra

The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.

"Impact of front-end architecture on development cost", Viktor Turskyi

Fwdays

I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 3

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Bits & Pixels using AI for Good.........

Accelerate your Kubernetes clusters with Varnish Caching

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

JMeter webinar - integration with InfluxDB and Grafana

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

Assuring Contact Center Experiences for Your Customers With ThousandEyes

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Knowledge engineering: from people to machines and back

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

UiPath Test Automation using UiPath Test Suite series, part 4

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

DevOps and Testing slides at DASA Connect

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

Search and Society: Reimagining Information Access for Radical Futures

"Impact of front-end architecture on development cost", Viktor Turskyi

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

PCI DSS Compliance and Security: Harmony or Discord?

1. PCI DSS Compliance and Security: Harmony or Discord?

3. Today’s Speakers Chris Merritt Director of Solution Marketing Lumension Michael Rasmussen Risk & Compliance Advisor Corporate Integrity, LLC William Bell Director of Information Systems EC Suite

4. The Evolving Threat and Compliance Landscape

6. Are you focused only on what you see? “ Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!” E.J. Smith, Captain of the Titanic Risk Awareness Risk Ignorance

9. A grim view of the current state… Source: Open Compliance & Ethics Group

10. Big Picture of Compliance OBJECTIVES strategic, operational, customer, process, compliance objectives BUSINESS MODEL strategy, people, process, technology and infrastructure in place to drive toward objectives MANDATED BOUNDARY boundary established by external forces including laws, government regulation and other mandates. VOLUNTARY BOUNDARY boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies. OPPORTUNITIES OPPORTUNITIES OPPORTUNITIES Source: Open Compliance & Ethics Group OBSTACLES

11. Components of Compliance & Data Protection Source: Open Compliance & Ethics Group INFORM & INTEGRATE DETECT & DISCERN ORGANIZE & OVERSEE ASSESS & ALIGN MONITOR & MEASURE PREVENT & PROMOTE RESPOND & RESOLVE

12. Sample IT Risk Assessment Process

13. 6 Critical Elements to Achieve Economies in PCI DSS Compliance & Beyond

14. 6 Economies of PCI DSS Compliance & Beyond

15.

16.

17.

18.

19.

20.

21.

22. Panel Discussion and Q&A

23. Conclusion

24.

25.

Editor's Notes

Six control-objective categories that form 12 requirement areas for compliance. Build and maintain a secure network Protect and encrypt cardholder data Manage and monitor threats and vulnerabilities to the environment Integrate strong access-control measures, so only authorized users can access card holder data Test and monitor the state of security Implement a comprehensive and effective information security policy PCI DSS compliance is just one of many regulations organizations face to ensure the protection of information. The end goal is to effectively manage IT risk — to see to it that there are proper security controls in place to reduce risk to an acceptable level. To achieve economies in PCI DSS compliance, to maintain security and prevent data breaches, organizations must implement an infrastructure for managing and monitoring compliance on a continuous basis. Heartland Payment Systems Malicious keylogger software planted on the company's payment processing network recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients. 1 130 million credit cards impacted 2 652 reported institutions affected 2 RBS WorldPay Hacker got into the computer systems 1.5 million cardholders affected Linked to gang that used debit cards to steal millions of dollars from ATMs
Open Compliance & Ethics Group (www.oceg.org) 08/27/10 (c) 2007, OCEG
Though PCI DSS is more prescriptive than other compliance requirements, an organization can use several approaches to demonstrate adherence. One approach is a manual, ad hoc and ultimately labor-intensive process that produces mountains of paper and electronic documents. This leads to a compliance posture that is often full of holes or outright “smoke and mirrors,” with little security value. A more economical approach focuses on automation and efficiency in PCI DSS compliance, which achieves greater control and security.
Organizations need a sustainable process and infrastructure to demonstrate PCI DSS compliance that is agile enough to respond to a changing business and IT environment.
Organizations need a consistent approach to demonstrate PCI DSS compliance and ensure that requirements are consistently applied across governed systems and information.
PCI DSS compliance approached the wrong way can be burdensome.
The organization, and any of its extended business relationships that interact with cardholder data, must demand transparency in reporting across systems.
At its core, compliance is about accountability. The organization is ultimately accountable for PCI DSS compliance even across extended business relationships that use its cardholder data.
Ultimately, security of cardholder data is what PCI DSS is about — and the peace of mind that the organization is not exposing cardholder and financial information to unwanted risk.

PCI DSS Compliance and Security: Harmony or Discord?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to PCI DSS Compliance and Security: Harmony or Discord?

Similar to PCI DSS Compliance and Security: Harmony or Discord? (20)

More from Lumension

More from Lumension (20)

Recently uploaded

Recently uploaded (20)

PCI DSS Compliance and Security: Harmony or Discord?

Editor's Notes