June 9th, 2015
Learnings from the keynote at Gartner’s Security & Risk Management Summit, Washington
Every business is becoming a digital business. By 2017, 50% of IT spend will fall outside of the IT department’s control. So what does this mean for organizational security?
- January 24th, 2014
Following the launch of PCI DSS 3.0 in January, I’ve been faced with questions from many businesses about changes they should implement within the next year to remain or become compliant with the updated mandate.
- January 21st, 2014
What do the guidelines of PCI DSS, FDCC, SOX and HIPAA have in common? These mandates, in addition to other commonly implemented regulations, either explicitly demand or at least suggest the use of least privilege security to effectively safeguard data. In terms of compliance, this methodology has a dual benefit – not only does it satisfy auditors, but it will also protect against security breaches that could result in destructive data loss.
- July 3rd, 2013
Don’t let privilege creep be the downfall of a project to secure your company’s IT systems.
What is Privilege Creep?
Despite the work Microsoft has done to make Windows easier to run with standard user access, some Windows features and legacy applications still require administrative privileges. When users experience an issue, the first step that the helpdesk often takes is to grant administrative privileges to check that the problem isn’t caused by a lack of access rights.
Even if the problem turns out not to be caused by standard user permissions, the administrative privileges are often deliberately left in place so that the user stops calling the helpdesk, or they are simply forgotten and never removed. This gradual drift from standard user privileges to administrative rights is what system administrators call privilege creep.
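Privilege creep of this kind is easiest to catch by periodically comparing local Administrators membership against an approved baseline. The following PowerShell script is an added example written for this page, not code from the original post; it assumes PowerShell 5.1 or later on Windows (the Microsoft.PowerShell.LocalAccounts module), an elevated session, a hypothetical domain named CORP, and an approved-member list and report path that you would replace with your own.

```powershell
# Added example (not from the original post): audit the local Administrators group
# against an approved baseline to surface privilege creep left behind by the helpdesk.
# Requires Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts) and an elevated session.
param(
    [switch]$RemoveUnapproved   # remediation is opt-in; default run is report-only
)

# Assumed baseline for illustration: the built-in local Administrator account plus the
# domain groups that are expected there on a CORP-joined workstation. Adjust to your own.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",
    'CORP\Domain Admins',
    'CORP\Workstation-Admins'
)
# Assumed report location; any path your collection pipeline reads will do.
$ReportPath = Join-Path $env:ProgramData "PrivCreepAudit\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd).csv"

# Enumerate current members. Name is returned as DOMAIN\account or COMPUTER\account.
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

# Anything not on the baseline is a candidate for creep (or an undocumented exception).
$creep = @(foreach ($m in $members) {
    if ($Approved -notcontains $m.Name) {
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Member          = $m.Name
            ObjectClass     = $m.ObjectClass      # User or Group
            PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            SID             = $m.SID.Value
            Checked         = (Get-Date).ToString('o')
        }
    }
})

# Always write the report, even when empty, so a missing file is itself a signal.
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$creep | Export-Csv -Path $ReportPath -NoTypeInformation

if ($creep.Count -gt 0) {
    Write-Warning "$($creep.Count) unapproved member(s) in Administrators on $env:COMPUTERNAME"
    $creep | Format-Table Member, ObjectClass, PrincipalSource -AutoSize

    if ($RemoveUnapproved) {
        # Only after the report has been reviewed: strip the unapproved entries.
        foreach ($c in $creep) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $c.Member -Confirm:$false
            Write-Output "Removed $($c.Member) from Administrators"
        }
    }
} else {
    Write-Output "No unapproved members in Administrators on $env:COMPUTERNAME"
}
```

Run it without switches from a scheduled task to build a daily record per machine; the CSV gives the helpdesk a list of rights it granted and forgot, and `-RemoveUnapproved` (or `-WhatIf` on the removal line) lets you clean up once the exceptions have been reviewed and added to the baseline.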
- March 28th, 2013
Singapore’s central bank, the Monetary Authority of Singapore (MAS), is preparing to issue new Technology Risk Management guidelines that will replace its previous Internet Banking Technology Risk Management (IBTRM) guidelines, last updated in June 2008. MAS acts on behalf of the government to regulate financial institutions operating in Singapore. What is even more interesting is that a large number of international banking organizations are using the MAS guidelines as the foundation of their risk management compliance framework.
- March 25th, 2013
An apparently small change in one authority could have important implications for financial services.
If you haven’t heard of the new Technology Risk Management (TRM) guidelines issued quietly by the Monetary Authority of Singapore (MAS), this is a good moment to ponder the way that apparently small regulatory changes in distant corners of the world can suddenly ripple across global IT security as if from nowhere.