Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.

Category Archives: Compliance and Laws

Security in the Dark

– I attended a roundtable recently at which someone mentioned that, in their experience, those familiar contractual requirements requesting third-party service providers to tell their customers about security breaches within a short time frame (within three hours, say) are often not conveyed to…

SEC-urity’s Catch 22

– On October 13, 2011, the Division of Corporation Finance (DCF) of the Securities and Exchange Commission (SEC) issued CF Disclosure Guidance: Topic No. 2 – Cybersecurity, available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm . It provides the DCF’s “views…

The FFIEC and Password-Generating Tokens

– In June 2011, the FFIEC (Federal Financial Institutions Examination Council) issued a “Supplement to Authentication in an Internet Banking Environment,” available at http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf . The FFIEC comprises five financial regulatory…

How to Define “Connected Systems” to the PCI Cardholder Data Environment (CDE)

– While the Payment Card Industry (PCI) Data Security Standard (DSS) arguably does a better job than most standards in defining scope, there is one part of the DSS that needs to be clarified. The DSS determines scope in terms of “system components,” which it defines as follows. The PCI…

Net-Witness of the Persecution

– There is an interesting article in the February 18, 2010 Wall Street Journal by Siobhan Gorman, with the title “Hackers Attack 2,411 Firms: Global Offensive Snagged Corporate, Personal Data; Operation Is Still Running.” It describes how staff of the security services firm, NetWitness,…