Updates, Guidance, and Stories from the Urbane team.
Getting Started With Your First Information Security Policy
Have you ever been tasked with writing a security policy and felt completely lost as to where to start?
This feeling is a normal one that we have seen time and time again in our respective consulting careers while doing security assessments. At some point, a member of the security team is tasked with writing a policy for the organization in order to fill a compliance need, but isn’t given any further guidance or framework for the content and format. Uncertain of how to complete the policy, they usually start with Google, looking for templates and examples of policy from other organizations they can borrow from. The result is a pasted-together collage of policies and standards that may meet compliance requirements but is not integrated with daily practice.
While this scenario is all too common, it doesn’t have to be. Given a little time and care, it is possible to create a set of policy and procedural documents without a lot of headache.
To Infinity, (Above) and Beyond!
The Payment Card Industry Data Security Standard (PCI DSS) is no longer a fledgling framework. The thought and process that have gone into the revisions to mature the PCI DSS have produced a prescriptive list of controls that any organization would do well to follow. However, even the PCI Security Standards Council steadfastly maintains that the PCI DSS is only a baseline of controls. So let’s go through a thought exercise about additional controls that are not in the PCI DSS but could be used to improve the security of your environment.
Are You Ready for the New PCI DSS Requirements in 2018?
Were you the kid who came straight home from school and started the new project on the day it was assigned? Or were you the type who would calculate in your head exactly how much you could procrastinate before starting? Playing that new video game or riding bikes outside with your friends always seemed like more fun than a new compliance requirement, er, homework.
The PCI Security Standards Council released the newest version of the PCI DSS in April 2016. It contained quite a few minor changes and updates as well as nine brand-new requirements. After pushing the SSL/TLS migration deadlines back due to industry pressure and tight implementation timelines, the Council prudently provided almost two years of lead time before enforcing these new controls. That grace period is almost over: all new requirements introduced in PCI DSS v3.2 are currently considered best practice and become mandatory on February 1, 2018.