06.04.09
Should Maintaining The Accuracy Of IT Certification Be Ongoing?
By Dan Morrill
You are only as safe as your expert opinion. But then the question becomes: what if the expert opinion is followed, the company is certified, and it still suffers a data breach that costs it millions of dollars?
Wired's Threat Level is running a must-read article for anyone who does PCI DSS certification work for companies. Card Solutions was hacked in 2004, and while it had passed its CISP audit, it still ended up getting breached. Most information security environments are fluid and most networks change on a regular basis, yet a CISP audit is expensive and not something companies can afford to repeat every time they slot a new system into place. What is at stake here is the liability auditors carry when they have certified someone compliant, but that someone is breached by attackers anyway.
The case, which appears to be among the first of its kind against a security auditing firm, highlights flaws in the standards that were established by the financial industry to protect consumer bank data. It also exposes the ineffectiveness of an auditing system that was supposed to guarantee that card processors and other businesses complied with the standards. Credit card companies have touted the standards and the auditing process as evidence that financial transactions conducted under their purview are secure and trustworthy. Yet Heartland Payment Systems and RBS WorldPay, two processors that recently experienced large breaches, were certified compliant before they were breached. And Hannaford Bros. was certified in February 2008 while an ongoing breach of the company's system was underway. Source: Wired
While you can purchase information security insurance, and over time this will become something that any company is going to need, this case is in a class of its own: it is trying to settle in law who is responsible for the opinion of an expert brought in to certify something as secure. The various meanings of the word "secure", the various ways to interpret even the simplest checklist of standards, and the qualifications of the people doing the audit are all being brought into question. Regardless of who prevails, this case is going to alter how we approach compliance with an information security regulation (even one that, unlike HIPAA or SOX, does not carry the force of law).
Auditors are just as prone to making errors as security engineers, and indeed as any person in any role. It is very simple to misconfigure a system and accidentally give an attacker a toehold into a company network, not so much by failing to take security into account as by being rushed or through an error of omission. In these cases, who really is liable, and how will that liability translate into compensation for the wronged party? This is a case that many people need to be following, as it is going to set a precedent, one that will be used repeatedly in the future to help determine liability for breaches when a system or an organization has been certified compliant.
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.