Thursday, March 15, 2007

PCI and SAS 70 - Mind The Gap?

I am trying to figure out the gap between a SAS 70 compliant facility/environment and one for PCI. Has anyone done a gap analysis on these two? I have my brain wrapped around PCI. Not so much on the SAS 70 piece.

The reason I ask is that I am watching what I believe to be an emerging trend - outsourcing for PCI compliance. In other words, outsourcing the liability (to some extent). The advantage I see to working with a managed services vendor who is SAS 70 compliant AND publicly traded is that auditing is already built into the business operations - it's not a new division or a new effort; it's habit. It is something that is already done and is an extension of the business/business model, vs. something for them to figure out for me, their shiny new customer.


Friday, March 09, 2007

WiFi Audit solution - WiFi Owl

I had lunch yesterday with a former colleague; we hadn't seen each other for a while and got together for sushi and to discuss the State of the Union, as it were. One of the things we discussed was a wireless audit solution that satisfies some key components of PCI.

I thought I would let some folks know about it, since wireless is EVERYWHERE in the Level 1s out there; they can't survive without it. This is the first wireless audit solution I've ever heard about. There are a ton of wireless security plays out there like AirDefense, Cisco/Perfigo, etc. etc., but the audit capabilities are an "oh, by the way", vs. a core set of functionality of the solution.

Anyway, take a look - WiFi Owl is the name, and I think this has some legs, especially if they can OEM this as a component to other vendors with a weak auditing play in their product, or for consultants and the certified auditors - I smell a margin booster...

Friday, March 02, 2007

How Non-Compliant Can You Be and Still Be in Business?

So I was in Maine recently in a vehicle that was allegedly due for an inspection, and was subsequently pulled over by a very cordial police officer in Biddeford. He wrote up a ticket, and I waited the requisite number of days to go online and settle up and/or contest the charges.

I went to the PayTixx website and punched in the requisite (public) information about my ticket. I then went to pay said fine, and just happened to notice that there is NO encryption/SSL on the site where I need to enter my PRIVATE information like credit card number, etc. etc., as evidenced by no padlock on the browser I was using. I used another (older) browser to rule out an obvious technical glitch. Nada. Zip. No padlock. No security. There is, however, a nice little graphic with the logo and a little padlock, allegedly ensuring that the site is secure.

Hmmmm, I must be on the insecure page. This logo links me to a page with details about the Transaction Security Policy (Full text at the end of the posting). So the State has a policy, a nice custom branded security looking logo with a link to the site, yet absolutely no validation from the technology they allegedly use to validate to me, the private information holder, that the site is in fact secure and using at least the 128-bit encryption they claim.

I'm no White Hat, Grey Hat, or Black Hat, but I do know a few and I have to say that there is a potential GOLDMINE here that is being funded by the taxpayers of Maine, for personal information of alleged drivers of different infraction types - speeders, uninspected motorists, suspended licensees, etc. etc. being poached and sold. Perhaps that is why CSC got thrown out of the State IT projects they were working on.

Don't tell me the State of Maine, or any other State, can't afford better (ANY) security these days. Please DO tell me that the States will not contribute to identity theft any more than they do. This is ridiculous. By the way - it is also NOT PCI compliant. Big ding from Visa and Mastercard, folks. They could fine you TODAY, and suspend your right to take these cards as payments - in fact if they did, they would ensure the security and privacy of at least me today.

I will again urge that Mark Kemmerle, Donna Grant, or Matt Dunlap please return the calls I have made into your office.

I am more than willing and able to help improve the *real* security - and now, it's personal on why you need it.

Maine's Transaction Security Policy

Maine state government and InforME take Internet security very seriously. Our technology and policies are designed to make your online transactions safe, private and secure. Documented steps are taken to safeguard information according to established security standards and procedures and we continually evaluate the newest technology for protecting information. Sensitive information passed in online transactions such as social security numbers, banking information, and personal data is confidential. Please refer to our privacy policy for details about the collection of information from visitors to state websites.

Whenever you see this icon on a Maine state government online service, you can rest assured that the following safeguards and security criteria are in place:

- Transactions involving sensitive information occur on a secure server. You can look for the "lock" symbol at the bottom of your browser window to verify that you are on a secure server.
- Our secure socket layer (SSL) software uses state-of-the-art 128-bit encryption to ensure that your personal and financial information cannot be intercepted during transmission to our server.
- All information requests pass through hardware and software security firewalls.
- Communication between InforME servers/systems and State databases is passed via a secure private network.
- Encrypted personal information includes credit card numbers as well as social security numbers and banking information.
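The check the post does by eye (is there a padlock, i.e. is the page that collects the card number actually served over, and submitted over, SSL/TLS?) can be automated. What follows is an added example, not code from the original post or from InforME/PayTixx; the host tickets.example and the HTML page are constructed for illustration. audit_forms parses a page, finds the forms that collect card or identity data, and reports whether both the page URL and the form's action use https. cipher_meets_claim takes the (name, protocol, bits) tuple that ssl.SSLSocket.cipher() returns and tests it against the "128-bit encryption" the policy claims; probe_tls is the network helper that would obtain that tuple from a live server and is not exercised by the constructed sample.

```python
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names that suggest a form carries cardholder or identity data.
SENSITIVE_HINTS = ("card", "ccnum", "cvv", "cvc", "ssn", "account", "routing")


class FormParser(HTMLParser):
    """Collect each <form>'s action plus the (name, type) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = a.get("name") or a.get("id") or ""
            self._current["fields"].append((name, (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form that collects sensitive data.

    A form is acceptable only when BOTH the page it was served on and the
    URL it submits to use https: a plaintext page lets anyone on the path
    rewrite the form, and a plaintext action sends the card number in clear.
    """
    parser = FormParser()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        sensitive = [
            name for name, ftype in form["fields"]
            if ftype == "password" or any(h in name.lower() for h in SENSITIVE_HINTS)
        ]
        if not sensitive:
            continue  # a search box or similar form is not our concern
        target = urljoin(page_url, form["action"])  # resolve relative actions
        page_https = urlsplit(page_url).scheme == "https"
        submit_https = urlsplit(target).scheme == "https"
        findings.append({
            "action": target,
            "fields": sensitive,
            "page_https": page_https,
            "submit_https": submit_https,
            "ok": page_https and submit_https,
        })
    return findings


def cipher_meets_claim(cipher, min_bits=128):
    """Check a (name, protocol, secret_bits) tuple, as returned by
    ssl.SSLSocket.cipher(), against a stated '128-bit encryption' claim.
    Legacy SSLv2/SSLv3 fail regardless of key size."""
    if not cipher:
        return False
    _name, protocol, bits = cipher
    return bits >= min_bits and protocol not in ("SSLv2", "SSLv3")


def probe_tls(host, port=443, timeout=5):
    """Live helper (needs network): negotiate TLS and return the cipher tuple."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()


# Constructed sample: a plaintext ticket-payment page carrying a card form
# and a harmless search form. The host tickets.example is hypothetical.
SAMPLE_PAGE_URL = "http://tickets.example/pay"
SAMPLE_HTML = """
<html><body>
<img src="secure-badge.png" alt="secure site">
<form method="post" action="/submit">
  <input name="ccnumber" type="text">
  <input name="expiry" type="text">
  <input name="cvv" type="text">
</form>
<form method="get" action="https://tickets.example/search">
  <input name="q" type="text">
</form>
</body></html>
"""


if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        status = "OK" if finding["ok"] else "PLAINTEXT"
        print(f"{status}: {finding['action']} collects {finding['fields']}")
```

The two-sided check is the point: a plaintext page that posts to an https action still lets anyone between the browser and the server rewrite the form before the user sees it, so the padlock the post looked for has to be on the page itself, not only on the submit target. Treating SSLv2/SSLv3 as failing regardless of key length is a present-day judgement added here, not something the 2007 post or the quoted policy states.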