Search results “Iso 27001 cryptographic controls policy definition”
ISO 27002 - Control 18.1.5 - Regulation of Cryptographic Controls
 
01:09
This is control number 111 out of 114 controls of the ISO 27002 standard.
Views: 339 Ultimate Technology
Cryptography, Cryptographic Security Controls & Cryptography Security Techniques Explained
 
16:57
Thanks For Watching This Video, I Hope You Must Have Liked It. If yes, then please hit the subscribe button, as I will be uploading a lot of IT security related training videos on this channel, and if you are my subscriber then you, my friend, will be the first one to be notified about all my new videos. If you have any questions on the topic that I have discussed in this video, then please feel free to comment, my friend, and I will be happy to respond to your queries.

Please note that all ISO 27001 documents and standards are completely owned intellectual property and copyright of ISO. So in case by any chance you are interested in studying more about the standard that I have discussed here, then please go to the official ISO website in order to purchase the standards. This channel is only created to generate awareness and best practices for Information Security in general, and if by any chance you wish to implement any of the standards that I have discussed here, then you have to first purchase them from the official ISO website. This channel is only created to help anyone who is currently studying or planning to study ISMS (Information Security Management System) ISO 27001 implementation. I want to make my contribution to the information security community.

Disclaimer: Since ISO 27001 is a very vast topic and the implementation varies for all organizations, I can't ever call myself an "expert" in this field; all the knowledge and information that I am sharing here is only based upon my past experience in the information security field and may not be directly applicable within your organization as such. So please use your judgement before implementing anything based upon my suggestions. I request you not to rely on anything that I say here; I do my best to be as accurate and complete in the information that I provide you, "but" only the published standards are definitive. Only the published ISO standards stand above any information that I have shared in any of my videos.

Thanks, Your IT Security Friend Luv Johar
Website: http://aajkatech.com/

iso 27001 explained, iso 27001 awareness trainings, iso 27001 free trainings online, Iso 27001 free tutorials, ISO 27001 training material free, lead auditor free training course, lead implementer free training course, ISMS training free, information security management system training free
Security policies and legal statements
 
02:01
In employment, we are all reminded of our security obligations, having to agree and sign up to various legal statements and confidentiality agreements. But do you find these of any use? Are they effective for anything other than when your boss wants to discipline you? www.j4vv4d.com Twitter: @j4vv4d Facebook Page: J4vv4D
Views: 586 J4vv4D
ISO 27002 - Control 18.1.4 - Privacy and Protection of Personally Identifiable Information
 
01:18
This is control number 110 out of 114 controls of the ISO 27002 standard.
Views: 319 Ultimate Technology
The Basic Information Security Policy
 
03:02
Most companies have, or should have, a basic Information Security Policy. It serves many purposes, whether it is in depth, full of rules, controls and standards or NOT. I'm going to share some of the purposes for the Basic Information Security Policy:
1. It serves as a baseline for all your other security policies, by establishing what you hold important for security rules or domains.
2. It is the first teaching tool for new employees, contractors and consultants.
3. In the Sales process, it is one of the most requested documents from potential customers looking to see how you practice security in your company (do you take the same things seriously that they do; NOT the how but the WHAT you take seriously).
4. It is the 1st policy or group of policy instructions required by almost every compliance or regulatory organization.
So, what do you need to do:
1. Establish the topics, domains, control families, or principles your company and its customers care about. Rank them 1 through 20 or so. These would be things like access controls, passwords, badges, firewalls, acceptable use of your laptop, etc.
2. Make a statement about WHAT you care about, like "passwords shall be complex and not easily guessable or crackable" (you do know there are software and algorithms to crack passwords?) or "Access to our critical systems shall only be granted on a need to know and approved basis."
3. Compare the statement to any regulations or compliance you or your customers care about, or have to be compliant with.
4. Update it appropriately.
5. Gain agreement with Senior staff.
6. Make it a policy.
7. Teach your employees that it's a policy and ensure they follow through!
Now, anywhere along the way, if you need assistance or this doesn't make sense to you, reach out to ADHERE. We're experts on helping you establish policies that are appropriate!
Rauchus by Twin Musicom is licensed under a Creative Commons Attribution license (https://creativecommons.org/licenses/...)
Artist: http://www.twinmusicom.org/
Views: 412 ADHERE Inc.
ISO 27002 - Control 8.3.2 - Disposal of Media
 
01:15
This is control number 24 out of 114 controls of the ISO 27002 standard.
Views: 615 Ultimate Technology
PCI Requirement 3.6.7 Prevention of Unauthorized Substitution of Cryptographic Keys
 
02:12
Do your due diligence to create strong keys and protect against the unauthorized substitution of cryptographic keys. Your organization must have the appropriate controls in place to prevent unauthorized key substitution. PCI Requirement 3.6.7 requires, “Prevention of unauthorized substitution of cryptographic keys.” If your organization does not have policies, procedures, and standards documenting how your encryption solution does not accept substitution keys from unauthorized sources, you are giving malicious individuals an opportunity to decrypt your data. Assessors will examine your procedures to ensure that they outline a specific process to prevent unauthorized key substitution. The responsible personnel should also be interviewed to ensure they know and implement this process.

If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organization needs to know and do to become compliant. Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-6-7-prevention-unauthorized-substitution-cryptographic-keys/

Video Transcription
Within your encryption program, part of your key management program is doing your due diligence around creating a strong key (wherever you’re storing it), preventing individuals from getting unauthorized access to that, and rotating your key on a periodic basis that you’ve defined as your cryptoperiod. When we get to 3.6.7, we want to make sure that you have a process in place to prevent unauthorized key substitution. The reason for this is, let’s say I’m Hacker Joe and you have really great encryption processes and programs, but if I am able to implement my own key into your environment and encrypt the data with my key, when I get access to that data, I can surely decrypt it. It’s required that you have controls in place to prevent the unauthorized substitution of cryptographic keys. From an assessment perspective, we’re going to be once again looking at policies, procedures, and standards around this. We’re going to be looking at how you’ve actually implemented these controls, whether this be access controls or by any other means that you’re doing this. Understand that simply compiling the encryption keys into the source code does not necessarily mean that you’ve met this requirement. It might be a plethora of things. Protect against the unauthorized substitution of your encryption keys.

Stay Connected
Twitter: https://twitter.com/KPAudit
LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc
Facebook: https://www.facebook.com/kirkpatrickprice/
More Free Resources
PCI Demystified: https://kirkpatrickprice.com/pci-demystified/
Blog: https://kirkpatrickprice.com/blog/
Webinars: https://kirkpatrickprice.com/webinars/
Videos: https://kirkpatrickprice.com/video/
White Papers: https://kirkpatrickprice.com/white-papers/
About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/
Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 195 KirkpatrickPrice
ISO 27002 - Control 11.2.9 - Clear Desk and Clear Screen Policy
 
01:26
This is control number 56 out of 114 controls of the ISO 27002 standard.
Views: 614 Ultimate Technology
ISO 27002 - Control 13.1.3 - Segregation in Networks
 
01:14
This is control number 73 out of 114 controls of the ISO 27002 standard.
Views: 546 Ultimate Technology
Information Security Controls ISO 27001 "Information Security Controls" Explained ISO 27001
 
01:24
Information Security Controls ISO 27001 "Information Security Controls" Explained ISO 27001. ISO 27001 Training Videos & ISO 27001 Certification Videos, ISO/IEC 27001.
Thanks, Your IT Security Friend Luv Johar
Website: http://aajkatech.com/
03 - Security Fundamentals - Understanding Security Policies
 
27:57
03 - Hear about security policies and how they may work in an organization. See how policies provided by Group Policy can prevent unauthorized access to an organization's resources.
Views: 3455 RG Edu
What is NETWORK SECURITY POLICY? What does NETWORK SECURITY POLICY mean?
 
02:04
What is NETWORK SECURITY POLICY? What does NETWORK SECURITY POLICY mean? NETWORK SECURITY POLICY meaning - NETWORK SECURITY POLICY definition - NETWORK SECURITY POLICY explanation. Source: Wikipedia.org article, adapted under https://creativecommons.org/licenses/by-sa/3.0/ license. A network security policy, or NSP, is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company security / network security environment. The document itself is usually several pages long and written by a committee. A security policy goes far beyond the simple idea of "keep the bad guys out". It's a very complex document, meant to govern data access, web-browsing habits, use of passwords and encryption, email attachments and more. It specifies these rules for individuals or groups of individuals throughout the company. The security policy should keep the malicious users out and also exert control over potentially risky users within your organization. The first step in creating a policy is to understand what information and services are available (and to which users), what the potential is for damage and whether any protection is already in place to prevent misuse. In addition, the security policy should dictate a hierarchy of access permissions; that is, grant users access only to what is necessary for the completion of their work. While writing the security document can be a major undertaking, a good start can be achieved by using a template. The National Institute of Standards and Technology provides a security-policy guideline. The policies could be expressed as a set of instructions that could be understood by special purpose network hardware dedicated to securing the network.
Views: 2285 The Audiopedia
ISO 27002 - Control 9.4.2 - Secure Logon Procedures
 
02:14
This is control number 36 out of 114 controls of the ISO 27002 standard.
Views: 817 Ultimate Technology
SOC 2 Academy: Access Controls for Remote Employees
 
02:18
Learn more at https://kirkpatrickprice.com/video/soc-2-academy-access-controls-remote-employees/

Complying with common criteria 6.7 means different things for different organizations depending on their environment. For instance, if your employees work in an office building, implementing and maintaining procedures for transmitting, moving, and removing data might be easier because of the lack of removable media in use. However, because so many organizations are opting to hire remote employees, implementing procedures for transmitting, moving, and removing data can be more difficult, which is why we suggest that organizations implement access controls, along with these five best practices for remote employees:
1. Use security awareness training
2. Establish thorough usage policies
3. Create effective password and encryption policies
4. Monitor Internet connections
5. Ensure devices and applications are updated

Employing remote personnel has many benefits, but it also creates additional threats that must be accounted for. When an organization is pursuing SOC 2 compliance, it’s critical that they mitigate these risks by using access controls in addition to these best practices for remote employees. Doing so allows organizations to safeguard their business from potential breaches, demonstrate to clients that their data is protected, and provides peace of mind that the procedures for transmitting, moving, and removing sensitive information remotely are secure. If you’re unsure whether you’ve implemented access controls for remote employees, consider the following scenario. Let’s say that your remote employee leaves their laptop containing sensitive information in their rental car and is unable to recover the device. Do you have a GPS tracker on the device to locate it? Do you have the ability to wipe the device remotely? Are you able to restrict access to the device? It’s far too common for a situation like this to occur, which is why it’s necessary for SOC 2 compliance that organizations implement access controls for remote employees and their mobile devices.
Views: 61 KirkpatrickPrice
ISO 27002 - Control 9.3.1 - Use of Secret Authentication Information
 
02:02
This is control number 34 out of 114 controls of the ISO 27002 standard.
Views: 847 Ultimate Technology
ISO 27002 - Control 9.2.4 - Management of Secret Authentication Information of Users
 
01:43
This is control number 31 out of 114 controls of the ISO 27002 standard.
Views: 978 Ultimate Technology
PCI Requirement 3.6.1 Generation of Strong Cryptographic Keys
 
01:50
PCI Requirement 3.6.1 requires, “Generation of strong cryptographic keys.” It also requires that, “The encryption solution must generate strong keys, as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms under ‘Cryptographic Key Generation.’” The intent of PCI Requirement 3.6.1, according to the PCI DSS, is that it “significantly increases the level of security of encrypted cardholder data.” PCI Requirement 3.6.1 is part of the 8 sub-requirements of PCI Requirement 3.6, which is meant to build your organization’s key management program because, the PCI DSS states, “The manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution. A good key management process, whether it is manual or automated as part of the encryption product, is based on industry standards and addresses all key elements at 3.6.1 through 3.6.8.” We recommend that you perform a risk assessment around the generation of your cryptographic keys; this way, you can see if your keys become weakened or hold up. Industry standards, like NIST, should be used when determining how to manage and generate keys.

If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organization needs to know and do to become compliant. Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-6-1-generation-strong-cryptographic-keys/

Video Transcription
If you’re using encryption within your environment, you need to use strong encryption. What this effectively means is that you need to generate strong keys. Once again, you need to be using an industry best practice for this. One of the things that I would recommend that you do as part of your risk management program, just like the annual risk assessment that you’re required to do, is that you perform somewhat of a risk assessment around the generation of your keys. If during the period of time your encryption keys become deprecated or weakened because of some change to the industry, you must have a process for generating a new key. We’ll be talking about that in a subsequent video. Specific to PCI Requirement 3.6.1, you have to have a process in place where you’re actually generating strong keys. If you have an HSM, that’s kind of inherent in using the HSM itself. If you have a clear text process where you’re managing or developing these keys, it needs to be done securely. I would recommend that you look at industry best practices like NIST 800-57 for that information.
Views: 199 KirkpatrickPrice
PCI Requirement 3.6.6 Using Split Knowledge & Dual Control
 
03:02
PCI Requirement 3.6.6 is one requirement that both assessors and clients struggle to understand. PCI Requirement 3.6.6 states, “If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control.” What is split knowledge? The PCI DSS explains split knowledge as, “Split knowledge is a method in which two or more people separately have key components, where each person knows only their own key component, and the individual key components convey no knowledge of the original cryptographic key.” What is dual control? The PCI DSS defines dual control as, “Dual control requires two or more people to perform a function, and no single person can access or use the authentication materials of another.” Why use both? Although PCI Requirement 3.6.6 confuses many assessors and clients, both split knowledge and dual control must be used to comply with this requirement. The PCI DSS explains, “Split knowledge and dual control of keys are used to eliminate the possibility of one person having access to the whole key. This control is applicable for manual key-management operations, or where key management is not implemented by the encryption product.”

If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organization needs to know and do to become compliant. Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-6-6-using-split-knowledge-dual-control/

Video Transcription
If you’re using a clear text key management program in order to create your encryption keys, it’s required that you use split knowledge and dual control. This is one requirement that many assessors have gotten wrong for many years, including myself. This is one requirement that we see a lot of clients struggle to understand. Taking an encryption key and splitting it in half (giving half to one person and half to another) is not split knowledge and dual control. It might be dual control, but it’s not split knowledge. When we look at the definition of split knowledge and dual control, dual control means that it takes more than one individual to create this key rotation ceremony. When we look at split knowledge, it says that when we create the key, no one individual has any knowledge of the resulting key. Where you take these two key halves and one person gets one half and another person gets the other half, that one individual only knows what their half of that key is. If you are developing or using a clear text key management program, what we recommend that you do is have some XOR process. You have Key Custodian A and Key Custodian B; if you’re going to create a 128-bit key, each individual has 128 bits of a key seed. Those two individuals come together and input their key, or their key seed, into the application. The application then goes through a process of XORing those two values together, then outputs the encryption key that nobody knows. If this is a struggle for you or you need a better understanding of what a clear text key management program looks like, give me a call or talk to your assessor – they’ll be more than happy to help you understand what a clear text key management program really looks like.
Views: 714 KirkpatrickPrice
1.3 Information Security Laws and Standards
 
10:20
Ethical hacker training course, Module 1 – Introduction to Hacking, Section 1.3 Information Security Laws and Standards

Information security, or InfoSec: the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.

Information Security Laws and Standards
• Payment Card Industry Data Security Standard (PCI-DSS)
• ISO/IEC 27001:2013
• Health Insurance Portability and Accountability Act (HIPAA) 1996
• Sarbanes Oxley Act (SOX) 2002
• The Digital Millennium Copyright Act (DMCA) 1998
• Federal Info Security Management Act (FISMA) 2002
• Cyber Laws
• IT Act 2000 in India

Payment Card Industry Data Security Standard (PCI-DSS): information security standard for organizations that handle branded credit cards from the major card schemes. www.pcisecuritystandards.org The PCI Data Security Standard specifies:
- Twelve requirements for compliance,
- Organized into six groups called control objectives.

ISO/IEC 27001:2013
• Information security standard published by a joint ISO and IEC subcommittee.
• It has 114 controls in 14 groups and 35 control objectives.
• Specification for an ISMS.

The Health Insurance Portability and Accountability Act of 1996 was enacted by the United States Congress in 1996. It has been known as the Kennedy–Kassebaum Act or Kassebaum–Kennedy Act after two of its leading sponsors. The Act consists of 5 Titles. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title III sets guidelines for pre-tax medical spending accounts, Title IV sets guidelines for group health plans, and Title V governs company-owned life insurance policies.

Sarbanes Oxley Act (SOX) 2002, more commonly called Sarbanes–Oxley, Sarbox or simply SOX
• To prevent accounting fraud and to protect investors.
• US Federal law.
• Named after Sarbanes and Oxley.

The Digital Millennium Copyright Act (DMCA) is a United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO); it became law in 1998.
• It criminalizes production and dissemination of technology, devices, or services intended to circumvent measures (commonly known as digital rights management or DRM) that control access to copyrighted works.

The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002.
• The act recognized the importance of information security to the economic and national security interests of the United States.

Cyber Laws in India, enforced by
• Ministry of Electronics & Information Technology, Govt. of India
• They provide legal recognition to electronic documents and a framework to support e-filing and e-commerce transactions, and also provide a legal framework to mitigate and check cyber crimes.

Resource links:
• http://meity.gov.in/content/cyber-laws
• Information Technology Act 2000 (IT Act 2000)
• http://164.100.94.102/writereaddata/files/downloads/National_cyber_security_policy-2013%281%29.pdf

A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyber-attacks. US federal law and IT-age countries worldwide have made strict laws to control fraud. Cyber-attacks include viruses, worms, Trojan horses, phishing, denial of service (DoS) attacks, unauthorized access (stealing intellectual property or confidential information) and control system attacks. There are numerous measures available to prevent cyber-attacks.
- Cyber-security measures include firewalls, anti-virus software, intrusion detection and prevention systems, encryption and strong login passwords.
There have been attempts to improve cybersecurity through regulation and collaborative efforts between government and the private sector to encourage voluntary improvements to cybersecurity.
UNCTAD.org | Cybercrime Legislation Worldwide http://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Cybercrime-Laws.aspx
Views: 1322 CBTUniversity
Five Steps to Policy Implementation
 
06:56
How to implement policy into security and business operations to achieve compliance. Table of Contents:
02:05 - Challenge
02:36 - Overview
02:52 - Make available
03:53 - Train
05:10 - Standards, guidelines, and procedures
05:40 - Review existing configurations
06:12 - Governance
06:40 - Thank you
Views: 277 Tom Olzak
Ciphertext-Policy Attribute-Based Signcryption With Verifiable Outsourced Designcryption
 
08:53
Ciphertext-Policy Attribute-Based Signcryption With Verifiable Outsourced Designcryption for Sharing Personal Health Records (project offered by JP INFOTECH, https://www.jpinfotech.org). Personal Health Record (PHR) is a patient-centric model of health information exchange, which greatly facilitates the storage, access and sharing of personal health information. In order to share the valuable resources and reduce the operational cost, the PHR service providers would like to store the PHR applications and health information data in the cloud. The private health information may be exposed to unauthorized organizations or individuals since the patient has lost physical control of their health information. Ciphertext-Policy Attribute-Based Signcryption (CP-ABSC) is a promising solution for designing a cloud-assisted PHR secure sharing system. It provides fine-grained access control, confidentiality, authenticity and sender privacy of PHR data. However, a large number of pairing and modular exponentiation computations bring heavy computational overhead during the designcryption process. In order to reconcile the conflict of high computational overhead and low efficiency in the designcryption process, an outsourcing scheme is proposed in this paper. In our scheme, the heavy computations are outsourced to a Ciphertext Transformed Server (CTS), leaving only a small computational overhead for the PHR user. At the same time, the extra communication overhead in our scheme is actually tolerable. Furthermore, theoretical analysis is given and the desired security properties, including confidentiality, unforgeability and verifiability, have been proved formally in the random oracle model. Experimental evaluation indicates that the proposed scheme is practical and feasible.
Views: 57 jpinfotechprojects
33 ISO 27001 2013 A18 Compliance
 
10:47
This video focuses on the annex controls of the ISO 27001:2013 standard. Annex control A.18 relates to 'Compliance'. Ref: http://www.ifour-consultancy.com http://www.ifourtechnolab.com
Views: 246 Hitarth Shah
what is encryption? and why would I need encryption? Importance Of Encryption ISO 27001 Training
 
03:20
I request you not to rely on anything that I say here; I do my best to provide you with information that is as accurate and as complete as I can, but only the published standards are definitive. Only the published ISO standards stand above any information that I have shared in any of my videos. Thanks, Your IT Security Friend Luv Johar. Website: http://aajkatech.com/
PCI Requirement 3.6.4 Cryptographic Key Changes at Cryptoperiod Completion
 
04:31
Encryption keys have a lifespan. PCI Requirement 3.6.4 states, “Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines.” Cryptoperiods are a major topic when discussing key management. So, what exactly is a cryptoperiod? A cryptoperiod is not a period of time, like a month, week, or year. Rather, a cryptoperiod represents the number of transactions that a key is valid for. There are multiple factors that define a cryptoperiod. For example, key length, key strength, algorithms, exposure – all of these elements factor in. The result of these factors is the cryptoperiod. Watch this clip of Jeff Wilder explaining cryptoperiods to hear more about PCI Requirement 3.6.4. If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organization needs to know and do to become compliant. Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-6-4-cryptographic-key-changes-cryptoperiod-completion/ Video Transcription: When developing these keys and putting them into production, understand that the encryption keys that you’re using have a given lifespan. When we specifically look at the requirements within 3.6, it states that you must rotate the keys at the end of their defined cryptoperiod.
So if you’re using encryption in your environment, your assessor should be asking what your defined cryptoperiod is. Once again, it’s not up to us as assessors to define what your cryptoperiod is, but it is up to us to determine if you’ve done your due diligence around the time period that you use your key. If I come in to assess your organization and I say, “Hey Johnny, what is your cryptoperiod?” and you say, “Well Jeff, our cryptoperiod is every year and we rotate the key then,” I might say then, “Fine, that’s great. How did you define your cryptoperiod to be a year?” If you answer, “Just because that’s what’s done,” or “That’s the way it’s always been done,” that isn’t typically enough. Understand that a cryptoperiod does not necessarily define a period of length. A cryptoperiod is not a month, a week, a year, three years, six years, whatever. A cryptoperiod is typically a number of transactions that a key is good for. So, to give an example, you need to take in multiple factors. I would recommend that you do some Google-searching on defining a cryptoperiod. But effectively what we’re doing is we’re taking the key strength, the key length, the encryption algorithm that we’re using, the exposure to the key – there are multiple variables that go into defining what a cryptoperiod is. So, we kind of take all of these numbers and we crunch them, and the output of that is not a month, a year – it’s a number of transactions. The output of your numbers might say, “This encryption algorithm key that we have is good for a thousand transactions,” or it might be good for one transaction, or it might be good for a million transactions. So now that we have the number of transactions that the key is good for, then we have to look at how many transactions you process in a year.
Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources PCI Demystified: https://kirkpatrickprice.com/pci-demystified/ Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 204 KirkpatrickPrice
GDPR Fundamentals: Data Security Requirements
 
03:41
Learn more at https://kirkpatrickprice.com/video/gdpr-fundamentals-data-security-requirements/ While GDPR is primarily a data privacy law, it also includes elements of data security. But of course, GDPR is ambiguous, so it’s not very prescriptive when it comes to data security requirements for processing personal data. The law requires each organization to evaluate its own data security based on risk, processing activities, and its organizational structure. By putting this in the hands of the organization, the organization can determine what’s an appropriate control. Organizations are also allowed to consider the ability and resources of an organization to implement a control. Just because a control is a possibility for mitigating risk doesn’t mean that it’s an appropriate control. What’s appropriate for one organization may be too expensive, impractical, or not secure enough for another organization. Appropriate organizational and technical data security controls include risk assessments, encryption, pseudonymization, and documented policies for things like business continuity, physical security, logical access, configuration management, human resources, and management oversight. There should also be a process to monitor and test the effectiveness of data security controls, which is where internal and third-party auditing comes into play. These will serve as an effective way of demonstrating that thought and objectivity have been applied when it comes to what is appropriate for an organization. There have been unofficial attempts to map GDPR requirements to other information security frameworks, but they may be incomplete with respect to data security and privacy elements.
Views: 190 KirkpatrickPrice
SOC 2 Academy: Movement of Data
 
04:02
Learn more at https://kirkpatrickprice.com/video/soc-2-academy-movement-data/ Service organizations need to assure their clients that their sensitive information is secure. Understanding the movement of data within the organization is key to making this happen. Why? Because if an organization doesn’t have clearly defined policies and procedures for transmitting, moving, and removing data, how will they be able to convince their customers that they are a secure service provider? Let’s say that an organization’s employees work remotely, and each employee has a company-supplied laptop. What processes are in place to ensure that the data stored on that laptop isn’t copied or removed? What security awareness training is used to educate employees on the correct protocols for transferring data? Or let’s say that a company uses a file-sharing platform. Can those files be accessed outside of the company network? Could they be copied onto a flash drive? During a SOC 2 audit, an auditor will verify that the organization has such processes in place that allow for the secure transmission, movement, and removal of data. Auditors might ask questions such as: Does the organization restrict the ability to perform transmission?, Does the entity use encryption technologies or secure communication channels to protect data?, or How does the entity protect mobile devices? To demonstrate compliance, organizations should begin by showcasing that they do in fact have written policies and procedures, have trained their employees on those policies and procedures, and have then implemented additional security measures, such as data loss prevention technologies, to ensure that the movement of data is secure. 
Views: 23 KirkpatrickPrice
ISO 27002 - Control 9.4.4 - Use of Privileged Utility Programs
 
00:55
This is control number 38 out of 114 controls of the ISO 27002 standard.
Views: 979 Ultimate Technology
PCI Requirement 12: Maintain a Policy that Addresses Information Security for All Personnel
 
01:05
Learn more at https://kirkpatrickprice.com/video/pci-requirement-12-maintain-policy-addresses-information-security-personnel/ We’ve finally made it! Here we are at PCI Requirement 12, the last of the PCI requirements. PCI Requirement 12 states, “Maintain a policy that addresses information security for all personnel.” This requirement is centered around the management of your information security program, which stems from a strong information security policy that sets the tone and expectations for your employees. In order to create a strong information security policy, PCI Requirement 12 demands that many elements be included, such as: risk assessment process, usage policies, lists of devices and personnel with access to them, defined authentication methods, acceptable network locations, remote-access rules, executive management responsibilities, security awareness program, personnel training requirements, vendor compliance management, incident response program, alerts from security monitoring systems, and documentation of the review process. After implementing the other 11 PCI requirements, you’ve finally moved past the technology aspect of PCI. Now, we’re defining how your organization will manage your information security program.
Views: 74 KirkpatrickPrice
The Human Resource Security Policy
 
04:39
The HR, or Human Resource Security Policy, is something quite misunderstood by companies. We think we have HR policies, training and orientation, so those are the same or we don’t need this policy. I'm going to share some of the questions and reasons for the HR Security Policy:
1. Why do we background check people and to what degree?
2. Why is there a separate Information Security Awareness Training?
3. Why do specialized jobs need specialized Information Security training?
4. Why are terminations as important as hiring?
FIRST - Why do we background check people and to what degree? We handle lots of confidential, classified, restricted and encrypted (sometimes unencrypted) data. We background check people based on the level of classification of the data they will handle. Think about it: even your receptionist may handle more than confidential data on some occasion. We want to be sure of the background of the people handling our data or our customers' data. And by the way, our customers may ask too!
SECOND - Why is there a separate Information Security Awareness Training? Because there are specific ways we are required, or would like, to have our data and processes handled. We need to train them on the how.
THIRD - Why do specialized jobs need specialized Information Security training? Because there are jobs that touch code, encrypted or unencrypted data, and we want them trained on EXACTLY what is required or what we expect!
FOURTH - Why are terminations as important as hiring? Because if there is a termination for cause, we don’t want that person to have access for ONE MINUTE longer than they are under our employ, AND we want no accounts to accidentally be left open for a possible future breach.
So, what do you need to do:
1. Establish simple rules: background check type and for whom, training type and for whom, termination processes for all accounts
2. Create simple ideas of procedures that follow those subjects
3. Compare those simple rules against the push back your culture, people or vendors may have
4. Determine what you are or are not willing to do
5. Compare that to your standards, compliance or regulatory requirements
6. Gain agreement with senior staff
7. Make it a policy
8. Teach your employees that it’s a policy and ensure they follow through!
Now, anywhere along the way, if you need assistance or this doesn’t make sense to you, reach out to ADHERE. We’re experts on helping you establish policies that are appropriate! Rauchus by Twin Musicom is licensed under a Creative Commons Attribution license (https://creativecommons.org/licenses/by/4.0/) Artist: http://www.twinmusicom.org/
Views: 86 ADHERE Inc.
PCI Requirement 3.6.2 Secure Cryptographic Key Distribution
 
01:29
PCI Requirement 3.6.2 states, “Secure cryptographic key distribution.” Whether it’s placing tamper-proof or tamper-evident packaging on trackable packages or tracking data that you’ve transmitted electronically, any method that your organization is using to transmit keys needs to be done securely. Whether it’s moving keys from generation into the production state or to backup, any method that your organization is using to transmit keys needs to be done securely. To further explain what it means to securely transmit keys, the PCI DSS also states, “The encryption solution must distribute keys securely, meaning the keys are distributed only to custodians identified in 3.5.1, and are never distributed in the clear.” Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-6-2-secure-cryptographic-key-distribution/ Video Transcription: When moving the keys from the point of generation into a production state, or perhaps moving these keys to a place of redundancy or backup, the transmission of these keys needs to be done securely. This could be done on Sneakernet, where you physically walk them on a thumb drive. If you’re going to be transmitting them over mail, those particular packages need to be trackable and need to be tamper-proof or have tamper-evident packaging.
If you’re going to be emailing them or transmitting them electronically, the data-encrypting key needs to be encrypted with a key-encrypting key that’s equally as strong. In short, 3.6.2 requires that you transmit keys securely, however you’re doing that.
Views: 147 KirkpatrickPrice
PCI Requirement 2.3 - Encryption
 
03:25
Administrative Access and Strong Encryption: PCI Requirement 2.3 calls out the need to encrypt all non-console administrative access using strong cryptography. If your organization does not meet PCI Requirement 2.3, a malicious user could eavesdrop on your network’s traffic and gain sensitive administrative or operational information. https://kirkpatrickprice.com/video/pci-requirement-2-3-encryption/
Views: 344 KirkpatrickPrice
PCI Requirement 3.5 Document & implement procedures to protect keys
 
02:31
PCI Requirement 3.5 requires that your organization not only has a documented key management program, but that the key management program is implemented and in use. If an unauthorized individual were to gain access to your encryption/decryption keys, they will be able to decrypt your keys. To comply with PCI Requirement 3.5, your organization must have implemented documentation related to preventing unauthorized access to keys. The PCI DSS explains, “The requirement to protect keys from disclosure and misuse applies to both data-encrypting keys and key-encrypting keys. Because one key-encrypting key may grant access to many data-encrypting keys, the key-encrypting keys require strong protection measures.” Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-5-document-implement-procedures-protect-keys/ Video Transcription: If your organization has implemented encryption as a means of rendering your cardholder data unreadable, we need to marry that with a program around managing your keys. So, we have to establish policies and procedures around that. Looking at Requirement 3.5, it states that you have to have a program in place that’s documented to prevent unauthorized access to these keys. Understand that if someone gains access to your encryption/decryption keys, they likely have the keys to your kingdom.
You see a lot of the hacks that have happened in years past: these organizations had encryption enabled (or at least they thought they had decent encryption enabled), and yet hackers were still able to remove the data from that environment. If you do not understand key management, one of the documents I would recommend that you view is NIST 800-57 (there are 3 documents - A, B, C); have a read of those. That’ll help you to understand the merits and requirements around developing a good key management program. From an assessor’s perspective, we’re going to look at your key management program, everything that talks about your key rotation, your cryptoperiod, and the means and methods of how you protect against unauthorized key substitution and everything that’s involved in that. So, we’re looking for documentation that supports that, we’re going to interview staff and make sure that those individuals that are defined as your “key custodian” understand that. We’re also going to look at the means and methods for how that’s actually implemented. Once again, whatever you’ve documented is what we expect to see in place and functioning.
Views: 189 KirkpatrickPrice
Security Policy and Enterprise Key Management To centrally Manage Encryption Keys from Vormetric
 
03:33
This is an excerpt of Vormetric's whitepaper: Simplifying IT Operations: Securing and Controlling Access to Data Across the Enterprise. http://www.Vormetric.com/key82 The whitepaper outlines the challenges of enterprise key management and details ways to minimize the risk. This whitepaper from Vormetric on key management strategy strives to provide the reader with an understanding of the importance of encryption key management and of its evolution. Additionally, understanding that companies today require actionable information, the paper provides the reader with a set of criteria for encryption key management as well as an understanding of the challenges that may be faced. This is followed by a review of the recent industry initiatives and compliance regulations that are shaping the future of key management strategy. Lastly, the paper describes Vormetric's Key Management, a component of the Vormetric Data Security product family. According to the whitepaper, encryption key management should meet four primary criteria:
1. Security -- In implementing a comprehensive data security strategy, organizations are well-advised to consider the security of the encryption keys. Where are they stored and how are they protected? Improper key management means weak encryption, and that can translate into vulnerable data.
2. Availability -- In addition to being secure, the keys must ensure that the data is available when it is needed by the system or user. Key management practices that add complexity can decrease availability or add overhead to the network. That results in damage to the overall efficiency of the network.
3. Scalability and Flexibility -- Growth and change are inevitable in an organization. The key management solution should be able to address heterogeneous, distributed environments so as not to hamper either growth or change.
4. Governance and Reporting -- Reporting is essential to proper institutional governance. Often, third-party entities (be they customers or regulatory authorities) will request, and in some cases mandate, proper governance and reporting of key management. That means implementing and enforcing things like separation of duties, authorization processes and key lifecycle management.
Views: 1727 Vormetric
PCI Requirement 3.5.3 Store Secret and Private Keys Used to Encrypt/decrypt Cardholder Data
 
01:47
PCI Requirement 3.5.3 works alongside PCI Requirements 3.5.1, 3.5.2, and 3.5.4 to protect keys. The aim is not only to protect your keys from unauthorized access, but to go a step further and ensure that anyone who does obtain the stored key material cannot recover a usable key from it. An assessor will examine your procedures, system configurations, and key storage locations to verify that your organization is protecting keys and complying with PCI Requirement 3.5.3. If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organization needs to know and do to become compliant. Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-5-3-store-secret-private-keys-used-encryptdecrypt-cardholder-data/ Video Transcription Wherever you’re storing these keys, we want to make sure that the encryption keys that are being stored are protected. So not only are we asking that these keys be protected from unauthorized access, we also want to make sure that individuals (attackers or people with malintent) are prevented from getting the information contained in these keys, should they ever get custody of them. We’re going to ask that from an assessment perspective, specific to PCI Requirement 3.5.3, that these keys be rendered unreadable. You’re going to be encrypting them, you might be storing them on an HSM, or if you use split knowledge and dual controls in order to support this particular requirement, that you have means and methods to render those particular keys unreadable by anybody, should they ever get access to them. 
These keys should never reside in clear text in an unprotected state, ever. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources PCI Demystified: https://kirkpatrickprice.com/pci-demystified/ Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 329 KirkpatrickPrice
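Added example (not KirkpatrickPrice's code and not part of the PCI DSS) of the split-knowledge idea behind Requirement 3.5.3: a key-encrypting key is generated as several XOR components so that no single custodian ever holds the full key, and a short check value lets custodians confirm that a reassembly is correct without seeing the key. The check value construction (an HMAC prefix) is an assumption made so the example runs with the Python standard library, which has no AES; in practice the key is assembled only inside an HSM or other secure cryptographic device, and the check value is that device's own AES/TDES key check value.

```python
"""Split-knowledge key components for a key-encrypting key (KEK).

Added example, not code from KirkpatrickPrice or the PCI DSS. A key is
generated as n random components, one per custodian; only the XOR of all
of them reproduces the key, and any n-1 components are uniformly random on
their own. The check value is an HMAC-SHA256 prefix (an assumption, because
the standard library has no AES); real procedures use the HSM's AES/TDES KCV.
"""
import hashlib
import hmac
import secrets
from typing import List

KEY_LEN = 32  # AES-256 KEK, in bytes


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_custodians: int) -> List[bytes]:
    """Split `key` into n components whose XOR is the key.

    The first n-1 components are fresh random bytes; the last is chosen so
    that everything XORs back to the key. A custodian holding only their own
    component (or any n-1 of them) learns nothing about the key.
    """
    if n_custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(n_custodians - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def combine_components(components: List[bytes]) -> bytes:
    """Reassemble the key; meant to run only inside the secure device."""
    key = bytes(len(components[0]))
    for c in components:
        key = xor_bytes(key, c)
    return key


def check_value(key: bytes) -> str:
    """Short value the custodians can compare without revealing the key
    (assumed HMAC-based construction, see module docstring)."""
    return hmac.new(key, b"KCV", hashlib.sha256).hexdigest()[:6]


def key_ceremony(n_custodians: int = 3):
    """Generate a KEK, split it, and return (components, check_value).

    The full key exists only transiently here. Only the components and the
    check value leave the ceremony; the clear key is not retained.
    """
    kek = secrets.token_bytes(KEY_LEN)
    comps = split_key(kek, n_custodians)
    kcv = check_value(kek)
    del kek
    return comps, kcv


if __name__ == "__main__":
    comps, kcv = key_ceremony(3)
    print("check value handed to all custodians:", kcv)
    print("all three components reassemble the key:",
          check_value(combine_components(comps)) == kcv)
    print("two of three components reassemble the key:",
          check_value(combine_components(comps[:2])) == kcv)
```

Storing the components on the same host, under the same access path as the system that uses the key, defeats the purpose; each component belongs with a different custodian or in separately access-controlled storage, and the assembled key should only ever be materialised inside the secure device.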
PCI Requirement 3.4 Render PAN Unreadable Anywhere it Is Stored
 
04:15
PCI Requirement 3.4 relates to storing PAN, or primary account number. The PAN is the defining factor for cardholder data. PCI Requirement 3.4 requires that when PAN is stored, it must be rendered unreadable. Your organization could use one-way hashes, index tokens and pads, or encryption to ensure that the PAN stored on your system is unreadable. Watch now to learn from Jeff Wilder, director of PCI Services at KirkpatrickPrice, as he explains how to protect PAN. Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-4-render-pan-unreadable-anywhere-stored/ Video Transcription: "There are going to be situations within your organization where you might need to store electronic data that contains sensitive information. Whether this be PCI data or whether this be social security numbers, it’s really in your best interest to ensure that data is encrypted. However, specific to PCI DSS Requirement 3.4, it states that you need to render this media or this information unreadable in any place that it’s stored. There’s a couple of ways that we can go about doing that. We can encrypt that data; if you encrypt it, it needs to be done with a strong protocol. 
We can truncate the data; understand that if we truncate the data – where we have 16 digits in the credit card number, the first 6 and the last 4 can be displayed with no problem – if you remove those middle 6 numbers, that information is no longer really considered cardholder data. It can also be hashed with a one-way hashing algorithm; understand that the hashing algorithm needs to be strong as well. The DSS also talks about using index tokens and pads; we don’t see those often in the assessment field. One of the things we’ll be doing as assessors is asking about how you’re protecting this data. What are the methods and means that you’ve implemented in order to render the information that you have unreadable. If you’re using encryption, we’re going to look at your encryption algorithms. We’re going to look to see how you’ve actually implemented this. Understand that it is not acceptable to roll your own encryption. Encryptions are often broken and we want to make sure that you’re using an industry-accepted encryption protocol. As part of that, we’re also going to be asking to view that data. If you have it in a database, we’re going to be asking your database administrators to run queries against that data. We’re going to be looking to see that the data is not rendered in clear text. So it’s important that we protect this information, whether it’s PII data, PHI, financial information that you might retain on behalf of a third party. If you are storing cardholder data to support your business, it needs to be rendered unreadable."
Views: 549 KirkpatrickPrice
PCI Requirement 6.5.8 – Improper Access Control
 
01:14
Learn more at https://kirkpatrickprice.com/video/pci-requirement-6-5-8-improper-access-control/ PCI Requirement 6.5.8 states that your organization’s applications must be protected from improper access control, such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions. PCI Requirement 6.5.8 applies to all of your organization’s web applications, internal application interfaces, and external application interfaces. Web applications, the PCI DSS states, have unique security risks as well as relative ease and occurrence of compromise. The PCI DSS outlines four types of improper access control. Insecure direct object references occur when a developer exposes a reference to an internal implementation object, such as a database key or file name, as a URL or form parameter; attackers can manipulate those references to access other objects without authorization. Failure to restrict URL access occurs when an application protects sensitive functionality only by not displaying links or URLs to unauthorized users; attackers can use this weakness to perform unauthorized operations by requesting those URLs directly. Directory traversal occurs when an attacker can enumerate or navigate the directory structure of the site, gaining access to unauthorized information as well as further insight into the workings of the site for later exploitation. Failure to restrict user access to functions permits access to unauthorized functions, which could result in unauthorized individuals gaining access to privileged credentials or cardholder data. Only authorized users should be permitted to access direct object references to sensitive resources. In order to comply with PCI Requirement 6.5.8, your organization’s policies and procedures must address proper authentication of users, sanitizing input, not exposing internal object references to users, and user interfaces that do not permit access to unauthorized functions. 
To verify your compliance with PCI Requirement 6.5.8, an assessor will review these policies and procedures and interview the responsible personnel to ensure that your development process protects your applications from improper access control.
Views: 150 KirkpatrickPrice
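Three of the four weaknesses named in Requirement 6.5.8 can be shown directly in code. The following is an added example, not code from KirkpatrickPrice or the PCI DSS: each vulnerable function sits beside its hardened form, using an in-memory invoice store, user roles and file names constructed for illustration. The point in every case is the same: the server enforces the authorization decision on each request, instead of trusting an identifier from the client or relying on the UI to hide a link.

```python
"""Improper access control (PCI Requirement 6.5.8): vulnerable vs. hardened.

Added example, not from KirkpatrickPrice or the PCI DSS. Records, roles and
file names are constructed for illustration.
"""
import tempfile
from pathlib import Path

# Constructed sample data: who owns which invoice, and each user's role.
INVOICES = {
    101: {"owner": "alice", "pan_last4": "1111", "amount": "42.00"},
    102: {"owner": "bob", "pan_last4": "4444", "amount": "9.99"},
}
ROLES = {"alice": "customer", "bob": "customer", "carol": "admin"}


class Forbidden(Exception):
    pass


# --- Insecure direct object reference ---------------------------------------
def get_invoice_vulnerable(user: str, invoice_id: int) -> dict:
    """Trusts the id from the request; any logged-in user can read any invoice."""
    return INVOICES[invoice_id]


def get_invoice_fixed(user: str, invoice_id: int) -> dict:
    """Authorizes every access: the record must belong to the caller."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != user:
        # Same response for 'missing' and 'not yours', so ids can't be enumerated.
        raise Forbidden("invoice not accessible")
    return record


# --- Failure to restrict user access to functions ---------------------------
def refund_vulnerable(user: str, invoice_id: int) -> str:
    """Relies on the refund button being hidden from non-admins in the UI."""
    return f"refunded {invoice_id}"


def refund_fixed(user: str, invoice_id: int) -> str:
    """Enforces the role server-side, independent of what the UI shows."""
    if ROLES.get(user) != "admin":
        raise Forbidden("admin role required")
    if invoice_id not in INVOICES:
        raise Forbidden("invoice not accessible")
    return f"refunded {invoice_id}"


# --- Directory traversal ----------------------------------------------------
def read_statement_vulnerable(base_dir: Path, name: str) -> bytes:
    """A name containing '../' escapes base_dir."""
    return (base_dir / name).read_bytes()


def read_statement_fixed(base_dir: Path, name: str) -> bytes:
    """Resolves the final path and confines it to base_dir before reading."""
    base = base_dir.resolve()
    target = (base / name).resolve()
    if target != base and base not in target.parents:
        raise Forbidden("path outside statements directory")
    return target.read_bytes()


def demo() -> dict:
    """Run each attack against both versions; True means 'as expected'."""
    results = {}
    results["idor_vulnerable_leaks"] = get_invoice_vulnerable("bob", 101)["owner"] == "alice"
    try:
        get_invoice_fixed("bob", 101)
        results["idor_fixed_blocks"] = False
    except Forbidden:
        results["idor_fixed_blocks"] = True

    results["refund_vulnerable_allows"] = refund_vulnerable("bob", 101).startswith("refunded")
    try:
        refund_fixed("bob", 101)
        results["refund_fixed_blocks"] = False
    except Forbidden:
        results["refund_fixed_blocks"] = True

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        statements = root / "statements"
        statements.mkdir()
        (statements / "alice.txt").write_bytes(b"ok")
        (root / "secret.txt").write_bytes(b"DB_PASSWORD=constructed")
        results["traversal_vulnerable_leaks"] = (
            read_statement_vulnerable(statements, "../secret.txt") == b"DB_PASSWORD=constructed")
        try:
            read_statement_fixed(statements, "../secret.txt")
            results["traversal_fixed_blocks"] = False
        except Forbidden:
            results["traversal_fixed_blocks"] = True
        results["traversal_fixed_allows_legit"] = read_statement_fixed(statements, "alice.txt") == b"ok"
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The hardened invoice lookup returns the same error for a missing record and for someone else's record; returning different errors would let an attacker enumerate valid ids even when the data itself is protected.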
Securely Outsourcing Attributes Based Encryption with Checkability
 
01:03
Securely Outsourcing Attributes Based Encryption with Checkability
Views: 61 WingzTechnologies
Webinar: GDPR compliance requirements for Cloud based applications
 
01:01:54
IT Governance and Datastax have joined forces to deliver this session, which is designed to equip professionals involved in GDPR compliance with a comprehensive understanding of the Regulation’s requirements for Cloud-based applications. The General Data Protection Regulation (GDPR) will apply from 25 May 2018 to all organisations that process European residents’ personal data. Under the GDPR, businesses that fail to comply with the Regulation and suffer a data breach could face fines of up to €20 million or 4% of global revenues – whichever is greater. Explore all DataStax webinars: http://www.datastax.com/resources/webinars
Views: 1099 DataStax
Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
 
01:25
Learn more at https://kirkpatrickprice.com/video/pci-requirement-4-encrypt-transmission-cardholder-data-across-open-public-networks/ PCI Requirement 4 demands, “Encrypt transmission of cardholder data across open, public networks.” How will this requirement benefit your organization? Complying with PCI Requirement 4 will help prevent your organization from being a target of malicious individuals who exploit the vulnerabilities in misconfigured or weakened wireless networks. So as a safety measure, sensitive data that you transmit over open networks must be encrypted. Assessors will be evaluating whether your organization has implemented the appropriate controls to protect this information. How do you define an open or public network? It depends on who is connected to the network and how it is configured. Satellite technology, cell phones/GSM, Bluetooth, laptops, the Internet, wireless Internet – so many things can be deemed public networks, even if you may consider them private.
Views: 226 KirkpatrickPrice
GDPR Data Protection: Considerations for Email and File Sharing
 
47:53
Watch this webinar for a summary of GDPR considerations for email and file sharing to help prepare you – especially if you are considering or have already made a move to the cloud. Featuring Timothy Edgar, former national security and intelligence official, cybersecurity expert, privacy lawyer and civil liberties activist; and Brett Dorr, Director of Solutions Engineering at Virtru.
Views: 1350 Virtru
PCI Requirement 7.1 – Limit Access to System Components and Cardholder Data
 
01:47
Learn more at https://kirkpatrickprice.com/video/pci-requirement-7-1-limit-access-system-components-cardholder-data/ We’ve discussed least privileges before (See PCI Requirements 2.2.2 and 3.1) and the concept of, “If you don’t need it, get rid of it.” PCI Requirement 7.1 also follows this idea. PCI Requirement 7.1 states, “Limit access to system components and cardholder data to only those individuals whose job requires such access.” If someone’s job needs access to function, grant it. But if they can function without it? Deny access. Implementing PCI Requirement 7.1 within your organization further protects cardholder data. The PCI DSS states, “The more people who have access to cardholder data, the more risk there is that a user’s account will be used maliciously. Limiting access to those with a legitimate business reason for the access helps an organization prevent mishandling of cardholder data through inexperience or malice.” During a PCI assessment, an assessor will ask for a list of all job roles within your organization and the responsibilities that fall under each job. An assessor will question which data each job has access to, and why this data is essential to their job. Your organization’s policies and procedures will also be examined to determine compliance with PCI Requirement 7.1. Policies and procedures for access control should incorporate the four sub-requirements of PCI Requirement 7.1. 
Views: 98 KirkpatrickPrice
4.2 – Never Send Unprotected PAN by End-User Technologies
 
02:05
Learn more at https://kirkpatrickprice.com/video/pci-requirement-4-2-never-send-unprotected-pan-end-user-technologies/ If there are situations within your organization when you need to send or receive emails that contain sensitive cardholder data information like Primary Account Numbers (PAN), that is acceptable as long as you’re in compliance with PCI Requirement 4.2. It states, “Never send unprotected PANs by end-user messaging technologies.” This includes through email, instant messaging, chat systems, SMS, etc. The purpose of PCI Requirement 4.2 is to protect sensitive information from attackers, hoping to intercept this data during delivery across internal and public networks. There’s nothing in the PCI DSS that prohibits you from sending PAN through email or messaging, but the PCI DSS does state that the information must be protected. Even if the cardholder data is being sent somewhere internal, it is still required that the sensitive information be securely transmitted. Even if you’ve only received an unencrypted email containing cardholder data, you cannot re-transmit that information without protecting it. It’s best to have a policy that states you will not send cardholder data over end-user messaging technologies. But, if you need to send PAN over end-user technologies as part of your business model, then the policy needs to state how the information is protected. The PCI DSS also states, “If an entity requests PAN via end-user messaging technologies, the entity should provide a tool or method to protect these PANs using strong cryptography or render PANs unreadable before transmission.” Your assessor should be looking in all places where you are or could transmit cardholder data, like PANs, to observe the sending and receiving process. 
The assessor should also, “Examine a sample of outbound transmissions as they occur to verify that PAN is rendered unreadable or secured with strong cryptography whenever it is sent via end-user messaging technologies.” As always, the assessor needs to review policies and procedures to ensure that a policy regarding end-user technologies exists and that the policy is implemented.
Views: 254 KirkpatrickPrice
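The two PAN requirements above, 3.4 (render stored PAN unreadable) and 4.2 (never send unprotected PAN by end-user messaging), share the same building blocks, so one added example covers both. It is not code from KirkpatrickPrice or the PCI DSS. It shows a Luhn check, the three rendering methods named in 3.4 (truncation to first six and last four, a keyed one-way hash, and an index token), and the check an outbound mail or chat gateway would run for 4.2: find Luhn-valid card numbers in free text and redact them before the message leaves. The card numbers are well-known test numbers, the HMAC key is a placeholder and the TokenVault is an in-memory stand-in for a real tokenization service; all three are assumptions made so the example runs on its own.

```python
"""PAN handling for PCI Requirements 3.4 and 4.2.

Added example, not code from KirkpatrickPrice or the PCI DSS. Sample card
numbers are published test numbers, HASH_KEY is a placeholder, and
TokenVault is an in-memory stand-in for a real tokenization service.
"""
import hashlib
import hmac
import re
import secrets
from typing import Dict, List

HASH_KEY = b"placeholder-manage-like-any-other-key"  # assumption, see docstring


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, doubling every second digit from the right. Separates a
    card number from an arbitrary run of digits (order ids, phone numbers)."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation as 3.4 allows it: keep the first six and last four digits;
    the middle digits are discarded (shown as X), not stored anywhere."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way hash. The PAN space is small (known issuer prefixes plus
    a Luhn digit), so an unkeyed SHA-256 of a PAN can be brute-forced; the
    secret key makes the digest useless to anyone who does not hold it."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: a random token replaces the PAN in application records;
    only the vault can map it back (assumed in-memory stand-in)."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._by_pan:
            token = "tok_" + secrets.token_hex(8)
            self._by_token[token] = pan
            self._by_pan[pan] = token
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# part of a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> List[str]:
    """Luhn-valid card numbers found in free text: the check an outbound
    mail or chat gateway runs before 4.2 lets a message leave."""
    return [_digits(m.group(0)) for m in _CANDIDATE.finditer(text)
            if luhn_valid(_digits(m.group(0)))]


def redact_message(text: str) -> str:
    """Replace each PAN in text with its truncated form so the message no
    longer carries an unprotected PAN."""
    def _sub(m):
        d = _digits(m.group(0))
        return truncate_pan(d) if luhn_valid(d) else m.group(0)
    return _CANDIDATE.sub(_sub, text)


def demo() -> dict:
    # Constructed sample message: one test PAN, one Luhn-invalid 16-digit
    # order reference that must not be flagged, and a phone number.
    message = ("Please refund card 4111 1111 1111 1111, order ref "
               "1234 5678 9012 3456, call 555-0100.")
    pan = "4111111111111111"
    vault = TokenVault()
    return {
        "pans_found": find_pans(message),
        "redacted": redact_message(message),
        "truncated": truncate_pan(pan),
        "hashed": hash_pan(pan),
        "token_roundtrip": vault.detokenize(vault.tokenize(pan)) == pan,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner should keep in mind. The hash key has to be managed like any other cryptographic key under Requirement 3.5; an unkeyed hash of a PAN is only marginally better than the PAN itself. And the PCI DSS warns that keeping both a truncated and a hashed version of the same PAN lets an attacker recover the original by brute-forcing just the missing middle digits against the hash, so where both exist, additional controls are required to stop them being correlated.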
PCI Requirement 5.2 – Ensure Anti-Virus Mechanisms are Current, Perform Scans, & Generate Audit Logs
 
04:20
Learn more at https://kirkpatrickprice.com/video/pci-requirement-5-2-ensure-anti-virus-mechanisms-current-perform-periodic-scans-generate-audit-logs/ Because the threat landscape is constantly evolving, you must keep your organization’s malware protection current. PCI Requirement 5.2 exists to, “Ensure that all anti-virus mechanisms are maintained as follows: are kept current, perform periodic scans, and generate audit logs which are retained per PCI DSS Requirement 10.7.” Your organization’s anti-virus solution must be kept current. Every day, new types of malware are created and new definitions are released, so your organization needs to stay up-to-date. Your definitions for malware and the scanning engine itself should be current. The PCI DSS’ reason for this is, “Even the best anti-virus solutions are limited in effectiveness if they are not maintained and kept current with the latest security updates, signature files, or malware protections.” The anti-virus solution that you have in place should perform scans periodically. It is not the assessor’s job to define what “periodically” is for your environment, but generally, we’re looking to see that you have business justification for when you’re running scans. Ideally, you should be running it every day or in real time. We understand that there are some situations when you can’t always run it every day; but, it’s not acceptable to shut off the anti-virus solution just because it’s inconvenient. 
According to PCI Requirement 5.2, your anti-virus solution should generate audit logs in accordance with PCI Requirement 10.7, which states, “Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.” The PCI DSS further explains, “Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach.” If there is malware in your environment, your staff should see it because it should show up in a log that is periodically reviewed.
Views: 144 KirkpatrickPrice
PCI Requirement 10.1 – Implement Audit Trails to Link all Access to System Components
 
01:00
Learn more at https://kirkpatrickprice.com/video/pci-requirement-10-1-implement-audit-trails-to-link-all-access-to-system-components-to-each-individual-user/ PCI Requirement 10.1 is a pretty straightforward requirement. It states, “Implement audit trails to link all access to system components to each individual user.” This means that everything in scope should have logging enabled to enable organizations to track suspicious activity back to a specific user. To verify compliance with PCI Requirement 10.1, an auditor will observe and interview a system administrator to see that audit trails are enabled and active for system components and access to system components is linked to individual users.
Views: 113 KirkpatrickPrice
PCI Requirement 3.4.1 Logical Access Management
 
03:07
PCI Requirement 3.4.1 deals with the use of disk encryption as a way to render data unreadable. If disk encryption is used, the authentication credentials used to decrypt the drive must be separate from the authentication credentials that are used to log into the operating system. The intent behind this requirement is to cause a separation so that if the user’s authentication credentials are compromised, that doesn’t automatically give someone access to the data set that has been decrypted. Watch now to learn from Jeff Wilder, director of PCI Services at KirkpatrickPrice, as he explains how to comply with PCI Requirement 3.4.1. Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-4-1-logical-access-management/ Video Transcription: If you’re going to be using hard disk encryption as a means for meeting the 3.4 Requirement (for rendering your data unreadable) and you’re using whole disk encryption to do that, we have a requirement that the authentication credentials that you use to decrypt the drive be separate from the authentication credentials that are used to log in to your operating system. The reason for this is that if a hacker physically compromises your Windows box, for instance, those decryption keys actually reside on the physical device within the registry. 
Microsoft BitLocker can be configured appropriately to do this, where you have separate authentication credentials, but the point of this particular requirement is to cause a separation so if the user’s authentication credentials are compromised, that doesn’t automatically give someone access to the data set that has been decrypted. We want to make sure we have separate authentication credentials for doing that. From an assessment perspective, we’re going to talk to the staff and we’re going to look at how you’ve implemented whole disk encryption, if you’ve done so, and make sure that the authentication credentials that are subject to that are separate. As a point of conversation and understanding, it’s going to be necessary that you understand that whole disk encryption, when it mounts the drive, the cardholder data is rendered readable. As part of this test, we still have to see that the cardholder data is rendered unreadable, so using whole disk encryption kind of gets really difficult for meeting Requirement 3.4, which is rendering it unreadable, because once you’ve booted that system and mounted that drive, there’s transparent data encryption that’s used, and it’s accessible to the end user. So just be cognizant of that and if you’re using whole disk encryption to meet this requirement, be prepared to have a conversation with your assessor about the controls that you’re using in order to meet the 3.4 Requirement. 
Views: 308 KirkpatrickPrice
how to implement HITRUST certification
 
05:06
Views: 335 Kishu Balani
CISSP Practice Questions of the Day from IT Dojo - #61 - Trusted Paths & Contingency Planning
 
03:58
IT Dojo offers free CISSP study questions every day for those who are preparing for their certification. In today's CISSP questions of the day from IT Dojo, Colin Weaver asks and answers questions related to Trusted Paths and IT Contingency Planning. Colin also teaches 5 Day CISSP classes regularly in Virginia Beach, VA. If you are interested in attending one of his courses, please visit our website to inquire for more details. www.itdojo.com
#CISSPquestions, #CISSPpreparation, #CISSPinstructor, #CISSPcourse, #CISSPresources, #cybersecurity, #informationassurance
Relevant Links:
Trusted Path (see 3.3.2.1.1 and page 113): http://csrc.nist.gov/publications/history/dod85.pdf
IT Contingency Planning (see page 4): https://www.fismacenter.com/sp800-34.pdf
7 Steps of IT Contingency Planning Process:
1. Develop the contingency planning policy statement
2. Conduct the business impact analysis (BIA)
3. Identify preventive controls
4. Develop recovery strategies
5. Develop an IT contingency plan
6. Plan testing, training, and exercises
7. Plan maintenance
Colin Note:
(ICSM) Define metrics to be gathered
(Contingency Planning Process) Develop recovery strategies
(ICSM) Respond to management with mitigation steps
(SDLC) Perform functional and security testing
(Contingency Planning Process) Identify preventive controls
(SDLC) Obtain formal authorization to operate (ATO)
Additional Study Resources: Below is a list of resources accumulated from the internet that we feel are valuable additions to your studying.
CISSP Summary Version 2.0: https://media.wix.com/ugd/dc6afa_fc8dba86e57a4f3cb9aaf66aff6f9d22.pdf
McGraw-Hill Education CISSP Practice Exams: https://www.mhprofessionalresources.com/sites/CISSPExams/exam.php?id=AccessControl
Study Notes and Theory (a great website with a lot of useful resources): https://www.studynotesandtheory.com
Cybrary CISSP Course by Kelly Handerhan: https://www.cybrary.it/course/cissp/
Brainscape CISSP Flashcards: https://www.brainscape.com/subjects/cissp
Quizlet CISSP Flashcards: https://quizlet.com/2519918/cissp-practice-flash-cards/
Recommended Books:
CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide 7th Ed.: http://amzn.to/2rnjGAI
CISSP All-In-One Study Guide 7th Ed.: http://amzn.to/2pT3nde
CISSP Study Guide 3rd Edition: http://amzn.to/2qsBgDw
Eleventh Hour CISSP 3rd Ed. Study Guide: http://amzn.to/2pT3Dcc
Disclaimer: https://www.itdojo.com/question-of-the-day-disclaimer/
http://www.seguetech.com/three-stages-disaster-recovery-sites/
Views: 3647 IT Dojo