Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec

PCI deadline an opportunity for holistic review of security

Global Secure Systems (GSS) : 27 June, 2008  (Technical Article)
GSS warns against an approach of "bolting on" web application security in order to achieve compliance, recommending instead to build the additional security into a more holistic approach to IT protection
Global Secure Systems (GSS) has warned companies of the need to be aware of Section 6.6 of the PCI standard - which mandates the use of Web application code reviews or the installation of an application-level firewall - that comes into force at the end of June.

According to David Hobson, GSS' managing director, the new requirements of the Payment Card Industry s6.6 standards should not, however, be treated as a rubber-stamp approval system for e-commerce security, but should be included in a company's overall IT security plans.

The topic of information security, he said, has to be approached holistically.

'Understanding what organisational assets require protection, what risks (i.e. the consequence of loss) relate to those assets and what the correct risk treatment decisions are in respect of those risks is critical in defining a security strategy,' he said.

'On top of this, if organisations are going to slavishly follow standards like PCI in 'tick-box' fashion, they may achieve compliance, but they are almost certainly not going to be fully secure against fraud,' he added.

Hobson says that organisations need to be able to answer the 'what' (what are we trying to achieve?) and the 'how'(how should be trying to achieve it?) questions before any further steps are taken.

'If organisations are unable to answer these two simple questions, then they run the risk of spending large amounts of money meeting the PCI s6.6 standards requirements, for very little improvement in their actual IT security posture,' he said, adding that technology should be the last consideration in any security program.

Hobson went on to say that security is not something that companies can simply buy, but is something that you embed in your organizational culture.

'No amount of point solutions, be they firewalls, database security tools or code reviews are going to deliver 'security' unless your organisation understands what its control objectives are and gets its executives to buy into the process of meeting those objectives. Only then should the company consider that the relevant controls should be,' he explained.
Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo