Brian Pennington

A blog about Cyber Security & Compliance


August 2014

VMware guides that will help you with your complaince efforts

Coalfire Systems, Inc. have launched an impressive range of VMware compliance guides.

FedRAMP guides

  • VMware FedRAMP Product Applicability Guide
  • VMware FedRAMP Architecture Design Guide
  • VMware VCE FedRAMP Product Applicability Guide Addendum
  • VMware Hytrust FedRAMP Product Applicability Guide Addendum
  • VMware McAfee FedRAMP Product Applicability Guide Addendum

VMware PCI DSS version 3.0 guides

  • VMware PCI 3.0 Product Applicability Guide
  • VMware PCI 3.0 Architecture Design Guide
  • VMware PCI 3.0 Validated Reference Architecture
  • VMware CatBird PCI 3.0 Product Applicability Guide Addendum
  • VMware BeyondTrust PCI 3.0 Product Applicability Guide Addendum

Other guides

  • VMware CJIS Product Applicability Guide
  • VMware BeyondTrust HIPAA Product Applicability Guide Addendum

If you would like copies of these guides please email me at

What to do in the case of a cyber security related emergency

In the event you have a cyber security related emergency, there are some simple, immediate steps you can take to help get the situation under control and preserve evidence for investigation.  Most incidents can be classified as a malware compromise, a data compromise, or computer misuse.  Each of these types of incidents require immediate action to help reduce impact and loss. 

Follow these steps

  1. If the system is on, leave it on. Turning it off will destroy information that is stored in volatile memory that is critical to evaluating the state of the system.
  2. Preserve logs. Any logs you have at that time should be archived offline for use in further investigation.
  3. If possible, do not make any system changes once the event has been classified as an incident. Typically, changes you may be tempted to make immediately could destroy evidence key to identifying the source of the compromise or action.
  4. Isolate the system from the network, but do not disconnect it from its upstream switch. Sophisticated malware can sense changes in system state and change its behaviour or remove itself when changes are detected. 

These simple steps are crucial.  The information that could be destroyed through improper or over aggressive recovery techniques may make the difference between cleaning up malware on a single system versus an enterprise wide system rebuild and data restoration project.

Courtesy of Coalfire Systems Inc.


Role of the Board of Directors in Information Security and Compliance

Guest Blogger Barry Schrager.

I recently read a posting “Where’s the Compliance Experience on Corporate Boards?” [i] which showed some disturbing results describing the backgrounds of the Fortune 500 Board Members in terms of Compliance.  Here are the results: 

Background No. of Board Members No. of Companies
Finance 1,583 473
Legal 391 225
Accounting 201 165
Compliance 9 9

Add to this, in the recent speech given by Security and Exchange Commissioner Luis Aguilar at the New York Stock Exchange Conference “Cyber Risks and the Boardroom”,[ii] he emphasized the importance of cybersecurity and how fast the need for cybersecurity has grown in such a short time period, pointing out that U.S. companies experienced a 42% increase between 2011 and 2012 in the number of successful cyber-attacks they incurred per week.  He cautioned,

Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril 

Mr. Aguilar recommends that Boards institute structural changes to focus on appropriate Cyber-Risk Management. 

Companies must have someone on the board that is able to adequately understand and implement cybersecurity procedures.  Many boards lack the necessary technical expertise to be able to evaluate whether management is taking appropriate steps to address cybersecurity issues.  This responsibility often falls to the audit committee, but they may not have the expertise or skills to add cyber-risk oversight to their long list of duties.  Commissioner Aguilar recommends that boards create a separate enterprise risk committee that can provide improved risk reporting and monitoring, as well as push necessary resources and overall support to company executives responsible for risk management

Navy Admiral Michael S. Rogers, director of the National Security Agency and head of U.S. Cyber Command stated

Military commanders must ‘own’ cyber.  Networks and cyber [should be] the commanders’ business.”  Commanders operate under the “flawed” notion that they can turn over network responsibilities to the unit’s information technology experts, said Rogers. “Commanders have to own this mission and integrate it into operations.” Senior officers ought to be as knowledgeable about a unit’s network capabilities and potential vulnerabilities as they would be about its fuel and ammunition supplies, he added. “The challenge to that is as much cultural as it is technical [iii]

There is a definite pattern here.   It is clear from the survey results and statements presented above that the proper disciplines and backgrounds are not present on the Boards nor the military leadership.  This lack of knowledge and background represents a risk for these companies and investors that should not exist and can be addressed.   Additionally, these organizations have an obligation to protect the information gathered from their customers, partners and those individuals who interact with them.

If someone on the Board was knowledgeable and asked questions of the senior executives on cybersecurity and compliance then the senior management would be sure to have someone in their group who was capable of seriously addressing these issues.  This would cascade down the organization and the employees would be more focused on security and, more importantly, feel free to raise their perceived security issues up the management chain and receive appreciation for their input, and more importantly, the organization would obtain more effective cyber controls and compliance controls.

This is not just an IT problem and executives cannot just assume that this will be handled by the IT people because it usually involves budget, procedural changes that affect other departments, etc.  If the executives do not listen and understand what the IT Security and Compliance people are asking for, they will not fund the requested programs and projects until there is a data breach and then they will finally provide whatever funding is requested.  This is not the way to operate.  Organizations and people will be hurt.  

Barry Schrager 

Barry Schrager is credited as one of the people who started the concept of data security when he founded and was the first Manager of the SHARE Security Project in 1972.  The project delivered a series of requirements to IBM in 1974 including data protection by default and algorithmic grouping of users and resources.  When IBM delivered its security product, RACF, in 1976, it did not meet the requirements and IBM told him they were not achievable.  So, Barry developed his own security product, ACF2, which met the requirements and was used by customers such as General Motors, the Central Intelligence Agency, the National Security Agency, Britain’s MI-5, the Federal Reserve System and the Executive Office of the President of the United States.  When Barry sold the company, SKK, Inc., it had a 60 percent market share against IBM’s RACF and CA’s Top Secret.  Under Barry’s leadership, SKK developed the first VM operating system security product, ACF2-VM, and the first automated Operating System auditing product, Examine-MVS, now known as CA-Auditor. 

In addition to that, Barry has a variety of experiences in mainframe software development, including the Neon Systems Shadow (now Rocket Software’s Shadow z/Direct), the EKC E-SRF Access Analysis product, JME Software’s Deadbolt product, the Vanguard Integrity Professionals line of RACF security products and Xbridge Systems’ DataSniff product. Additionally, Barry has done security reviews at institutions such as the FDIC and Morgan Stanley. 

Barry’s experience covers everything from software designer/developer to executive management to consulting services. 

Barry is honored to be selected as a member of the Enterprise Executive Magazine’s Mainframe Hall of Fame. 

Barry’s contact information is: / (970) 479-9377 




PCI Security Standards Council publishes third-party security assurance guidance

The PCI Security Standards Council and a PCI Special Interest Group (SIG) consisting of merchants, banks and third-party service providers have produced an information supplement which provides recommendations for meeting PCI Data Security Standard (PCI DSS) requirement 12.8 and helps to ensure payment data and systems entrusted to third parties are maintained in a secure and compliant manner. 

Breach reports continue to highlight security vulnerabilities introduced by third parties as a leading cause of data compromise. According to a 2013 study1 by the Ponemon Institute, the leading mistake organizations make when entrusting sensitive and confidential consumer information to third-party vendors is not applying the same level of rigor to information security in vendor networks as they do in their own. 

Per PCI DSS Requirement 12.8, if a merchant or entity shares cardholder data with a third- party service provider, certain requirements apply to ensure continued protection of this data will be enforced by such providers.  

The Third-Party Security Assurance Information Supplement focuses on helping organizations and their business partners achieve this by implementing a robust third-party assurance program. Produced with the expertise and real-world experience of more than 160 organizations involved in the Special Interest Group, the guidance includes practical recommendations on how to:

  • Conduct due diligence and risk assessment when engaging third party service providers to help organizations understand the services provided and how PCI DSS requirements will be met for those services.
  • Implement a consistent process for engaging third-parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements.
  • Develop appropriate agreements, policies and procedures with third-party service providers that include considerations for the most common issues that arise in this type of relationship.
  • Implement an on going process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including the development of a robust monitoring program. 

The guidance includes high-level suggestions and discussion points for clarifying how responsibilities for PCI DSS requirements may be shared between an entity and its third-party service provider, as well as a sample PCI DSS responsibility matrix that can assist in determining who will be responsible for each specific control area. 

PCI Special Interest Groups are PCI community-selected and developed initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs. As part of its initial proposal, the group also made specific recommendations that were incorporated into PCI DSS requirements 12.8 and 12.9 in version 3.0 of the standard. 

“One of the big focus areas in PCI DSS 3.0 is security as a shared responsibility,” said Bob Russo, PCI SSC General Manager. “This guidance is an excellent companion document to the standard in helping merchants and their business partners work together to protect consumers’ valuable payment information.”  

The Third-Party Security Assurance Information Supplement is available on the PCI SSC website.

Also look at my PCI resources page as it is often easier to find thing there.

What IT Users and Business Users Think about Bring Your Own Identity (BYOID)

Ponemon Institute has released its CA Technologies sponsored study “The Identity Imperative for the Open Enterprise: What IT Users and Business Users Think about Bring Your Own Identity (BYOID)

They surveyed 1,589 IT and IT security practitioners and 1,526 business users with more than 1,000 employees in United States, Australia, Brazil, Canada, France, Germany, India, Italy and the United Kingdom to understand current trends in Bring your Own Identity or BYOID, which is defined as the use of trusted digital or social networking identities.

  • 74% of the IT users surveyed report to the CIO
  • 15% report to the CISO
  • 55% of the business users in this research report to the lines of business leader
  • 10% report to the marketing officer 

The majority of respondents in both groups have high levels of interest in BYOID, but IT users and business user groups have different views about the perceived potential value of BYOID. 

  • IT users view BYOID primarily for fraud reduction, risk mitigation and cost reduction
  • Business end users are more interested in how BYOID can streamline customer’s experience and assist in targeted marketing campaigns.

Some of these differences can be expected because of the different job responsibilities of each group. These differences do not necessarily portend conflict, but rather show the need for collaboration between IT and the business functions to yield maximum benefits for any organisation deploying a BYOID system. By developing a cross-functional BYOID strategy around several well-defined use cases, organisations can differentiate themselves from competitors and further grow their business.

Key finding of the study are:

The Application Economy Drives BYOID Interest

In today’s application economy, organisations need to securely deliver new apps to grow their business quickly. This can increase IT risks, which puts a premium on an organisation’s ability to simplify the user experience without sacrificing security. Using an existing digital or social identity issued by a trusted third party to access applications can help organisations meet the need for simplicity, security and a positive customer experience.

  • 67% of IT users say the primary value of BYOID is from strengthening the authentication process
  • 54% from reducing impersonation risk
  • 79% of Business users believe the BYOID value comes from delivering a better customer experience 76% believe it is from increasing the effectiveness of marketing campaigns

While IT sees value primarily in risk mitigation/cost reduction, business users see the value of BYOID in improving the consumer experience to increase customer loyalty and generating new revenue streams. This underscores the need for IT and business collaboration to address the challenge that today’s organisations face: how to secure the business while simultaneously empowering

Mobile and Web Users Drive BYOID

Today’s IT organisations must deliver secure access to a highly distributed and growing user population. These users expect to access information anywhere, anytime from multiple devices. This is changing how user identities should be managed and is affecting the demand for BYOID.

When IT practitioners and business users were polled on their level of interest in accepting identities for different user populations such as job prospects, employees, contractors, retirees, website customers or mobile customers, mobile and web customers received the most interest, far exceeding that of the other populations.

  • 50% of IT respondents and 79% of business respondents have very high or high interest in BYOID for website user populations
  • 48% of IT respondents and 82% of business respondents have very high or high interest in BYOID for mobile user populations

BYOID Requires Security Enhancements to Drive More Adoption

While the survey results indicate interest in BYOID from both IT users and business users, both groups identified features that could contribute to broader BYOID adoption.

When asked which features would most likely increase BYOID adoption within their organisation;

  • 73% of IT users’ top features are identity validation processes
  • 66% have multi-factor authentication as the top feature
  • 71% of Business users say both identity validation processes and simplified user registration are the most popular features for increasing adoption.

The study also indicates a high level of interest for some level of accreditation of the identity providers

  • 59% of IT saying it is essential or very important
  • 21% saying it is important
  • 27% of business respondents say accreditation is essential or very important with 48% believe it’s important


Information Commissioners Office provides data protection advice to the legal profession

The Information Commissioner’s Office (ICO) is warning barristers and solicitors to keep personal information secure, especially paper files. This follows a number of data breaches reported to the ICO involving the legal profession.

The ICO can serve a monetary penalty of up to £500,000 for a serious breach of the Data Protection Act provided the incident had the potential to cause substantial damage or substantial distress to affected individuals.

In most cases these penalties are issued to companies or public authorities, but barristers and solicitors are generally classed as data controllers in their own right and are therefore legally responsible for the personal information they process.

In the last three months, 15 incidents involving members of the legal profession have been reported to the ICO. The information handled by barristers and solicitors is often very sensitive. This means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty. Legal professionals will also often carry around large quantities of information in folders or files when taking them to or from court, and may store them at home. This can increase the risk of a data breach.

Information Commissioner, Christopher Graham, said:

The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling. It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.

“We have published some top tips to help barristers and solicitors look after the personal information they handle. These measures will set them on the road to compliance and help them get the basics right

The ICO has published the following top tips to help barristers and solicitors keep the personal information they handle secure

  • Keep paper records secure. Do not leave files in your car overnight and do lock information away when it is not in use.
  • Consider data minimisation techniques in order to ensure that you are only carrying information that is essential to the task in hand.
  • Where possible, store personal information on an encrypted memory stick or portable device. If the information is properly encrypted it will be virtually impossible to access it, even if the device is lost or stolen.
  • When sending personal information by email consider whether the information needs to be encrypted or password protected. Avoid the pitfalls of auto-complete by double checking to make sure the email address you are sending the information to is correct.
  • Only keep information for as long as is necessary. You must delete or dispose of information securely if you no longer need it.
  • If you are disposing of an old computer, or other device, make sure all of the information held on the device is permanently deleted before disposal.

The ICO is currently working with The Bar Council to update the Information Security Guidance provided to Barristers in England and Wales.

The original ICO post is here.

Create a free website or blog at

Up ↑

%d bloggers like this: