Security Basics mailing list archives
RE: IT Manager to CISO
From: Craig Hotchkiss <CHotchk () rei com>
Date: Thu, 28 Apr 2011 11:37:13 -0700
CISA would be a good one to help with the audit.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ricardo Ferreira
Sent: Thursday, April 28, 2011 5:46 AM
To: security-basics () securityfocus com
Subject: Re: IT Manager to CISO

On 04/27/2011 05:37 AM, olufemimogaji () gmail com wrote:
Hi all,

I'm currently the de facto IT manager for a small IT services firm. The nature of our business requires that we follow PCI standards as per logical security. Here's the thing: the CISO is leaving next month, and I've been told I'll be taking his position. I already have a lot of exposure to info sec; I have a CCNP (the former version with ISCW) and I'm an MCP (Active Directory for WS 2008).

What I need to know is what cert I should go out there and get to make me more cemented in this new CISO role, at least to keep the auditors happy, as they sometimes like to question your competence. The outgoing CISO, even though he was trained by some of our partners, had NO certs, and this exposed him to uncomfy questions from hard-nosed auditors.

Security+ or CISSP exam? Or any others? Any form of guiding light will be highly appreciated.

Regards,
Femi M.

Sent from my BlackBerry® Smartphone
Hi all,

My 0.02 cents....

I am currently running a PCI-DSS certified payment service provider, and even though I have some certifications in my bag, let me tell you about my experience (5 years running and administering a PCI-DSS certified payment service provider):

1. The auditors are not looking for certs. They are always looking for answers to their questions, and you must back up these answers with evidence and detailed documentation.

2. The target is to make sure you protect the cardholder data. This is what PCI-DSS is all about. So what are the controls and processes you put together to make sure you are 100% compliant with the requirements? Understand them in detail. Read them. Check them. Test them. Monitor them. (PDCA is your friend here.) Know your environment. Have monitoring tools implemented at all key points of your infrastructure. Know your traffic profile....

3. How does your network firewall policy effectively mitigate possible attacks? Is there any kind of active-active network firewall implemented, just in case one of them is compromised, so that you can meet the business continuity plan and still offer the same level of security? How has your risk analysis plan been deployed over the past months....

4. How have you implemented a web-application-based firewall to protect the cardholder data....

5. The technical staff must be knowledgeable in security, telecom and information technology. Having certs helps, but what really matters is experience and knowledge.

6.....

So what I mean is: OK, certification really matters, but do not forget the major goal of any QSA: to make sure that the infrastructure being audited is secure enough and meets all security requirements. So know your environment and put in place controls and processes that can really help you to manage the infrastructure. Log everything and have a very good documentation process.
I know a couple of local companies that failed to meet PCI-DSS requirements but have managers with a bunch of security certs... and what I learned from these failing companies: know your environment, have full control of it and document everything. Have a REAL firewall policy and prove that such a FIREWALL policy does what it is supposed to do. I know a couple of security managers who do not know how to write a more elaborate rule that can effectively protect an asset from the PCI standpoint. And last but not least, PCI does not certify people... only companies.

PS. Bear in mind this is my experience.... Having certs is OK but is not mandatory. Knowledge and experience are....

--
Cordially,
Ricardo Ferreira
Telecom, Technology and Information Security
CCDP, CCNP, CCDA, CCNA, MCSE, MCP
-------------------------------------------------------------------
Sotech Soluções Tecnologicas
Rua da Alfazema, 761, 1o. andar - 102/103
41820-710 - Caminho das Árvores - Salvador-BA - Brasil
Tel : 55 71 3472.9400
Cel : 55 71 9138 4630
Email: ricardo.ferreira () sotechdatacenter com br
Site: www.sotechdatacenter.com.br

This message, including its attachments, may contain confidential information. If you have received this message in error, please delete it from your system and notify the sender immediately. Any form of use, reproduction, forwarding, alteration, distribution and/or disclosure of this content, in whole or in part, without the prior written authorization of the sender is strictly prohibited. Thank you for your cooperation.
Current thread:
- IT Manager to CISO olufemimogaji (Apr 27)
- Re: IT Manager to CISO Omar Salvador Alcalá Ruiz (Apr 28)
- RE: IT Manager to CISO Egerue, Ugochukwu (Apr 28)
- RE: IT Manager to CISO rogue5 (Apr 28)
- Re: IT Manager to CISO Ricardo Ferreira (Apr 28)
- RE: IT Manager to CISO Craig Hotchkiss (Apr 28)
- RE: IT Manager to CISO Valin, Christian (Apr 28)
- RE: IT Manager to CISO David Gillett (Apr 28)
- Re: IT Manager to CISO Todd Haverkos (Apr 28)
- Re: IT Manager to CISO Jonathan Younie (Apr 28)
- RE: IT Manager to CISO Jeremi Gosney (Apr 28)
- Re: IT Manager to CISO ichib0d crane (Apr 28)
- RE: IT Manager to CISO David Gillett (Apr 28)
- <Possible follow-ups>
- Re: IT Manager to CISO olufemimogaji (Apr 28)