
Chris Mark to speak at 2016 ISF Texas April 10, 2016

Posted by Chris Mark in Uncategorized.

This week (10:30 am, April 14, 2016) I will be in the awesome city of Austin, TX speaking at the 2016 Information Security Forum. The ISF is: “…a free educational conference aimed at public sector Information Security Officers, Information Resources Managers, and IT staff throughout the State of Texas. The conference is hosted by the Texas Department of Information Resources (DIR) and will be managed by the Office of the Chief Information Security Officer (OCISO).” The title of my presentation will be “Hackers, Slackers, and Thieves: Understanding Your Adversary.” If you are in Austin, please consider attending!

FTC to Audit PCI Industry March 9, 2016

Posted by Chris Mark in Uncategorized.

(UPDATED) I have been in the PCI “industry” since before it was an industry. I was fortunate to have worked with Visa in 2001 on a team that helped design the CISP requirements for service providers, and subsequently worked at MasterCard, a major processor, and numerous QSA firms. I can claim (along with 2 or 3 other people) to be the FIRST assessor, even before we were QDSPs and then QSAs. I was the PCI SSC’s global QSA trainer and Visa’s CISP trainer. There are probably only 10 people in the industry that have been doing “PCI” type work as long as I have. Unfortunately, we lost two of those fine folks in the last several years. One of the most frustrating aspects of being in the PCI assessment business has been competing with the “pay and stamp” assessors. PCI is complex, and conducting a solid PCI assessment is complex and not trivial. There have always been the “bottom feeders” that will guarantee a compliant finding for a nominal fixed-price fee. For those companies that do solid work (while I compete with them, I am also friends with many and can respect their work as much as my own employer’s), we often find ourselves on the losing end of a bid when someone agrees to assess a Fortune 100 company for a fixed fee of $40K. Well... the Federal Trade Commission has taken notice!

The FTC has issued an order to 9 QSA firms to assess (pun intended) how they assess companies against the PCI DSS and how their business is structured. The 9 companies listed are:

Foresite MSP, LLC; Freed Maxick CPAs, P.C.; GuidePoint Security, LLC; Mandiant; NDB LLP; PricewaterhouseCoopers LLP; SecurityMetrics; Sword and Shield Enterprise Security, Inc.; and Verizon Enterprise Solutions (also known as CyberTrust).

Here is my beef with that list. The one company (to remain un-named for fear of a lawsuit... but we all know who it is) that has had 7 or so of the largest credit card breaches in history as its clients is not listed. 3 of the companies are ‘newbies’ and 3 are very well known and respected companies. They should have asked for “Chris’ list” 😉

After reading the order it is clear the FTC has done their homework and knows the answers they expect to get.  This is not simply smoke and mirrors.  They are asking questions related to:

  1. The bidding process for QSA work
  2. Cost structure of PCI assessment work
  3. Time associated with the average assessment
  4. Number of companies found ‘non-compliant’
  5. Whether a company is found ‘compliant’ BEFORE completing all work
  6. Sampling methodology (this is a gotcha because the required methodology is outlined in the training)
  7. Qualifications

They are then asking for a sample ROC to be provided. I cannot applaud the FTC enough for taking this step. It is well past time that we get the “pay and stamp” providers out of the industry! Read the Order Here!

Thank You for 1,000,000 Views! January 26, 2016

Posted by Chris Mark in Uncategorized.

I was just notified that the GlobalRiskInfo blog just had its 1 millionth view, with over 850,000 visitors! I want to give a big “Thank You!” to everyone that has taken the time to read my inane drivel and to those who take the time to comment! This is simply a labor of love and I am grateful for the support. This started 4 years ago and I have published 404 blog posts. While some have been big hits, others have not. Regardless... thank you!

Autocracy, Anocracy, & Democracy – “Verbal Masterba(bleep!)…” January 25, 2016

Posted by Chris Mark in Laws and Legislation, Politics.

Election season in the US is always interesting.  Passions run high and people are quick to proclaim their positions on government and politics.  Unfortunately, as many will likely agree, election season also gives voice to many who should probably remain silent.

Recently I was taken to task on Facebook and lectured on the concept of governance and democracy by a particularly obtuse and offensive individual. When I attempted to explain that democracy should NOT be considered a strictly binary proposition and that the US was indeed a democracy, his attacks became personal and I was accused of (among other things) “verbal masturbation”. According to this master of the English language: “Most folks like me would call your ideas verbal masturbation. They sound good from the outside but are really kinda stupid”... he actually wrote “Kinda”... Somehow this person drew a line between my comments on democracy and his belief that the federal government would force parents to stand by while their 12-year-old daughters got abortions without consent. I am at a loss as to the logic... But... I digress. Back to democracy!

Republican, Democrat, or Independent? January 24, 2016

Posted by Chris Mark in Industry News, Uncategorized.

I wrote an open letter to Sarah Palin two days ago and it has since generated almost 400,000 views. While most of the comments have been polite, and even somewhat spirited at times, there are a few folks who have taken to name calling and insults. For likely the first time in my life I was called a Democratic Socialist for not supporting Sarah Palin! Here is my view. I am an American. I vote on issues but consider myself a Republican. I am socially more liberal than most in the party but fiscally conservative, and am an ardent supporter of the 2nd Amendment of the US Constitution.

I believe our system has become so divisive that debate and discourse have given way to name calling and insults. My letter to Mrs. Palin was intended to shed light on a serious condition. I would have written the same letter to a Democrat. In fact, you can see my latest post is one in which I comment on Michelle Obama. I believe that our leaders should be held accountable. I have written articles for the National Review and been interviewed on NewsMax. I suspect most would classify me as a Republican