Articles by 'Nancy Rand'

Blog Author - Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.

By Nancy Rand, Posted in Infrastructure, Security

The Cloud Security Alliance released two new research documents to provide guidance on Cloud Incident Response and Consuming and Providing APIs. https://cloudsecurityalliance.org/artifacts/cloud-incident-response-framework/?utm_source=email https://cloudsecurityalliance.org/artifacts/security-guidelines-for-providing-and-consuming-apis/?utm_source=email Cloud Incident Response provides a framework for handling the lifecycle of a security incident in the cloud and discusses what information is shared inte... read more.

  • May 18, 2021

By Nancy Rand, Posted in Security

The PCI Security Standards Council, PCI SSC, published a new version of the Secure Software Standard and its supporting program documentation on 4/29/2021. https://www.pcisecuritystandards.org/about_us/press_releases/pr_04292021 This version includes a new Terminal Software Module that contains requirements for software used on PCI-approved PIN Transaction Security (PTS) Point-of-Interaction (POI) devices. There are currently two other modules in this Standard: The “Core” module that contai... read more.

  • May 18, 2021

By Nancy Rand, Posted in Security

The Cloud Security Alliance released their latest version of the Cloud Control Matrix (CCM) on 1/20/21. It is available from their website after answering a few questions. The mappings to Scope Applicability, Architectural Relevance, Corporate Governance Relevance, Cloud Service Delivery Model Applicability, Supplier Relationship, are not yet available, but the CSA has released the matrix to assist organizations to prepare to upgrade to version 4. https://cloudsecurityalliance.org/research/cloud-controls-m... read more.

  • January 22, 2021

By Nancy Rand, Posted in Security

When preparing to securely work from anywhere, it is tantamount that a zero trust policy be adopted. Locations and assets are not to be inherently trusted. A system of policies and software are needed to protect from malicious intent.  In August 2020, NIST published SP 800-207, the final version of their Zero Trust Architecture. It is available for download from: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf The tenets of zero trust are presented in section 2.1. They are... read more.

  • October 05, 2020

By Nancy Rand, Posted in Security

NIST and the PCI DSS Council have both published software development frameworks. PCI DSS published a blog today highlighting an interview between Kevin Stine, Chief of the Applied Cybersecurity Division at NIST and Troy Leach, SVP, Engagement Officer at PCI SSC.  This blog discusses the importance of secure software development and contains links to additional information. https://blog.pcisecuritystandards.org/nist-and-pci-ssc-find-common-ground-in-development-of-software-frameworks Additionally, Th... read more.

  • September 11, 2020

By Nancy Rand, Posted in Security

NIST published links to GDPR and ISO crosswalks to the NIST Privacy Framework. These are published by Microsoft (for ISO/IEC 27701) and the Enterprivacy Consulting Group (for the GDPR-Regulation 2016/679). https://www.nist.gov/privacy-framework/resource-repository/browse/crosswalks/gdpr-crosswalk-enterprivacy-consulting-group https://www.nist.gov/privacy-framework/resource-repository/browse/crosswalks/isoiec-27701-crosswalk-microsoft Each spreadsheet provides a mapping between the framework and the GDPR... read more.

  • July 23, 2020

By Nancy Rand, Posted in Security

NIST has released SP 800-53 Revision 5 Public draft for review and comment. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft NIST is separating the controls catalog from the control baselines-SP800-53 Controls catalog, which will be online, and SP800-53B “bravo” Controls Baselines. The following are available at https://go.usa.gov/xdevj Draft SP 800-53 Revision 5 Summary of Changes from Revision 4 Comment Template Open Security Control Assessment Language (XML, JSON, YAML)... read more.

  • April 10, 2020

By Nancy Rand, Posted in Security

Today’s privacy laws and regulations require privacy by design and by default for systems, networks, and applications. ISACA is creating a Privacy Certification. The certification targets IT professionals that implement defenses. It is intended to assess an individual’s ability to design and implement privacy by design. The work is for cross-functional design work and expected to bridge legal and technical functions. These individuals will work with operations, systems, security, application an... read more.

  • April 10, 2020

By Nancy Rand, Posted in Security

In December 2019, the PCI SSC Council released documents on the PCI SSC Contactless Payments on Commercial Off-the-Shelf (COTS) (CPoC™) program operated and managed by PCI Security Standards Council, LLC supporting the Payment Card Industry (PCI) Contactless Payments on COTS (CPoC™) Standard. Payment Card Industry (PCI) Contactless Payments on COTS (CPoC™) Program Guide Version 1.0 December 2019 Payment Card Industry (PCI) Contactless Payments on COTS (CPoC™) Security and Test Re... read more.

  • March 16, 2020

By Nancy Rand, Posted in Security

The PCI DSS Council recently announced that a new standard for commercial off the shelf (COTS) mobile devices, PCI Contactless Payments on COTS (CPoC™) mobile devices, is to be released in December 2019. The current PCI DSS standard covers contactless payment methods, but the new publication provides detail on the mobile payment options. On October 28, the council is releasing an RFC on PCI DSS version 4.0 to assessors to provide feedback on the draft of the new version. New and revised requirements... read more.

  • October 28, 2019