The ISSA Journal March 2008 : Page 2
Table of Contents

Feature Articles

10 Data Flows Made Easy
By Branden R. Williams
With data flowing all over the enterprise, it is no wonder that companies are having a hard time securing it. This article explores a tool to simplify the creation and maintenance of data flow documentation.

15 PCI DSS: The Appliance of Compliance
By Ken Munro
What if the standard itself is sub-standard? Where is the legitimacy of a decree that creates more red tape and confusion than it delivers?

20 Authentication Agenda: Raising the Bar for the Future
By David Helsper
Protecting access to information is crucial to securing communications, assets and business transactions. Authentication – examining and verifying identities – is a cornerstone of any security initiative.

26 The Information Security Life Cycle
By Luther Martin
While the traditional System Development Life Cycle is a useful model for the life cycle of any IT system, a slightly different version may be more appropriate for information security products.

28 Beating a Keystroke Logger on a Public PC
By Michael Seese
This article describes a process that allows users to foil a surreptitiously installed keystroke logger when using a public PC to access an online financial account.

30 Converged Compliance Management
By Bindu Sundaresan
Developing an enterprise compliance management solution that ensures ongoing regulatory compliance while keeping the process streamlined and cost-effective.

33 Managing Physical Security
By Christopher J. Antonellis
Physical security is at the core of information security, and yet it is one of the areas most commonly ignored by information systems professionals.

36 An Enterprise Security Policy Management Framework – Part 2
By Mark Simon
This is the second of a two-part series on developing an enterprise security policy utilizing Microsoft’s Prescriptive Guidance and Education tools and procedures.

Also in This Issue

3 From the President
4 email@example.com
5 Association News: Elections
6 Ethics and Privacy
7 Sabett’s Brief: The Double-Edged Sword of Regulatory Compliance
8 Herding Cats: Practical Security Tips for a Wacky World
9 For Pete’s Sake: Running the Numbers on the Vulnerability Process
18 Profiles in Security: Anne Rogers
41 Conferences
42 toolsmith: WinPatrol
47 Inside the AV Lab: The Crimeware Ecosystem

The ISSA Journal (USPS PP 152) is published monthly by the Information Systems Security Association, 9220 SW Barbur Blvd. #119-333, Portland, Oregon 97219. Application to mail at periodicals postage rates is pending at Portland, Oregon and at additional mailing offices. Postmaster: Send address changes to ISSA Journal, 9220 SW Barbur Blvd., #119-333, Portland, Oregon 97219.