Posts

PCI-DSS

Once you know what the Payment Card Industry Data Security Standard is, you will wonder how we got along without it before.  Companies that handle credit card or debit card transactions take the long card numbers of their customers. That's a necessary step in completing any kind of payment.  But wait a minute, these numbers are a massive security risk.  What if someone gets hold of one of those card numbers? In the industry by the way, one of these numbers is called a Primary Account Number, known to all as a PAN. The point of PCI-DSS is to make sure retailers and their suppliers in turn, do all they can to make sure PANs are dealt with as securely as possible.  If  a company has not looked at this question systematically, then it might be holding PANs unencrypted and be sending them around its own computer systems. They might feature in management reports. Staff might be able to get hold of them.  To deal with all of these there are a couple of standard ap...

GDPR

GDPR (the General Data Protection Regulations) created a mighty splash when the companies affected by it realised they were going to have to launch projects to comply.  The regulation is large and potentially a lengthy read. This may be the reason that few of the people involved in dealing with it seem to have read it.  This post will zoom in on Article 13, where key information related to the rights of the data subject (ie the person whose personal data is held) can be found. A great deal of information is contained in Article 13 of the regulation.  Here were learn the it is mandatory to  *Make clear the identify of the Data Controller *Give the contact details of the Data Protection Officer *Specify the purposes for which the data is held *Say were the processing of the data takes place *Who might be receiving the personal data *The length of time for which the personal data will be stored (this is a responsibility of the data controller) *The existence of the righ...

Introduction to the security and privacy blog

This blog will cover some of the most important non-tech issues in Information Privacy and Security.   I've selected these topics because  they are all ones where I have some personal experience.  Key topics will be:  i) Public Cloud The public cloud industry is growing fast, led by Amazon AWS, Microsoft Azure, and Google GCP. What are the privacy and security issues associated with providers like these? ii) Protecting endpoints Even if the cloud location is secure, legitimate users still have to have access. Access can be through using Application Program Interfaces (APIs), or through web pages. But there has to be some way to stop the wrong people using these entry points. If there isn't, all the other security measures are pointless. What are some options? iii) GDPR The EU's General Data Protection Regulation created and enormous splash when it came into force in 2018 after being adopted in 2016.  What do companies need to do? iv) The role of corporate I...