Stop Patching, for Stronger PCI Compliance

Adam Brand, Senior Manager - PCI QSA, Protiviti
Too many organizations have their administrators running on the Patching Wheel of Death. PCI DSS says all vendor critical patches must be installed within 30 days, right? Wrong. Looking more closely at the PCI standard shows that it actually mandates a risk-based approach to patching.

In this presentation, an experienced PCI QSA discusses how organizations that patch frequently and rely solely on vulnerability scanner or vendor recommendations are actually less PCI compliant. The wasted time spent on unnecessary patching could be better spent on more important ongoing compliance activities and long term fixes. An alternative approach is presented, showing how even applying simple contextual criteria when evaluating patches (in accordance with PCI DSS recommendations) can eliminate over 50% of monthly patch installations.
Sep 12 2012
46 mins
Stop Patching, for Stronger PCI Compliance
Join us for this summit:
More from this community:

IT Governance, Risk and Compliance

  • Live and recorded (3298)
  • Upcoming (65)
  • Date
  • Rating
  • Views
  • From unobtrusive advanced malware detection technologies to automated threat response and actionable mobile-friendly dashboard – manage security from any device, any time, ESET will present new solutions for securing your endpoints and new ways to manage them.
  • Organizations are having to cover more ground than ever when it comes to security. Yet businesses often lack the in-house skills and resources, so security leaders are turning to MSSPs to help bear the burden to ensure every area of risk is adequately attended to.

    Join us for an interactive discussion with guest speaker, Forrester Research VP and Principal Analyst, Ed Ferrara, to learn how MSS is changing the conversation for businesses to achieve security goals. Help drive the conversation by submitting a question for Ed in advance so we can tackle your biggest security concerns such as:

    • Overcoming the skills shortage
    • Where to focus the budget – spending trends across industries
    • The value of security – pitching it as an investment not a cost to business leaders
    • Improving business outcomes – leveraging MSSPs as a tactical arm to optimize IT security, efficiency and value
  • A recent analyst study found that 88% of organizations are “doing Project and Portfolio Management (PPM).” This finding could lead many to believe all is well with this critical business process so essential to strategic success. This is hardly the case as studies also show PPM is still generally immature in enterprises today. The lack of maturity is largely due to the fact that most organizations are addressing only a subset of PPM capabilities. So though almost every organization can lay claim to doing PPM, few are actually doing PPM for all its worth. Many of these organizations will continue to miss out on the incredible possibility and promise of this essential business capability until they grasp and appreciate the full scope and potential of PPM.

    One of the greatest barriers to realizing the full potential of PPM is an enterprise-wide awareness of the span of PPM and the likely gap that must be overcome to achieve it. There is a plethora of great PPM insight contained in the numerous books, methodologies, and frameworks available today, but using this volume of information to get everyone on the same page is a daunting challenge. The key is to use a simple approach and model to quickly establish a common understanding of this critical business discipline and to easily foster the conversations and discussions to drive the endeavor to raise PPM proficiency.

    This brief webcast will present a PPM model that is easy to remember, easy to communicate, and proven to quickly illuminate the gap between existing immature PPM processes and the full scope and potential of comprehensive Project and Portfolio Management.
  • Portfolio planning activities have struggled to gain respect in most businesses. Lack of enterprise-wide orchestration arises from a lack of effective involvement and intimate business knowledge – not simply of operations and processes, but of business imperatives, obstacles and desired outcomes. And the information systems aspects continue to be planned in splendid isolation from the business, causing IT people to mistakenly celebrate victory when a new IT system goes live. However a project only really starts when the IT goes live, and so the planning needs to be fully integrated. This can only be accomplished first by building strong relationships with business peers that will result in measurable value creation. The next step is to implement a sophisticated PPM system that can handle the extreme complexity of orchestrating all the business and related technology portfolio of initiatives, capable of optimizing the plans (and the outcomes) as the business environment changes.

    To achieve this, a new PPM model needs to be created to look at portfolio management in a holistic way, enterprise-wide. Planners need a capability that will generate multiple scenarios and real-time decision support. This dimensionality and complexity is well beyond the capacity of the human brain. By implementing such a tool, IT would be positioned as a critical partner with the business – not just in implementing mainstream information systems, but also in helping the business with a much better way to plan and manage all of its key initiatives effectively

    This session focuses on how enterprise leaders and divisional leaders and IT leaders should be working in harmony to orchestrate great business outcomes, rather than looking after their parochial interests.
  • The development of a solid product innovation strategy is undoubtledly a collaborative effort, and company cultures that support an open and robust dialog will be more able to evolve their strategies to address their changing business environments.

    Attend this webcast featuring Michelle Jones from Stage-Gate International as she discusses how these companies are better equipped to address risk and derive more value from their product innovation efforts. Also hear why aligning your product innovation strategy is an important precursor to making continuous strategic assessments and project prioritization decisions.

    All attendees will gain insight into the 5 key elements that comprise a consensus based innovation strategy, the importance of clearly communicating that strategy to drive strategic portfolio management, and the metrics to measure performance.

    This event is approved for 1 Professional Development Unit (PDU) credit.
  • Wall Street expects it and customer demand it – accountability from Sr. Executives for the future direction of their organizations. How can executives ensure their strategic plans are in action and on track? How can they shift and pivot to changing market conditions along with the risks and impacts to the long-term vision and goals? How do you thread accountability from planning to execution to results?

    Join this session, where David Werner, Senior Principal Product Marketing Manager, CA Technologies, speaks with Rick Morris, published Author and Owner/President of R2 Consulting about ways to bring more accountability through your strategic plan.
  • A recent analyst study found that 88% of organizations are “doing Project and Portfolio Management (PPM).” This finding could lead many to believe all is well with this critical business process so essential to strategic success. This is hardly the case as studies also show PPM is still generally immature in enterprises today. The lack of maturity is largely due to the fact that most organizations are addressing only a subset of PPM capabilities. So though almost every organization can lay claim to doing PPM, few are actually doing PPM for all its worth. Many of these organizations will continue to miss out on the incredible possibility and promise of this essential business capability until they grasp and appreciate the full scope and potential of PPM.

    One of the greatest barriers to realizing the full potential of PPM is an enterprise-wide awareness of the span of PPM and the likely gap that must be overcome to achieve it. There is a plethora of great PPM insight contained in the numerous books, methodologies, and frameworks available today, but using this volume of information to get everyone on the same page is a daunting challenge. The key is to use a simple approach and model to quickly establish a common understanding of this critical business discipline and to easily foster the conversations and discussions to drive the endeavor to raise PPM proficiency.

    This brief webcast will present a PPM model that is easy to remember, easy to communicate, and proven to quickly illuminate the gap between existing immature PPM processes and the full scope and potential of comprehensive Project and Portfolio Management.
  • At its most basic level, communication is the transfer of information and ideas between two or more entities. In the context of organizational project and program management, communication is a core competency that, when properly executed, connects every member of a project team to a common set of strategies, goals and actions. Unless these components are effectively shared by project leads and understood by stakeholders, project outcomes are jeopardized and budgets incur unnecessary risk. Effective communications leads to more successful projects, allowing organizations to become high performers and risk 14 times fewer dollars than their low-performing counterparts.

    This webinar reveals the communications challenges that prevent organizations from accomplishing more successful projects, and identifies key initiatives enable organizations to improve their communication as they face their own unique challenges in an ever-changing complex and risky environment.

    This session is approved for 1 Professional Development Unit (PDU) credit.
  • A recent comprehensive survey commissioned by CA revealed some very clear trends in portfolio management and provided evidence of what distinguishes a strong portfolio performer from a weak one.

    In this engaging presentation report author, Andy Jordan will explore these indicators and provide recommendations for how your organization can become more adaptable, agile and responsive to portfolio changes.

    Learn how you can build improved effectiveness into your portfolio execution approach, and how communication can contribute to your success.

    This event is approved for 1 Professional Development Unit (PDU) credit.
  • The C-level suite agrees that aligning business and technology objectives are an essential element in achieving what’s necessary to win, retain and serve their customers, however, are they putting their money where their mouths are? The data tells a different story. According to Forrester Research, while two thirds of CIOs and CMOs agree that the CMO is an active participant in strategic planning, the perception of CIO involvement varies significantly between the two roles. Moreover, half of surveyed PMO leaders feel they have all the tools in place to competently manage the portfolio pipeline. Companies are routinely adopting practices to deliver faster and better; it’s time for executives to do the same. Effectively managing a portfolio that enables business leaders to achieve their strategic objectives requires tooling that supports pragmatic practices in order to gather data at the right level and at the right time.

    This presentation examines portfolio management trends and best practices that high achieving organizations have applied to turbo charge their planning process.

    Forrester Research, Inc., The State Of Strategic Execution In 2015, January 27, 2015

    This event is approved for 1 Professional Development Unit (PDU) credit.
  • Channel
  • Channel profile
  • Avoiding the Headlines: 5 Critical Security Practices to Implement Now Mar 5 2015 6:00 pm UTC 45 mins
    2014 could have easily been called, “The year of the biggest security breaches since the beginning of forever.” But given current security practices and technologies, many of the breaches could have been prevented. So why weren’t they?

    Many of the affected companies fell into a very common trap, thinking that if a company goes to the trouble to be legally compliant then it will be effectively “secure.” Unfortunately, as with many kinds of regulations, legal compliance really represents the absolute least amount of effort required. If companies want to give themselves the best chance to avoid the very severe consequences that come with a major breach, there are five practices they need to put in place now.

    Join Adrian Sanabria, Senior Security Analyst at 451 Research, and Amrit Williams, CTO of CloudPassage, on this webinar to learn
    · Possible gaps left by the compliance-first approach to security
    · How to limit vulnerabilities across traditional, virtual and cloud infrastructures
    · Five best practices to avoid a major security breach in 2015
  • The One-Man SOC: Habits of Highly Effective Security Practitioners Mar 5 2015 5:00 pm UTC 60 mins
    Do you feel alone? No resources? No help? If you are like many security practitioners faced with a mountain of tasks each day and a small (or non-existent) team to help, prioritization and efficiency are key. Join Joe Schreiber, Solutions Architect for AlienVault for this practical session outlining habits to get the most out of your limited resources.

    In this session, you'll learn how to develop routines to efficiently manage your environment, avoid time-sucks, and determine what you can do by yourself and where you need help.

    In this practical session, Joe will cover:
    - How to work around the limitations of a small (or one person) team
    - Tips for establishing a daily routine
    - Strategies to effectively prioritize daily tasks
    - Benefits of threat intelligence sharing
    - Critical investigation & response steps when the inevitable incident occurs
  • Endpoint Security Just Got Simpler Recorded: Mar 4 2015 37 mins
    From unobtrusive advanced malware detection technologies to automated threat response and actionable mobile-friendly dashboard – manage security from any device, any time, ESET will present new solutions for securing your endpoints and new ways to manage them.
  • Maintaining Security in a Mobile World Recorded: Mar 4 2015 31 mins
    The game has changed. Due to cost savings, and the privacy and mobility needs of employees, in just a few short years companies have loosened the mobile device leash. Enterprises are now shifting from traditional “company owned” devices, to allowing “Bring Your Own Device” in the workplace. According to Gartner, by 2017 fifty percent of companies will actually force employee to bring their own device to work.

    But if you’re tasked with securing devices, how do you accommodate BYOD? Where do you start and what kinds of security solutions should you be looking for?

    In this webinar, Chris Hines, Product Manager at Bitglass will teach you how to balance the needs of IT admins and employees when it comes to securing your mobile world.
  • Security Rivals? The Value of Measuring & Comparing Network Security Performance Recorded: Feb 27 2015 50 mins
    Who has earned the bragging rights as the most secure college athletic conference?

    Colleges have rivals both on the football field and in the classrooms, but how do they fare in security performance? Watch this webinar featuring Stephen Boyer, CTO and Co-Founder of BitSight Technologies, and Rebecca Sandlin, CIO of Roanoke College, to learn how the major athletic conferences compared in key security performance metrics. There is also a discussion about why security benchmarking is so significant in education.

    Watch this webinar to discover:

    - The unique challenges higher education faces in securing their networks and how benchmarking can help
    - Why performance varies across the industry, and how that translates into actionable intelligence for security teams
    - How Security Ratings are enabling Roanoke College to gain tremendous insights about security strategy and performance issues that they can share with their board.
  • Actionable Intelligence: A Threat Intelligence Buyer’s Guide Recorded: Feb 26 2015 48 mins
    Today’s threat actors are more sophisticated than ever, and organizations need live attack intelligence that alerts them to emerging threats long before they become full-blown attacks that lead to sensitive data loss. Furthermore, organizations need the most current threat data available in order to protect their networks from incursions – they need real-time actionable intelligence.

    Join us for the upcoming webinar, “Actionable Intelligence: A Threat Intelligence Buyer’s Guide” featuring Rick Holland, Principal Analyst at Forrester Research, and Jeff Harrell, Senior Director, Product Marketing at Norse, to learn how to evaluate the various threat intelligence offerings in the marketplace, and how to utilize them to prevent today’s advanced attacks.

    In this webinar you will learn about:
    * The criteria needed to effectively evaluate threat intelligence solutions that meet your organization's needs
    * The value of the different types and sources of internal and external threat intelligence
    * How best to utilize threat intelligence to realize a greater return on security investments and better protect your organization
  • Assessing Risks & Solutions for Social Engineering Recorded: Feb 26 2015 32 mins
    Social engineering targets our most challenging assets - people! We'll share a case study on how a regulated, mid-sized company prioritized risks, developed a mitigation strategy, and delivered an innovative awareness campaign.

    What's unique about this example is the program we helped build to incorporate active control testing, user feedback, and metrics to improve employee training alongside traditional technical controls.
  • Attack Intelligence: The More You Know, The Less Damage They Can Do Recorded: Feb 26 2015 48 mins
    Attack Intelligence to Power Tomorrow’s Cyber Response.

    Preparing to combat every threat and vulnerability is a war that no cybersecurity professional can win today. Speed, accuracy and visibility of threats and active attacks is critical to defending against APTs and other sophisticated attacks responsible for today’s headline-grabbing data breaches. The next generation of advanced threat prevention solutions will require a significant shift in how we incorporate threat and attack visibility into everyday security operations, enabling incident responders to identify and stop campaigns as they happen.

    Join us as IDC’s Research Vice President for Security Products Services Charles Kolodgy shares his view of the threat landscape, including how threats are evolving, how cybercriminals are becoming more sophisticated and what new solutions are necessary to combat APTs.
  • Six Steps To a High-Performing IT Department Recorded: Feb 26 2015 53 mins
    What sets high-functioning IT organizations apart from the rest? That’s something every IT leader wants to know. After all, we live in a highly competitive business climate and IT performance can be the difference between success and failure. To conquer the challenge, we need to be informed and collaborative and we need to do this in a cost-effective manner.

    In this webcast, you will hear from two experts on some of the technology that’s driving today’s high-functioning IT organizations. Find out how your company can be aligned, agile and ready to respond to ever-changing business requirements and competitive pressures.
  • Applied Security Analytics Recorded: Feb 26 2015 45 mins
    Many organizations are looking at using big data to detect more advanced adversaries. We are collecting more information than ever before, but what are we doing with it? In this talk, we will look at some ways you can use data science and visualization tools to get more out of the data you collect. Visualizations will let you see what is happening at a high level: A picture is worth a thousand log entries. There are data science techniques that other industries, such as advertising, have used successfully. We can apply these techniques to find patterns of behavior that are out of the ordinary, and ultimately catch more bad guys.
  • Is it Time to Embrace Cloud for Remote Office Server Backup? Recorded: Feb 26 2015 51 mins
    As a business, concerns over RTO, RPO, costs, security, and data privacy have historically made the decision for cloud backup a complicated one. However, cloud technologies continue to evolve, and can now provide substantial cost benefits while overcoming the most stringent security, data privacy, storage and performance hurdles. This makes it a perfect fit for many backup needs — especially remote office server backup.

    In this session we’ll cover:

    * The state of the cloud and the latest advancements for D2C server backup
    * How security and data storage advancements are addressing key enterprise data privacy concerns
    * How to leverage the cloud for remote office server backup and archiving, while significantly lowering storage and administration expenses
  • Continuous Third Party Monitoring Powers Business Objectives Recorded: Feb 26 2015 48 mins
    While many companies focus their effort on reducing cybersecurity risk, more threats are being discovered daily. Point-in-time, subjective questionnaires are not in line with the new regulations requiring continuous monitoring of vendors, partners and other third parties.

    In “Continuous Third Party Monitoring Powers Business Objectives,” BitSight CTO and Co-founder Stephen Boyer and guest speaker, Forrester Research Senior Analyst Renee Murphy will discuss the value businesses are finding in using a solution that has a constant eye on third party cyber threats.

    Boyer and Murphy will also discuss:

    - The results of the study BitSight commissioned Forrester Consulting to undertake, examining how IT decision-makers feel about objective, reliable and continuous monitoring.
    - What can be done beyond compliance to increase security performance.
    - Which industries stand to benefit most from using automated, objective information security data.
    - Specific use cases for continuous monitoring and how they help companies improve information security performance.
  • Key Research Findings: How to Optimize Business Processes Recorded: Feb 26 2015 53 mins
    Based on recent research by analyst Bob Larrivee of AIIM, this webinar will address how organizations can leverage technology to identify, evaluate and optimize business processes to increase operational efficiency.

    Join us as we explore:
    - Drivers for problem-solving, tracking KPIs, process failures and workflow management
    - How technology can reduce errors and exceptions that lead to lost business and non-compliance
    - Increasing visibility to optimize processes, reduce costs and deliver a superior customer experience
  • Cost-effective Disaster Recovery Without a DR Site Recorded: Feb 25 2015 58 mins
    Achieving cost-effective disaster recovery (DR) services without a physical DR site — or having to extend your DR footprint — is possible. In this live webcast with Microsoft, see how you can use AppAssure software in combination with Microsoft® Azure® and disaster recovery as a service (DRaaS) from Dell partner, eFolder.

    The first half of the webcast will showcase how you can store AppAssure backup archives directly on Azure and perform item-level recovery from the archive without having to download the archive from the cloud. Then we’ll showcase ways to replicate AppAssure backup images to the eFolder® Storage Cloud® and enable multiple disaster recovery options.

    Join our webcast partnered with Microsoft® and see how easy it is to:
    • Manage the growth of your backup archives
    • Establish cost-effective disaster recovery without a DR site
    • Avoid extending your DR footprint

    What you will learn:
    • How to leverage Azure to directly store AppAssure backup archives
    • How to perform item-level recovery from the archive without downloading the archive from the cloud
    • How to replicate AppAssure backup images to the eFolder Storage Cloud
    • How to enable multiple disaster recovery options, including image download, overnight drive shipment or recovery in the eFolder® Continuity Cloud®
  • Self-Service Data Governance & Preparation for Hadoop Recorded: Feb 25 2015 56 mins
    With the maturation and increased adoption of Big Data technologies such as Hadoop, the process for how data flows through an organization is evolving so to ensure these technologies are utilized to their full potential. Traditional technologies for data discovery, governance and preparation simply don’t fit the requirements of this new ecosystem’s technology and users.
  • When Prevention Fails... Recorded: Feb 25 2015 13 mins
    When prevention fails, your only hope is detection. Security defense plans are relying on detection and response knowing preventive defenses are declining in effectiveness. The balance between preventive and detective defenses is the big security shift for 2015, and knowing the process cycles, skills and technologies is vital for success. Detection and response is more than a point solution, learn the four phases for detection on your network in this webcast.

    - Four detection phases for your network
    - Integrating key technologies required for detection
    - Processes to mine big data for actionable intelligence
    - Detection skills sets, costs and resource requirements
    - Analyzing all the data all the time, options for success
  • Protect Your Network From Today's Advanced Attack Methods Recorded: Feb 25 2015 42 mins
    Attackers have been employing a few very popular attack methods recently in their quest for profit: spear phishing, malvertising, ransomware, to name a few. Learn about these methods and others through real examples, and the tactics you can employ to reduce your risk and protect your network from advanced threats like these.
  • Clear and Present Danger Recorded: Feb 25 2015 50 mins
    Criminal activity is being reported before our eyes in the news and it could be infiltrating your organization -threatening your brands trust and even your job.

    There is clear and present danger - whether you know it or not.

    Hear from Kevin Kennedy, VP of Product at Agari, as he examines a real life phishing attack, what impact it had on the person and company who was phished, and what strategies CISOs need to know in order to protect their own organization.
  • Optimize SSL Certificate Management with Symantec and A10 Networks Recorded: Feb 25 2015 57 mins
    Managing a secure SSL environment is getting complex. Recent industry standards and security vulnerabilities required IT to migrate from SHA-1 to SHA-2 hash algorithm, find alternatives for certificates with non-fully-qualified domain (FQDN) names and replace certificates impacted by the Heartbleed vulnerability. In addition, initiatives like Google’s “HTTPS everywhere” or always-on SSL on Google search may increase the deployment of SSL certificates in an organization. All these changes add to the challenges of managing SSL certificates.

    In the meantime, IT managers have to continue to provide optimal system performance to meet their users’ needs while staying within their budget.

    Attend this exclusive webinar to:

    - Discover recent changes and challenges with SSL certificate management
    - Learn how you can minimize time and resources in monitoring and managing SSL certificates with Symantec Certificate Intelligence Center (CIC)
    - Find out how you can optimize the performance of SSL encryption and decryption with the A10 Thunder Application Delivery Controller (ADC) from A10 Networks
  • The 5 Misconceptions About the Modern DDoS Attack Recorded: Feb 25 2015 31 mins
    Distributed Denial of Service attacks, once dismissed as simple flood-based threats, are now regularly in the headlines for taking down the networks of one Fortune 500 corporation after another. For today's web-reliant businesses, understanding the modern DDoS attack is critical to maintaining availability and business continuity. DDoS is no longer a basic attack, but a complex one, targeting the application layer and the infrastructure itself.

    No security threat has a more immediate or high profile impact than a successful DDoS attack. If your website or online services go offline, everyone associated with your business knows, from customers to employees and yes, your competitors.

    In this 30 minute presentation, Arbor DDoS experts will review the five most common misconceptions about DDoS attacks, giving you a new perspective on this rapidly evolving threat and your organization's protection strategy.

    Attend this webinar to learn:
    -What has changed about the nature of DDoS attacks
    -Why your existing perimeter security tools may fail to protect you
    -How DDoS can be component of a full-blown attack campaign
trends, developments, and technology
Increasing expectations for good governance, effective risk management and complex demands for legislative and regulatory compliance are presenting a growing challenge for organizations of all sizes. Tune in to live and recorded presentations by respected luminaries in the fields of governance, risk and compliance. Their thought leadership will provide you with practical advice on how to implement successful GRC strategies and processes for your organization.

Embed in website or blog

Successfully added emails: 0
Remove all
  • Title: Stop Patching, for Stronger PCI Compliance
  • Live at: Sep 12 2012 4:00 pm
  • Presented by: Adam Brand, Senior Manager - PCI QSA, Protiviti
  • From:
Your email has been sent.
or close
You must be logged in to email this