
Thursday, December 3, 2020

GDPR and PCI DSS Intro - General Data Protection Regulation (GDPR) & Payment Card Industry Data Security Standard

General Data Protection Regulation (GDPR) is a new data privacy and security law in Europe.

When will it go into effect?
May 25, 2018.

What is the primary purpose?
To provide EU citizens with greater control over how their personal data is collected, protected and used.

To whom does this regulation apply?
GDPR applies to how the Company must handle all EU customer and employee data.

Is there a penalty for non-compliance?
Yes, the risks are significant financial penalties and legal exposure. Fines up to 4% of annual worldwide revenue or €20 million are possible.



PCI-DSS (the Payment Card Industry Data Security Standard) mandates specific security safeguards for handling credit card data.

The Company is required to adhere to PCI standards as part of its contractual agreements with banks, partners, and credit card companies. Failing to adhere to these requirements could result in significant fines and possibly termination of the Company's ability to accept credit cards for transactions.

Embedding Privacy and Security Impact Assessments into our various business processes to ensure that privacy and security are consulted throughout the lifecycle of data-related initiatives;

Formalizing processes around Data Subject Rights to ensure that we can respond comprehensively and within the timeframe set out in the GDPR;

Updating our Privacy Policies to ensure they are GDPR compliant;

Developing our Data Retention and Deletion Capabilities;

Updating our Vendor Contract Templates to ensure they are in accordance with GDPR requirements; and

Developing our Privacy Resources and Specialist Training Modules to ensure all teams have the information they need.




Monday, October 16, 2017

Threat hunting, mitigation and Vulnerability Management




This article is a part of my series 'Security is our duty and we shall deliver it'

Threat hunting is a thorough and rigorous method of dealing with security issues in markets and solutions that are subject to stringent regulations and policies and that carry real risk. It is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions. According to the SANS Institute, threat hunters actively search for threats in order to prevent or minimize damage. The formal process of threat hunting should not be confused with an attempt to prevent adversaries from breaching the environment, or with defenders eliminating vulnerabilities in the network.


The SIEM tools we employ typically only provide indicators at relatively low semantic levels. There is therefore a need to develop SIEM tools that can provide threat indicators at higher semantic levels. As the industry itself is still developing in this area, we are getting our feet wet in the process as well. Our Chief Security Consultant is actively involved in all three methods, viz. Analytics-Driven, Situational-Awareness-Driven and Intelligence-Driven hunting. As an accomplished engineer, he is a master of monkey and fuzz testing as well.


For bug logging and defect tracking we use home-grown technologies as well as Atlassian tools like Jira. For the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities, i.e. vulnerability management, we have adept leaders who guide teams in using vulnerability scanners. We have successfully employed Coverity as well as various Checkstyle and PMD rule sets.


We have a set of our own scripts and systems to analyze and investigate known vulnerabilities such as open ports, insecure software configurations, and susceptibility to malware infections. As stated above, we have masters of fuzzing techniques who can work with us 24x7. Unknown vulnerabilities, such as zero-days, and complex threats are also within our reach. We have consultants who have worked with a variety of antivirus software and heuristic analysis mechanisms. Remember, as we said: we have the smartest of security consultants!


You can read and download the article from:
https://www.slideshare.net/toughjamy/security-is-our-duty-and-we-shall-deliver-it-white-paper

Read on LinkedIn:
https://www.linkedin.com/pulse/security-our-duty-we-shall-deliver-mohd-anwar-jamal-faiz/

Security is our duty and we shall deliver it! - A White Paper For Software Security Organizations

Recently, I wrote a white paper. It is titled 'Security is our duty and we shall deliver it!'


This paper could best be described in the following words:

Quality Management, Information Security, Threat Hunting and Mitigation Plans for a Software Company or a Technology Start-up engaged in building, deploying or consulting in Software and Internet Applications.


The chief sections of the document are:

  1. Introduction to Enterprise Risk & Cyber Security
  2. The technologies we employ in
  3. Types of Software testing
  4. Some examples of Cyber Security Firms and what they do
  5. How we achieve a secure product
  6. InfoSec and Managed Security Service Provider
  7. Training and development
  8. Safeguarding against Phishing and Multi-Factor Authentication
  9. Threat hunting, mitigation and Vulnerability Management
  10. The denouement


You can read and download the article from:
https://www.slideshare.net/toughjamy/security-is-our-duty-and-we-shall-deliver-it-white-paper

Read on LinkedIn:
https://www.linkedin.com/pulse/security-our-duty-we-shall-deliver-mohd-anwar-jamal-faiz/



The following blog posts are must-reads for any Software Quality and Security Professional or any organization working in this field:

http://www.w3lc.com/2010/05/veracode-as-new-whitebox-testing-tool.html

http://www.w3lc.com/2012/02/analysis-of-valgrind-still-reachable.html

http://www.w3lc.com/2011/07/stress-testing-what-how-when.html

http://www.w3lc.com/2011/02/types-of-software-testing.html

http://www.w3lc.com/2010/10/dos-and-ddos-clarification-on-hacking.html

http://www.w3lc.com/2010/05/baseline-and-traceability-matrix.html

Cheers my readers.
You are my reason to be motivated.

- M. Anwar Jamal Faiz