View the Recording from the MCSA Meeting
The way organizations meet security requirements, old and new, is about to change. For the first time, all requirements, including version 4.0 of the PCI DSS, are going to be driven by risk. What does that mean exactly? Each organization will need to decide what its definition of “acceptable risk” is, not only for itself but for its clients and business partners as well as the general public. Those who could be harmed by your service or product, or by how you conduct business, need to be considered in the risk equation.
To address these issues, the Midwest Cyber Security Alliance virtual meeting offered an update on some familiar topics, including the concepts of “reasonable controls” and “acceptable risk.” These terms have permeated our security regulations and standards over the last decade and have plagued organizations just as long — until today. Quite recently, regulators, judges, and security experts have all agreed on a common calculus for determining whether an organization has reasonable controls. During this session, we reviewed the Sedona Conference’s legal test for reasonable security controls, based on B2 − B1 < (P × H)1 − (P × H)2.
Jennifer L. Urban, CIPP/US
Foley & Lardner LLP
Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor
HALOCK Security Labs