Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required, by contract with the card brands, of any company that processes, stores, or transmits payment card data. It is also rapidly becoming a de facto industry standard demanded of other businesses whose customers are concerned about information theft.

Launched to protect credit card information taken by merchants and ecommerce sites, PCI compliance is now showing up as a requirement in RFPs from corporations outsourcing data to SaaS/Cloud Computing companies.

For the largest merchants and service providers, an on-site assessment by a certified Qualified Security Assessor (QSA) is required. Smaller organizations can complete a Self-Assessment Questionnaire (SAQ), but may need a QSA's help to assess their situation accurately and close any compliance gaps.

The costs of getting it wrong can be huge if your company suffers a data breach. Costs for PR, legal, IT forensics and damage to customer relationships can dwarf the costs of creating a secure data environment and processes.

We recommend getting help from a certified QSA even if you are not required to do so. They know the detailed requirements and alternate solutions to your gaps. While many security companies focus on large clients with large security budgets, boutique security firms such as Moyo Group can be of great value to midsize companies with modest budgets. Working with a QSA who also has IT architecture and operations experience will provide much more bang for your buck.

For further information or to arrange a free assessment, contact Marc Manuel at 408-550-8066, mmanuel@moyogroup.com.

The CEO of an internet marketing company recently called me with an urgent concern. An employee defected to a competitor and he was suspicious about the theft of valuable intellectual property. The company has a large software development staff and has developed significant proprietary IP.

We checked the email server logs and found that a number of messages with large attachments had been sent by this employee just before giving notice. However, the employee had deleted the messages from the mailbox right after sending them, so by the time the nightly backup ran there was no copy of the message bodies or attachments; the logs showed only that large messages had gone out, not what they contained. The company was left without proof that IP had been stolen, though it certainly looked suspicious. It also became clear that employees knew how to cover their tracks and send information out of the company without getting caught.

It occurred to me that this must be happening all the time, especially now that employee turnover is rising with the recovering economy. What can companies do to protect themselves from this misuse of IP?

We made the company aware of cost-effective solutions they could put in place quickly to address these concerns.

  • Email archiving – copies of all messages are kept off site for an extended period – these are streamed to an archive, rather than just having a daily snapshot taken with the backup system.
  • Data Leakage Protection (DLP) – a relatively low-cost way to encrypt designated directories and block sensitive content from leaving via email, FTP, or USB sticks unless explicitly permitted. An audit trail of all activity on these files is kept.
  • Directory permissions – employees are given access to information on a need-to-know basis. Group directory policies are clear and automatically enforced by role.
  • Security Policies
    • Password policies – no security policy will work if passwords are shared between people freely or if they are easy to guess.
    • Confidential information policies – employees need to know what is confidential and what the company expects. Lawyers often say that courts will not protect your rights if you have not taken reasonable efforts to do it yourself.
    • IP tracking policies – All new and existing sensitive content is marked as such and subject to encryption and special tracking rules by the security system.
  • Employee Communication – Employees are made aware of company policies and that measures have been put in place to prevent unauthorized copying or sending of IP. They also know that all activities related to these files are tracked, keeping honest people honest.
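The investigation above stalled because the mail logs showed only that large messages went out, not what was in them; the archive closes that gap, but the logs alone are still enough to raise an alert before the employee is out the door. The following is an added example, not code from Moyo Group or from the company in the story: it parses a constructed mail log (a hypothetical "from= to= size=" format, not any real mail server's) and flags a sender whose volume of mail to external addresses in the last week is far above that sender's own prior baseline, then lists where those bytes went. The domain, addresses, sizes and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "from= to= size=" format
# (not any real mail server's log format). Sizes are in bytes.
SAMPLE_LOG = """\
2009-11-02T09:14:02 from=jdoe@example.com to=alice@example.com size=21504
2009-11-02T11:30:45 from=jdoe@example.com to=partner@vendor.example size=184320
2009-11-03T10:02:11 from=jdoe@example.com to=bob@example.com size=10240
2009-11-09T17:42:10 from=jdoe@example.com to=jdoe.home@webmail.example size=8421312
2009-11-09T17:44:31 from=jdoe@example.com to=jdoe.home@webmail.example size=12582912
2009-11-09T17:51:07 from=jdoe@example.com to=jdoe.home@webmail.example size=9437184
2009-11-09T18:01:19 from=asmith@example.com to=client@customer.example size=524288
2009-11-10T08:15:00 from=asmith@example.com to=carol@example.com size=4096
"""

# Assumed point in time the example is evaluated at (the day the employee gave notice).
EXAMPLE_NOW = datetime(2009, 11, 10, 23, 59, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) size=(?P<size>\d+)$"
)


def parse_log(text):
    """Parse log text into a list of records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "sender": m["sender"].lower(),
            "rcpt": m["rcpt"].lower(),
            "size": int(m["size"]),
        })
    return records


def is_external(addr, internal_domain):
    """True if the address is outside the company's own mail domain."""
    return not addr.endswith("@" + internal_domain.lower())


def external_bytes_by_sender_day(records, internal_domain):
    """Sum bytes per sender per calendar day, counting only mail that left the company."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        if is_external(r["rcpt"], internal_domain):
            totals[r["sender"]][r["ts"].date()] += r["size"]
    return totals


def flag_bulk_senders(records, internal_domain, now, window_days=7,
                      min_bytes=20 * 1024 * 1024, ratio=10.0):
    """Flag senders whose outbound-external volume in the last window_days is at
    least min_bytes and at least `ratio` times their average prior active day.
    A sender with no prior external mail at all is flagged on volume alone."""
    totals = external_bytes_by_sender_day(records, internal_domain)
    cutoff = (now - timedelta(days=window_days)).date()
    flagged = {}
    for sender, per_day in totals.items():
        recent = sum(b for d, b in per_day.items() if d >= cutoff)
        prior = [b for d, b in per_day.items() if d < cutoff]
        baseline = sum(prior) / len(prior) if prior else 0.0
        if recent >= min_bytes and (baseline == 0.0 or recent >= ratio * baseline):
            flagged[sender] = {"recent_bytes": recent, "baseline_daily_bytes": baseline}
    return flagged


def external_recipients(records, sender, internal_domain, since):
    """Where a flagged sender's bytes went since `since`: [(recipient, bytes)], largest first."""
    by_rcpt = defaultdict(int)
    for r in records:
        if (r["sender"] == sender.lower() and r["ts"].date() >= since
                and is_external(r["rcpt"], internal_domain)):
            by_rcpt[r["rcpt"]] += r["size"]
    return sorted(by_rcpt.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hits = flag_bulk_senders(recs, "example.com", EXAMPLE_NOW)
    since = (EXAMPLE_NOW - timedelta(days=7)).date()
    for sender, info in hits.items():
        print(f"{sender}: {info['recent_bytes']} bytes out in the last 7 days "
              f"(prior daily average {info['baseline_daily_bytes']:.0f})")
        for rcpt, nbytes in external_recipients(recs, sender, "example.com", since):
            print(f"  -> {rcpt}: {nbytes} bytes")
```

Run with Python 3.7 or later (for `datetime.fromisoformat`). The check is deliberately per-sender rather than a single company-wide size limit: a salesperson who mails large proposals every day should not trip it, while a developer whose outbound volume jumps from kilobytes to tens of megabytes in one evening should. The recipient breakdown is what turns the alert into something a manager can act on the same day, before the mailbox copies are gone.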

Management now knows that reasonable efforts have been put in place to safeguard their IP. They have peace of mind knowing that disgruntled employees are restricted from misusing company information and that accidental violations of these policies are blocked or flagged rather than succeeding silently.

If you’ve found interesting solutions to security concerns we’d love to hear from you. We are always looking for cost-effective solutions for our clients.

As a sponsor for the Cleantech Open organization, Moyo Group congratulates the California category finalists and National Prize winner of the 2009 business competition. The following companies were honored at the annual awards gala at San Francisco’s Masonic Center. We look forward to their success and helping them on their way.

EcoFactor – National Prize Winner
SaaS application for managing residential energy consumption over the web. www.ecofactor.com

Micromidas – Air, Water and Waste Category
Conversion of biomass into biodegradable plastics. www.micromidas.com

Alphabet Energy – Energy Efficiency Category
Commercializing a disruptive, low-cost thermoelectric technology that captures wasted industrial energy and converts it into electricity.
www.alphabetenergy.com

tru2earth – Green Building Category
Manufacturing roofing materials made from recycled PET (water/soda bottle) plastic that are energy-efficient and cradle-to-cradle recyclable. www.tru2earth.com

Armageddon Energy – Renewables Category
Manufacturing a packaged retail residential rooftop solar energy system that is attractive, affordable, and easy to install.
www.armageddonenergy.com

FuelSaver Technologies – Transportation Category
Shape-changing technology that increases fuel efficiency in long-haul vehicles such as tractor-trailer trucks and buses.
www.fuelsavertechnologies.com