Risk Register is a tool that we use in the risk management process. It is nothing but a repository or a simple table that lists all identified risks and related information about each listed risk. There are many different tools that can act as risk registers from comprehensive GRC and project management software suites to simple spreadsheets or even a hand-written table. The effectiveness of mentioned tools depends on the way of implementation and the organization’s size, culture and complexity.

The main intent to use the risk register is identifying and tracking potential risks in an organization. Mostly to fulfill…

1. Cardholder Data Environment

Finding where PCI DSS controls/safeguards are required and which system needs to be protected are the principal keys of success in executing PCI DSS compliance. Many organizations still have problems to figure out which systems are in PCI DSS scope and which systems are not. This guideline provides guidance to help organizations identify the systems that, at a minimum, need to be included in the scope of PCI DSS.

Before start talking about this subject, we have to be familiar with the following terms and acronyms:

CHD — Cardholder data SAD — Sensitive authentication data CDE — Cardholder data environment…


  • 23 NYCRR 500 aka NYDFS Cybersecurity Regulation is a set of regulations from the New York Department of Financial Services (NYDFS) that places new cybersecurity requirements on all covered financial institutions.
  • Banks, insurance companies, and companies that do business in New York must now assess their cyber risks, implement a comprehensive, written cybersecurity program, as well as manage the cyber risks of their third-party vendors. The groundbreaking regulation holds company board members personally liable for annual compliance certification.
  • The rules were released on February 16th, 2017 after two rounds of feedback from industry and the public. …

In general, attestation means approval and providing evidence that something is true.

In Identity and Access Management (IAM), Access Attestation is an ongoing review and confirmation process that helps out organization reduces risk by granting users the right access to data, systems and/or applications, evaluating the risk associated with that access and reviewing access deemed as risky or inappropriate.

Access attestation is generally required by obligations and/or compliance reasons. It is also considered a good business practice. In a large environment where lots of changes are made to user accounts on a regular basis, it is hard to track such…

SOC 2 is one of the more common compliance requirements that tech companies should meet today to be competitive in the market. SOC stands for Service and Organization Controls, is introduced by AICPA and is based on the Trust Services Criteria (explained later). Each Trust Services Criteria (TSC) is divided into some Points of Focus which can be a security control or a combination of some security controls or linked to one or some security controls.

You can find all required TSCs and their Points of Focus in this pdf document on AICPA website. First 52 pages are TSCs for…

I was recently asked as a Subject Matter Expert (SME) for determining a maturity level on PCI DSS program for a business. My answer to that question was that I have some benchmarks based on my previous experience and these are the factors that I usually consider to determine the status and level of the maturity for its PCI compliance program:

1. Low

Organization identifies and knows the problems

a. Processing, transmission and storage of card holder data are identified and documented. Internal and External (e.g. …

Surveys of IT leaders find that security certifications are increasingly important in today’s enterprise environments. The two most popular certification issuers that are recognized widely in infosec industry are ISC2 (which issues CISSP, CCSP, SSCP, …) and ISACA (which is famous for its CISA, CISM and CRISC). Both are independent nonprofits and they call themselves vendor-neutral.

If you pass the CRISC exam, you will prove you are an expert in how to challenge both IT and enterprise risk management. Being certified in CRISC may help your organization on how to implement and align effective risk management and control frameworks and…

List of all documents that we have to prepare based on PCI DSS 3.2.1:

  1. Security policy
  2. Risk assessment and risk analysis process
  3. Diagram or a documented inventory of cardholder data locations
  4. Up-to-date list of devices and system components that are in scope for PCI DSS
  5. Current network diagram that identifies all connections between the CDE and other networks
  6. Current data-flow diagram that shows all cardholder data flows across systems and networks
  7. List of services, protocols and ports that that are necessary for business
  8. Configuration standards (system hardening standards) for all system components in PCI scope
  9. Data retention and disposal policies…

PCI DSS is an information security standard for organizations and companies that handle credit cards from Visa, MasterCard, American Express, Discover and JCB. PCI DSS is mandated by the card brands and administered by a council called Payment Card Industry Security Standards Council. PCI DSS is designed to put some kind of security safeguards around cardholder data in order to reduce credit card fraud. Validation of compliance is performed annually. It can be done by a Qualified Security Assessor aka QSA or by Self Assessment Questionnaire aka SAQ.

It has 12 requirements (based on the latest version as of today…

TLS and its predecessor, SSL are cryptographic protocols to provide communication security (confidentiality and integrity in some cases and non-repudiation in other cases) over a network.

In one-way TLS, or regular TLS, the X.509 server certificate is created by a CA that the client can trust when wants to connect. Public Key Infrastructure (PKI) is responsible for trust management and distribution of the certificate(s). Certificate Authorities (CAs) play a very important role in PKI. An X.509 certificate is nothing but some information about the server and the public key of the server that is digitally signed by a CA.


Ben Pournader

Information Security Expert, Cyber Security Engineer, Blogger, Mentor, PCI SME, CISM, CISA, CRISC, RHCSA, MCSE, CCNA, MBA, PMP, CLSSGB

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store