Thursday, June 30, 2022

The Zen of Python by Tim Peters... Applied to standards.

Not all regulations, standards, and security practices are the same. Some have too little detail, and some have too much detail. Some have great clarity and focus, and others are all over the place. 

See how beautifully this applies to the standards community. This should be read before every standards meeting...! 

The Zen of Python, by Tim Peters

Beautiful is better than ugly.

Explicit is better than implicit.

Simple is better than complex.

Complex is better than complicated.

Flat is better than nested.

Sparse is better than dense.

Readability counts.

Special cases aren't special enough to break the rules.

Although practicality beats purity.

Errors should never pass silently.

Unless explicitly silenced.

In the face of ambiguity, refuse the temptation to guess.

There should be one-- and preferably only one --obvious way to do it.

Although that way may not be obvious at first unless you're Dutch.

Now is better than never.

Although never is often better than *right* now.

If the implementation is hard to explain, it's a bad idea.

If the implementation is easy to explain, it may be a good idea.

Namespaces are one honking great idea -- let's do more of those!

Thursday, June 23, 2022

PCI DSSv4 Spreadsheet Format

PCI DSSv4 Spreadsheet Format!

Source: Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards

Available hereBlog Downloads ( 

Direct Link: HERE


It can be helpful to have the PCI Data Security Standard content in a spreadsheet format to facilitate learning and the creation of related artifacts and mappings. I've provided this for other versions and now have an updated PCI DSS version 4 in a similar format to facilitate learning about the standard's content. This format helps me absorb and structure (yes - an active verb) a large amount of information quickly. I've learned that I'm wired differently than others - and this is what works for me. 

I'm a fan of what the PCI Standards Security Council has created with the DSS. They have had a significant impact on the overall security posture of many organizations because of their output.


The tabs in the spreadsheet contain: 

  • Original Content: Keeps tables in the same organization as the original. All text is retained. 
  • Nested Content: Recognizes the intentional nesting of content. All text is retained. 

Example given:                                 

  • X.Y is used as a top-level control descriptor for the items under it and never has a testing procedure.  
  • X.Y.Z is used as the primary control descriptor which always has a testing procedure

Nested Content is therefore: 

Gartner’s Top Cybersecurity Predictions 2022-23

 Tags: Gartner; Risk Management; Predictions

Source: Gartner Unveils the Top Eight Cybersecurity Predictions for 2022-23

Relevance: Cyber security risk management runs as a central theme throughout each of these predictions.

  • Formal risk management critical thinking and processes have been central to peer conversations for more than 10 years. It’s now time to bring quantitative and qualitative measurement and evaluation into business decisions regarding controls that protect critical assets. We do this to protect our business.
  • Just as importantly, perhaps more so, risk management must be part of product security decision making. We do this to protect our customers… which protects our business.

Gartner recommends that cybersecurity leaders build the following strategic planning assumptions into their security strategies for the next two years.

  1. Through 2023, government regulations requiring organizations to provide consumer privacy rights will cover 5 billion citizens and more than 70% of global GDP.

As of 2021, almost 3 billion individuals had access to consumer privacy rights across 50 countries, and privacy regulation continues to expand. Gartner recommends that organizations track subject rights request metrics, including cost per request and time to fulfill, to identify inefficiencies and justify accelerated automation.

  1. By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor’s SSE platform.

With a hybrid workforce and data everywhere accessible by everything, vendors are offering an integrated security service edge (SSE) solution to deliver consistent and simple web, private access and SaaS application security. Single-vendor solutions provide significant operational efficiency and security effectiveness compared with best-of-breed solutions, including tighter integration, fewer consoles to use, and fewer locations where data must be decrypted, inspected and re-encrypted.

  1. 60% of organizations will embrace Zero Trust as a starting point for security by 2025. More than half will fail to realize the benefits

The term zero trust is now prevalent in security vendor marketing and in security guidance from governments. As a mindset — replacing implicit trust with identity- and context-based risk appropriate trust — it is extremely powerful. However, as zero trust is both a security principle and an organizational vision, it requires a cultural shift and clear communication that ties it to business outcomes to achieve the benefits.

  1. By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.

Cyberattacks related to third parties are increasing. However, only 23% of security and risk leaders monitor third parties in real time for cybersecurity exposure, according to Gartner data. As a result of consumer concerns and interest from regulators, Gartner believes organizations will start to mandate cybersecurity risk as a significant determinant when conducting business with third parties, ranging from simple monitoring of a critical technology supplier to complex due diligence for mergers and acquisitions.

  1. Through 2025, 30% of nation states will pass legislation that regulates ransomware payments, fines and negotiations, up from less than 1% in 2021.

Modern ransomware gangs now steal data as well as encrypt it. The decision to pay the ransom or not is a business-level decision, not a security one. Gartner recommends engaging a professional incident response team as well as law enforcement and any regulatory body before negotiating.

  1. By 2025, threat actors will have weaponized operational technology environments successfully to cause human casualties.

Attacks on OT – hardware and software that monitors or controls equipment, assets and processes – have become more common and more disruptive. In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft, according to Gartner.

  1. By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coinciding threats from cybercrime, severe weather events, civil unrest and political instabilities.

The COVID-19 pandemic has exposed the inability of traditional business continuity management planning to support the organization’s response to a large-scale disruption. With continued disruption likely, Gartner recommends that risk leaders recognize organizational resilience as a strategic imperative and build an organization-wide resilience strategy that also engages staff, stakeholders, customers and suppliers.

  1. By 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts

Most boards now regard cybersecurity as a business risk rather than solely a technical IT problem, according to a recent Gartner survey. As a result, Gartner expects to see a shift in formal accountability for the treatment of cyber risks from the security leader to senior business leaders.