Mobilizing The PCI Resistance: Lessons Learned From Previous Wars (SOX-404) Gene Kim, CISA CTO, Tripwire @realgenekim, http://www.realgenekim.me #BSidesLV 2010
Page 1: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Mobilizing The PCI Resistance: Lessons Learned From Previous Wars (SOX-404)

Gene Kim, CISA
CTO, Tripwire

@realgenekim, http://www.realgenekim.me
#BSidesLV 2010

Page 2: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
Page 3: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Problem Definition

• Success of any PCI DSS compliance initiative is very dependent on accurate definition and scoping of the Cardholder Data Environment.

• There is a wide variance in practice, experience and guidance in the merchant and QSA community.

• These contribute to scoping errors that result in:
  – Overly narrow scope that jeopardizes cardholder data
  – Overly broad scope that adds unnecessary cost and effort for compliance
  – Decreased confidence in and frustration with the PCI DSS standard

Page 4: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

What This Really Means

• Incredible amount of discontent and growing disenchantment with PCI DSS

• Complaints that DSS is too specific or too vague

• Like Michelle Klinger, I have a love/hate relationship with PCI DSS
  – The reach of PCI DSS is awesomely breathtaking, and is relevant to all PII
  – But in the worst case, it's a total waste of time, at enormous cost to the organization

Page 5: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Agenda

• Describe the problems around SOX-404

• What we did about it at the Institute of Internal Auditors
  – The GAIT concepts, politics, tools and outcomes

• Show how we can use this as a model to change the state of the practice around PCI DSS

• Share with you the best formulation of the plan I have

• Get your help improving the plan

• And ideally…
  – Share my biggest a-ha moments from the GAIT experience
  – Excite you enough to do something about it
  – Tell you some interesting stories

Page 6: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Holy Crap. This Looks Familiar!

Page 7: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

www.theiia.org

The Problem

• The IT portions of SOX-404 compliance have frustrated auditors and management
  – Significant key controls reside inside IT and IT processes as well as in the business processes
  – No well-established guidance for scoping IT work results in inconsistency and the process being overly subjective
  – Sometimes results in overly broad scope and excessive testing costs
  – Significant risks to financial assertions may be left unaddressed
  – Suboptimal use of scarce resources

Page 8: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c


Why Is There A Problem?

• No clear guidance exists to define how IT processes and activities can invalidate financial application processing or financial assertions
  – COSO provides an accepted construct for defining overall internal control objectives, assertions, risks and controls, but its application to the IT environment is ambiguous
  – COBIT doesn’t provide a clear mechanism to scope IT processes and controls to the achievement of specific internal control objectives (e.g., the COSO objective for internal control over financial reporting)

• Something else is needed…

Page 9: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c


“OMG. 952 IT Deficiencies?!?”

Page 10: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c


Vision: Create Equivalence to Nine Firm Document on IT Control Exceptions

GAIT takes the approach used in the nine firm document.

GAIT represents the upfront scoping exercise to appropriately identify the IT controls work relevant to overall internal control objectives.

Chart 3: Evaluating Information Technology General Control (ITGC) Deficiencies, “A Framework for Evaluating Control Exceptions and Deficiencies” (December 20, 2004)

Page 11: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

© 2004 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in the U.S.A.

What were/are people worried about?

IT controls dominate the deficiencies, significant deficiencies, and material weaknesses identified through the S-O 404 assessment.The estimated percentage of deficiencies identified show IT controls accounting for the most (34 percent), followed distantly by revenue (13 percent), procure to pay (10 percent), and fixed assets (10 percent). 

The estimated percentage of significant deficiencies identified again shows IT controls leading the way (23 percent), followed by financial reporting and close (14 percent), procure to pay (13 percent), and revenue (12 percent).  

The estimated percentages of material weaknesses identified include IT controls (27 percent), revenue (18 percent), taxes (11 percent), and financial reporting and close (10 percent).  It is important to note that the results presented here are based on self-reporting by the companies that participated in the survey. Conclusions may be affected by the differing methods companies use to report on various elements of Sarbanes-Oxley compliance.

Holy cow!!! Enron wasn’t caused by a DBA. So, why are the auditors digging here?? --gk

Page 12: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

February 2006, Corporate Finance

PROBLEMS & CHALLENGES

[Chart: IT vs. non-IT comparison, % of effort and % of deficiencies (0% to 100%), bars for IT and Non-IT]

Disproportionate share: compliance effort, deficiencies, non-finance apps.

Financial statement impact: indirect linkage, least likely impact.

Business & IT integration.

[Chart: applications in scope, % financial apps vs. non-financial apps (0% to 100%)]

Again, holy cow!!! If the risk isn’t in IT, then auditors are not only generating effort, but finding deficiencies that don’t matter… --gk

Page 13: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Why We Knew There Was A Better Way

• All the work using Chart 3 is linking controls to risks that actually mattered
  – COSO describes objectives, risks, controls and assertions
  – COBIT is an exhaustive list of controls

• This is called scoping, which is critical to getting the right outcomes
  – Comes before control design, implementation and testing

Page 14: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Thought Experiment

• Auditors vs. Management

• We can agree that there are two extremes in the spectrum of financial reporting risk
  – eBay auction settlement business process
  – Grain elevators

• Extremes are easy… Middle is hard…

Page 15: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

PCI Scoping Exercises (Show Your Work!)

• Question 1: Is the Cardholder Data Environment (CDE) equivalent to the PCI Scope of Assessment?

• Question 2: Is a domain controller (e.g., Windows Active Directory server) that is being relied upon by CDE applications for authentication and security services in the PCI Scope Of Assessment?

• Question 3: How about a domain controller (e.g., Windows Active Directory server) that is not relied upon by any CDE applications?

• Question 4: Is a network attached stapler that happens to be on the same network segment as a CDE system component always also in the CDE?

• Question 5: Does it matter whether the workstation a customer service representative uses is a thin client or a thick client?

• Question 6: When should it be acceptable for a virtualization hypervisor hosting a production application in the CDE to also host another VM without that VM being part of the CDE?

• Question 7: If you have a domain controller that is not in the CDE, but in the scope of PCI assessment, is a print server on the same network segment as that domain controller also in the scope of PCI assessment?

• Bonus Exercise: For each of the questions where you answered "in scope of the PCI assessment," describe a strategy to contain the scope, such that systems connected to that system are not in scope. (See Michelle Klinger's great post on the "PCI Contagion Dilemma.")

Page 16: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

SOX-404 Value Network: Primary Constituencies

Page 17: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

What Does PCI Value Network Look Like?

Page 18: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c


Language Is Often An Obstacle

• In Newton’s time, there were no concrete terms for several critical concepts:
  – Force, acceleration, mass, inertia

• In the following slide, note how difficult it was for Newton to frame the “three laws of motion” without these concepts…

Page 19: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c


Early Drafts Of Three Laws Of Motion

• 1. If a quantity once move it will never rest unless hindered by some externall cause.

• 2. A quantity will always move on in the same straight line (not changing the determination nor celerity of its motion) unless some externall cause divert it.

• 3. There is exactly so much required and no more force to reduce a body to rest as there was to put it upon motion.

• Axiom 100: A body once moved will always keep the same celerity, quantity and determination of its motion

• Axiom 103: ...as the body (a) is to the body (b0), so must the power of efficacy vigor strength or virtue of the cause which begets the same quantity of velocity

Source: Isaac Newton, James Gleick.

Page 20: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c


Benchmarks

• Pythagorean theorem: 24 words
• Archimedes' Principle: 67 words
• Newton’s Three Laws Of Motion: 91 words
• The 10 Commandments: 179 words
• GAIT Proposed Principles v3.0: 168 words
• The Gettysburg Address: 286 words
• The Declaration of Independence: 1,300 words
• GAIT Principles v1.3: 6,856 words
• GAIT Methodology v2.2: 11,348 words
• The US Government regulations on the sale of cabbage: 26,911 words

Page 21: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Solution: GAIT…

• Released in Feb 2007, establishes four principles that
  – Define the relevance of IT infrastructure elements to financial reporting integrity
  – Define the three types of IT processes that can affect them: change management and systems development, operations and security
  – Define an end-to-end process view of these three processes
  – Define an approach to defining objectives and key controls within those three processes

• Provides a methodology and thinking process that continues the top down, risk based approach started in AS2 to scope IT general controls

• Provides a common context for management and auditors to support and test management’s assessment that the necessary IT controls exist and are effective
  – Initial target is internal control objectives for financial reporting, but should extend to operating effectiveness and complying with laws and regulations (as defined by COSO)

Page 22: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

GAIT Principle #1

• The only IT infrastructure elements (e.g., databases, operating systems, networks) relevant to ITGC assessment are those that support financially-significant applications and data.

(“What are the relevant IT infrastructure elements?”)

Page 23: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

GAIT Principle #2

• The IT processes primarily relevant to ITGC assessment are those that directly impact the integrity of financially-significant applications and data:

  – Change management and systems development: the processes around developing, implementing, and maintaining financially significant applications and supporting IT infrastructure

– Operations management: the processes around managing the integrity of production data and program execution

– Security management: the processes around limiting access to information assets

(“What are the relevant end-to-end IT processes?”)

Page 24: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

GAIT Principle #3

• Implications to the reliability of financially-significant applications and data, including controls, are based upon the achievement or failure of IT process objectives, not the design and operating effectiveness of the individual controls within those processes.

(“What are the relevant objectives of those IT processes? In other words, we shouldn’t get carried away when reaching a conclusion when testing a control.”)

Page 25: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

GAIT Principle #4

• Key controls in the three IT processes are identified based on:
  – Inherent risk of not achieving the IT process objectives
  – IT process risk indicators

(“How do we select key controls within those IT processes?”)

Page 26: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

GAIT Scoping: Step By Step

[Flowchart: the AS2 top-down steps, followed by the steps GAIT adds]

AS2 begins here:
  – Identify key financial statement captions
  – Identify the general ledger accounts related to the key financial statement accounts (significant accounts)
  – Identify key transaction processes that affect the general ledger accounts
  – Identify and understand related business processes
  – Identify and understand applications and modules that support financially relevant business processes
  – Analyze the risks within the integrated business process (identify risks)
  – Identify manual & automated controls & key functionality within the process that mitigate the risks (identify key controls)

GAIT starts here:
  – Identify IT infrastructure elements which support the application (the rest of the stack)
  – Identify and understand infrastructure that supports the business processes
  – Evaluate the risks related to (and within) the IT processes which manage the infrastructure & apps
  – Identify IT entity level elements and the demonstrated maturity of the process
  – Evaluate overall entity level controls
  – Validate IT entity level controls

Page 27: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

GAIT Tools

• Scenarios
  – Online auction settlement process (high IT)
  – Rebate approval process (med IT)
  – Option expensing process (low IT)

• Ask Dr. GAIT

Page 28: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

GAIT Evolution

• GAIT-R for Business Risk

Page 29: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Conclusions and Lessons Learned, Continued

► Improved audit comment wording helps to connect to things management cares about:

• “We noted poor change control procedures and were unable to obtain comfort that all changes were authorized and tested as required”

-- vs. --

• “Poor change control practices introduced the risk of unauthorized or untested changes to key data such as annual threshold amounts for toxic chemical releases. Given the level of precision applied to reviewing the final report downstream, it is unlikely management would detect such errors. Our testing disclosed numerous “break/fix” changes had been made to code or data without supervisory review and approval or notifying the users.”

Page 30: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

GAIT Evolution

• Elements of GAIT were incorporated into PCAOB AS-5

• GAIT-R for Business Risk
  – To me, it's the first really well thought out way of linking IT to any COSO internal control objective
  – Unlike ITIL and COBIT, it helps focus on what matters
  – Which is very much unlike PCI…

• The Integrated Auditing Project (“Magic Glasses”)

Page 31: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Wait, You’re Lowering The PCI Bar!

• Until you get scoping right, you can't raise the bar

• Unless you correctly identify the scope of the PCI assessment, any work on the controls is potentially wasted

Page 32: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

My PCI Mission And Crusade

• Create guidance to be able to scope correctly

• Enable a risk based way to not only scope, but to evaluate controls
  – Prioritized PCI DSS is a disappointment
  – What controls for the PCI Scope of Assessment?

• But to earn the right to do all of this, we must enable correct scoping first

Page 33: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Participants

• Leads
  – Kent Fox (Intermountain Healthcare)
  – Brandon Green (T-Mobile)
  – Gretchen Forsyth (Southwest Airlines)
  – Mike Dahn (Verizon)
  – Tabitha Greiner (Verizon)
  – Ian White (Verizon)
  – James Summers (Nike)

Page 34: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Extend Concepts In PCI DSS

PCI DSS 1.2, page 4: “System components” are defined as any network component, server, or application that is included in or connected to the cardholder data environment.

Page 35: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Before vs. After

• Before: Prior to creating a structured method, we needed over 40 hours to come to a scoping conclusion.

• After: With the model under development, we generated consensus on 15 scoping conclusions in less than 2 hours.

Page 36: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Proposed Deliverables

• Define and deliver the following, in a manner that clarifies and supports the spirit and intent of protecting cardholder data:
  – Scoping principles
  – A structured scoping methodology
  – A library of scoping scenarios demonstrating its usage for educational and clarification purposes

• Create useful tools and guidance that will assist in the scoping effort for both merchants and QSAs.

Page 37: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Decision Tree

Page 38: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Proposed Timeline

• Submit a set of guidance to the PCI SSC for approval before the PCI Community meeting in September 2010

• Desired outcome:
  – PCI SSC and Board of Advisors agree with the problem and its significance, and have confidence in the approach
  – Assign a staff member to validate the guidance and integrate it into the PCI practice

Page 39: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Also TODO

• Identify attributes of effective segmentation to contain PCI contagion
  – Encrypted PIN device
  – Citrix Thin Client
  – Virtualization

• Where necessary, fix the words “segment” and “connected to”
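As an added illustration (not code from the talk or from the scoping working group), the Python below applies the DSS 1.2 “system components” definition quoted above to a constructed inventory built around the scoping exercises on page 15, and shows how the reading of “connected to” and the presence of segmentation decide where PCI contagion stops. The inventory, the firewall rules, the one-hop versus transitive readings, and the assumption that a permitted cross-segment flow counts as “connected to” are all assumptions of this example, not positions taken by the talk.

```python
from collections import deque

# Constructed inventory (an assumption of this example, not from the talk).
# Each system records its network segment and whether it stores, processes
# or transmits cardholder data (CHD); comments map systems to the questions.
SYSTEMS = {
    "pos-app":      {"segment": "cde-net",    "handles_chd": True},
    "card-db":      {"segment": "cde-net",    "handles_chd": True},
    "stapler":      {"segment": "cde-net",    "handles_chd": False},  # Question 4
    "dc-cde":       {"segment": "corp-net",   "handles_chd": False},  # Question 2
    "print-server": {"segment": "corp-net",   "handles_chd": False},  # Question 7
    "dc-other":     {"segment": "office-net", "handles_chd": False},  # Question 3
    "hr-app":       {"segment": "office-net", "handles_chd": False},
}
# Hosts on one segment talk freely; across segments only the host-to-host flows
# the segmentation device permits exist. Assumed rules: the CDE applications
# may authenticate to dc-cde, nothing else crosses a segment boundary.
ALLOWED_FLOWS = {("pos-app", "dc-cde"), ("card-db", "dc-cde")}

def neighbours(systems, flows, name):
    """Systems `name` is connected to: same segment, or a permitted flow."""
    seg = systems[name]["segment"]
    out = {n for n, s in systems.items() if n != name and s["segment"] == seg}
    for a, b in flows:
        if a == name:
            out.add(b)
        elif b == name:
            out.add(a)
    return out

def classify(systems=SYSTEMS, flows=ALLOWED_FLOWS, transitive=False):
    """Map each system to CDE, CONNECTED_TO or OUT_OF_SCOPE.
    transitive=False reads DSS 1.2 literally: in scope means in the CDE or
    directly connected to it. transitive=True is the "PCI contagion" reading:
    everything reachable from the CDE is in scope, so only a segmentation
    boundary with no permitted flows stops the spread."""
    cde = {n for n, s in systems.items() if s["handles_chd"]}
    connected, seen, queue = set(), set(cde), deque(cde)
    while queue:
        for nb in neighbours(systems, flows, queue.popleft()):
            if nb not in seen:
                seen.add(nb)
                connected.add(nb)
                if transitive:          # keep walking only under contagion
                    queue.append(nb)
    return {n: "CDE" if n in cde else "CONNECTED_TO" if n in connected
            else "OUT_OF_SCOPE" for n in systems}

def scope_of_assessment(systems=SYSTEMS, flows=ALLOWED_FLOWS, transitive=False):
    """Scope of assessment: the CDE plus everything connected to it."""
    return sorted(n for n, c in classify(systems, flows, transitive).items()
                  if c != "OUT_OF_SCOPE")

if __name__ == "__main__":
    for transitive in (False, True):
        label = "contagion" if transitive else "literal"
        print(f"{label:9} scope: {scope_of_assessment(transitive=transitive)}")
    # Bonus exercise: contain the stapler by moving it onto its own segment.
    moved = {n: dict(s) for n, s in SYSTEMS.items()}
    moved["stapler"]["segment"] = "printer-net"
    print("stapler after segmentation:", classify(moved)["stapler"])
```

Under the literal reading the print server stays out of scope because it is two hops from the CDE; under the contagion reading it is pulled in through dc-cde, and only the segmentation boundary keeps office-net out in either case.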

Page 40: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Next Up: Scoping Category vs. Control Consideration

[Matrix: rows are Control Considerations, columns are Scoping Category]

Scoping Category: 1a: CDE/CHD | 1b: CDE | 2a: Connected To | 2b: Connected To | 2c: Connected To | 3: Out Of Scope

Control Considerations: ?????

Page 41: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Next: Alternate Control Procedures

• Create a framework to evaluate alternate control procedures -- for that you need risk
  – Right now, PCI is 220+ control activities: create the framework to state what the control objectives are, so you can evaluate whether the objective is being met

• COSO construct
  – Objective, risk, control objective
  – THEN control activities and controls!

Page 42: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Top A-Ha Moments

• Auditors rock: they have a comprehensive vocabulary that we need – otherwise, we’re stuck in Flatland

• We need more people who can see the sphere

• Auditors have seen the dead people longer than anyone

• These auditors will eventually go crazy, and need friends

• After a long detour into IT operations and audit, I’m returning to information security, in the guise of compliance

Page 43: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

We Can Change The State Of The Practice

• It’s an important problem

• There are models we can replicate

• Do you want to get involved?

Page 44: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

My New Twins

Page 45: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

My Last Day At Tripwire

Page 46: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

What I’m Working On

• 50% with my family

• 50% on
  – When IT Fails: The Novel
  – Figure out the methods, procedures and tools needed to enable the transformation
  – Collaborate with communities of practice to help mobilize these transformations
    • BSides, DevOps, ITIL, IIA, SEI

Page 47: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

When IT Fails: The Novel: Day 1

• Steve Masters, CEO

• Dick Landry, CFO

• Parts Unlimited: $4B revenue/year

Page 48: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

When IT Fails: The Novel: Day 2

• Bill Palmer, VP IT Operations (new)
  – Wes Davis, Director, Distributed Systems
  – Patty McKee, Director, Support and Process Improvement

Page 49: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

When IT Fails: The Novel: Day 3

• Norman Merz, Chief Audit Executive

• John Kirkland, CISO

Page 50: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

When IT Fails: The Novel: Day 4

• Chris Anderson, VP Application Development

• Sarah Moulton, SVP Retail Products

• The outsourcing sales rep

Page 51: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

When IT Fails: The Novel: Day 10

• The Deployment

Page 52: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

When IT Fails: The Novel: The Two Critical Projects

• Project Phoenix: designed to close the gap with the retail competition: $20M project

• Project Argo: designed to integrate POS systems with accounting systems to reduce time to close books, manufacturing order-to-cash, restock intervals