PCI DSS Compliance and Security: Harmony or Discord?
Page 1: PCI DSS Compliance and Security: Harmony or Discord?



Today’s Agenda

• The evolving threat and compliance landscape

• How to use compliance as a catalyst for developing and implementing an effective security program

• The six critical elements to PCI DSS compliance

• How to go beyond PCI DSS and secure critical information



Today’s Speakers


Chris Merritt, Director of Solution Marketing, Lumension

Michael Rasmussen, Risk & Compliance Advisor, Corporate Integrity, LLC

William Bell, Director of Information Systems, EC Suite


The Evolving Threat and Compliance Landscape


Slide 5 © 2010, Corporate Integrity, LLC www.Corp-Integrity.com

The Evolving Threat Landscape

• 85% of attacks were not considered highly difficult

• Web application vulnerabilities continue to be the attack vector of choice

• Cybercriminals used stolen account logons in 38% of successful data breaches, accounting for 86% of the records compromised

Source: Verizon, 2010 Data Breach Investigations Report


Are you focused only on what you see?

“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”

E.J. Smith, Captain of the Titanic

[Figure labels: Risk Awareness; Risk Ignorance]


Silos Lead to Greater IT Risk

• A reactive and siloed approach to IT GRC is a recipe for disaster and leads to:

– Lack of visibility. A reactive approach to risk and compliance leads to siloed initiatives that never see the big picture.

– Wasted and/or inefficient use of resources. Silos of risk and compliance lead to wasted resources.

– Unnecessary complexity. Varying risk and compliance approaches introduce greater complexity to the business environment.

– Lack of flexibility. Complexity drives inflexibility: the organization cannot adapt to the dynamic business environment in which it operates.

– Vulnerability and exposure. A reactive approach leads to greater exposure and vulnerability.


Compliance & Security: Harmony or Discord?

• PCI DSS provides payment card data protection requirements.

• However, compliance and security are not the same:

– An organization can be compliant and still experience a security breach, and can also be non-compliant and maintain a secure infrastructure.

• What is the value of compliance?

– Use it as a catalyst for implementing effective security measures.

– This requires an understanding of the principles behind the requirements, not just adherence to minimum requirements.

– Security is more than a list of checkboxes — it involves a holistic approach and processes to protect the organization.

– Compliance standards such as PCI DSS provide a foundation for achieving security, but by themselves they do not adequately protect the organization.


A grim view of the current state…

Source: Open Compliance & Ethics Group


Big Picture of Compliance

OBJECTIVES: strategic, operational, customer, process, and compliance objectives.

BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives.

MANDATED BOUNDARY: boundary established by external forces including laws, government regulation and other mandates.

VOLUNTARY BOUNDARY: boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies.

[Figure labels: Opportunities; Obstacles]

Source: Open Compliance & Ethics Group


Components of Compliance & Data Protection

[Figure: component wheel]

• Inform & Integrate

• Detect & Discern

• Organize & Oversee

• Assess & Align

• Monitor & Measure

• Prevent & Promote

• Respond & Resolve

Source: Open Compliance & Ethics Group


Sample IT Risk Assessment Process


6 Critical Elements to Achieve Economies in PCI DSS Compliance & Beyond


6 Economies of PCI DSS Compliance & Beyond


1 - Agility

• Ensure continuous compliance:

– Full ongoing discovery of the IT environment, its information and technology assets.

– Understand where cardholder data is stored and who has access.

– Automatically assess the network and the devices that connect to it.

– Automate IT risk assessment to provide structure around collecting evidence for compliance controls.

– Enforce policy for software updates, security patches and standardized configurations.

– Flexibility to handle unique needs and requirements.


2 - Consistency

• Streamline compliance workflows and processes:

– Comprehensive inventory and management of IT systems that store, communicate, transmit and interact with cardholder data.

  • Consolidated console for visibility of physical and virtual environments.

  • IT asset management: applications, databases, servers, networks, data centers, people and processes.

– Continuously monitor compliance and IT risk postures and enforce a mandatory baseline for systems interacting with cardholder data.

– Add, create, define, edit and import/export security configurations and checklists.

– Normalize common controls across standard and regulatory requirements into a single control.


3 - Efficiency

• Automate compliance and security processes:

– Address multiple management needs through a single compliance architecture.

– Maximum organizational and IT flexibility with automated enforcement, saving both time and effort by IT staff.

– Implement standard configuration checklists with a repository of software vulnerabilities, which provides context to properly maintain security and control of cardholder data.

– Automate risk-profile analysis to save time over manual risk-analysis practices.


4 - Transparency

• Ensure visibility of IT risk across the organization:

– Provide harmonization of compliance controls across a range of mandates.

– Understand the holistic risk of cardholder data that flows among multiple information systems, processes, and departments.

  • Collect device, security and configuration information to provide consolidated visibility for system owners.

  • Provide a global view of vulnerability status for all organization assets with an at-a-glance understanding of risk and system status.

– Document changes and demonstrate progress toward audit and compliance requirements. Be fully prepared for PCI DSS QSA audits, with relevant information ready for auditors.


5 - Accountability

• Ensure no stones are left unturned:

– Complete view of PCI DSS compliance covering specific assets, requirements, and organization systems/processes.

– Constant audit readiness through centralized and automated collection of vulnerability assessments.

– Workflow-based surveys to ensure accountability for procedural and physical controls.

– Stakeholder surveys to determine the business impact of risk scenarios that compromise the confidentiality, integrity and availability (CIA) of cardholder data.

– Risk-based analysis of IT posture to enable drill-down on suspicious behavior for further investigation.

– Information system and role-based reporting and administration.

– Comprehensive reporting to management and authorities at a moment’s notice.


6 - Security

• Ensure continuous security policy enforcement:

– Identify controls that enhance security of cardholder data while meeting PCI DSS compliance requirements.

– Assess threats, vulnerabilities, patch status, security configurations, installed software and hardware inventory.

– Remediate software and endpoints that store, transmit, and interact with cardholder data.

– Automate enforcement of malware protection and endpoint security.

– Quickly respond to issues, with visibility across the organization’s information systems environment.

– Continuously monitor security policies, particularly when new information, processes, and technology assets that interact with cardholder data are added.


PCI Compliance, Security & Beyond

• Go beyond securing credit cardholder data and enforce policies to protect all critical information:

– Discover, inventory, and categorize information systems

– Monitor vulnerability exposure and PCI DSS compliance

– Remediate and maintain compliance to PCI DSS

– Manage security configurations across all endpoints

– Control removable device use and enforce data encryption

– Streamline overlapping technical and procedural controls across compliance obligations

– Maintain trusted application use on information systems

– Enforce compliance with evolving requirements

– Enable reporting and monitoring of PCI DSS compliance and your entire IT risk posture


Panel Discussion and Q&A


Conclusion


Resources and Tools

• Whitepapers

» 6 Critical Elements to Achieving Economical PCI DSS Compliance

» Reducing Your Cost to Achieve PCI DSS Compliance with Lumension

» Shift Happens: The Evolution of Application Whitelisting

• Other Resources

» EC Suite ROI Case Study

» Podcasts, Videos, Webcasts, eBooks

» On-Demand Demos

» Scanners

• Product Software Evaluations

» Virtual Environment

» Full Software Download



Global Headquarters

8660 East Hartford Drive

Suite 300

Scottsdale, AZ 85255

1.888.725.7828


blog.lumension.com