1. PCI DSS Compliance and Security:Harmony or Discord?
2. Todays Agenda
The evolving threat and compliance landscape
How to use compliance as a catalyst for developing and implementing an effective security program
The six critical elements to PCI DSS compliance
How to go beyond PCI DSS and secure critical information
3. Todays Speakers Chris Merritt Director of Solution Marketing Lumension Michael Rasmussen Risk & Compliance Advisor Corporate Integrity, LLC William Bell Director of Information Systems EC Suite
4. The Evolving Threatand Compliance Landscape
5. The Evolving Threat Landscape
85% of attacks werenotconsidered highly difficult
Web application vulnerabilitiescontinue to be the attack vector of choice
Cybercriminals usedstolen account logonsin 38% of successful data breaches, accounting for 86% of the records compromised
Source: Verizon, 2010 Data Breach Investigations Report
6. Are you focused only on what you see? Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof! E.J. Smith, Captain of the Titanic Risk Awareness Risk Ignorance
7. Silos Lead to Greater IT Risk
A reactive and siloed approach to IT GRC is a recipe for disaster and leads to . . .
Lack of visibility.A reactive approach to risk and compliance leads to siloed initiatives that never see the big picture.
Wasted and/or inefficient use of resources.Silos of risk and compliance lead to wasted resources.
Unnecessary complexity. Varying risk and compliance approaches introduce greater complexity to the business environment.
Lack of flexibility. Complexity drives inflexibility - the organization is not agile to the dynamic business environment it operates in.
Vulnerability and exposure. A reactive approach leads to greater exposure and vulnerability.
8. Compliance & Security:Harmony or Discord?
PCI DSS provides payment card data protection requirements
However, compliance and security are not the same
An organization can be compliant and still experience a security breach,and can also be non-compliant and maintain a secure infrastructure.
What is the value of compliance?
Use as a catalyst for implementing effective security measures
Requires an understanding of the principles behind the requirements, not just adherence to minimum requirements.
Security is more than a list of checkboxes it involves a holistic approach and processes to protect the organization.
Compliance standards such as PCI DSS provide a foundation for achieving security, but by itself it does not adequately protect the organization.
9. A grim view of the current state Source: Open Compliance & Ethics Group
10. Big Picture of Compliance OBJECTIVES strategic, operational, customer, process, compliance objectives BUSINESS MODEL strategy, people, process, technology and infrastructure in place to drive toward objectives MANDATED BOUNDARY boundary established by external forces including laws, government regulation and other mandates. VOLUNTARY BOUNDARY boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies. OPPORTUNITIES OPPORTUNITIES OPPORTUNITIES Source: Open Compliance & Ethics Group OBSTACLES
11. Components of Compliance& Data Protection Source: Open Compliance & Ethics Group INFORM & INTEGRATE DETECT & DISCERN ORGANIZE & OVERSEE ASSESS & ALIGN MONITOR & MEASURE PREVENT & PROMOTE RESPOND & RESOLVE
12. Sample IT Risk Assessment Process
13. 6 Critical Elements to Achieve Economiesin PCI DSS Compliance & Beyond
14. 6 Economies of PCI DSS Compliance & Beyond
15. 1 - Agility
Ensure continuous compliance:
Full ongoing discovery of the IT environment, its information and technology assets.
Understand where cardholder data is stored and who has access.
Automatically assess the network and devices that connect to it.
Automate IT risk-assessment to provide structure around the collecting evidence for compliance controls.
Enforce policy for software updates, security patches and standardized configurations.
Flexibility to handle unique needs and requirements.
16. 2 - Consistency
Streamline compliance workflows and processes:
Comprehensive inventory and management of IT systems that store, communicate, transmit and interact with cardholder data.
Consolidated console for visibility of physical and virtual environments.
IT asset management - applications, databases, servers, networks, data centers, people and processes.
Continuously monitor compliance and IT risk postures and enforce mandatory baseline for systems interacting with cardholder data.
Add, create, define, edit and import/export security configurations and checklists.
Normalize common controls across standard and regulatory requirements into a single control.
17. 3 - Efficiency
Automate compliance and security processes:
Address multiple management needs through a single compliance architecture.
Maximum organizational and IT flexibility with automated enforcement, saving both time and effort by IT staff.
Implement standard configuration checklists with a repository of software vulnerabilities, which provides context to properly maintain security and control of cardholder data.
Automate risk-profile analysis to save time over manual risk-analysis practices.
18. 4 - Transparency
Ensure visibility of IT risk across the organization:
Provide harmonization of compliance controls across a range of mandates.
Understand the holistic risk of cardholder data that flows among multiple information systems, processes, and departments.
Collect device, security and configuration information to provide consolidated visibility for system owners.
Provide a global view of vulnerability status for all organization assets with an at-a-glance understanding of risk and system status.
Document changes and demonstrate progress toward audit and compliance requirements. Be fully prepared for PCI DSS QSA audits, with relevant information ready for auditors.
19. 5 - Accountability
Ensure no stones are left unturned:
Complete view of PCI DSS compliance covering specific assets, requirements, and organization systems/processes.
Constant audit readiness through centralized and automated collection of vulnerability assessments.
Workflow-based surveys to ensure accountability for procedural and physical controls.
Stakeholder surveys to determine the business impact of risk scenarios that compromise the CIA of cardholder data.
Risk-based analysis of IT posture to enable drill down on suspicious behavior for further investigation.
Information system and role-based reporting and administration.
Comprehensive reporting to management and authorities at a moments notice.
20. 6 - Security
Ensure continuous security policy enforcement:
Identify controls that enhance security of cardholder data while meeting PCI DSS compliance requirements.