Info Security & PCI(original)


Page 1: Info Security & PCI(original)

Skeletal Elements of your Organization’s IT Systems

Deter, Detect and Defend Against Data Breaches

Information Security Program &

Payment Card Industry Data Security(PCI DSS)

Compliance for Your Business

Page 2: Info Security & PCI(original)

Security and Compliance: Not Synonymous

• Regulatory Compliance helps to improve Security

• Improved Security helps to achieve Compliance

Page 3: Info Security & PCI(original)

77 Million Users and 10 Million Credit Card Accounts Compromised

Losses ???

Millions of Names and Email Addresses of over 2,500 Major Companies

Consequences??

Page 4: Info Security & PCI(original)

94 Million Compromised Accounts

83 Million Dollars in Losses

4 Million Compromised Accounts

Hundreds of Compromised Accounts

50,000+ Credit Card Transactions Processed Yearly

20,000+ Credit Card Numbers

Page 5: Info Security & PCI(original)

The High Cost of Data Breaches

Average Cost Per Record Breached $204

Average Cost Per Breach $6.75 million

Range of Total Cost Per Breach $750,000 to almost $31 million

Source: Ponemon Institute, Fourth Annual Cost of Data Breach Study, January 2009

Page 6: Info Security & PCI(original)

Essential Elements of a Successful Information Technology Security Program

Page 7: Info Security & PCI(original)

COBIT Standards Risk Assessment

• Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1996.

• Proactively identify IT related risks that require mitigation strategies, including anticipating future regulatory and external reporting expectations.

• Aid in the overall IT Governance Activities and support the business’s operational risk initiatives.

Page 8: Info Security & PCI(original)

Management Benefits

• Sound business decisions are based on timely, relevant and concise information.

• Decision making is more effective because COBIT aids management in:
  o Defining a Strategic IT Plan
  o Defining the Information Architecture
  o Acquiring the necessary IT hardware and software to execute an IT strategy
  o Ensuring Continuous Service (BCP/DR)
  o Monitoring the Performance of the IT systems
  o Providing a foundation upon which IT related Decisions and Investments can be based

• The COBIT Executive Summary consists of an Executive Overview which provides a thorough awareness and understanding of COBIT's key concepts and principles.

Page 9: Info Security & PCI(original)

Auditors' Benefits

• Helps identify IT control issues within a company’s IT infrastructure

• Corroborates their audit findings

• COBIT is the framework used by most companies to comply with Sarbanes-Oxley.

Page 10: Info Security & PCI(original)

End Users' Benefits

• Assurance that the IT applications that aid in the gathering, processing, and reporting of information comply with a recognized standard

• Implies controls and security are in place to govern the IT processes

Page 11: Info Security & PCI(original)

COBIT's Four Domains

• Planning and Organization
• Acquisition and Implementation
• Delivery and Support
• Monitoring

Page 12: Info Security & PCI(original)

Plan and Organize

• Covers the use of technology and how best it can be used in a company to help achieve the company’s goals and objectives.

• Highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.

Page 13: Info Security & PCI(original)

Control Objectives for the Planning & Organization Domain

PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization & Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims & Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Page 14: Info Security & PCI(original)

Acquire and Implement

• Identifying IT requirements, Acquiring the Technology, and Implementing it within the company’s current business processes.

• Addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.

Page 15: Info Security & PCI(original)

Control Objectives for the Acquire & Implement Domain

AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Page 16: Info Security & PCI(original)

Delivery and Support

• Execution of the applications within the IT system

• The support processes that enable the effective and efficient execution of the IT systems

• Support processes include security issues and training

Page 17: Info Security & PCI(original)

Control Objectives for the Delivery & Support Domain

DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Page 18: Info Security & PCI(original)

Monitor and Evaluate

• Deals with a company’s strategy in assessing the needs of the company, whether or not the current IT system still meets the objectives for which it was designed, and the controls necessary to comply with regulatory requirements.

• Covers the independent assessment, by internal and external auditors, of the effectiveness of the IT system in meeting business objectives and of the company’s control processes.

Page 19: Info Security & PCI(original)

Control Objectives for the Monitor & Evaluate Domain

ME1 Monitor and Evaluate IT Processes
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance

Page 20: Info Security & PCI(original)

Further Information:

Information Systems Audit and Control Association

(ISACA)

http://www.isaca.org

Page 21: Info Security & PCI(original)

Annual Security Reporting

• Introduction
  o Brief Synopsis of IT Security Yearly Activities

• IT Security Activities
  o Policy/Standards Developments
  o Security Hardware and/or Software Implementations

• Next Year’s IT Security Goals

• COBIT Internal Risk Assessment

Page 22: Info Security & PCI(original)

Information Security Policy

• Purpose
• Objectives
• Development and Implementation
• Responsibility
• Assessment and Management of Risk
• Protection and Destruction of Sensitive Information
• Monitoring, Testing & Updating of the Information Security Program
• Monitoring of the Information Security Program
• Overseeing Service Provider Arrangements
• Annual Status Reporting and Policy Review

Page 23: Info Security & PCI(original)

Safeguarding Customer Information Policy

• Policy Statement
• Statement of Responsibilities
• Computer Security
• Physical Security
• Copyrights and License
• Monitoring
• Violations

Page 24: Info Security & PCI(original)

Access Control Policy

• User Access Management
• Access Control Rules
• Access Control Request Form
• File System Control
• Login Banner Notices

Page 25: Info Security & PCI(original)

Data Classification, Retention and Disposal Policy

• Sensitivity Guidelines
• Sensitive Information Retention & Disposal Guidelines
• Credit Card Information Retention & Disposal Guidelines

Page 26: Info Security & PCI(original)

Intrusion Response Plan

• Incident Severity
• Incident Declaration
• Document Recovery Steps
• Analyze the Intrusion
• Recover from the Intrusion
• Intrusion Response Checklist

Page 27: Info Security & PCI(original)

Unauthorized Access to Customer Information Plan

• Customer Notice
• Incident Declaration
• Response Program
• Recovery Steps
• Sample Call Staff Instructions
• Sample Call Staff Telephone Script Instructions
• Customer Call Record Form
• Suggested Communication to Regulators
• Sample Customer Notification Letter
• Identity Theft Bureaus & Agencies
• Assessment of Unauthorized Access to Sensitive Customer Information
• Incident Response Log

Page 28: Info Security & PCI(original)

Additional Items

• Password Policy
  o Compliance Requirements
  o Password Integrity Guidelines
  o Password Protection Standards
  o Employee Acknowledgment

• Vendor Management Program
  o Risk Assessment & Mitigation
  o Request for Proposal
  o Due Diligence
  o Implementation

Page 29: Info Security & PCI(original)

Further Information & Sample Policies/Guidelines:

Systems And Network Security

http://www.sans.org

National Institute of Standards and Technology(NIST)

www.nist.gov

Page 30: Info Security & PCI(original)

Payment Card Industry Data Security(PCI DSS)

Compliance for Your Business

Page 31: Info Security & PCI(original)

A Security Breach and Subsequent Compromise of Cardholder Data could have far-reaching Consequences for Your Business including:

• Regulatory Notification Requirements
• Loss of Reputation
• Loss of Customers
• Potential Financial Liabilities (Regulatory and Other Fines and Fees)
• Litigation

Page 32: Info Security & PCI(original)

Compliant Organizations Experience Fewer Breaches

• 32% of Compliant Organizations Never Had a Breach vs. 12% of Non-Compliant Organizations

• 69% of Compliant Organizations Reported at Least One Breach vs. 88% of Non-Compliant Organizations

Page 33: Info Security & PCI(original)

We all can help to Deter, Detect and Defend against ID Theft with these 5 easy steps:

Take Stock – Know Where the Info Is

Scale Down – Keep Only What is Needed

Lock It – Protect the Info We Do Keep

Pitch It – Properly Dispose of What We Don’t

Plan Ahead – Create a Plan to Respond to a Breach

Page 34: Info Security & PCI(original)

does not manage compliance programs and does not impose any consequences for non-compliance.

may have their own compliance initiatives, including financial or operational consequences to certain businesses that are not compliant.

Page 35: Info Security & PCI(original)

The Road to PCI DSS Compliance is dependent on the Merchant Level & Self Assessment Questionnaire (SAQ) Validation Types

Page 36: Info Security & PCI(original)

Merchant Levels based on Credit Card Transactions Processed

• Level 1 – Over 6,000,000 per year
• Level 2 – 1,000,000 to 6,000,000 per year
• Level 3 – 20,000 to 1,000,000 per year
• Level 4 – Fewer than 20,000 per year

Page 37: Info Security & PCI(original)

Self Assessment Questionnaire (SAQ) Validation Types

Page 38: Info Security & PCI(original)

SAQ A

• Card Not Present Merchants
• All cardholder data functions outsourced
• Never applies to face to face merchants
• 13 Questions & Attestation

Page 39: Info Security & PCI(original)

SAQ B

• Imprint Only Merchants
• No electronic cardholder data storage
• Standalone dial-out terminal merchant with no data storage
• 29 Questions & Attestation

Page 40: Info Security & PCI(original)

SAQ C-VT

• Merchants with web based virtual terminals

• No electronic cardholder data storage

• 51 Questions & Attestation

Page 41: Info Security & PCI(original)

SAQ C

• Merchants with Payment Applications connected to Internet

• No electronic cardholder data storage

• 40 Questions & Attestation

Page 42: Info Security & PCI(original)

SAQ D

• All Merchants not included in other SAQ descriptions

• All service providers defined by payment brand as eligible to complete a SAQ

• 288 Questions & Attestation

Page 43: Info Security & PCI(original)

Security Requirements for PCI DSS Compliance

Requirement 1   Install & Maintain Firewall Configuration to protect CHD       SAQ C,D
Requirement 2   Change All Default Passwords & Security Parameters              SAQ C,D
Requirement 3   Protect Stored CHD                                              SAQ B,C,D
Requirement 4   Encrypt Transmission of CHD across Public Networks              SAQ B,C,D
Requirement 5   Use & Regularly Update Anti-Virus Software                      SAQ C,D
Requirement 6   Develop & Maintain Secure Systems/Applications                  SAQ C,D
Requirement 7   Restrict CHD Access to Business Need-to-Know                    SAQ B,C,D
Requirement 8   Assign Unique ID for each person w/computer access to CHD       SAQ C,D
Requirement 9   Restrict Physical Access to CHD                                 SAQ A,B,C,D
Requirement 10  Track & Monitor Access to Network Resources & CHD               SAQ C,D
Requirement 11  Regularly Test Security Systems/Processes                       SAQ C,D
Requirement 12  Maintain Information Security Policy                            SAQ A,B,C,D

Page 44: Info Security & PCI(original)

Prioritized Approach to Pursue PCI DSS Compliance

1. Remove Sensitive Authentication Data and Limit Data Retention (Requirements 1, 3, 9)

2. Protect the Perimeter, Internal and Wireless Networks (Requirements 1, 2, 4, 5, 11, 12)

3. Secure Payment Card Applications (Requirements 2, 6)

4. Monitor and Control Access to Systems (Requirements 7, 8, 10, 11)

5. Protect Stored Cardholder Data (Requirements 3, 9)

6. Finalize remaining Compliance Efforts and Ensure all Controls are in Place (Requirements 1, 6, 10, 11, 12)

Page 45: Info Security & PCI(original)

https://www.pcisecuritystandards.org/documents/Prioritized_Approach_PCI_DSS_version1_2.xls

Prioritized Approach to Pursue PCI DSS Compliance Tool

Page 46: Info Security & PCI(original)

PCI Compliance in its simplest form is: if you don’t need the cardholder data, then don’t store it; if you store it, you must protect it.
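The principle above, as an added Python example that is not part of the slide deck: before a card record is persisted it drops sensitive authentication data (CVV, track data, PIN block), drops the PAN entirely when there is no business need to keep it, and otherwise truncates it to the first six and last four digits; it also scans application log lines for unmasked PANs using a Luhn check, so that "Take Stock – Know Where the Info Is" can be verified rather than assumed. The record layout (pan/expiry/cvv keys), the log format and the sample lines are constructed assumptions, not data from the deck.

```python
"""Cardholder data minimisation and unmasked-PAN detection.

Added example, not part of the slide deck. Assumed (not stated on the
slides): a card record is a dict with 'pan', 'expiry', 'cvv' keys and
application logs are plain text lines.
"""
import re

# Sensitive authentication data: never stored after authorisation (PCI DSS Req. 3).
SENSITIVE_AUTH_FIELDS = ("cvv", "track1", "track2", "pin_block")

# A run of 13-19 digits, optionally separated by spaces or dashes, that is not
# embedded in a longer digit run (so timestamps and long ids are skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits):
    """Luhn check-digit validation for a 13-19 digit string."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan):
    """Keep only the first six and last four digits; the rest is replaced by '*'."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def minimize_card_record(record, need_pan_for_business):
    """Return the subset of a card record the application may persist.

    Sensitive authentication data is always dropped; the PAN is dropped when
    there is no business need for it and truncated otherwise.
    """
    kept = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    if "pan" in kept:
        if need_pan_for_business:
            kept["pan"] = truncate_pan(kept["pan"])
        else:
            del kept["pan"]
    return kept


def find_unmasked_pans(log_lines):
    """Detection: (line number, truncated PAN) for every Luhn-valid digit run found."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_valid(digits):
                hits.append((n, digits[:6] + "..." + digits[-4:]))
    return hits


# Constructed sample data; the card numbers are the well-known public test PANs.
SAMPLE_RECORD = {"pan": "4111 1111 1111 1111", "expiry": "12/12",
                 "cvv": "123", "name": "Sample Customer"}
SAMPLE_LOG = [
    "2009-01-15 10:02:11 INFO checkout ok order=20090115000123",
    "2009-01-15 10:02:12 DEBUG auth request pan=4111 1111 1111 1111 exp=12/12",
    "2009-01-15 10:02:13 INFO settlement batch 5500000000000004 approved",
    "2009-01-15 10:03:00 INFO masked pan=411111******1111",
]

if __name__ == "__main__":
    print(minimize_card_record(SAMPLE_RECORD, need_pan_for_business=True))
    print(minimize_card_record(SAMPLE_RECORD, need_pan_for_business=False))
    for line_no, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {line_no}: unmasked PAN {masked}")
```

Run stand-alone it reports lines 2 and 3 of the constructed log (a DEBUG line echoing a full PAN and a settlement line), while the 14-digit order number on line 1 is ignored because it fails the Luhn check and the already-masked PAN on line 4 never forms a 13-digit run. The Luhn filter keeps the scanner from flooding a SIEM with every long number in the logs, which is the usual reason naive "16 digits in a row" rules get disabled.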

Page 47: Info Security & PCI(original)

Further Information on:

• Complete PCI DSS Specification
• Prioritized Approach Guidance & Tool
• Other Supporting Tools and Documentation

http://www.pcisecuritystandards.org

Page 48: Info Security & PCI(original)

Questions??