The Difference Between Being Secure And Being Compliant
John Bedrick - AccuCode
Agenda
• About AccuCode
• Which is Worse?
• Unlocking the Security Taxonomy
• Security versus Compliance
• How much security is enough?
• What happens if…?
• Closing Thoughts
• AO:Compliance
• Next Steps
• Questions and Answers
AccuCode the Company
• Founded 1995
• VAR, Professional & Managed Services, Commercial Software Products
• National leader in: retail systems, security & compliance, wireless networking, mobile computing, bar code & RFID technologies
• Fastest Growing Privately Held Company in the U.S.
• Trusted Advisor Delivering Guaranteed Outcomes
AccuCode Customers & Partners
AccuCode has hundreds of customers & thousands of end-users!
Partners (slide graphic): Manufacturing, Retail, Transportation
Illusion versus Reality
Which is Worse?
Unlocking the Security Taxonomy
People
Security Versus Compliance (NOT a complete list)
Checklist (slide columns: Security | Compliance)
• Perimeter Locked Down (e.g., Firewalls, Routers, Wireless, etc.)
• DMZ in use for outward-facing systems (e.g., e-Commerce systems)
• Web servers protected
• Database systems protected
• Internal Network partitioned
• Network devices/systems protected (e.g., Anti-Virus, IDS/IPS, Firewall, UTM)
• Access Control measures in place
• All Operating Systems and Applications are kept updated and patched
• Computers protected (e.g., Anti-Virus, HIPS, Firewall, File integrity, White Lists)
• Important Data is protected (e.g., CHD, PII, Financials, Health records, IP, etc.)
• Layered Approach for protection is in place
• Monitoring, Logging and Alerting systems in place
• All applications and data Backed-up and Encrypted
• Disaster Recovery measures in place
• Policies and Procedures created and in place
• Physical Locations protected and locked down tight
How Much Security Is Enough?
• Step 1 – Determine the Assets you need to protect.
• Step 2 – Determine how much those Assets are worth (to you and to someone else).
• Step 3 – Determine the level of Risk you are willing to live with.
• Step 4 – Decide how much you are willing to spend to protect those Assets, based on the level of Risk you have determined to accept.
• Step 5 – Implement Security measures based on the above. (Answer: It’s never enough!)
• Step 6 – Repeat as often as needed or whenever things change.
Threats (slide graphic): Spyware, Malware, Adware, Viruses, Worms, Rootkits, Trojans, Bot Nets, Spam, Hackers, Phishing, Social Engineering
What Happens If…?
• you have a breach and you were compliant, but not “secure”?
– Determined on a case-by-case basis, and also by State-specific privacy laws.
• someone breaks into your business and steals your servers and/or back-up systems (drives, tapes, paper records, etc.)?
– Were appropriate protection measures being used at the time? Disaster recovery?
• your phone or mobile device (e.g., tablet) is lost or stolen?
– Is there sensitive data stored on the phone/device? Can you remotely “wipe” it?
• a “vendor” is at fault?
– Did you “check out” the vendor and double-check their work?
• an employee is “duped” (social engineering) or assists a criminal?
– Was the employee trained in the proper policies and procedures?
– Did you “hire right”, and was the employee “checked out” prior to hiring?
• there was nothing more that could’ve been done – it just happened?
– There’s always more that could be done.
– Did you determine the appropriate level of risk and secure appropriately?
Closing Thoughts
• Security is a journey, not a destination. But it’s also a race.
• Implementing proper levels of security requires careful analysis of risk versus implementation.
• Well-thought-out security requires layers of protection all working together.
• There are NO guarantees of being 100% secure.
• Being PCI compliant is far better than not being compliant – it’s a step in the right direction for becoming more secure.
• Hire reputable security/compliance experts to help you.
– Don’t get into a position of the “blind leading the blind”.
Next Steps
AO:Compliance Makes PCI Compliance as Easy as:
1. Assess & Analyze
2. Close GAPs
3. Stay Compliant
Next Steps, If You Need Help
AccuCode and our partners are ready to assist you with getting and staying PCI Compliant.
• Go to the AO:Compliance website to find out more about our compliance and security offerings: www.aocompliance.com
• Contact Us: [email protected]
If you need help with other technology issues, AccuCode can assist you with that as well.
• Visit the AccuCode website for more information about our other products and services: www.accucode.com
PCI Standards: https://www.pcisecuritystandards.org/
Questions and Answers