The Difference Between Being Secure And Being Compliant

John Bedrick - AccuCode

Transcript (14 pages)

Page 1: The Difference Between Being Secure And Being Compliant

John Bedrick - AccuCode

Page 2

Agenda

• About AccuCode
• Which is Worse?
• Unlocking the Security Taxonomy
• Security versus Compliance
• How much security is enough?
• What happens if …?
• Closing Thoughts
• AO:Compliance
• Next Steps
• Questions and Answers

Page 3

AccuCode the Company

• Founded 1995
• VAR, Professional & Managed Services, Commercial Software Products
• National leader in: retail systems, security & compliance, wireless networking, mobile computing, bar code & RFID technologies
• Fastest Growing Privately Held Company in the U.S.
• Trusted Advisor Delivering Guaranteed Outcomes

Page 4

AccuCode Customers & Partners

AccuCode has hundreds of customers & thousands of end-users!

Partners | Manufacturing | Retail | Transportation

Page 5

Illusion versus Reality

Which is Worse?

Page 6

Unlocking the Security Taxonomy

PEOPLE

Page 7

Security Versus Compliance (NOT a complete list)

CHECKLIST, with SECURITY and COMPLIANCE columns:

• Perimeter Locked Down (e.g., Firewalls, Routers, Wireless, etc.)
• DMZ in use for outward-facing systems (e.g., e-Commerce systems)
• Web servers protected
• Database systems protected
• Internal Network partitioned
• Network devices/systems protected (e.g., Anti-Virus, IDS/IPS, Firewall, UTM)
• Access Control measures in place
• All Operating Systems and Applications are kept updated and patched
• Computers protected (e.g., Anti-Virus, HIPS, Firewall, File integrity, White Lists)
• Important Data is protected (e.g., CHD, PII, Financials, Health records, IP, etc.)
• Layered Approach for protection is in place
• Monitoring, Logging and Alerting systems in place
• All applications and data Backed-up and Encrypted
• Disaster Recovery measures in place
• Policies and Procedures created and in place
• Physical Locations protected and locked down tight

Page 8

How Much Security Is Enough?

• Step 1 – Determine the Assets you need to protect.
• Step 2 – Determine how much those Assets are worth (to you and to someone else).
• Step 3 – Determine the level of Risk you are willing to live with.
• Step 4 – Decide how much you are willing to spend to protect those Assets, based on the level of Risk you have determined to accept.
• Step 5 – Implement Security measures based on the above. (Answer: It's never enough!)
• Step 6 – Repeat as often as needed or whenever things change.

Threat word cloud: Spyware, Malware, Adware, Viruses, Worms, Rootkits, Trojans, Bot Nets, Spam, Hackers, Phishing, Social Engineering

Page 9

What Happens If …?

• you have a breach and you were compliant, but not "secure"?
  – Determined on a case-by-case basis, and also by State-specific privacy laws.
• someone breaks into your business and steals your servers and/or back-up systems (drives, tapes, paper records, etc.)?
  – Were appropriate protection measures being used at the time? Disaster recovery?
• your phone or mobile device (e.g., tablet) is lost or stolen?
  – Is there sensitive data stored on the phone/device? Can you remotely "wipe" it?
• a "vendor" is at fault?
  – Did you "check out" the vendor and double-check their work?
• an employee is "duped" (social engineering) or assists a criminal?
  – Was the employee trained in the proper policies and procedures?
  – Did you "hire right", and was the employee "checked out" prior to hiring?
• there was nothing more that could've been done, it just happened?
  – There's always more that could be done.
  – Did you determine the appropriate level of risk and secure appropriately?

Page 10

Closing Thoughts

• Security is a journey, not a destination. But it's also a race.
• Implementing proper levels of security requires careful analysis of risk versus implementation.
• Well thought out security requires layers of protection all working together.
• There are NO guarantees of being 100% secure.
• Being PCI compliant is far better than not being compliant; it's a step in the right direction for becoming more secure.
• Hire reputable security/compliance experts to help you. Don't get into a position of the "blind leading the blind".

Page 11

AO:Compliance and Next Steps

Page 12

AO:Compliance Makes PCI Compliance as Easy as:

1. Assess & Analyze
2. Close GAPs
3. Stay Compliant

Page 13

Next Steps, If You Need Help

AccuCode and our partners are ready to assist you with getting and staying PCI Compliant.

• Go to the AO:Compliance website to find out more information about our compliance and security offerings: www.aocompliance.com
• Contact Us: [email protected]

If you need help with other technology issues, AccuCode can also assist you with that.

• Visit the AccuCode website for more information about our other products and services: www.accucode.com

PCI Standards: https://www.pcisecuritystandards.org/

Page 14

Questions and Answers