Upload
laura-perry
View
347
Download
1
Tags:
Embed Size (px)
DESCRIPTION
by Jill Van Hoesen
Citation preview
Skeletal Elements of your Organization’s
IT Systems
Deter, Detect and Defend Against Data Breaches
Information Security Program &
Payment Card Industry Data Security (PCI DSS)
Compliance for Your Business
Security and ComplianceSecurity and ComplianceNot SynonymousNot Synonymous
Regulatory Compliance Regulatory Compliance helps to improve Securityhelps to improve Security
Improved Security helps to Improved Security helps to achieve Complianceachieve Compliance
77 Million Users
10 Million Credit Card Compromised Accounts
Losses ???
Millions of Names and Email Addresses of over 2,500
Major Companies
Consequences??
94 Million Compromised Accounts
83 Million Dollars in Losses
4 Million Compromised Accounts
100’s of Compromised Accounts
50,000+ Credit Card Transactions
Processed Yearly
20,000+ Credit Cards Numbers
The High Cost of Data The High Cost of Data BreachesBreaches
Average Cost Per Record Breached Average Cost Per Record Breached $204$204
Average Cost Per Breach Average Cost Per Breach $6.75 million$6.75 million
Range of Total Cost Per BreachRange of Total Cost Per Breach$750,000 to almost $31 million$750,000 to almost $31 million
Source: Ponemon Institute, Fourth Annual Cost of Data Breach Study, January 2009Source: Ponemon Institute, Fourth Annual Cost of Data Breach Study, January 2009
Essentials Elements of a Essentials Elements of a Successful Information Successful Information
Technology Security ProgramTechnology Security Program
COBIT Standards Risk COBIT Standards Risk Assessment Assessment
Control Objectives for Information and related Control Objectives for Information and related Technology (COBIT) is a set of best practices Technology (COBIT) is a set of best practices (framework) for information (IT) management (framework) for information (IT) management created by the Information Systems Audit and created by the Information Systems Audit and Control Association (ISACA), and the IT Control Association (ISACA), and the IT Governance Institute (ITGI) in 1996. Governance Institute (ITGI) in 1996.
Proactively identify IT related risks that require Proactively identify IT related risks that require mitigation strategies, including anticipating future mitigation strategies, including anticipating future regulatory and external reporting expectations. regulatory and external reporting expectations.
Aid in the overall IT Governance Activities and Aid in the overall IT Governance Activities and support the business’s operational risk initiatives. support the business’s operational risk initiatives.
Sound business decisions are based on timely, Sound business decisions are based on timely, relevant and concise information. relevant and concise information.
Decision making is more effective because COBIT Decision making is more effective because COBIT aids management in: aids management in: Defining a Strategic IT PlanDefining a Strategic IT Plan Defining the Information Architecture Defining the Information Architecture Acquiring the necessary IT hardware and software to Acquiring the necessary IT hardware and software to
execute an IT strategyexecute an IT strategy Ensuring Continuous Service (BCP/DR)Ensuring Continuous Service (BCP/DR) Monitoring the Performance of the IT systemsMonitoring the Performance of the IT systems Provides a foundation upon which IT related Decisions Provides a foundation upon which IT related Decisions
and Investments can be basedand Investments can be based COBIT Executive Summary consists of an COBIT Executive Summary consists of an
Executive Overview which provides a thorough Executive Overview which provides a thorough awareness and understanding of COBIT's key awareness and understanding of COBIT's key concepts and principles. concepts and principles.
Management Benefits
Helps identify IT control issues Helps identify IT control issues within a company’s IT within a company’s IT infrastructureinfrastructure
Corroborate their audit findingsCorroborate their audit findings COBIT is the framework used by most COBIT is the framework used by most
companies to comply with Sarbanes-companies to comply with Sarbanes-Oxley.Oxley.
Auditors Benefits
Assurance that the IT applications Assurance that the IT applications that aid in the gathering, processing, that aid in the gathering, processing, and reporting of information comply and reporting of information comply with a recognized standard with a recognized standard
Implies controls and security are in Implies controls and security are in place to govern the IT processes place to govern the IT processes
End Users Benefits
COBIT's Four DomainsCOBIT's Four Domains
Planning and OrganizationPlanning and Organization Acquisition and ImplementationAcquisition and Implementation Delivery and SupportDelivery and Support Monitoring Monitoring
Plan and OrganizePlan and Organize Covers the use of technology and how Covers the use of technology and how
best it can be used in a company to help best it can be used in a company to help achieve the company’s goals and achieve the company’s goals and objectives. objectives.
Highlights the organizational and Highlights the organizational and infrastructural form IT is to take in order to infrastructural form IT is to take in order to achieve the optimal results and to achieve the optimal results and to generate the most benefits from the use of generate the most benefits from the use of IT. IT.
Control Objectives for the Control Objectives for the Planning & Organization DomainPlanning & Organization Domain
PO1 Define a Strategic IT PlanPO1 Define a Strategic IT PlanPO2 Define the Information ArchitecturePO2 Define the Information ArchitecturePO3 Determine Technological DirectionPO3 Determine Technological DirectionPO4 Define the IT Processes, Organization & PO4 Define the IT Processes, Organization &
RelationshipsRelationshipsPO5 Manage the IT InvestmentPO5 Manage the IT InvestmentPO6 Communicate Management Aims & PO6 Communicate Management Aims &
DirectionDirectionPO7 Manage IT Human ResourcesPO7 Manage IT Human ResourcesPO8 Manage QualityPO8 Manage QualityPO9 Assess and Manage IT RisksPO9 Assess and Manage IT RisksPO10 Manage ProjectsPO10 Manage Projects
Acquire and ImplementAcquire and Implement
Identifying IT requirements, Acquiring Identifying IT requirements, Acquiring the Technology, and Implementing it the Technology, and Implementing it within the company’s current business within the company’s current business processes. processes.
Addresses the development of a Addresses the development of a maintenance plan that a company maintenance plan that a company should adopt in order to prolong the life should adopt in order to prolong the life of an IT system and its components. of an IT system and its components.
Control Objectives for the Control Objectives for the Acquire & Implement DomainAcquire & Implement Domain
AI1 Identify Automated SolutionsAI1 Identify Automated SolutionsAI2 Acquire and Maintain Application AI2 Acquire and Maintain Application
SoftwareSoftwareAI3 Acquire and Maintain Technology AI3 Acquire and Maintain Technology
InfrastructureInfrastructureAI4 Enable Operation and UseAI4 Enable Operation and UseAI5 Procure IT ResourcesAI5 Procure IT ResourcesAI6 Manage ChangesAI6 Manage ChangesAI7 Install and Accredit Solutions and AI7 Install and Accredit Solutions and
ChangesChanges
Delivery and SupportDelivery and Support
Execution of the applications within Execution of the applications within the IT system the IT system
The support processes that enable The support processes that enable the effective and efficient execution the effective and efficient execution of the IT systemsof the IT systems
Support processes include security Support processes include security issues and trainingissues and training
Control Objectives for the Control Objectives for the Delivery & Support DomainDelivery & Support Domain
DS1 Define and Manage Service LevelsDS1 Define and Manage Service LevelsDS2 Manage Third-party ServicesDS2 Manage Third-party ServicesDS3 Manage Performance and CapacityDS3 Manage Performance and CapacityDS4 Ensure Continuous ServiceDS4 Ensure Continuous ServiceDS5 Ensure Systems SecurityDS5 Ensure Systems SecurityDS6 Identify and Allocate CostsDS6 Identify and Allocate CostsDS7 Educate and Train UsersDS7 Educate and Train UsersDS8 Manage Service Desk and IncidentsDS8 Manage Service Desk and IncidentsDS9 Manage the ConfigurationDS9 Manage the ConfigurationDS10 Manage ProblemsDS10 Manage ProblemsDS11 Manage DataDS11 Manage DataDS12 Manage the Physical EnvironmentDS12 Manage the Physical EnvironmentDS13 Manage OperationsDS13 Manage Operations
Monitor and EvaulateMonitor and Evaulate Deals with a company’s strategy in Deals with a company’s strategy in
assessing the needs of the company and assessing the needs of the company and whether or not the current IT system still whether or not the current IT system still meets the objectives for which it was meets the objectives for which it was designed and the controls necessary to designed and the controls necessary to comply with regulatory requirements comply with regulatory requirements
Covers the issue of an independent Covers the issue of an independent assessment of the effectiveness of IT assessment of the effectiveness of IT system in its ability to meet business system in its ability to meet business objectives and the company’s control objectives and the company’s control processes by internal and external processes by internal and external auditors. auditors.
Control Objectives for the Control Objectives for the Monitor & Evaluate DomainMonitor & Evaluate Domain
ME1 Monitor and Evaluate IT ME1 Monitor and Evaluate IT Processes Processes
ME2 Monitor and Evaluate Internal ME2 Monitor and Evaluate Internal Control Control
ME3 Ensure Regulatory ME3 Ensure Regulatory ComplianceCompliance
ME4 Provide IT GovernanceME4 Provide IT Governance
Further Information:Further Information:
Information Systems Information Systems
Audit and Control AssociationAudit and Control Association
(ISACA)(ISACA)
http://www.isaca.orghttp://www.isaca.org
Annual Security ReportingAnnual Security Reporting
Introduction Introduction Brief Synopsis of IT Security Yearly Brief Synopsis of IT Security Yearly
ActivitiesActivities IT Security Activities IT Security Activities
Policy/Standards DevelopmentsPolicy/Standards Developments Security Hardware and/or Software Security Hardware and/or Software
ImplementationsImplementations Next Year’s IT Security GoalsNext Year’s IT Security Goals COBIT Internal Risk AssessmentCOBIT Internal Risk Assessment
Information Security Policy Information Security Policy
Purpose Purpose ObjectivesObjectives Development and ImplementationDevelopment and Implementation ResponsibilityResponsibility Assessment and Management of RiskAssessment and Management of Risk Protection and Destruction of Sensitive Protection and Destruction of Sensitive
InformationInformation Monitoring, Testing & Updating of the Monitoring, Testing & Updating of the
Information Security ProgramInformation Security Program Monitoring of the Information Security ProgramMonitoring of the Information Security Program Overseeing Service Provider Arrangements Overseeing Service Provider Arrangements Annual Status Reporting and Policy ReviewAnnual Status Reporting and Policy Review
SafeguardingSafeguarding Customer Customer Information Policy Information Policy
Policy StatementPolicy Statement
Statement of ResponsibilitiesStatement of Responsibilities
Computer SecurityComputer Security Physical Security Physical Security Copyrights and LicenseCopyrights and License MonitoringMonitoring ViolationsViolations
Access Control Policy Access Control Policy
User Access ManagementUser Access Management Access Control RulesAccess Control Rules
Access Control Request FormAccess Control Request Form File System ControlFile System Control Login Banner NoticesLogin Banner Notices
Data Classification, Data Classification, Retention and Disposal Retention and Disposal
PolicyPolicy
Sensitivity Guidelines Sensitivity Guidelines Sensitive Information Retention & Sensitive Information Retention &
Disposal Guidelines Disposal Guidelines Credit Card Information Retention & Credit Card Information Retention &
Disposal GuidelinesDisposal Guidelines
Intrusion Response PlanIntrusion Response Plan
Incident SeverityIncident Severity
Incident DeclarationIncident Declaration Document Recovery StepsDocument Recovery Steps Analyze the IntrusionAnalyze the Intrusion
Recover from the IntrusionRecover from the Intrusion Intrusion Response ChecklistIntrusion Response Checklist
Customer NoticeCustomer Notice Incident DeclarationIncident Declaration Response ProgramResponse Program Recovery StepsRecovery Steps Sample Call Staff InstructionsSample Call Staff Instructions Sample Call Staff Telephone Script InstructionsSample Call Staff Telephone Script Instructions Customer Call Record FormCustomer Call Record Form Suggested Communication to RegulatorsSuggested Communication to Regulators Sample Customer Notification LetterSample Customer Notification Letter Identity Theft Bureaus & AgenciesIdentity Theft Bureaus & Agencies Assessment of Unauthorized Access to SensitiveAssessment of Unauthorized Access to Sensitive Customer InformationCustomer Information Incident Response LogIncident Response Log
Unauthorized Access to Unauthorized Access to Customer Information PlanCustomer Information Plan
Additional ItemsAdditional Items
Password PolicyPassword Policy Compliance RequirementsCompliance Requirements Password Integrity GuidelinesPassword Integrity Guidelines Password Protection StandardsPassword Protection Standards Employee AcknowledgmentEmployee Acknowledgment
Vendor Management ProgramVendor Management Program Risk Assessment & MitigationRisk Assessment & Mitigation Request for ProposalRequest for Proposal Due Diligence Due Diligence ImplementationImplementation
Further Information & Sample Further Information & Sample Polices/Guidelines:Polices/Guidelines:
Systems And Network SecuritySystems And Network Security
http://www.sans.orghttp://www.sans.org
National Institute of Standards and TechnologyNational Institute of Standards and Technology
(NIST)(NIST)
www.nist.govwww.nist.gov
Payment Card Industry Data Security (PCI DSS)
Compliance for Your Business
A Security Breach and Subsequent Compromise of A Security Breach and Subsequent Compromise of Cardholder Data could have far-reaching Cardholder Data could have far-reaching
Consequences Consequences for Your Business including:for Your Business including:
Regulatory Notification RequirementsRegulatory Notification Requirements Loss of ReputationLoss of Reputation Loss of CustomersLoss of Customers Potential Financial Liabilities Potential Financial Liabilities
(Regulatory and Other Fines and (Regulatory and Other Fines and Fees)Fees)
LitigationLitigation
Compliant Organizations Compliant Organizations Experience Fewer BreachesExperience Fewer Breaches
32%32% of Compliant Organizations of Compliant Organizations
Never Had a Breach vs. Never Had a Breach vs. 12%12% of Non of Non Compliant Organizations Compliant Organizations
69%69% of Compliant Organizations of Compliant Organizations Reported at Least One Breach vs. Reported at Least One Breach vs.
88%88% of Non Compliant of Non Compliant OrganizationsOrganizations
We all can help to
Deter, Detect and Defend
against ID Theft with these 5 easy steps:
Take Stock – Know Where the Info Is
Scale Down – Keep Only What is Needed
Lock It – Protect the Info We Do Keep
Pitch It – Properly Dispose of What We Don’t
Plan Ahead – Create a Plan to Response to a Breach
does not manage does not manage compliance programs and compliance programs and
does not impose any does not impose any consequences for non-consequences for non-
compliance.compliance.
may have their own compliance initiatives, may have their own compliance initiatives, including financial or operational including financial or operational
consequences to certain businesses that are consequences to certain businesses that are not compliant.not compliant.
The Road to The Road to PCI DSS CompliancePCI DSS Compliance
is dependent on theis dependent on the
Merchant Level Merchant Level & &
Self Assessment Questionnaire Self Assessment Questionnaire (SAQ) (SAQ)
Validation TypesValidation Types
Merchant Levels Merchant Levels based on based on
Credit Card Transactions Credit Card Transactions ProcessedProcessed
Level 1Level 1 – Over 6,000,000 per year – Over 6,000,000 per year Level 2Level 2 – 1,000,000 to 6,000,000 – 1,000,000 to 6,000,000
per yearper year Level 3Level 3 – 20,000 to 1,000,000 per – 20,000 to 1,000,000 per
yearyear Level 4Level 4 – Fewer than 20,000 per – Fewer than 20,000 per
yearyear
Self Assessment Self Assessment Questionnaire (SAQ) Questionnaire (SAQ)
Validation Types Validation Types
SAQ A SAQ A
Card Not Present MerchantsCard Not Present MerchantsAll cardholder data All cardholder data functions outsourcedfunctions outsourced
Never applies to face to Never applies to face to face merchantsface merchants
13 Questions & Attestation13 Questions & Attestation
SAQ BSAQ B
Imprint Only MerchantsImprint Only MerchantsNo electronic cardholder data No electronic cardholder data storagestorage
Standalone dialout terminal Standalone dialout terminal merchant with no date storagemerchant with no date storage
29 Questions & Attestation29 Questions & Attestation
SAQ C-VTSAQ C-VT
Merchants with web based Merchants with web based virtual terminals virtual terminals
No electronic cardholder No electronic cardholder data storagedata storage
51 Questions & Attestation51 Questions & Attestation
SAQ CSAQ C
Merchants with Payment Merchants with Payment Applications connected to Applications connected to InternetInternet
No electronic cardholder No electronic cardholder data storagedata storage
40 Questions & Attestation40 Questions & Attestation
SAQ DSAQ D
All Merchants not included All Merchants not included in other SAQ descriptionsin other SAQ descriptions
All service providers defined All service providers defined by payment brand as by payment brand as eligible to complete a SAQeligible to complete a SAQ
288 Questions & Attestation288 Questions & Attestation
Maintain Information Security Policy
Requirement12
SAQ A,B,C,D
Regularly Test Security
Systems/Processes Requirement
11SAQ C,D
Track & Monitor Access to Network Resources & CHD
Requirement10
SAQ C,D
Restrict Physical Access to CHDRequirement
9SAQ A,B,C,D
Assign Unique ID for each person w/ computer access
to CHDRequirement
8 SAQ C,D
Restrict CHD Access to Business Need-to-Know
Requirement 7
SAQ B,C,D
Develop & Maintain Secure Systems/Applications
Requirement 6
SAQ C,D
Use & Regularly Update Anti-Virus Software
Requirement5
SAQ C,D
Encrypt Transmission of CHD
across Public NetworksRequirement
4SAQ B,C,D
Protect Stored CHD Requirement
3SAQ B,C,D
Change All Defaults Passwords
& Security ParametersRequirement
2SAQ C,D
Install & Maintain Firewall Configuration
to protect CHDRequirement
1 SAQ C,D
Security Requiremen
ts for PCI DSS
Compliance
Prioritized Approach to Pursue Prioritized Approach to Pursue PCI DSS CompliancePCI DSS Compliance
1. Remove Sensitive Authentication Data and Limit Data Retention 1. Remove Sensitive Authentication Data and Limit Data Retention (Requirements 1,3,9) (Requirements 1,3,9)
2. Protect the Perimeter, Internal and Wireless Networks 2. Protect the Perimeter, Internal and Wireless Networks (Requirements 1,2,4,5,11,12) (Requirements 1,2,4,5,11,12)
3. Secure Payment Card Applications 3. Secure Payment Card Applications (Requirements 2,6) (Requirements 2,6)
4. Monitor and Control Access to Systems4. Monitor and Control Access to Systems (Requirements 7,8,10,11)(Requirements 7,8,10,11)
5. Protect Stored Cardholder Data 5. Protect Stored Cardholder Data (Requirements 3,9)(Requirements 3,9)
6. Finalize remaining Compliance Efforts and Ensure all Controls 6. Finalize remaining Compliance Efforts and Ensure all Controls are in Place are in Place (Requirements 1,6,10,11,12)(Requirements 1,6,10,11,12)
https://www.pcisecuritystandards.org/documents/Prioritized_Approach_PCI_DSS_version1_2.xls
Prioritized Approach to Pursue Prioritized Approach to Pursue PCI DSS Compliance ToolPCI DSS Compliance Tool
PCI Compliance in its simplest form is; if you don’t need the cardholder data - then don’t store it, if you store it, you must protect it.
Further Information onFurther Information on
Complete PCI DSS SpecificationComplete PCI DSS Specification Prioritized Approach Guidance & Prioritized Approach Guidance &
ToolTool Other Supporting Tools and Other Supporting Tools and
DocumentationDocumentation
http://www.pcisecuritystandards.orghttp://www.pcisecuritystandards.org
Questions??Questions??