Addressing PCI Requirements: Protecting Cardholder Data

Marne E. Gordan, GRC Market Manager, Tivoli
Tivoli Software, IBM Corporation
Presented at ISACA, September 2007
© 2007 IBM Corporation

Page 2: Agenda

- Why Compliance?
- PCI Drivers
- It's A Jungle Out There
- PCI Overview & Objectives
- What's the Solution?
- Summing Up
- Q & A

Page 3: Why Compliance?

- At the Seattle Cancer Care Alliance
- Patient Eric Drew's identity was stolen by phlebotomist Richard Gibson
  – Gibson had access to the patient record
  – Obtained Drew's SSN, date of birth, and primary address
  – Used this information to open lines of credit
  – Ran up over $9k in debt
    • Clothing
    • Jewelry
    • X-Box
    • Porcelain figurines

http://www.msnbc.msn.com/id/10549098/

Page 4: Drew Began Receiving Unsolicited Mail and Collection Notices

- Contacted the major credit bureaus
  – Placed fraud warnings on legitimate credit cards
  – Begged major issuers not to issue any new cards
  – Contacted local law enforcement
- Nothing happened, until
  – Local reporter Chris Daniels at KING-5 NBC TV reported the story
  – Daniels and Drew continued the investigation
  – The forensic trail led to Gibson
- Gibson pleaded guilty
  – 16 months in jail, plus restitution
  – First documented "HIPAA conviction"
  – Convicted of unlawful use of IIHI (individually identifiable health information)

Page 5: Great Story, But . . . .

- What does it have to do with PCI?
  – When faced with a compliance "checklist", we often
    • Become overwhelmed by tasks and deadlines
    • Focus on the "minimum necessary" to pass the audit
    • Focus on "beating" fines and penalties
    • Forget what can happen when data is misused
    • Overlook "harm" to
      – Customers
      – Business partners
      – Employees
      – Any individuals who entrust us with their data

Page 6: Consumer Confidence*

1. Data security
2. Global warming
3. Terrorism
4. Job loss
5. Disease or epidemics
6. Natural disasters

* Source: Global Survey of Consumer Attitudes, Visa International, December 2006

Page 7: 2005: Year of the Data Breach

DOJ
Stanford Univ
Valdosta State
CardSystems
Duke Univ
Cleveland State
Merlin Data Services
Motorola
CitiFinancial
FDIC
MCI
SJ Medical
CO Dept of Health
Purdue Univ.
USC, Michigan, Southern California State
Sonoma State University
PayMaxx
Hinsdale High
Westborough Bank
Jackson CC
LexisNexis
U CA Berkeley
Boston College
Nevada DMV
Northwestern
UNLV
Cal State Chico
U CA SF
Georgia DMV
Bank of America
University of Colorado
Cisco.com
Tufts University
Polo Ralph Lauren
CA FasTrack
CA Dept of Health
DSW Shoes
Ameritrade
Carnegie Mellon
Michigan State
CSJ Hospital
Georgia Southern
Wachovia
Oklahoma State
Time Warner
ChoicePoint
Air Force
University of North Texas

Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm

Page 8: 2006: The Good Times Just Keep Coming . . .

University of Medicine and Dentistry of New Jersey
Ross-Simons
Univ. of South Carolina
University of Alaska, Fairbanks
Ohio University Innovation Center
University of Texas' McCombs School of Business
Univ. of Northern Iowa
Purdue University
Aetna -- health insurance records for employees of 2 members, including Omni Hotels and the Dept. of Defense NAF
MasterCard (potentially UK only)
Long Island Rail Road
Ohio's Secretary of State
Dept. of Defense
Georgia State Government
Idaho Power Co.
Ohio University Hudson Health Center
Dept. of Veteran Affairs
Wells Fargo
Mercantile Potomac Bank
American Institute of Certified Public Accountants (AICPA)
Deloitte & Touche (McAfee employee information)
Medco Health Solutions
OH Secretary of State's Office
Olympic Funding (Chicago, IL)
Los Angeles Cty. Dept. of Social Services
Hamilton County Clerk of Courts
Metropolitan State College
Georgetown Univ.
Verizon Communications
iBill (Deerfield Beach, FL)
CA Dept. of Consumer Affairs
General Motors (Detroit, MI)
Buffalo Bisons and Choice One Online
Ernst & Young (UK)
Bananas.com
Fidelity Investments
CA State Employment Development Division
Vermont State Colleges
Georgia Technology Authority
Conn. Technical High School System
Progressive Casualty Insurance
DiscountDomainRegistry.com
UPMC Squirrel Hill Family Medicine
H&R Block
Atlantis Hotel - Kerzner Int'l
People's Bank
City of San Diego, Water & Sewer Dept.
Univ. Place Conference Center & Hotel
Indiana Univ.
California Army National Guard
Univ. of Notre Dame
Univ. of WA Medical Center
Providence Home Services (OR)
State of RI web site
Boston Globe
The Worcester Telegram & Gazette
BCBS of North Carolina
FedEx
Honeywell International
Dept. of Agriculture
Old Dominion Univ.
BCBS of Florida
Calif. Dept. of Corrections, Pelican Bay
Mount St. Mary's Hospital (Lewiston, NY)

Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm

Page 9: 2006: And Coming . . .

University of Tennessee
Nat'l Association of Securities Dealers (NASD)
Naval Safety Center
Montana Public Health and Human Services Dept.
Moraine Park Technical College
Northwestern Univ.
University of Iowa
Treasurer's computer in Circuit Court Clerk's office
Nelnet Inc.
CS Stars, subsidiary of insurance company Marsh Inc.
U.S. Dept. of Agriculture
New York City Dept. of Homeless Services
Armstrong World Industries
Georgetown University Hospital
Old Mutual Capital Inc.
Cablevision Systems
U.S. Navy recruitment offices
Kaiser Permanente Northern Calif. Office
Los Angeles County, Community Development Commission (CDC)
Los Angeles County, Adult Protective Services
Western Illinois Univ.
NY State Controller's Office
ING
Univ. of Kentucky
Automatic Data Processing (ADP)
CA Dept. of Health Services (CDHS)
Equifax
Univ. of Alabama
U.S. Dept. of Agriculture (USDA)
Cape Fear Valley Health System
Fed. Trade Comm. (FTC)
San Francisco State Univ.
U.S. Navy
CA Dept. of Health Services (CDHS)
Catawba County Schools
King County Records, Elections, and Licensing Services Division
Gov't Accountability Office (GAO)
AAAAA Rent-A-Space
AllState Insurance Huntsville branch
Nebraska Treasurer's Office
Minnesota Dept. of Revenue
Nat'l Institutes of Health Federal Credit Union (NIH)
American Red Cross, Farmers Branch
Bisys Group Inc.
Automated Data Processing (ADP)
Univ. of Delaware
M&T Bank
Sacred Heart Univ.
American Red Cross, St. Louis Chapter
Vystar Credit Union
Texas Guaranteed Student Loan Corp.
Florida Int'l Univ.
Miami University
Univ. of Kentucky
Buckeye Community Health Plan
Ahold USA
YMCA
Humana
Internal Revenue Service
Univ. of Texas
Univ. of Michigan Credit Union
Denver Election Commission
U.S. Dept. of Energy
Minn. State Auditor
Oregon Dept. of Revenue
U.S. Dept. of Energy, Hanford Nuclear Reservation
American Insurance Group (AIG)

Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm

Page 10: 2007: ???

• January 2 – Deaconess Hospital – Evansville, IN
• January 4 – Unnamed medical center via recycling service – Stockton, CA
• January 5 – Dr. Baceski's Office – Somerset, PA
• January 25 – Ohio Board of Nursing – Columbus, OH
• January 26 – Anthem Blue Cross Blue Shield – VA
• February 2 – VA Medical Center – Birmingham, AL
• February 7 – Johns Hopkins University Hospital – Baltimore, MD
• February 8 – St. Mary's Hospital – Leonardtown, MD
• February 9 – Radford University, Waldron School of Health and Human Services – Radford, VA
• February 14 – Kaiser Medical Center – Oakland, CA
• February 19 – Seton Healthcare Network – North Austin, TX
• February 20 – Back and Joint Institute – San Antonio, TX
• Today or Tomorrow -- YOU ???

Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm

Page 11: It's A Jungle Out There . . . .

Page 12: One More Threat to Consider . . . .

Bad PR . . . . . . . . Priceless !!!!

Page 13: Skipping compliance: The short path from breach to extinction

Page 14: And it gets worse

T.J. Maxx Parent Company Data Theft Is The Worst Ever
The intrusion hands the retailer the dubious honor of surpassing the 40 million stolen customer records mark, something that only CardSystems had been able to achieve.
By Larry Greenemeier, InformationWeek, March 29, 2007

TJX Co., the parent company of T.J. Maxx and other retailers, on Wednesday dropped a bombshell in its ongoing investigation of a customer data breach by announcing in a Securities and Exchange Commission filing that more than 45 million credit and debit card numbers have been stolen from its IT systems. Information contained in the filing reveals a company that had taken some measures over the past few years to protect customer data through obfuscation and encryption. But TJX didn't apply these policies uniformly across its IT systems and as a result still has no idea of the extent of the damage caused by the data breach.

As a result, TJX is a company under siege. The company recorded a fourth-quarter charge of about $5 million to cover the costs of containing and investigating the breach, as well as improving the security of its IT systems, communicating with customers, and paying legal fees. The U.S. Federal Trade Commission has launched an investigation of TJX. While the FTC wouldn't reveal the nature of the investigation or when it began, it's likely the result of the data breach. And lawsuits have begun to fly, including one by the Arkansas Carpenters Pension Fund, which owns 4,500 shares of TJX stock.

The intrusion into TJX's IT systems also hands the retailer the dubious honor of surpassing the 40 million stolen customer records mark, something that only CardSystems had been able to achieve. And it puts to shame the Veterans Affairs Department, which last year briefly lost track of more than 26 million records thanks to a stolen employee laptop.

Page 15: How Vulnerable Are You?

If yours is an average U.S. corporation*, here's what your network experienced in the last week . . .

- Every Internet-connected device was "probed" about 26 times per day for known vulnerabilities.
- About 13 computers somewhere in your organization encountered a computer virus.
- 16 already logged-in desktop computers were inappropriately used by another employee in your company to access information.
- Three people scrounged through desks and drawers looking for someone else's password. One of them succeeded and used it.

* Statistics provided by ICSA Labs, December 2006

Page 16: How Vulnerable Are You?

If yours is an average U.S. corporation, here's what your network experienced in the last week . . . .

- On average 16 sexually explicit graphics were mailed or shared among some of your users. There is a 50-50 chance that some of these are stored on your network.
- At least two people experimented with a "hacking" tool or technique on the general computers, servers, and databases inside your network in the past month.
- Despite all the press and focus on hacking and viruses, there is a 72% likelihood that the next security breach your staff deals with will come from an insider.

Statistics provided by ICSA Labs

Page 17: Ah, the disgruntled employee!

- Recent Novell research indicates
  – More than half the UK workforce* would be prepared to seek revenge on former employers by exploiting continued access to corporate systems if they lost a job
  – 55% would continue to use their company laptop if it were not taken back; 58% would continue to use company mobile phones
  – 6% said that they would delete important files
  – 4% would let a virus loose in the corporate email system
  – 67% would be prepared to steal sensitive information that would help in their next job
  – 38% said that they would steal company leads

* The 2006 article did not indicate how large the polling group was, nor whether it was a scientific poll.

Page 18: The Enemy Inside . . .

- For years, external security threats received more attention than internal security threats, but the focus has changed. Why?

External threats:
- Hackers
- Crackers
- Denial of service
- Viruses
- Worms
- Intruders

Controls built against them:
- AV
- Firewalls
- IDS
- Content security
- Encryption

Page 19: Who is Who?

- The number of attacks attributed to the inside vs. the outside is approximately equal (Source: CSI/FBI Survey 2005).
- Therefore, 43.5% of the total number of security incidents experienced globally can be attributed directly to the privileged user group (roughly half of all incidents are internal, and 87% of internal incidents are caused by privileged or technical users: 50% × 87% = 43.5%).
- The privileged user group generally represents < 5% of any given organization.

43.5% of global security incidents (inside & outside) can be attributed to the privileged user.

Page 20: Known People (Un)Intentionally Do Great Harm

- 87% of insider incidents are caused by privileged or technical users
- Many are inadvertent violations of:
  – Change management process
  – Acceptable use policy
- Others are deliberate, due to:
  – Revenge (84%)
  – "Negative events" (92%)
- Regardless, too costly to ignore:
  – Internal attacks cost 6% of gross annual revenue
  – Costing $400 billion in the US alone

[Chart: Who Causes Internal Incidents? Privileged or technical users 87%; Other 13%]

Sources: Forrester Research, IdM Trends 2006; USSS/CERT Insider Threat Survey 2005; CSI/FBI Survey, 2005; National Fraud Survey; CERT, various documents.

Page 21: Dominant loss types

Page 22: Why does the audit community care about "the enemy inside"?

- While viruses, worms, Trojans and DoS are serious, attacks perpetrated by people with trusted insider status pose a far greater threat to organizations, in terms of potential cost per occurrence and total potential cost, than attacks mounted from outside.

Page 23: Redefining "Insiders"

- According to recent Gartner research
  – As a result of the high demand from western companies looking to cut costs, some outsourcing service providers in India and China are growing rapidly, hiring thousands of new employees in a month.
  – Gartner has warned companies that outsource to countries like India and China not to overlook the impact of cultural differences on security.
  – "India is seen as an answer when outsourcing applications but is actually a problem in the security space"
  – Standards of privacy are often loose in India because
    • Reading someone else's e-mail would not be considered much of an intrusion
    • Fingerprinting is considered offensive in the Indian culture; security checks are often outsourced to the local police, requiring that applicants have an Indian passport, which can only be acquired by passing rigorous security checks conducted by law enforcement officials
    • Many firms require only two references from each applicant as a security measure, but do not ensure the applicant has no criminal record.
  – "Fifty percent of companies understand that there are security issues with off-shoring, but the real issues are cultural, and in compliance and regulation."

Source: http://www.computerworld.com/managementtopics/outsourcing/story/0,10801,96074,00.html

Page 24: Could This be Your Worst Enemy?

Page 25: Who is an "Insider"?

- Current or former employees, consultants, and outsourcers who:
  – Intentionally or inadvertently exceeded or misused an authorized level of access to networks, systems, or data in a manner that
  – Targeted a specific individual or affected the security of the organization's data, systems, and/or daily business operations

Example                                                              | Access Type | User
Consultant using the LAN to conduct daily business                   | LAN         | Semi-Trusted User
Client or partner accessing account information                      | Extranet    | Semi-Trusted User
Executive logging in remotely to review personnel files              | VPN         | Super/Privileged User
IT administrator using the LAN to administer desktops                | LAN         | Super/Privileged User
Salesperson logging in via remote access to manage accounts          | Dial-up     | Trusted User
Employee using a directory on the file server to save critical files | LAN         | Trusted User

Page 26: The reason insider attacks "hurt"

Insiders have two important factors in their favor:
– Access, both logical and physical
– Trust

- In general, users and computers accessing resources on the local area network (LAN) of the company are deemed trusted. Practically, we do not draconically restrict their activities (revoke trust), because an attempt to control these trusted users too closely will impede the free flow of business.
- And, obviously, once an attacker has physical control of an asset, that asset can no longer be protected from the attacker.

Page 27: The insider threat profile

- The United States Secret Service and the Carnegie Mellon University Software Engineering Institute's CERT Coordination Center published an insider threat study report in 2005 which offered critical insights into the mind and motivation of the "inside attacker."
- A frightening 87% of those perpetrating harm were those we would consider as having the "keys to the kingdom"

Page 28: The insider threat profile

- Male
- 17-60 years old
- 87% in technical positions
- About half married
- Variety of racial and ethnic backgrounds

Source: CERT

Page 29: The insider threat profile

- The average IT worker
  • More comfortable in the world of ideas and concepts than emotions and relationships,
  • Prefers to work independently,
  • Tends to resist authority,
  • More subject to environmental stress.

Source: CIA's Center for Analysis of Personality and Behavior

Page 30: What motivates the internal attacker?

- Internal attackers "perpetrate harm" for a number of reasons.
  – Challenge/Curiosity: Many internal attackers don't think about their acts as "attacks" at all. They would construe the act instead as a challenge, combining patience, skill, and a mix of tactical and strategic thinking. Common examples of these attacks may include breaking into e-mail or IM accounts, accessing sensitive data assets (i.e., salary or financial data) or conducting ad hoc penetration tests.
  – Financial Gain: Internal attackers motivated by financial gain steal confidential information for a third party.

Page 31: What motivates the internal attacker?

  – Revenge: Internal attackers motivated by revenge have negative feelings directed not simply at the company, but also toward a particular individual within that company.
    • These attackers can be particularly dangerous because they are patient and targeted.

[Chart: Motivations for deliberate attacks (CERT), percentage of attackers by motivation: Financial 0%; Revenge 84%; Response to negative event 92%]

Page 32: These attackers planned ahead

- 62% of the attacks were planned in advance.
- 57% of the attackers surveyed would consider themselves "disgruntled."
- 80% exhibited suspicious or disruptive behavior to their colleagues or supervisors before the attack.
- Only 43% had authorized access (by policy, not necessarily via system control).
- 64% used remote access to carry out the attack.

Source: USSS/CERT

Page 33: Though let us not forget the role of stupidity

- Common threats to the internal security of any enterprise can be chalked up to stupidity:
  – Organizational stupidity: Systems administrators are highly sensitive to environmental stress*. If the systems administrator is overworked, mistakes will happen. Unfortunately, in the security world mistakes can have incredibly significant and negative impacts.
  – Individual stupidity: This category includes accidental destruction, modification, disclosure, or incorrect classification of information; or failure to follow security policy or operational procedure, which leads to a breach of system or information integrity, confidentiality or availability.
    • Again, according to the CIA personality profile of the average IT worker, IT workers resist authority, working outside the "playbook." While we didn't need the CIA to tell us that, it should be noted that human error is a significant threat to any organization.

* Source: CIA's personality profile of an average IT worker.

Page 34: Additional Statistics . . .

- The median loss caused by males is about $185,000; by females about $48,000
- Losses caused by managers are four times those caused by employees
- Median losses caused by executives are 16 times those of their employees

Source: Association of Certified Fraud Examiners

Page 35: A concise list of worries from the CXO

Manipulation of operating system design flaws: We all know the drill; operating systems such as Windows and Linux have not been designed to be highly secure. Privileged users in particular have easy access to information regarding which vulnerabilities exist, and which vulnerabilities have been patched. With the ability to read, and administrative access, privileged users have it in their power to manipulate these design flaws and exercise native vulnerabilities.

Manipulation of protocol design flaws: Protocol weaknesses in TCP/IP can result in a virtual treasure trove of problems, for example DNS spoofing, TCP sequence number prediction, hijacked sessions and authentication session/transaction replay, denial of service, and TCP SYN flooding.

Introduction of bad code: "Bad code" may include time bombs (software programmed to damage a system on a certain date) or logic bombs (software programmed to damage a system under certain conditions).

Installation of unauthorized software or hardware: Common attacks include the installation of Trojans by privileged users.

Viruses: While the most significant internal threat is the "ignorant" employee who double-clicks on the email attachment, activating a virus, results from a number of "insider attack" surveys show that viruses may also be exploited deliberately by hostile employees.

Theft of information or computing assets: This category includes theft of anything from digitally stored information (customer credit card information, company-critical financial data, internal product engineering plans) to theft of physical devices.

Sabotage of information or systems: This category includes inadvertent or deliberate destruction of system operations or information assets, including the physical destruction of network cabling or computing devices, or disabling of electrical or other environmental controls.

Page 36: So What is the Answer?

- Heavily regulated industries have been dealing with the CIA (confidentiality, integrity, availability) of customer/consumer information for years
  – Financial Services
  – Health Care
  – Government Agencies
- But other industries are not so "lucky"
  – Retail
  – eRetail
  – HR/Recruitment
  – Higher Education
- These industries are a target
  – They aggregate personal information
  – Information sharing is typically part of the business model

Page 37: PCI Overview

- The five major card associations jointly created the Payment Card Industry (PCI) Data Security Standard around security and payment data
  – Its genesis was the Visa CISP (Cardholder Information Security Program)
  – PCI standards apply to all members, merchants, and service providers that store, process or transmit cardholder data
  – Security requirements apply to all system components, defined as any network component, server, or application included in, or connected to, the cardholder data environment
  – Merchants are categorized by level, which dictates the validation requirements against the standards

Merchant Levels Defined

Level   Description
1       Any merchant who processes over 6,000,000 transactions annually.
        Any merchant that has suffered a breach.
        Any merchant designated Level 1 by Visa.
2       Any merchant who processes between 150,000 and 6,000,000 e-commerce transactions annually.
3       Any merchant who processes between 20,000 and 150,000 e-commerce transactions annually.
4       Anyone else.

PCI Overview (continued)

• Validation requirements
  – Level 1 merchants
    • annual on-site assessment by an approved assessor
    • quarterly network security scan by an approved scan vendor
  – Level 2 and 3 merchants
    • self-assessment questionnaire
    • quarterly network security scan by an approved scan vendor
• All merchants, regardless of level, must comply with all elements of the PCI DSS standard; the level only changes how compliance is validated

The scope of the PCI Audit

• Scope of compliance validation is focused on any system(s) or system component(s) related to authorization and settlement where cardholder data is processed, stored, or transmitted, including:
  – All external connections into the merchant network
  – All connections to and from the authorization and settlement environment
  – Any data repositories outside of the authorization and settlement environment where more than 500K account numbers are stored

Outsourcing

• For those entities that outsource processing, transmitting, or storage of cardholder data to third-party service providers, the Report On Compliance must document the role of each service provider.
• Service providers are responsible for validating their own compliance with the PCI Data Security Standard, independent of their customers.
• Additionally, merchants and service providers must contractually require all associated third parties with access to cardholder data to adhere to the PCI Data Security Standard (Requirement 12.8).

Consequences for lack of compliance

• Financial Risk
  – Merchant banks may pass on substantial fines
  – Up to $500,000 per incident from Visa alone
  – Civil liability and the cost of providing ID theft protection
• Compliance Risk
  – Exposure to Level 1 validation requirements (any breached merchant is treated as Level 1)
• Operational Risk
  – Visa-imposed operational restrictions
  – Potential loss of card processing privileges

PCI Data Security Standards

The PCI Data Security Standard consists of six major categories supported by twelve basic requirements. Within these categories is a total of 175 detailed requirements. Audits assess both implementation and policy and process, as identified in the detailed sub-requirements.

PCI enterprise security model

PCI awareness principles: value statements that the business requires for the delivery of PCI.

Security policy: the security rules that must be followed to meet PCI compliance.

PCI standards: set of rules for implementing policy; standards make specific mention of technologies, methodologies, implementation procedures and other detailed factors needed to meet company-wide PCI compliance.

Security processes: activities typically performed across multiple organizations to implement PCI-required policies and standards.

PCI procedures: specific operational steps that individuals must take to achieve PCI goals, which are often stated in policies.

Security architecture: details how all the technologies fit together to assure PCI compliance.

Security products: products and tools that mitigate PCI risk.

Sample Solutions for PCI Compliance

Top layer of the diagram: PCI Reporting and Audit Dashboard
Bottom layer of the diagram: Security Incident and Event Management

Build and Maintain a Secure Network
  Requirement 1: Install & maintain a firewall…                         → Perimeter Security
  Requirement 2: Do not use vendor default passwords                    → Access Management
Protect Cardholder Data
  Requirement 3: Protect stored cardholder data                         → Storage Management
  Requirement 4: Encrypt transmission of cardholder data                → Data Encryption
Maintain a Vulnerability Management Program
  Requirement 5: Use & update anti-virus software                       → Anti-virus / Vulnerability Assessment
  Requirement 6: Develop & maintain secure systems & applications       → CCMDB / Vulnerability Assessment
Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data                     → Access Management
  Requirement 8: Assign a unique ID to each person                      → Identity Management
  Requirement 9: Restrict physical access                               → Physical Access Controls
Regularly Monitor and Test Networks
  Requirement 10: Track & monitor access                                → Security Incident Management
  Requirement 11: Regularly test security systems & processes           → Vulnerability Assessment / Security Incident Management
Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security → IT Service Management / Consulting Services
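Requirement 3 is the one the storage-management box above does not make concrete: stored PANs must be rendered unreadable, and the usual way a merchant fails it is a full card number written into an application log or a report. The practical first check is therefore to find where full PANs are sitting. The following is an added example, not code from this deck or from IBM Tivoli. The log lines are constructed, the card numbers are publicly known test numbers rather than real accounts, and the candidate regex and the masking rule (first six and last four digits visible) are this example's own choices.

```python
"""Added example (not from the IBM deck): find unprotected primary account
numbers (PANs) in stored text and show them in masked form.
Sample log lines are constructed; card numbers are public test numbers."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most random digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list[str]:
    """Return the digit-only PANs found in text that pass the Luhn check."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = _digits(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the example's chosen display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; leave other digit runs alone."""
    def _sub(m: re.Match) -> str:
        digits = _digits(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


# Constructed sample: an application log into which full PANs were written.
# 4111111111111111 and 5555555555554444 are well-known test numbers; the
# 16-digit order numbers fail Luhn and must not be flagged.
SAMPLE_LOG = """\
2007-09-12T10:15:01 order=1234567890123456 card=4111 1111 1111 1111 amount=59.90
2007-09-12T10:15:07 order=1234567890123457 card=5555-5555-5555-4444 amount=12.00
2007-09-12T10:15:09 order=1234567890123458 card=411111******1111 amount=7.50
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(f"{len(find_pans(line))} unprotected PAN(s): {redact(line)}")
```

Run as a script it reports one unprotected PAN on each of the first two lines and none on the third, which was already masked. The Luhn filter is what keeps the scan usable on real data: without it every 16-digit order number or timestamp concatenation becomes a false positive, and the people asked to clean up the findings stop reading them.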

Security Incident and Event Management (SIEM)

SIEM Capabilities

Build and Maintain a Secure Network
  1: Install and maintain a firewall configuration to protect data
  2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3: Protect stored data
  4: Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
  5: Use and regularly update anti-virus software
  6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7: Restrict access to data by business need-to-know
  8: Assign a unique ID to each person with computer access
  9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10: Track and monitor all access to network resources and cardholder data
  11: Regularly test security systems and processes
Maintain an Information Security Policy
  12: Maintain a policy that addresses information security

The diagram's arrows from SIEM to the six categories carry the labels “supports” (four arrows) and “automates” (two arrows); which category each arrow points to is not recoverable from the extracted text.

Leveraging Control Activity for PCI

• Tell the story of the cardholder data environment
  – Articulate activity
    • To the auditors
    • To Senior Management and the BOD
  – Demonstrate
    • Controls in place over time
    • Routine activity
    • Anomalous activity
    • Incidents
      – From discovery through resolution
      – Lessons learned
  – Document
    • Controls narrative
      – Risk tolerance
      – Decisions and rationale
    • Written policies and procedures
      – Including enforcement plans and/or examples

Compliance Objective

• Is access to payment card account numbers restricted for users on a need-to-know basis? (yes / no)
• Is all access to cardholder data, including root/administration access, logged? (yes / no)
• Do access control logs contain successful and unsuccessful login attempts and access to audit logs? (yes / no)
• Are all critical system clocks and times synchronized, and do logs include a date and time stamp? (yes / no)
• Are the firewall, router, wireless access point, and authentication server logs regularly reviewed for unauthorized traffic? (yes / no)
• Are audit logs regularly backed up, secured, and retained for at least three months online and one year offline for all critical systems? (yes / no)
• Are information security policies, including policies for access control, formally documented? (yes / no)
• When an employee leaves the company, are that employee's user accounts and passwords immediately revoked? (yes / no)
• Are security alerts from IDS/IPSs continuously monitored, and are the latest IDS/IPS signatures installed? (yes / no)
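Several of the questions above are answerable from the audit trail itself rather than from a policy document: whether every event carries a timestamp, whether both successful and failed logins are recorded, whether reads of the audit log are themselves logged, whether cardholder-data access is tied to a user ID, whether a departed employee's account is still active, and how far back the online trail reaches. The following is an added example, not code from this deck or from IBM Tivoli, that runs those checks over a sample trail. The log format, the event names, the field names and the HR termination feed are all assumptions made for the example, and the log lines are constructed rather than captured from any real system.

```python
"""Added example (not from the IBM deck): check a sample audit trail against
the log-related questions of the Compliance Objective checklist.
Log format, event names and the terminated-user list are assumptions."""
from datetime import datetime, timedelta

# Assumed format: "<ISO-8601 UTC timestamp> <event> key=value ...".
# Constructed sample, not captured from a real system. The last line has no
# timestamp, and carol (see TERMINATED) is still active after leaving.
SAMPLE_AUDIT_LOG = """\
2007-09-12T09:00:01Z login_success user=alice src=10.1.2.3
2007-09-12T09:00:15Z login_failure user=bob src=10.1.2.9
2007-09-12T09:01:00Z chd_read user=alice table=card_txn rows=3
2007-09-12T09:02:00Z chd_read user=root table=card_txn rows=120000
2007-09-12T09:03:00Z audit_log_read user=root file=/var/log/audit.log
2007-09-12T09:04:00Z chd_read user=carol table=card_txn rows=1
2007-09-12T09:05:00Z login_success user=dave src=10.1.2.4
login_success user=erin src=10.1.2.5
"""

_TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed HR feed (assumed): account -> termination time.
TERMINATED = {"carol": datetime(2007, 9, 11, 17, 0)}


def parse_line(line: str):
    """Return (timestamp or None, event, fields) for one audit line."""
    parts = line.split()
    ts = None
    try:
        ts = datetime.strptime(parts[0], _TS_FORMAT)
        parts = parts[1:]
    except ValueError:
        pass  # no leading timestamp; reported as a finding by the caller
    event = parts[0]
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return ts, event, fields


def audit_findings(log_text: str, terminated: dict) -> list[str]:
    """Return sorted finding strings; an empty list means every check passed."""
    findings = []
    seen_events = set()
    for line in log_text.splitlines():
        ts, event, fields = parse_line(line)
        seen_events.add(event)
        user = fields.get("user", "<missing>")
        if ts is None:
            findings.append(f"no timestamp: {line!r}")
            continue
        # Cardholder-data access must be attributable to a person (Req. 8/10).
        if event == "chd_read" and user == "<missing>":
            findings.append(f"cardholder data access without user id at {ts}")
        # Accounts of departed employees should have been revoked immediately.
        if user in terminated and ts > terminated[user]:
            findings.append(f"activity by terminated user {user} at {ts}")
    # Both login outcomes and access to the audit log itself must be logged.
    for needed in ("login_success", "login_failure", "audit_log_read"):
        if needed not in seen_events:
            findings.append(f"no {needed} events in the trail")
    return sorted(findings)


def retention_ok(log_text: str, now_iso: str, months_online: int = 3) -> bool:
    """Does the online trail reach back at least months_online (30-day months) from now_iso?"""
    now = datetime.strptime(now_iso, _TS_FORMAT)
    stamps = [parse_line(l)[0] for l in log_text.splitlines()]
    stamps = [s for s in stamps if s is not None]
    return bool(stamps) and min(stamps) <= now - timedelta(days=30 * months_online)


if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_AUDIT_LOG, TERMINATED):
        print("FINDING:", finding)
    print("three months online:", retention_ok(SAMPLE_AUDIT_LOG, "2007-09-30T00:00:00Z"))
```

On the sample trail this produces two findings (an event with no timestamp, and activity by carol after her termination) and reports that the trail does not yet cover three months. Cross-checking the trail against the HR feed is the part auditors most often find missing: the revocation question on the slide is usually answered from the leaver procedure, while the log shows what actually happened.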

It Works Perfectly – In PowerPoint

• It is obvious and it is EASY
  – Here in this meeting room
  – Devil in the details . . . .
• Demonstrate that you understand
  – WHO
  – has access to WHAT
  – for what PURPOSE
  – at any given TIME
• There is no “one-size-fits-all”
• Remember why this is important
  – Consider “harm

IBM Tivoli Security

• Tivoli Security Solutions (in Australia)

Security Specialists for (VIC / SA / WA & NZ)
  – Barry Metzger 0412 772 552 barry.metzger@au.ibm.com
  – Darren Wright 0402 892 296 darrenwr@au1.ibm.com

Security Specialists for (NSW / QLD / NT)
  – Paul Cooper 0411 892 296 pcooper@au1.ibm.com
  – Brad Anderson 0411 304 040 [email protected]