Bengt Berg, Cybercom Security, Polen
  • So, I did not intend to talk about industries in which you have to work with IT security.
  • Making demands on others is free. An ever larger share of security investments goes to handling other people's requirements, not one's own. There is always a structure/organization/follow-up behind these requirements. If there is none, you can ignore them.
  • Point out that this is not a wiki where anyone can edit.
Transcript of "Bengt Berg, Cybercom Security, Polen"

    1. Compliance-driven Security Requirements. Warsaw, 12 Oct 2010. 10-10-13 [email_address]. Bengt Berg, M.Sc, CISM, CISSP, QSA, ... Head of Compliance Management Services, Cybercom Sweden East AB
    2. So... Who's Talking?
       • Who is Bengt Berg?
       • What is Cybercom?
       • 1800 employees, 11 countries, 28 offices
       • Turnover
         • ≈ 60 M€/2006
         • ≈ 200 M€/2009
       • Cybercom Secure: 80 full-time consultants
         • Compliance Management and PCI DSS
         • IAM
         • Forensics
         • Development of secure software components
         • ...and some other areas of expertise
    3. External Compliance Requirements: Sarbanes-Oxley Act, ISO/IEC 27001:2006, CE certification, FDA/Part11, Basel3, Public Sector Procurement Laws, ISO 14001, PCI DSS (Payment Card Industry Data Security Standard)
    4. How PCI DSS has Transformed the Payment Security Area
    5. PCI DSS (diagram labels): Brands, Bank, PSP, Merchant, Solution vendor, Service provider, PA-QSA, PTS, PFI, QSA, ASV
    6. But What are These Requirements?
       • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
       • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
       • Requirement 3: Protect stored cardholder data
       • Requirement 4: Encrypt transmission of cardholder data across open, public networks
       • Requirement 5: Use and regularly update anti-virus software
       • Requirement 6: Develop and maintain secure systems and applications
       • Requirement 7: Restrict access to cardholder data by business need-to-know
       • Requirement 8: Assign a unique ID to each person with computer access
       • Requirement 9: Restrict physical access to cardholder data
       • Requirement 10: Track and monitor all access to network resources and cardholder data
       • Requirement 11: Regularly test security systems and processes
       • Requirement 12: Maintain a policy that addresses information security
       What the requirements mean in practice (slide bullets, in order):
       • Requires solutions for change
       • Documentation of systems, firewalls, ...
       • ...
       • Staging of systems, databases, routers, ...
       • System hardening
       • ...
       • Encryption of stored cardholder data, ...
       • Never EVER store some data...
       • Key management...
       • ...
       • Encryption of cardholder data sent over public networks
       • Some policies must exist
       • Anti-virus requirements
       • Centralized logs for AV solutions
       • Secure development methods
       • OWASP Top10 (www.owasp.org)
       • Test data, and test systems, requirements
       • Change management for access requests
       • "Need to know"
       • Policies, procedures, instructions
       • Access and identity management
       • Users, roles, logs
       • Physical security
       • Surveillance cameras
       • Visitor badges
       • IDS/IPS 7/24
       • Centralized logging
       • File integrity monitoring
       • Wireless analyzer
       • ASV Scans (int/ext) quarterly
       • Penetration test yearly
       • Yearly risk assessments
       • Security policies
       • Security organization
       • Incident response plans
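The "Protect stored cardholder data" and "Never EVER store some data" points on this slide are most often violated not by the payment database but by application logs and test data that quietly capture full card numbers. As an added example (it is not from the presentation or from Cybercom), the Python below scans constructed log lines for Luhn-valid 13 to 19 digit card numbers and masks any hit to the first six and last four digits; the sample lines, the well-known 4111 1111 1111 1111 test number, the digit range and the helper names are all assumptions of this example.

```python
import re

# Constructed sample log lines (not from the presentation). Line 0 leaks a
# Luhn-valid test PAN, line 1 holds a 16-digit reference that fails Luhn,
# line 2 is clean, line 3 leaks the same PAN written with spaces.
SAMPLE_LOG_LINES = [
    "2010-10-12 09:14:01 INFO order=4711 pan=4111111111111111 amount=12.50",
    "2010-10-12 09:14:02 INFO order=4712 ref=1234567890123456 amount=9.99",
    "2010-10-12 09:14:03 INFO order=4713 token=tok_7f3a amount=4.00",
    "2010-10-12 09:14:04 WARN card=4111 1111 1111 1111 declined",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# preceded or followed by another digit (so timestamps and order ids are skipped).
CANDIDATE_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _as_pan(candidate: str):
    """Return the bare digit string if the candidate looks like a real PAN."""
    digits = re.sub(r"[ -]", "", candidate)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(line: str) -> list:
    """All Luhn-valid card numbers found in one log line (digits only)."""
    return [pan for pan in (_as_pan(m.group(0)) for m in CANDIDATE_RE.finditer(line)) if pan]


def mask_pan(pan: str) -> str:
    """Keep first six and last four, which is the most PCI DSS permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_line(line: str):
    """Replace every detected PAN in a line with its masked form; return (line, count)."""
    count = 0

    def repl(m):
        nonlocal count
        pan = _as_pan(m.group(0))
        if pan is None:
            return m.group(0)
        count += 1
        return mask_pan(pan)

    return CANDIDATE_RE.sub(repl, line), count


def scan_log(lines) -> list:
    """Index and PANs of every line that contains cardholder data."""
    hits = []
    for i, line in enumerate(lines):
        pans = find_pans(line)
        if pans:
            hits.append((i, pans))
    return hits


if __name__ == "__main__":
    for idx, pans in scan_log(SAMPLE_LOG_LINES):
        print(f"line {idx}: {len(pans)} PAN(s) -> {scrub_line(SAMPLE_LOG_LINES[idx])[0]}")
```

A scan like this belongs in the log pipeline and in the test-data review the slide mentions, as a detective control: finding a PAN in a log is an incident to fix at the source (stop writing it), not something masking after the fact resolves.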
    7. Initial Backlashes
       • Conflict of interests
       • Banks initially uncoordinated
         • Caused great problems
         • Situation fixed by PAN Nordic
       • Self assessments (In Norway: "self betrayal")
         • Almost always too nice
       • First PA-DSS self-assessment: 45 minutes.
       • Lesson learned: Patience... Endurance...
    8. Response From Product Suppliers and Consultancy Companies
    9. What Results Have Been Achieved? (chart: Investments in IS/IT Security)
       • Retailers now have a very high level of security
       • Leveraging the investments into other business areas
         • Using the IDS for the whole company
         • Incident management methods cover the whole company
    10. What Results Have Been Achieved?
       • Not possible to sell insecure software to retailers anymore
    11. What Results Have Been Achieved?
       • Software developers know about security nowadays
    12. What Results Have Been Achieved? (diagram labels: Brands, Bank, PSP, Merchant, Solution vendor, Service provider, QSA, ASV)
       • Increased security amongst outsourcing companies
         • And they make good business out of it!
    13. Emerging Methods for Managing External Compliance Requirements
    14. Emerging methods
       • A few trends growing more solid every day:
       • Portal solutions for compliance management
       • Extreme use of issue management solutions
       • Using wikis for policies and other documentation...
       • Trend-oriented tests of compliance status
    15. Portal Solutions for Compliance Management
       • Cybercom, Acrea, ARIS, and numerous others
         • Binders in a bookshelf aren't enough
    16. Use of Issue Management Systems: 27 workflows necessary to implement ISO 27001 (workflow diagram labels: Report Incident, Incident response team, Web team, Network team, H/R, Closed Incidents, CISO)
    17. Use of Issue Management Systems
    18. All Documentation in Wiki format
       • All documents easily accessible (read)
         • Policy documents
         • Instructions
       • Edit only by document owner
         • Easy to allow "free for all" in draft mode
       • Built-in discussion forum!
         • Let people help each other...
       • Built-in functionality for version control
    19. All Documentation in Wiki format
    20. Trend-oriented tests
    21. Conclusions
       • What are the effects of external compliance requirements?
       • New compliance-oriented business models
       • Will always benefit the outsourcing providers
       • The leader gets a competitive advantage
       • Rational methods decrease investment
       • Success depends on the governance framework
       • Nobody wants to be a problem for their customer