Skeletal Elements of your Organization’s IT Systems: Deter, Detect and Defend Against Data Breaches
Information Security Program & Payment Card Industry Data Security Standard (PCI DSS) Compliance for Your Business
Recent breaches (as presented on the slides):
77 Million Users
10 Million Credit Card Compromised Accounts; Losses ???
Millions of Names and Email Addresses of over 2,500 Major Companies; Consequences??
94 Million Compromised Accounts; 83 Million Dollars in Losses
4 Million Compromised Accounts
100’s of Compromised Accounts; 50,000+ Credit Card Transactions Processed Yearly; 20,000+ Credit Card Numbers
The High Cost of Data Breaches
Average Cost Per Record Breached: $204
Average Cost Per Breach: $6.75 million
Range of Total Cost Per Breach: $750,000 to almost $31 million
Source: Ponemon Institute, Fourth Annual Cost of Data Breach Study, January 2009
Essential Elements of a Successful Information Technology Security Program
Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1996.
Proactively identify IT related risks that require mitigation strategies, including anticipating future regulatory and external reporting expectations.
Aid in the overall IT Governance Activities and support the business’s operational risk initiatives.
Covers the use of technology and how best it can be used in a company to help achieve the company’s goals and objectives.
Highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.
Control Objectives for the Planning & Organization Domain
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization & Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims & Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
Identifying IT requirements, acquiring the technology, and implementing it within the company’s current business processes.
Addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.
Control Objectives for the Acquire & Implement Domain
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
Execution of the applications within the IT system.
The support processes that enable the effective and efficient execution of the IT systems.
Support processes include security issues and training.
Control Objectives for the Delivery & Support Domain
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations
Deals with a company’s strategy for assessing its needs: whether the current IT system still meets the objectives for which it was designed, and whether the controls necessary to comply with regulatory requirements are in place.
Covers the independent assessment, by internal and external auditors, of the effectiveness of the IT system in meeting business objectives and of the company’s control processes.
Control Objectives for the Monitor & Evaluate Domain
ME1 Monitor and Evaluate IT Processes
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance
Further Information: Information Systems Audit and Control Association (ISACA) http://www.isaca.org
32% of Compliant Organizations Never Had a Breach vs. 12% of Non-Compliant Organizations
69% of Compliant Organizations Reported at Least One Breach vs. 88% of Non-Compliant Organizations
We all can help to Deter, Detect and Defend against ID Theft with these 5 easy steps:
Take Stock – Know Where the Info Is
Scale Down – Keep Only What is Needed
Lock It – Protect the Info We Do Keep
Pitch It – Properly Dispose of What We Don’t
Plan Ahead – Create a Plan to Respond to a Breach
does not manage compliance programs and does not impose any consequences for non-compliance. may have their own compliance initiatives, including financial or operational consequences to certain businesses that are not compliant.
The road to PCI DSS compliance depends on the Merchant Level and on the Self-Assessment Questionnaire (SAQ) validation type.
Merchant Levels based on Credit Card Transactions Processed