On Common Ground: The Overlap of PCI DSS and Data Protection
 


The landscape today's CISO must work in presents tremendous challenges: fewer resources to do the work, the need to comply with multiple standards and regulations, and little executive-level support for that work. But the fear of brand damage, fines and the other negative impacts of a security breach or audit findings has many organisations actually increasing budgets for compliance initiatives. Given that security and compliance have the same basic goal, namely to safeguard sensitive data, the strategic CISO will try to see how IT security can benefit from this increased focus on compliance.

  • Traditionally, the role of the CISO has been to protect the IT infrastructure. Lately, that role has expanded: CISOs are now increasingly responsible for ensuring compliance with a dizzying array of standards and regulations. This leaves CISOs around the globe asking these questions: • How can I meet my security objectives in this challenging landscape? • To what extent do my compliance initiatives, such as PCI and data protection policies, overlap? • If I’m compliant, am I also secure? • What technology investments can address both my compliance and data protection requirements? When we explore the landscape in which CISOs now work (the new standards and regulations they face, increased attacks from hackers, and a more complex IT environment that includes virtualized infrastructure and outsourcing), we see that this challenging and complex landscape creates opportunity. As organizations allocate funds to address compliance initiatives, CISOs can benefit from this focus on compliance.
  • Data protection and compliance, two seemingly different objectives, actually may have so much in common that by addressing one you’ve made significant inroads to addressing the other. Let’s discuss what compliance and data protection have in common: • Protection of sensitive data • Need for continuous vigilance • Utilizing compliance as a foundation for security best practices
  • The overarching goal of compliance mandates and information security is to protect critical systems that hold specific application data, such as cardholder data or personal information. Although the type of data that must be secured varies (cardholder data for PCI, personal information for data protection legislation), it is essential to protect the systems that hold or process sensitive information. Unfortunately, many organisations miss the opportunity to develop a broader, end-to-end data protection strategy when focused solely on a single compliance mandate and its impending deadline. They use a narrowly focused project approach that can result in the implementation of disparate technology tools that don’t integrate well. Over time, after several compliance “projects” are completed, an organisation can find itself with little or no ability to correlate and leverage the data the different tools collect. For example, a file integrity monitoring tool may meet a specific requirement to collect data on changes to configurations, files and file attributes. Another tool may collect log files to satisfy a log collection and retention requirement. The data collected by each tool typically resides in separate locations, with no automated way to determine whether detected changes relate to a series of events captured by the log tool. What’s more, in many instances logs are collected, but because of the volume of data, security analysts can’t analyze the information intelligently and in real time.
  • We’ve talked about the need to protect sensitive data, and defined what I mean by that. But what’s the motivation to do this? A second, equally important shared goal of security frameworks, regulations and industry standards is to provide assurance to stakeholders that this data is protected. For example: • Consumers need to be confident that their personal information is safeguarded through appropriate collection and secure storage; • Customers and partners need to know that the organisation can be trusted to provide appropriate, effective IT security; • Regulators need assurance that the right security rigour and discipline is in place, from PCI DSS to safeguard cardholder data, to data protection laws for personal information; and • Senior managers need confidence that business information, a key asset of the organisation, does not become a liability due to a poor or inappropriate security strategy, and that breaches will be rapidly highlighted and costs minimised. Critically, they must be confident that brand reputation will not be jeopardised.
  • So let’s break this down. Data is everywhere, whether it’s in the cloud, on your network, on a server, etc., and it’s dynamic; your infrastructure is dynamic. Every organization has security controls in place, whether they’re industry best practices, government requirements or internal best practices. These controls are in place to protect the availability of your infrastructure and, more importantly, your data. Threatening your infrastructure and your data are all of these different attack vectors. Malicious external threats: these are the hackers, cyber gangs and cyber criminals specifically trying to get to your data. These external threats aren’t necessarily new, but their methods of attack are: attaching themselves to viable and authorized activities and then lying dormant to avoid being caught. Human error or business as usual: not what you would consider an attack vector, but it is the most common reason data gets exposed (configuration drift, a patch not deployed, etc.). Despite the increase in security threats, compliance spending continues to be a significant spend within IT. Fear of the auditor and fines, and a check-box mentality of proving compliance, add additional churn to the system. Information security discussions have migrated to the board room and the C-level executive’s office. There is increased scrutiny of security controls, as I mentioned earlier: protecting data so your company’s or agency’s name doesn’t become news. All of this activity is generating events and changes, authorized or unauthorized. And while this is complex, visibility, knowing the risks so you can protect against them, is critical. But this much visibility makes it difficult to see anything.
  • Over the next few years, companies will increasingly realise that good information security can be an asset and a differentiator from the competition. However, most organisations view compliance as an annual project: an exercise in performing the minimum requirements to pass the audit. The end goal of each project is ticking the box marked “compliance” rather than improving security and safeguarding valuable corporate assets, including brand reputation.
  • However, some do recognize the need for continuous security and compliance. For example, many regard ISO 27001 (from the International Organization for Standardization) as an umbrella over other requirements of law or regulation, such as J-SOX, SOX and the Data Protection Directive, and over contractual standards like PCI DSS, because it requires organisations to continuously demonstrate their commitment to high levels of information security. As Bob Russo, General Manager of the PCI Security Standards Council, stated before the House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, “Achieving and maintaining compliance with PCI DSS and continuous vigilance regarding other security practices is an ongoing process that must systematically be integrated into every organization’s development and operational practices and policies in order to serve as the best line of defense against a data breach.” He insists that organizations must not take solely a checklist approach to security, or rely on periodic validation as their security goal, but must instead exercise continuous vigilance and maintain a strict security program that ensures constant and ongoing PCI DSS compliance.
  • A centralized PCI approach can benefit your entire organisation. Using the PCI DSS as a baseline for security best practices can give organisations a tremendous head start on implementing a sound security strategy. This comprehensive standard is far more prescriptive and detailed, and far less open to interpretation, than other regulations and standards such as the ISO 27000 series. PCI DSS does not replace overall information security; it should complement it.
  • And all this visibility leads to is far too much information.
  • Seeing only changes is not enough
  • Seeing only events is not enough
  • Relating or correlating change events to log events: establishing relationships between these types of data to alert you about a potential threat to your data.
  • Visibility across your infrastructure to know what is happening at all times. Intelligence to know which changes or events are suspect and may put your infrastructure and data at risk of compromise. Automation to help you categorize high-risk changes and events, remediate certain conditions, and automate compliance requirements such as reporting.
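The notes above (the file-integrity versus log-tool silo problem, and "relating or correlating change events to log events") describe a technique without showing it. The following is an added example, not code from the presentation or from Tripwire: a small correlator that merges constructed change events (from a configuration/file-integrity monitor) with constructed log events on a per-host timeline and raises alerts for the kinds of sequences the transcript slides list (repeated failed logins followed by a success, a new account modifying a system file, FTP being enabled and then used to an external address, and logging being turned off or the event log being cleared). The event schema, rule names, window sizes and "internal network" ranges are this example's own assumptions.

```python
"""Correlating change events with log events into 'events of interest'.
Added example (not the presentation's or Tripwire's code); the Event schema,
rule names and thresholds below are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Iterable


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    source: str        # "change" = integrity/config monitor, "log" = syslog / Windows event log
    action: str        # normalised action name, e.g. "login_failed", "user_added"
    user: str = ""     # account performing the action
    detail: str = ""   # file path, peer IP, name of created account, ...


@dataclass
class Alert:
    rule: str
    host: str
    evidence: list = field(default_factory=list)   # the Events that triggered the rule


# Events that matter on their own: they remove visibility, so they are always high risk
VISIBILITY_LOSS = {"logging_disabled", "eventlog_cleared"}

# Assumed internal address space (RFC 1918); anything else is treated as "foreign"
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events: Iterable[Event], window: timedelta = timedelta(minutes=30),
              failed_threshold: int = 5) -> list:
    """Walk each host's timeline in order; for every event look back `window`
    for the earlier change/log events that turn it into an event of interest."""
    alerts = []
    per_host = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        per_host.setdefault(e.host, []).append(e)

    for host, evs in per_host.items():
        for i, e in enumerate(evs):
            recent = [p for p in evs[:i] if e.ts - p.ts <= window]
            if e.action in VISIBILITY_LOSS:
                alerts.append(Alert("visibility-loss", host, [e]))
            elif e.action == "login_success":
                # log + log: many failures then a success for the same account
                failures = [p for p in recent if p.action == "login_failed" and p.user == e.user]
                if len(failures) >= failed_threshold:
                    alerts.append(Alert("brute-force-then-success", host, failures + [e]))
            elif e.source == "change" and e.action == "file_modified":
                # change + change: file modified by an account created moments earlier
                created = [p for p in recent if p.action == "user_added" and p.detail == e.user]
                if created:
                    alerts.append(Alert("new-account-modified-file", host, created + [e]))
            elif e.source == "log" and e.action == "ftp_transfer":
                # change + log: FTP service enabled, then a transfer to an external address
                enabled = [p for p in recent if p.source == "change" and p.action == "ftp_enabled"]
                if enabled and is_external(e.detail):
                    alerts.append(Alert("ftp-enabled-then-external-transfer", host, enabled + [e]))
    return alerts


# Constructed sample timeline (not real data): one compromised-looking host, one benign host
T0 = datetime(2012, 5, 1, 9, 0)
def m(n): return T0 + timedelta(minutes=n)

SAMPLE_EVENTS = [
    *(Event(m(k), "web01", "log", "login_failed", user="svc_backup") for k in range(10)),
    Event(m(11), "web01", "log", "login_success", user="svc_backup"),
    Event(m(12), "web01", "change", "user_added", user="svc_backup", detail="tmpadmin"),
    Event(m(14), "web01", "change", "file_modified", user="tmpadmin", detail=r"C:\Windows\System32\example.dll"),
    Event(m(15), "web01", "change", "ftp_enabled", user="tmpadmin"),
    Event(m(20), "web01", "log", "ftp_transfer", user="tmpadmin", detail="203.0.113.7"),
    Event(m(21), "web01", "log", "eventlog_cleared", user="tmpadmin"),
    # benign noise: a typo'd password and an internal transfer should not alert
    Event(m(5), "db02", "log", "login_failed", user="alice"),
    Event(m(6), "db02", "log", "login_success", user="alice"),
    Event(m(30), "db02", "log", "ftp_transfer", user="alice", detail="10.0.0.5"),
]


def run_sample() -> list:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a.rule, a.host, [(ev.ts.strftime("%H:%M"), ev.action) for ev in a.evidence])
```

Each rule needs data from both silos the notes describe (the `user_added` and `ftp_enabled` records come from the change monitor, the logins and transfers from the log collector), which is the point: neither tool alone sees the sequence. Raising the threshold or shrinking the window trades missed detections for fewer false alarms, and the `visibility-loss` rule fires unconditionally because a host that stops reporting is itself the signal.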

Presentation Transcript

  • On Common Ground: The Overlap of PCI DSS & Data Protection
  • Can I meet my security objectives? If I’m PCI DSS compliant, am I secure? How does Data Protection relate to PCI? Is there commonality across standards? Expanding attack surface; more frequent & costly attacks; increasing risk of breach; expanding and evolving compliance demands; cost of being secure and compliant is too high and labor intensive.
  • [Slide: ISO 27001, PCI DSS, best practices and internal policy, each generating events]
  • [Chart, security posture over time: with no visibility the system drifts from the desired state into high risk; success is temporary]
  • [Chart, maintaining the desired state over time: assess & achieve; non-stop monitoring & collection; dynamic analysis to find suspicious activities; alert on impact to policy; remediation options to speed remedy]
  • Tripwire VIA: VISIBILITY across the entire IT infrastructure; INTELLIGENCE to enable better, faster decisions; AUTOMATION to reduce manual, repetitive tasks
  • Logging turned off; new user added; FTP enabled; DLL modified by new user
  • FTP event to foreign IP; login successful; 10 failed logins
  • 5 failed logins; login successful; Windows event log cleared; logging turned off; host not generating events; policy test fails
  • Answers to your two essential questions: AM I SECURE? AM I COMPLIANT? Raw log data, change events and log events become Events of Interest!
  • Change, breaches, audits and outages happen. TAKE CONTROL. Tripwire is a leading global provider of IT security and compliance automation solutions that enable organizations to protect, control and audit their entire IT infrastructure.