Michael Kaishar Pci Dss Power Point Presentation

PCI-DSS: Protecting Stored Cardholder Data.

Published in: Technology

  1. PCI-DSS: Protecting Stored Cardholder Data
     By Michael Kaishar, MSIA, CISSP
  2. Reasons for Protecting Stored Data
     • PCI-DSS Compliance
       • Protect Stored Cardholder Data
     • Government Regulatory Compliance
       • GLBA, HIPAA, SOX
     • Data Breach Risk Mitigation
       • Keep out of News Headlines
       • Keep Customer Trust
       • Protect Reputation
  3. Solutions for Protecting Stored Data
     • Encryption Tools
       • Decru
       • PointSec
     • Data Classification
       • Procedural Approach
       • Categories and Discretionary Access
       • Reconnex iGuard
     • Policies and Procedures
       • Threat Matrices
  4. Tape Media Encryption Solution
     • Decru – Best in class Tape Encryption
     Figure 1. Decru Encrypting Backup Tapes (Used with permission, Decru, 2007)
  5. Laptop & PC Encryption Solution
     • PointSec – Wipe-Out Data Remotely
     Figure 2. PointSec Encrypting Laptops (Used with permission, CheckPoint, 2007)
  6. Data Classification
     • Procedural Approach
       • The manual and subjective process of classifying data is to go through the stored data, analyze it, identify its importance, then assign it to a category (Woodbury, 2007).
  7. Data Classification
     • Categories and Discretionary Access
       • The military follows a strict classification model based on Bell-LaPadula mandatory access controls (Schneier, 2004), where the categories are Top Secret, Secret, Confidential and Unclassified (Bishop, 2003). Too restrictive for commercial use!
       • Categories such as confidential/private, internal official use only and public work well in the commercial sector. Once data is categorized, access controls are put in place to allow or deny users.
  8. Data Classification
     • Categories and Discretionary Access
     I created the diagram in order to provide a visual illustration of how data can be categorized in an organization. For example, the CEO has access to Private & Confidential data, which are salaries and social security numbers.
     Figure 3. Information Classification Hierarchy
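Slides 6 through 8 describe the two halves of the classification process: each stored record is examined and assigned a category, and access is then allowed or denied by comparing a user's clearance with that category. The following Python is an added example, not code from the presentation or from any product it mentions. It generalizes the slides' one example (the CEO reading salaries and social security numbers) into a small deny-by-default check over the three commercial categories named on slide 7; the category ordering, the field-to-category table, the users and the records are all constructed assumptions.

```python
"""Added example (not from the presentation): content-based classification of
stored records into the commercial categories named on the slides, followed
by a deny-by-default access check against each user's clearance.

Everything here is constructed for illustration: the category ordering, the
field-to-category table, the users and the records are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# The three commercial categories from the slide, ordered least to most
# sensitive; a user cleared for one level may read it and everything below.
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2}
NAMES: Dict[int, str] = {rank: name for name, rank in LEVELS.items()}

# Constructed table: which category each kind of stored field belongs to.
FIELD_CATEGORY: Dict[str, str] = {
    "press_release": "public",
    "org_chart": "internal",
    "salary": "confidential",
    "ssn": "confidential",
}

def classify(fields: Iterable[str]) -> str:
    """A record takes the category of its most sensitive field. A field
    not in the table is treated as confidential so that unknown data is
    never accidentally published (fail closed). An empty record is public."""
    rank = LEVELS["public"]
    for name in fields:
        rank = max(rank, LEVELS[FIELD_CATEGORY.get(name, "confidential")])
    return NAMES[rank]

@dataclass(frozen=True)
class Record:
    name: str
    fields: tuple            # names of the fields stored in the record

    @property
    def classification(self) -> str:
        return classify(self.fields)

@dataclass(frozen=True)
class User:
    name: str
    clearance: str           # expected to be one of LEVELS

@dataclass
class AccessLog:
    entries: List[str] = field(default_factory=list)

def can_read(user: User, record: Record, log: AccessLog) -> bool:
    """Allow a read only when clearance >= classification. An unknown
    clearance label is denied rather than mapped to a default level,
    and every decision is logged for later review."""
    user_rank = LEVELS.get(user.clearance)
    record_rank = LEVELS[record.classification]
    allowed = user_rank is not None and user_rank >= record_rank
    log.entries.append(
        f"{'ALLOW' if allowed else 'DENY'} {user.name} ({user.clearance}) "
        f"-> {record.name} ({record.classification})"
    )
    return allowed

def readable_records(user: User, records: Iterable[Record], log: AccessLog) -> List[str]:
    """Names of the records this user is permitted to read, in input order."""
    return [r.name for r in records if can_read(user, r, log)]

# Constructed sample data mirroring the slide's example: the CEO may see
# salaries and social security numbers; a contractor may not.
RECORDS = (
    Record("payroll", ("salary", "ssn")),
    Record("staff_directory", ("org_chart",)),
    Record("newsroom", ("press_release",)),
)
CEO = User("ceo", "confidential")
STAFF = User("analyst", "internal")
CONTRACTOR = User("contractor", "public")
MISLABELED = User("temp", "vip")   # clearance label that was never defined

if __name__ == "__main__":
    log = AccessLog()
    for user in (CEO, STAFF, CONTRACTOR, MISLABELED):
        print(user.name, readable_records(user, RECORDS, log))
    print("\n".join(log.entries))
```

Two design choices carry the security point of the slides: a record inherits the category of its most sensitive field, so mixing one social security number into an otherwise public file makes the whole file confidential, and an undefined clearance label or field name fails closed instead of being treated as public.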
  9. Data Classification
     • Reconnex automates Data Classification
     Figure 4. Reconnex iGuard (Used with permission, Reconnex, 2007)
  10. Policies and Procedures
     • In order to have good security there needs to be good structure and framework in the design and deployment of security solutions. One way of creating a framework for security policies is to build threat matrices (Platt, 2002).
     • A threat matrix lists all risks and their associated likelihood of occurrence. Once the threat matrices are formulated and in place, it is much easier for organizations to implement security measures pertaining to the identified threats.
     • Policies and procedures are not developed overnight; they require careful consideration and constant updates.
  11. Recent News and Opinion
     • California Governor Arnold Schwarzenegger vetoed the Retail Data Security Bill (Krebs, 2007).
       • Why should this bill be passed as law?
         • Credit card companies need to come up with better security for their financial instruments and not pass the problem onto the merchants. The Payment Card Industry can certainly afford it. The PCI-DSS is a good model for merchants to follow and it is a step in the right direction. PCI-DSS is a framework and should not be made mandatory nor into law; it should just remain as is, a helpful standard for securing and protecting the merchants’ data infrastructure.
  12. References
     • Bishop, M. (2003). Computer Security: Art and Science. Upper Saddle River: Addison-Wesley.
     • CheckPoint. (2007). Full Disk Encryption Software for Desktop PC and Laptop Security. Retrieved October 28, 2007, from CheckPoint Software Technologies Web site: http://www.checkpoint.com/products/datasecurity/images/lgdiagramPC.gif
     • Decru. (2007). Decru Solutions for PCI Compliance. Retrieved October 27, 2007, from Decru Web site: http://www.decru.com/solutions/pdf/pci.pdf
     • Krebs, B. (2007, October 26). Schwarzenegger Vetoes Retail Data Security Bill. Retrieved October 28, 2007, from Washington Post Web site: http://blog.washingtonpost.com/securityfix/2007/10/schwarzenegger_vetoes_retail_d.html
     • Platt, F. N. (2002). Physical Threats to the Information Infrastructure. In S. Bosworth & M. Kabay, Computer Security Handbook (pp. 14.1-14.25). New York: John Wiley and Sons Incorporated.
     • Reconnex. (2007). Data at Rest. Retrieved October 28, 2007, from Reconnex Web site: http://www.reconnex.net/images/products/diagram_dataatrest_lg.jpg
     • Schneier, B. (2004). Secrets and Lies (pp. 122-127). Indianapolis: Wiley Publishing Incorporated.
     • Woodbury, C. (2007). The Importance of Data Classification and Ownership. Retrieved October 28, 2007, from Sky View Partners Incorporated Web site: http://www.skyviewpartners.com/pdf/Data_Classification_Ownership.pdf