ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
1. Executive Alliance, Inc.
   ISE UK and Ireland Summit and Awards
   NOMINEE SHOWCASE PRESENTATION
   October 16, 2008, New York, New York; October 22, 2008, London, United Kingdom

2. Vulnerability scanning for PCI DSS compliance and risk management
   by Vladimir Jirasek, Information Security & Compliance Manager, DSG International plc
   (ISE Northeast 2008 / ISE UK and Ireland 2008, Executive Alliance, Inc.)

3. Today’s Discussion Points
   • About DSG International
   • PCI DSS programme and beyond compliance
   • Vulnerability scanning project
   • Lessons learned

4. DSG International plc
   • Major electrical and computing retailer in Europe with both traditional stores and a Web store
   • We own brands like Currys, PC World, Pixmania, The TechGuys, PC City, Electroworld, Elkjop
   • No. 1 in the UK
   • Head office in Hemel Hempstead, UK
   • 40,000 employees in the Group
   • Annual revenue over £6b
   • Processes large amounts of customer data

5. PCI DSS is good but ...
   • Why good? The first standard that retailers take seriously
   • But scope is/can be limited
   • DSGi started work on PCI DSS in 2007 with most of the projects kicked off
   • Requirement 11.2 handled by this project
   • Limited budget
   • Although the scope is limited, the approach was to take a risk based approach

6. Requirements
   • Compliant with 11.2, i.e. ASV
   • Whole group in the scope (regardless of the PCI DSS scope)
   • Minimal operational overhead
   • Potential to satisfy other requirements
   • Easy to use
   • Fit for distributed IT teams in the Group

7. Goals
   • Develop patching and vulnerability scanning policy
   • Quick win - find the state of the DSGi network (external then internal)
   • Deliver first “PASS” PCI DSS scans
   • Make this activity BAU for IT teams

8. Challenges
   • Distributed IT teams
   • No standardised patching policy
   • Limited budget and overstretched IT resources in most countries
   • Missing risk assessment in IT patching
   • Scepticism about and wariness of vulnerability scanning

9. Project team
   Accountable and project lead: Vladimir Jirasek - DSGi Information security manager
   Team members:
   • Matt Leggett - Security project manager (UK)
   • Stelios Kavalaris - Security admin (Greece)
   • Samy Elmalki - Network admin (France)
   • Ana Maria Munoz Ponce - System admin (Spain)
   • Lars-Andre Johannessen - System manager (Nordic group)
   • Oyvind Gulikstad - Security manager (Nordic group)
   • Paolo Asioli - Security manager (Italy)
   • Ed Brown - Systems manager (UK, Techguys)
   • Michael Braid - Systems admin (UK, DSGi Business)

10. Overcoming challenges
   • Responsibility for “clean” scans transferred to business units’ IT managers
   • Group wide standardised patching policy agreed
   • Limited budget addressed by using a Software-as-a-Service model
   • Qualys service is easy to use and understood by IT teams; virtually no training required
   • Business units in Qualys made group wide rollout easy to manage
   • Testing of the impact of scanning on existing IT systems

11. Risk based approach
   (Network diagram; labels: Internet, Internal network, Head office, DMZ, mainframe, eBusiness, VPN GW, acquirer settlement, Store network)

12. Risk based approach (cont)
   Remediation targets by rating (5 to 1) and vulnerability severity:

       Critical      Important      High           Medium         Low
   5   24 hours      5 days         14 days        20 days        40 days
   4   5 days        10 days        20 days        1 month        2 months
   3   10 days       20 days        1 month        2 months       3 months
   2   6 months*     Next release*  Next release   Next release   No fix
   1   no fix*       no fix*        no fix         no fix         No fix

13. Project results
   • Patching policy agreed by IT teams
   • Weekly vulnerability scans carried out on all external and critical internal assets - 14 internal appliances in 7 business units
   • 80% of security issues fixed across the group within first 3 months
   • Qualys accepted by IT teams as a “good” tool for highlighting security issues
   • Scanning is now a BAU activity

14. Conclusion
   • Looked beyond PCI DSS and adopted a risk based approach (now compliant with v 1.2)
   • Each IT team is a separate business unit
   • Responsibility for scanning and fixing transferred to IT managers

15. Thank You!
   • Questions?
   • Contact Info:
   • Vladimir.jirasek@dgiplc.com or Vladimir@Jirasek.eu
   • +447959040187
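The remediation matrix on the "Risk based approach (cont)" slide is the part of the programme a team actually has to operationalise: every scan finding gets a fix-by date from its asset rating and vulnerability severity, and overdue items are what the IT managers who own "clean" scans get measured on. The following is an added example by the editor, not code from the presentation, DSGi or Qualys. It assumes the slide's 5..1 rows are an asset rating (5 = most critical), that a policy "month" is 30 days, and drops the slide's asterisks (their footnote is not on the page); the findings, host names and dates are constructed.

```python
from datetime import datetime, timedelta
from typing import Optional, Union

# Column order exactly as the slide names the severities.
SEVERITIES = ("Critical", "Important", "High", "Medium", "Low")

HOUR, DAY = timedelta(hours=1), timedelta(days=1)
MONTH = 30 * DAY  # assumption: the policy's "month" is taken as 30 days

# Rows: the slide's 5..1 rating (assumed to be an asset rating, 5 = most critical).
# Timed cells are timedeltas; "Next release" / "No fix" cells carry no calendar
# deadline and are kept as strings. Asterisks from the slide are dropped.
Target = Union[timedelta, str]
REMEDIATION_MATRIX: dict[int, tuple[Target, ...]] = {
    5: (24 * HOUR, 5 * DAY, 14 * DAY, 20 * DAY, 40 * DAY),
    4: (5 * DAY, 10 * DAY, 20 * DAY, MONTH, 2 * MONTH),
    3: (10 * DAY, 20 * DAY, MONTH, 2 * MONTH, 3 * MONTH),
    2: (6 * MONTH, "Next release", "Next release", "Next release", "No fix"),
    1: ("No fix", "No fix", "No fix", "No fix", "No fix"),
}


def remediation_target(rating: int, severity: str) -> Target:
    """Return the policy cell for (asset rating, vulnerability severity).

    Values outside the matrix are rejected rather than silently defaulted,
    so a mis-tagged asset shows up as an error instead of a missing SLA.
    """
    if rating not in REMEDIATION_MATRIX:
        raise ValueError(f"asset rating must be 1..5, got {rating!r}")
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    return REMEDIATION_MATRIX[rating][SEVERITIES.index(severity)]


def due_date(found: datetime, rating: int, severity: str) -> Optional[datetime]:
    """Fix-by date for a finding, or None when the cell has no calendar deadline."""
    target = remediation_target(rating, severity)
    return found + target if isinstance(target, timedelta) else None


def triage(findings: list[dict], now: datetime) -> list[dict]:
    """Annotate each finding with its target, due date and status.

    status is one of: "overdue", "open", "next release", "no fix".
    """
    result = []
    for f in findings:
        target = remediation_target(f["rating"], f["severity"])
        due = due_date(f["found"], f["rating"], f["severity"])
        if due is None:
            status = target.lower()          # "next release" or "no fix"
        elif now > due:
            status = "overdue"
        else:
            status = "open"
        result.append({**f, "target": target, "due": due, "status": status})
    # Overdue first, then by nearest due date; undated items last.
    far_future = datetime.max
    return sorted(result, key=lambda r: (r["status"] != "overdue", r["due"] or far_future))


def summary(triaged: list[dict]) -> dict[str, int]:
    """Count findings per status: the number a weekly BAU report would show."""
    counts: dict[str, int] = {}
    for r in triaged:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


# Constructed sample scan output (not real DSGi data).
SAMPLE_FINDINGS = [
    {"host": "ebusiness-web-01", "rating": 5, "severity": "Critical", "found": datetime(2008, 9, 1)},
    {"host": "hq-file-03", "rating": 3, "severity": "High", "found": datetime(2008, 9, 1)},
    {"host": "store-kiosk-12", "rating": 2, "severity": "Medium", "found": datetime(2008, 9, 1)},
    {"host": "lab-test-07", "rating": 1, "severity": "Critical", "found": datetime(2008, 9, 1)},
]
NOW = datetime(2008, 9, 20)  # constructed reporting date

if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS, NOW):
        due = r["due"].date() if r["due"] else "-"
        print(f"{r['status']:<12} {r['host']:<18} rating={r['rating']} {r['severity']:<9} due={due}")
    print(summary(triage(SAMPLE_FINDINGS, NOW)))
```

The sort order is the design choice worth keeping: a rating-5 critical finding found on 1 September is already overdue on 20 September, while the rating-3 high finding has until 1 October, so the report puts the overdue item first and pushes "next release" and "no fix" items, which have no date at all, to the bottom where they do not hide the ones that count against the SLA.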