On Common Ground: The Overlap of PCI DSS and Data Protection

The landscape in which today's CISO must work presents tremendous challenges: fewer resources to do the job, the need to comply with multiple standards and regulations, and little executive-level support. But fear of brand damage, fines and the other negative consequences of a security breach or of audit findings has many organisations actually increasing budgets for compliance initiatives. Given that security and compliance share the same basic goal, namely safeguarding sensitive data, the strategic CISO will look for ways in which IT security can benefit from this increased focus on compliance.

Published in: Technology, Business

  • Traditionally, the role of the CISO has been to protect the IT infrastructure. Lately that role has expanded: CISOs are increasingly responsible for ensuring compliance with a dizzying array of standards and regulations. This leaves CISOs around the globe asking:
    • How can I meet my security objectives in this challenging landscape?
    • To what extent do my compliance initiatives, such as PCI DSS and data protection policies, overlap?
    • If I'm compliant, am I also secure?
    • What technology investments can address both my compliance and my data protection requirements?
  When we explore the landscape in which CISOs now work (new standards and regulations, increased attacks from hackers, and a more complex IT environment that includes virtualised infrastructure and outsourcing), we see that this challenging landscape also creates opportunity. As organisations allocate funds to compliance initiatives, CISOs can benefit from that focus.
  • Data protection and compliance, two seemingly different objectives, may actually have so much in common that by addressing one you have made significant inroads into addressing the other. Let's discuss what compliance and data protection have in common:
    • Protection of sensitive data
    • Need for continuous vigilance
    • Using compliance as a foundation for security best practices
  • The overarching goal of compliance mandates and of information security is to protect the critical systems that hold specific application data, such as cardholder data or personal information. Although the type of data that must be secured varies (cardholder data for PCI DSS, personal information for data protection legislation), in every case it is the systems that store or process the sensitive information that must be protected. Unfortunately, many organisations miss the opportunity to develop a broader, end-to-end data protection strategy when they focus solely on a single compliance mandate and its impending deadline. They take a narrowly focused project approach that can result in disparate technology tools that do not integrate well. Over time, after several compliance "projects" are completed, an organisation can find itself with little or no ability to correlate and make use of the data the different tools collect. For example, a file integrity monitoring tool may meet a specific requirement to record changes to configurations, files and file attributes, while another tool collects log files to satisfy a log collection and retention requirement. The data collected by each tool typically sits in a separate location, with no automated way to determine whether a detected change relates to a series of events captured by the log tool. What is more, in many cases logs are collected, but the sheer volume means security analysts cannot analyse the information intelligently or in real time.
  • We've talked about the need to protect sensitive data, and defined what I mean by that. But what is the motivation to do this? A second, equally important shared goal of security frameworks, regulations and industry standards is to provide assurance to stakeholders that this data protection is in place. For example:
    • Consumers need to be confident that their personal information is safeguarded through appropriate collection and secure storage;
    • Customers and partners need to know that the organisation can be trusted to provide appropriate, effective IT security;
    • Regulators need assurance that the right security rigour and discipline is in place, from PCI DSS to safeguard cardholder data to data protection laws for personal information; and
    • Senior managers need confidence that business information, a key asset of the organisation, does not become a liability through poor or inappropriate security strategy, and that breaches will be rapidly highlighted and costs minimised. Critically, they must be confident that brand reputation will not be jeopardised.
  • So let's break this down. Data is everywhere, whether in the cloud, on your network or on a server, and it is dynamic, as is your infrastructure. Every organisation has security controls in place, whether industry best practices, government requirements or internal standards, and these controls exist to protect the availability of your infrastructure and, more importantly, your data. Threatening that infrastructure and data is a range of attack vectors. Malicious external threats are the hackers, cyber gangs and cyber criminals specifically trying to get at your data; the threats themselves are not new, but their methods are: attaching themselves to legitimate, authorised activity and then lying dormant to avoid detection. Human error, or business as usual, is not what you would normally call an attack vector, but it is the most common way data gets exposed: configuration drift, a patch not deployed, and so on. Despite the increase in threats, compliance continues to take a significant share of IT spending, and fear of the auditor and of fines, together with a check-box mentality of proving compliance, adds further churn. Information security discussions have migrated to the boardroom and the C-suite, bringing increased scrutiny of security controls, because, as I mentioned earlier, the aim is to protect data so that your company or agency does not become news. All of this activity generates events and changes, authorised or unauthorised. Visibility, knowing the risks so you can protect against them, is critical, but this much visibility makes it difficult to see anything.
  • Over the next few years, companies will increasingly realise that good information security can be an asset and a differentiator from the competition. However, most organisations still view compliance as an annual project: an exercise in doing the minimum required to pass the audit. The end goal of each project is ticking the box marked "compliance" rather than improving security and safeguarding valuable corporate assets, including brand reputation.
  • However, some do recognise the need for continuous security and compliance. For example, many regard ISO 27001 (the information security management standard published by the International Organization for Standardization) as an umbrella over other legal and regulatory requirements such as J-SOX, SOX and the Data Protection Directive, and over contractual standards like PCI DSS, because it requires organisations to continuously demonstrate their commitment to high levels of information security. As Bob Russo, General Manager of the PCI Security Standards Council, stated before the House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, "Achieving and maintaining compliance with PCI DSS and continuous vigilance regarding other security practices is an ongoing process that must systematically be integrated into every organization's development and operational practices and policies in order to serve as the best line of defense against a data breach." He insists that organisations must not take a purely checklist approach to security, or rely on periodic validation as their security goal, but must instead exercise continuous vigilance and maintain a strict security programme that ensures constant, ongoing PCI DSS compliance.
  • A centralised PCI approach can benefit your entire organisation. Using PCI DSS as a baseline for security best practices can give organisations a tremendous head start on a sound security strategy. The standard is far more prescriptive and detailed, and far less open to interpretation, than frameworks such as the ISO 27000 series. Bear in mind, though, that PCI DSS requirements apply only to the cardholder data environment and the systems connected to it, so the controls have to be extended deliberately to the rest of the estate: PCI DSS does not replace an overall information security programme; it should complement it.
  • And all of this visibility produces far too much information.
  • Seeing only changes is not enough
  • Seeing only events is not enough
  • Relating or correlating change events to log events, establishing relationships between these two kinds of data, is what lets you alert on a potential threat to your data.
  • Visibility across your infrastructure, to know what is happening at all times. Intelligence, to know which changes or events are suspect and may put your infrastructure and data at risk of compromise. Automation, to help you categorise high-risk changes and events, remediate certain conditions, and automate compliance requirements such as reporting.
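The point made on the last few slides, that neither the file-integrity feed nor the log feed is useful on its own but the two together are, is easy to show in code. The following is an added example written for this page; it is not from the slides or from any product. Both feeds, the JSON-lines shape they use, the host and path names, the approved change window and the list of service accounts are constructed assumptions chosen for illustration. It runs as a batch over the embedded records; applying the same loop to a live stream of both feeds is the real-time case the notes ask for.

```python
"""Correlate file-integrity (FIM) change events with authentication log events.

Added example (not from the slides or any product): it shows why relating a
change record to the log events around it says more than either feed alone.
All records below are constructed sample data, and the JSON-lines shape of the
two feeds is an assumption chosen for the example, not a real tool's format.
"""
import json
from datetime import datetime, timedelta, timezone

# Paths whose modification matters for the controls under discussion
# (an assumed list for the example).
MONITORED_PREFIXES = ("/etc/", "/var/www/checkout/")

# Constructed FIM feed: one JSON object per line.
FIM_EVENTS = """\
{"ts": "2024-03-04T02:15:10Z", "host": "web01", "path": "/var/www/checkout/payment.php", "user": "www-data", "type": "modified"}
{"ts": "2024-03-04T10:02:41Z", "host": "web01", "path": "/etc/ssh/sshd_config", "user": "alice", "type": "modified"}
{"ts": "2024-03-04T11:30:00Z", "host": "web01", "path": "/tmp/build.log", "user": "jenkins", "type": "created"}
"""

# Constructed auth log feed (sshd logins, already normalised to JSON).
LOG_EVENTS = """\
{"ts": "2024-03-04T02:11:03Z", "host": "web01", "event": "ssh_login", "user": "www-data", "src": "198.51.100.23"}
{"ts": "2024-03-04T09:58:12Z", "host": "web01", "event": "ssh_login", "user": "alice", "src": "10.0.5.17"}
"""

# Approved change windows per host (assumed to come from change management).
CHANGE_WINDOWS = [("web01", "2024-03-04T09:30:00Z", "2024-03-04T10:30:00Z")]

# Accounts that should never log in interactively (assumed for the example).
SERVICE_ACCOUNTS = {"www-data", "jenkins"}

# How far back from a change we look for logins on the same host.
LOOKBACK = timedelta(minutes=10)


def parse_ts(value):
    """Parse the feeds' ISO-8601 UTC timestamps into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_jsonl(text):
    """Parse a JSON-lines feed, converting each record's ts field."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for record in records:
        record["ts"] = parse_ts(record["ts"])
    return records


def in_change_window(host, ts, windows):
    """True if an approved window for this host covers the timestamp."""
    return any(h == host and parse_ts(start) <= ts <= parse_ts(end)
               for h, start, end in windows)


def correlate(fim_events, log_events, windows):
    """Return one alert per monitored change that has no benign explanation.

    A change is suppressed when it falls inside an approved window and the
    logins preceding it on the same host are all by human accounts; otherwise
    the alert lists every reason it looked wrong, plus the related logins.
    """
    alerts = []
    for change in fim_events:
        if not change["path"].startswith(MONITORED_PREFIXES):
            continue  # out of scope for the controls: drop the noise early
        reasons = []
        if not in_change_window(change["host"], change["ts"], windows):
            reasons.append("change outside approved change window")
        # Logins on the same host within LOOKBACK before the change.
        related = [e for e in log_events
                   if e["event"] == "ssh_login"
                   and e["host"] == change["host"]
                   and change["ts"] - LOOKBACK <= e["ts"] <= change["ts"]]
        for login in related:
            if login["user"] in SERVICE_ACCOUNTS:
                reasons.append(f"interactive login by service account "
                               f"{login['user']} from {login['src']}")
        if reasons:
            alerts.append({
                "host": change["host"],
                "path": change["path"],
                "ts": change["ts"].isoformat(),
                "reasons": reasons,
                "related_logins": [f"{e['user']}@{e['src']}" for e in related],
            })
    return alerts


def run():
    """Correlate the constructed feeds and return the resulting alerts."""
    return correlate(load_jsonl(FIM_EVENTS), load_jsonl(LOG_EVENTS), CHANGE_WINDOWS)


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert, indent=2))
```

Of the three constructed changes, only the edit to the checkout script produces an alert: it happened outside the approved window and was preceded by an interactive login from a service account. The sshd_config change by alice is suppressed because it sits inside the window and the only nearby login is hers, and the /tmp write is discarded before any correlation because it is out of scope. Neither the FIM feed nor the login feed would have reached that verdict alone, which is the noise reduction the slides are after.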