IT Security and Compliance Program Plan for Maxistar Medical Supplies Company
IT Security and Compliance Program for PCI, HIPAA and NIST
standards as applicable to the Maxistar Medical Supplies
Company’s IT operations. This paper was created as part of a case
study for CYBS 6355 in the spring 2015 semester at the University
of Dallas.
James Konderla
3/18/2015
Table of Contents
Executive Summary
Known Risks and Priorities
  Risk 1: Flat Network Topology
  Risk 2: Consolidated Server Functions
  Risk 3: Database Encryption
Implementing a Risk Management Framework
The New Security Program
Conclusion
References
Table of Figures
Figure 1, Bedford Site Topology
Figure 2, Proposed Network Topology for Bedford Site
Figure 3, Current Server Layout
Figure 4, Virtualized Server Layout
Figure 5, PCI Data Storage Guidelines (PCI, 2008)
Figure 6, NIST Risk Management Approach
Figure 7, Security Life Cycle
Executive Summary
As Maxistar Medical Supplies Company grows and expands its operations, it becomes increasingly
important to keep IT operations secure while also enabling the business to meet customer needs quickly
and effectively. During a recent assessment, Maxistar identified several changes that need to be made to
its IT operations to secure the business and align it with regulatory and legal compliance for the
Payment Card Industry (PCI), HIPAA, and NIST 800-53 standards. As part of this assessment, several
known risks were identified and 5 areas specifically were targeted as the starting point of Maxistar’s
Security and Compliance program. This document outlines those risks as well as the guidelines for our
plan to bring Maxistar into compliance with these three key standards. We will do this by addressing
the following topics:
• List of known risks and major priorities
• Implementation of a Risk Management Framework
• Overview of the new IT Security Strategy
• Overview and guidelines of the IT Compliance Strategy
Known Risks and Priorities
As part of our initial assessment of Maxistar’s current IT security state we were given exclusive
access to the entire IT operation. With this access we determined that there are 3 major risk areas
that Maxistar must address first, both to align with PCI, HIPAA and NIST standards and to secure its
network in the interim as the compliance program rolls out.
Risk 1: Flat Network Topology
As seen below, Maxistar has a largely flat network architecture with only 1 firewall (per site)
protecting the network from external environments. This architecture is not only seen at the Bedford
site but is repeated at every site, and it presents an easy target for external entities, allowing them
to traverse the network as easily as the IT group can.
Figure 1, Bedford Site Topology
For this reason we suggest that Maxistar implement a layered topology, also known as “Defense in
Depth”. As seen below, this topology places a secondary firewall between the central network and the
externally-exposed machines. This approach allows the IT assets that need to be reached externally to
remain reachable while keeping attackers from traversing the corporate network, effectively
segregating the systems that should not be accessed from outside.
Figure 2, Proposed Network Topology for Bedford Site
As each firewall also acts as a router, we suggest that the Demilitarized Zone (DMZ) between the
2 firewalls be separated from the internal network by its own Virtual LAN (VLAN) to further
complicate any attempt by external entities to traverse beyond the DMZ. Any performance decrease
from implementing this topology should be minimal, if it is noticed at all.
Risk 2: Consolidated Server Functions
Maxistar’s current network infrastructure has functioned for many years using a “consolidated
roles” infrastructure for its servers, as seen below.
Figure 3, Current Server Layout (one physical server hosting both the First Role and the Second Role directly)
While this consolidation worked well in the past, it presents many potential dangers to the
enterprise: if a server that hosts both a customer database role and a web server role is compromised,
for example, the customers’ data may be exposed. Our proposal is to separate the server functions
through virtualization, as shown for the same physical server below:
Figure 4, Virtualized Server Layout (the same physical server hosting two virtual machines, one for the First Role and one for the Second Role)
By separating server functions and limiting them to 1 per machine (or virtual machine), Maxistar
can negate these risks while also coming closer to compliance with PCI, HIPAA and NIST standards, as
each of these standards defines a separation of duties per server.
Risk 3: Database Encryption
One of the most noticeable shortcomings in Maxistar’s current infrastructure is the lack of
encryption on its databases. While some databases, such as product information, are unencrypted with
good reason, others such as sales information, customer data or billing information should be encrypted
immediately. Encryption is also one of the core components of the PCI, HIPAA and NIST standards and
should be the primary focus as Maxistar begins converting to its new Security and Compliance program.
We recommend a minimum of 128-bit encryption on systems that contain any Personally Identifiable
Information, store sales or company-sensitive data, or contain payment information. The base
guidelines for which systems require encryption can be found in the chart below, provided by PCI
(2008).
Figure 5, PCI Data Storage Guidelines (PCI, 2008)
This table also provides the guidelines for what data should and should not be stored for PCI
purposes; as PCI is the most stringent of the three on data storage requirements, we recommend that
Maxistar follow its guidelines on both storing and encrypting data.
Implementing a Risk Management Framework
A key factor in the success of any Security and Compliance program is a risk management
framework, as risks to a business cannot be properly mitigated without first being defined. A risk
management framework will enable Maxistar to combine its IT security and risk management
programs in a way that aligns with the business needs of the company while also protecting the company’s
IT infrastructure, by defining the risks facing Maxistar and standardizing how those risks will be handled.
Because cyber threats change continuously, establishing such a framework now, as part of the
new security and compliance program, will save time, money and resources against current and future
threats. We have selected the NIST framework (NIST, 2014), which was created for Federal Information
Systems, as it is flexible while also providing a strong foundation for Maxistar’s new program. This
framework takes a three-tiered approach to risk management, as seen below.
Figure 6, NIST Risk Management Approach
As can be seen in Figure 6, the NIST framework begins with the organization in mind. Only by
understanding and aligning IT with the business can risks be fully identified and addressed. Once IT has
aligned itself with the business, it can identify the mission and business processes involved in
keeping the business running efficiently and safely before, finally, moving on to securing the information
systems and architecture of the company. As seen below, the 3rd tier of the NIST framework focuses on the
“Security Life Cycle”, which guides organizations by using architecture and organizational inputs and
implementing a continuous feedback cycle.
Figure 7, Security Life Cycle
Continuous feedback is very important, as it allows continuous improvement of the
company’s risk management policies as business or architecture needs change. NIST is a very robust
framework that still allows a lot of flexibility for different kinds of businesses and industries, and it
is a perfect choice for Maxistar.
The New Security Program
Implementing a risk management framework with a “company first” mindset shows that
Maxistar has many steps to take on the way to PCI, HIPAA and NIST 800-53 compliance. To aid in this
journey, two security plans were proposed and the Maxistar board decided on the latter plan, outlined below.
Phase 1
Need: Eventual / Time Length: 1 Month
Overview:
This phase has Maxistar's IT Group immediately establish encryption and database
security controls on its databases. This phase also sees the overhaul of access
control for software and hardware systems to match employee job roles.
Steps and Requirements
1.) Immediately implement data encryption on all databases containing customer or payment
information.
2.) Conduct an overhaul of access controls and limit the use of equipment, software and systems to
employees on a "least privilege" basis.
3.) Implement emergency access controls to grant elevated access in the event of technical or
incident-driven emergencies.
4.) Implement workstation security by increasing patching of business-critical systems to every 2
months and non-business-critical systems to once a quarter.
Phase 2
Need: Eventual / Time Length: 2 Months
Overview:
This phase sees the creation of Maxistar's Security and Compliance team, a subset of
the IT Group governed by the Chief Security Officer and responsible for auditing and
securing Maxistar's IT systems in compliance with company policies, industry
regulations and international standards in all countries and markets Maxistar
operates in.
Steps and Requirements
1.) Create the IT Security and Compliance team with a minimum of 4 employees (2 domestic and 2
international) with 2 supervisory positions and 2 analyst positions.
2.) Create a standards document for Device and Media Controls with a focus on the disposal, re-use and
resale of retired technologies and media.
3.) Create a security management process with a focus on risk analysis, risk management, system
activity review and a sanction policy.
4.) Create an incident response and reporting program (may require additional employees) that focuses
on security incident response, reporting and disaster recovery procedures.
Phase 3
Need: Eventual / Time Length: 1 Month
Overview:
This phase sees the education of Maxistar employees on the new standards and
access controls of the new IT security program, as well as on compliance and the
penalties for non-compliance.
Steps and Requirements
1.) Create a training program and implement training classes for the new program. This step includes
the publishing of documents on the company's intranet or in easily-accessible locations for all
employees' review.
2.) Provide notification to customers and any other required entities (state, federal or regulatory) of the
new security program.
3.) Establish a continued audit program and set schedule for the audit to occur through the new
Security and Compliance team.
Phase 4
Need: Eventual / Time Length: 2 Months
Overview:
For the software group, this phase introduces code revision and quality
control. For the hardware group, this phase changes the network topology to
account for an additional firewall layer and adds a small testing infrastructure
for both groups.
Steps and Requirements
1.) SOFTWARE - Implement version control standards through GitHub Enterprise to allow easier
back-out of errors and faster documentation of changes between software patches and revisions.
2.) SOFTWARE - Implement a code review internal to the company prior to implementing code changes
to existing products or publishing new products.
3.) HARDWARE - Implement a secondary firewall, with the current firewall remaining at the perimeter
(internet-facing) infrastructure. Move the web and (optionally) email servers to the zone between the two
firewalls, creating a demilitarized zone for internet-facing traffic.
4.) HARDWARE - Implement a testing infrastructure that shares access controls and a baseline with the
current infrastructure.
Phase 5
Need: Eventual / Time Length: 3-4 Months
Overview:
This phase will see the implementation of a shared knowledgebase, service catalog
and ticket tracking system in accordance with ITIL and ITSM standards.
Steps and Requirements
1.) Implement a service management solution (for example HP Service Management) to allow the
access of a shared knowledgebase, service catalog and trouble/issue tracking system.
2.) Create a service catalog and corresponding website for the ordering and cataloging of IT Assets and
services.
As can be seen, this plan is aggressive and will take 10 months to roll out. It focuses
mainly on the implementation of the new security group, which will establish the security standards and
policies for Maxistar using the NIST risk management framework for guidance. Once this program rolls
out, the new security team will focus first on PCI compliance, with HIPAA and NIST compliance also in
mind. To aid in this endeavor, the security group’s first major task will be to take a baseline of
Maxistar’s current security using the PCI DSS D questionnaire for Merchants to assess how close
Maxistar is to PCI compliance. Using the answers to the questionnaire, the security group will then move
on to actually developing the new policies using the “Common Authorities on Information Assurance”
(CAIA) spreadsheet (Cloud Audit Controls, 2012). This spreadsheet shows that there are many common
elements across the programs, and as Maxistar moves closer to PCI compliance these common elements
can be assessed as well. Here are a few examples of how these standards can be assessed using the
CAIA, noting the corresponding HIPAA and NIST controls.
Assessment Procedure
ASSESSMENT OBJECTIVE:
Pertaining to firewalls and routers: Restrict Inbound and outbound traffic to that which is
necessary for the cardholder data environment, and specifically deny all other traffic.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: examine firewall configurations to verify that all inbound and
outbound traffic necessary for the cardholder data environment is identifiable, that inbound
and outbound traffic is limited to that which is necessary for the cardholder data
environment, and that all non-necessary inbound and outbound traffic is specifically denied
either by an explicit "deny all" rule or an implicit deny after the allow statements]
Compliance Elements:
NIST 800-53: SC-7
PCI DSS: 1.2.1
ASSESSMENT OBJECTIVE: Verify that file-integrity monitoring or change-detection
software has been implemented on system logs to ensure that existing log data cannot
be changed without generating alerts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: system settings, monitored files, results from file
monitoring/change-detection activities/applications]
Compliance Elements:
NIST 800-53: AU-9, AU-11, AU-14
PCI DSS: 10.5.5
ASSESSMENT OBJECTIVE: Verify that quarterly internal vulnerability scans have been
performed by qualified personnel. This includes rescans performed until all "high-risk"
vulnerabilities are resolved.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT ALL: review scan reports and verify that four quarterly internal scans
occurred in the most recent 12-month periods; Review scan reports and verify that scan
process includes rescans until all "high-risk" vulnerabilities as defined in PCI DSS
Requirement 6.1 are resolved.]
Compliance Elements:
NIST 800-53: CM-3, CM-4, CP-10, RA-5, SA-7, SI-1, SI-2, SI-5
PCI DSS: 11.2.1
HIPAA: 164.308(A)(1)(I)(II)(A), 164.308(a)(1)(i)(ii)(B), 164.308(a)(5)(i)(ii)(B)
ASSESSMENT OBJECTIVE: Verify that security alerts and information are monitored,
analyzed and distributed to appropriate personnel.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: verify that responsibility for monitoring and analyzing security
alerts and distributing information to appropriate information security and business unit
management personnel is formally assigned.]
Compliance Elements:
NIST 800-53: IR-2, IR-6, IR-7
PCI DSS: 12.5.2
HIPAA: 164.312(a)(6)(ii), 318.3(a)(New), 318.5(a)(New)
ASSESSMENT OBJECTIVE: Verify that all personnel are trained in a security awareness
program upon hire and at least once annually.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Verify that the program provides multiple methods of
communicating awareness and educating personnel; verify that personnel attend
security awareness training upon hire and at least once annually]
Interview: [SELECT FROM: randomly sample personnel to verify they have completed
awareness training and are aware of the importance of cardholder security.]
Compliance Elements:
NIST 800-53: AT-1, AT-2, AT-3, AT-4
PCI DSS: 12.6.1
HIPAA: 164.308(a)(5)(i), 164.308(a)(5)(ii)(A)
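The first assessment objective above (PCI DSS 1.2.1 / NIST SC-7) can be checked mechanically against a ruleset rather than by eye. The following is an added example, not part of the original plan or any Maxistar system: it parses constructed rules in the format of `iptables -S` output, flags ACCEPT rules for services that are not on the documented list of traffic necessary for the cardholder data environment, and confirms that each chain denies everything else, either implicitly (policy DROP) or by an explicit deny-all rule. The sample rules and the list of necessary services are assumptions.

```python
"""Audit a ruleset for PCI DSS 1.2.1 / NIST SC-7: only necessary traffic is
allowed, and everything else is denied either by the chain policy or by an
explicit deny-all rule. Added example; rules and service list are constructed.
"""
import re

# Constructed input in the format of `iptables -S` (assumption: a Linux host
# or firewall in the cardholder data environment). The ACCEPT policy on INPUT
# and the port 3389 rule are the deliberate defects the audit should catch.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.5.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
""".splitlines()

# Traffic the business has documented as necessary for the CDE hosts
# (assumption): HTTPS in, SSH in from the admin subnet, HTTPS and DNS out.
NECESSARY = {
    ("INPUT", "tcp", 443),
    ("INPUT", "tcp", 22),
    ("OUTPUT", "tcp", 443),
    ("OUTPUT", "udp", 53),
}

DENY_TARGETS = {"DROP", "REJECT"}


def _opt(pattern, line):
    """Return the first capture group of pattern in line, or None."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


def parse_rule(line):
    """Return (chain, target, proto, dport) for an '-A' rule, else None."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "-A":
        return None
    dport = _opt(r"\s--dport (\d+)", line)
    return (parts[1], _opt(r"\s-j (\S+)", line), _opt(r"\s-p (\S+)", line),
            int(dport) if dport else None)


def is_documented(rule, necessary):
    """Deny rules and port-less rules (loopback, established state) are not
    service allowances; an ACCEPT with a port must be on the necessary list."""
    chain, target, proto, dport = rule
    return target != "ACCEPT" or dport is None or (chain, proto, dport) in necessary


def audit(lines, necessary):
    """Return a list of findings; an empty list means the ruleset passes."""
    policies = {}      # chain -> default policy
    last_target = {}   # chain -> target of the last rule in that chain
    findings = []
    for line in lines:
        parts = line.split()
        if parts and parts[0] == "-P":
            policies[parts[1]] = parts[2]
            continue
        rule = parse_rule(line)
        if rule is None:
            continue
        chain, target, proto, dport = rule
        last_target[chain] = target
        if not is_documented(rule, necessary):
            findings.append(f"{chain}: {proto}/{dport} allowed but not documented as necessary")
    # The "specifically deny all other traffic" half of the objective.
    for chain in ("INPUT", "OUTPUT"):
        if policies.get(chain) != "DROP" and last_target.get(chain) not in DENY_TARGETS:
            findings.append(f"{chain}: no implicit deny policy and no explicit deny-all rule")
    return findings


def remediated(lines, necessary):
    """Corrected ruleset: drop undocumented allowances and close INPUT with an
    explicit deny-all so the chain denies even if its policy is left open."""
    kept = [l for l in lines if parse_rule(l) is None or is_documented(parse_rule(l), necessary)]
    return kept + ["-A INPUT -j DROP"]


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, NECESSARY):
        print("FINDING:", finding)
    print("after remediation:", audit(remediated(SAMPLE_RULES, NECESSARY), NECESSARY))
```

The same check applies to the DMZ firewall pair proposed under Risk 1: run it against each firewall's exported rules with the necessary-service list for that zone.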
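The second objective above (PCI DSS 10.5.5 / NIST AU-9) asks that existing log data cannot be changed without an alert. Logs grow, so a whole-file hash would alert on every legitimate entry; the added example below (not part of the original plan) instead baselines the file length and the SHA-256 of exactly that prefix, so appends pass while in-place edits and truncation alert. The log lines and paths are constructed.

```python
"""Append-only integrity check for system logs, as called for by the
assessment objective for PCI DSS 10.5.5 / NIST AU-9: existing log data must
not change without an alert. Added example; the log lines are constructed.

The baseline records the file length and the SHA-256 of the bytes up to that
length; each check re-hashes the same prefix. Edits of existing entries change
the prefix hash, truncation shortens the file, and both raise an alert, while
newly appended lines do not.
"""
import hashlib
import os
import tempfile

# Constructed sample log (assumption: a syslog-style auth log on a CDE host).
SAMPLE_LOG = (
    b"2015-03-18T09:00:01 sshd[412]: Accepted publickey for svc_backup from 10.0.5.20\n"
    b"2015-03-18T09:05:44 sudo: admin1 : COMMAND=/bin/systemctl restart httpd\n"
)
NEW_ENTRY = b"2015-03-18T09:10:12 sshd[498]: Failed password for root from 203.0.113.7\n"


def take_baseline(path):
    """Record how much of the file exists now and the hash of exactly that much.
    In production the baseline belongs on a separate, write-protected host."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read(size)).hexdigest()
    return {"path": path, "size": size, "sha256": digest}


def check_log(baseline):
    """Return (status, detail): status is 'ok', 'truncated' or 'modified'."""
    path = baseline["path"]
    size = os.path.getsize(path)
    if size < baseline["size"]:
        return "truncated", f"file shrank from {baseline['size']} to {size} bytes"
    with open(path, "rb") as f:
        prefix = f.read(baseline["size"])
    if hashlib.sha256(prefix).hexdigest() != baseline["sha256"]:
        return "modified", "bytes present at baseline time no longer match"
    return "ok", f"{size - baseline['size']} bytes appended since baseline"


def demo():
    """Run the three cases against a constructed log in a temporary directory
    and return the three statuses: appended, edited in place, truncated."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "auth.log")
        with open(path, "wb") as f:
            f.write(SAMPLE_LOG)
        baseline = take_baseline(path)

        # Case 1: normal operation, the daemon appends a new entry.
        with open(path, "ab") as f:
            f.write(NEW_ENTRY)
        appended, _ = check_log(baseline)

        # Case 2: an existing entry is rewritten in place with the same
        # length, so the file size alone would not reveal it.
        with open(path, "r+b") as f:
            data = f.read()
            f.seek(0)
            f.write(data.replace(b"Accepted", b"Rejected", 1))
        edited, _ = check_log(baseline)

        # Case 3: entries are removed by truncating the file below its
        # baseline length.
        os.truncate(path, baseline["size"] - 16)
        truncated, _ = check_log(baseline)
    return appended, edited, truncated


if __name__ == "__main__":
    print(demo())  # ('ok', 'modified', 'truncated')
```

After each clean check the baseline can be advanced to the new length, and a rotated log file gets its own baseline; the alert itself should go to the monitoring role named in the 12.5.2 objective.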
By using this same technique we can map the compliance elements of all 3 frameworks (PCI,
NIST and HIPAA) into a common framework to make implementation easier. Once PCI compliance has
been achieved we should have a better security posture and also be closer to meeting HIPAA and NIST
compliance. Using the HIPAA security risk assessment tool (HHS, 2014) we can then move on to
meeting HIPAA compliance and finish the implementation of our security and compliance
program by qualifying for NIST certification as our last step. We plan on dedicating 1 person as the lead
on this project, who will work full time leading the compliance efforts, with the remaining security and
IT staff dedicating 20% of their time to the program and the remaining 80% to their normal
jobs.
Conclusion
As can be seen, Maxistar has a ways to go before it is PCI, HIPAA and NIST compliant. This
road, however, will be shorter by relying on NIST as the risk management framework for Maxistar’s new
Security and Compliance Program. After the initial 10 month rollout Maxistar’s infrastructure will run
more smoothly and more securely for the remaining rollout. Over the course of the final rollout, which should
take an estimated year, Maxistar will move completely into compliance with all 3
standards. Although ideally compliance would be reached at a faster rate, we must keep in mind that
Maxistar has limited resources, like every other company, and its main resource, people, will be
devoted to their own jobs. With 1 person leading the efforts and an 80/20 split between normal
jobs and work on the compliance program, Maxistar’s journey towards compliance should be smoother
than many other companies’ but, unlike most other companies, Maxistar will be in complete alignment
with PCI, HIPAA and NIST 800-53 standards.
References
Data Security Standard - Requirements and Security Assessment Procedures. (2013, November 1). Retrieved March 19, 2015, from https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Guide for Assessing the Security Controls in Federal Information Systems and Organizations. (2010, June 1). Retrieved March 19, 2015, from http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf
PCI Data Storage Do’s and Don’ts. (2008). Retrieved April 9, 2015, from https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
NIST SP800-53 R3. (2014). Retrieved April 9, 2015, from http://www.nist.gov/cyberframework/
Cloud Audit Controls. (2012). Retrieved April 9, 2015, from http://www.cloudauditcontrols.com/2012/05/spreadsheet-iso-pci-hipaa-800-53.html
News. (2014). Retrieved April 9, 2015, from http://www.hhs.gov/news/press/2014pres/03/20140328a.html
 
BMC Discovery IDC Research Study 470 ROI in 5 Years
BMC Discovery IDC Research Study 470 ROI in 5 YearsBMC Discovery IDC Research Study 470 ROI in 5 Years
BMC Discovery IDC Research Study 470 ROI in 5 Years
 
Cloud computing understanding security risk and management
Cloud computing   understanding security risk and managementCloud computing   understanding security risk and management
Cloud computing understanding security risk and management
 
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET-  	  SAAS Attacks Defense Mechanisms and Digital ForensicIRJET-  	  SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
 
Sample Cloud Application Security and Operations Policy [release]
Sample Cloud Application Security and Operations Policy [release]Sample Cloud Application Security and Operations Policy [release]
Sample Cloud Application Security and Operations Policy [release]
 
PCI Compliance Report
PCI Compliance ReportPCI Compliance Report
PCI Compliance Report
 
IRJET- Effective Privacy based Distributed Storage Structure
IRJET- Effective Privacy based Distributed Storage StructureIRJET- Effective Privacy based Distributed Storage Structure
IRJET- Effective Privacy based Distributed Storage Structure
 

IT Security and Compliance Program Plan for Maxistar Medical Supplies Company

  • 1. IT Security and Compliance Program Plan for Maxistar Medical Supplies Company IT Security and Compliance Program Plan for Maxistar Medical Supplies Company IT Security and Compliance Program for PCI, HIPAA and NIST standards as applicable to the Maxistar Medical Supplies Company’s IT operations. This paper was created as part of a case study for CYBS 6355 in the spring 2015 semester at the University of Dallas. James Konderla 3/18/2015 0 | P a g e
Figure 2, Proposed Network Topology for Bedford Site ...............................................................3
Figure 3, Current Server Layout ....................................................................................................4
Figure 4, Virtualized Server Layout ...............................................................................................4
Figure 5, PCI Data Storage Guidelines (PCI, 2008) ........................................................................5
Figure 6, NIST Risk Management Approach ..................................................................................6
Figure 7, Security Life Cycle ..........................................................................................................7
Executive Summary

As Maxistar Medical Supplies Company grows and expands operations it becomes increasingly important to keep IT operations secure while also enabling the business to meet customer needs quickly and effectively. During a recent assessment Maxistar identified several changes that must be made to its IT operations to align with regulatory and legal compliance for the Payment Card Industry Data Security Standard (PCI DSS), HIPAA and NIST SP 800-53. As part of this assessment several known risks were identified, and three risk areas were singled out as the starting point of Maxistar's Security and Compliance program. This document outlines those risks as well as the guidelines for our plan to bring Maxistar into compliance with these three standards. We do this by addressing the following topics:
• List of known risks and major priorities
• Implementation of a risk management framework
• Overview of the new IT security strategy
• Overview and guidelines of the IT compliance strategy
Known Risks and Priorities

As part of our initial assessment of Maxistar's current IT security state we were given access to the entire IT operation. With that access we determined that there are three major risk areas Maxistar must address first, both to align with the PCI DSS, HIPAA and NIST standards and to secure the network in the interim while the compliance program rolls out.

Risk 1: Flat Network Topology

As seen below, Maxistar has a largely flat network architecture with a single firewall per site protecting the network from external environments. This architecture is not unique to the Bedford site but is repeated at every site. With one perimeter device, every externally exposed host (web or mail server) sits on the same segment as the internal servers and workstations, so an attacker who compromises one exposed host can move across the network as freely as the IT group can.

Figure 1, Bedford Site Topology

We therefore recommend that Maxistar implement a layered topology, also known as "defense in depth". As seen below, this topology places a secondary firewall between the central network and the externally exposed machines. This approach allows the IT assets that need to be reached externally to remain reachable while preventing attackers from traversing the corporate network, effectively segregating the systems that should never be accessed from outside.

Figure 2, Proposed Network Topology for Bedford Site

As each firewall also acts as a router, the demilitarized zone (DMZ) between the two firewalls should be placed on its own VLAN, separate from the internal network, to further complicate any attempt to pivot beyond the DMZ. Both firewalls should default to deny and carry only the explicit rules the DMZ hosts need (for example, inbound TCP/443 to the web server, and nothing from the DMZ toward internal hosts beyond the specific ports an application requires); this is what PCI DSS requirement 1.2.1 asks an assessor to verify. The performance cost of this topology should be minimal, if it is noticed at all.

Risk 2: Consolidated Server Functions

Maxistar's current network infrastructure has functioned for many years using a "consolidated roles" model for its servers, as seen below.
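The segmentation described above, as an added example that is not part of the original plan: a first-match rule evaluator modelling the two-firewall topology of Figure 2, with the checks an assessor performs for PCI DSS 1.2.1 / NIST SP 800-53 SC-7 (traffic limited to what the cardholder data environment needs, everything else explicitly denied). All addresses, hosts and ports are hypothetical: DMZ 192.0.2.0/24 with a web server at .10 and a mail server at .20, internal network 10.10.0.0/16 with a database at 10.10.5.20, and anything else treated as "internet".

```python
"""
Added example, not code from the original plan: a first-match rule evaluator
for the proposed two-firewall topology, plus the checks an assessor performs
for PCI DSS 1.2.1 / NIST SP 800-53 SC-7.

All addressing is hypothetical: DMZ 192.0.2.0/24 (web 192.0.2.10, mail 192.0.2.20),
internal 10.10.0.0/16 (database 10.10.5.20); anything else is "internet".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any destination port
    action: str            # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (
            (self.src == "any" or ip_address(src) in ip_network(self.src))
            and (self.dst == "any" or ip_address(dst) in ip_network(self.dst))
            and (self.proto == "any" or self.proto == proto)
            and (self.dport is None or self.dport == dport)
        )


DENY_ALL = Rule("any", "any", "any", None, "deny")


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; with no match, the firewall implicitly denies."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"


# Current state (Figure 1): one firewall, effectively open between segments.
FLAT = [Rule("any", "any", "any", None, "allow")]

# Proposed state (Figure 2): perimeter firewall in front of the DMZ ...
PERIMETER = [
    Rule("any", "192.0.2.10/32", "tcp", 443, "allow"),   # internet -> web server
    Rule("any", "192.0.2.20/32", "tcp", 25, "allow"),    # internet -> mail server
    DENY_ALL,                                            # explicit deny-all last
]
# ... and an internal firewall between the DMZ VLAN and the internal network.
INTERNAL = [
    Rule("192.0.2.10/32", "10.10.5.20/32", "tcp", 5432, "allow"),  # web -> DB only
    Rule("192.0.2.0/24", "10.10.0.0/16", "any", None, "deny"),     # rest of DMZ -> LAN
    DENY_ALL,
]

DMZ_NET = ip_network("192.0.2.0/24")
INTERNAL_NET = ip_network("10.10.0.0/16")
ZONE_ORDER = {"internet": 0, "dmz": 1, "internal": 2}


def zone(ip: str) -> str:
    addr = ip_address(ip)
    if addr in DMZ_NET:
        return "dmz"
    if addr in INTERNAL_NET:
        return "internal"
    return "internet"


def firewalls_on_path(src: str, dst: str) -> List[List[Rule]]:
    """Perimeter sits between internet and DMZ, internal between DMZ and LAN."""
    lo, hi = sorted((ZONE_ORDER[zone(src)], ZONE_ORDER[zone(dst)]))
    path = []
    if lo <= 0 < hi:
        path.append(PERIMETER)
    if lo <= 1 < hi:
        path.append(INTERNAL)
    return path


def reachable(src: str, dst: str, proto: str, dport: int) -> bool:
    """A flow succeeds only if every firewall on its path allows it."""
    return all(evaluate(fw, src, dst, proto, dport) == "allow"
               for fw in firewalls_on_path(src, dst))


def audit(rules: List[Rule]) -> List[str]:
    """Findings an assessor would raise against PCI DSS 1.2.1 / NIST SC-7."""
    findings = []
    if not rules or rules[-1] != DENY_ALL:
        findings.append("no explicit deny-all as the final rule")
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        if rule.src == "any" and rule.dst == "any":
            findings.append(f"rule {i}: allows any source to any destination")
        if rule.dport is None:
            findings.append(f"rule {i}: allow rule without a port restriction")
    return findings
```

With the flat ruleset, `reachable()` lets the internet reach the database port directly and `audit()` reports three findings; with the two proposed rulesets the web server is the only path to the database, the mail server cannot reach the internal network at all, and both rulesets audit clean. In a real assessment the same checks are run over the exported configuration (for example the output of `iptables-save` or `nft list ruleset` on Linux firewalls) rather than hand-written rule objects.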
Figure 3, Current Server Layout (one physical server hosting a first role and a second role)

While this consolidation worked well in the past, it exposes the enterprise to a clear danger: if a server hosting both a customer database and a public web server is compromised through the web application, the customer data on the same host is exposed with it. Our proposal is to separate server functions through virtualization, so that the same physical server is laid out as below:

Figure 4, Virtualized Server Layout (one physical server, one virtual machine per role)

By separating server functions and limiting each machine (or virtual machine) to one primary function, Maxistar reduces this risk while moving closer to compliance. PCI DSS requirement 2.2.1 states this directly: implement only one primary function per server so that functions requiring different security levels do not coexist, and where virtualization is used, only one primary function per virtual system component. NIST SP 800-53 captures the same idea as least functionality (CM-7), while the HIPAA Security Rule does not prescribe a per-server rule but requires the risk analysis and safeguards that this separation supports. Note that virtualization moves the trust boundary to the hypervisor: the host and its management interfaces must be patched and access-controlled to at least the standard of the guests, or the separation is only nominal.
Risk 3: Database Encryption

One of the most noticeable shortcomings in Maxistar's current infrastructure is the lack of encryption on its databases. While some databases, such as product information, are unencrypted for good reason, others such as sales information, customer data and billing information should be encrypted immediately. Protection of stored sensitive data is a core component of PCI DSS, HIPAA and NIST SP 800-53 and should be the first focus as Maxistar converts to its new Security and Compliance program. We recommend strong encryption with a minimum 128-bit key (for example AES-128) on systems that contain any personally identifiable information, store sales or company-sensitive data, or hold payment information. Encryption at rest only helps if the keys are kept apart from the data they protect: keys must not be stored in the same database or on the same host as the ciphertext, and PCI DSS requirement 3.5 requires that access to them be restricted to the fewest custodians necessary. The base guidelines for which card data may be stored, and which must be rendered unreadable, are given in the chart below from PCI (2008).

Figure 5, PCI Data Storage Guidelines (PCI, 2008)

This table also defines what should and should not be stored at all for PCI purposes. Because PCI DSS is the most stringent of the three standards on data storage, we recommend that Maxistar follow its guidelines on both storing and encrypting data: the primary account number (PAN) must be rendered unreadable wherever it is stored, and sensitive authentication data (full track data, card verification codes and PINs) must never be stored after authorization.
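The storage rules above, as an added example that is not part of the original plan: a routine that prepares a payment record for storage according to the PCI data storage do's and don'ts in Figure 5, and an audit routine that scans existing rows for data that must never be stored. Assumptions are hypothetical: records arrive as plain dicts, the PAN is rendered unreadable with a keyed one-way hash (HMAC-SHA-256, one of the methods PCI DSS requirement 3.4 permits) rather than with reversible AES encryption, which would need a library outside the Python standard library, and the HMAC key is supplied from a key management system rather than stored with the data.

```python
"""
Added example, not code from the original plan: prepare a payment record for
storage per the PCI data storage do's and don'ts, and audit existing rows for
data that must never be stored.

Assumptions (hypothetical): records are plain dicts; the PAN is rendered
unreadable with a keyed one-way hash (HMAC-SHA-256), one of the methods PCI DSS
Requirement 3.4 permits. Reversible encryption (AES-128 or stronger) would need
a library outside the standard library and is left out here. The HMAC key would
live in a key management system, never in the database it protects (PCI DSS 3.5).
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Sensitive authentication data: must not be stored after authorization.
FORBIDDEN_FIELDS = {"track1", "track2", "cvv2", "cvc2", "cav2", "cid", "pin", "pin_block"}
# Cardholder data that may be stored as-is (the PAN is handled separately).
PERMITTED_FIELDS = {"cardholder_name", "expiry", "service_code"}


class StorageViolation(ValueError):
    """Raised when a record cannot be made safe to store."""


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes that users type into a card number field."""
    return re.sub(r"[\s-]", "", str(raw))


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects malformed PANs before they reach the database."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the PAN, usable as a lookup index without the PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Return only the fields that may be stored, with the PAN made unreadable."""
    pan = normalize_pan(record.get("pan", ""))
    if not luhn_valid(pan):
        raise StorageViolation("PAN failed format or Luhn check")
    stored = {k: record[k] for k in PERMITTED_FIELDS if k in record}
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_token"] = pan_token(pan, key)
    # The full PAN and everything in FORBIDDEN_FIELDS are deliberately not copied.
    return stored


def audit_rows(rows: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Scan existing database rows for sensitive authentication data or a clear PAN."""
    findings = []
    for idx, row in enumerate(rows):
        bad = sorted(f for f in FORBIDDEN_FIELDS if row.get(f))
        if luhn_valid(normalize_pan(row.get("pan", ""))):
            bad.append("pan (stored in clear)")
        if bad:
            findings.append((idx, bad))
    return findings


# Constructed sample input (a well-known test card number, not a real account).
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "J. Doe",
    "expiry": "12/27",
    "cvv2": "123",
}
```

Running `audit_rows()` over a dump of Maxistar's existing sales and billing tables is the quickest way to find rows holding a clear PAN or a verification code; `prepare_for_storage()` shows the shape every new row should have. A keyed hash is enough when the application only needs to match or look up a card; where the full PAN must be recovered later, replace `pan_token()` with AES-128 (or stronger) encryption under the same key-separation rule.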
Implementing a Risk Management Framework

A key factor of success for any Security and Compliance program is a risk management framework: risks to a business cannot be properly mitigated without first being defined. A risk management framework will enable Maxistar to combine its IT security and risk management programs in a way that aligns with the business needs of the company while also protecting the company's IT infrastructure, by defining the risks facing Maxistar and standardizing how those risks are handled. Because cyber threats change continuously, establishing such a framework now, as part of the new security and compliance program, will save time, money and resources against current and future threats. We have selected the NIST framework (NIST, 2014), which was created for federal information systems, as it is flexible while also providing a strong foundation for Maxistar's new program. This framework takes a three-tiered approach to risk management, as seen below.

Figure 6, NIST Risk Management Approach

As can be seen in Figure 6, the NIST framework begins with the organization in mind (Tier 1). Only by understanding and aligning IT with the business can risks be fully identified and addressed. Once IT has aligned itself with the business, Tier 2 identifies the mission and business processes involved in keeping the business running efficiently and safely before, finally, Tier 3 moves on to securing the information systems and architecture of the company. Seen below, the third tier applies the "Security Life Cycle", which guides organizations by taking architecture and organizational inputs through a continuous cycle of categorize, select, implement, assess, authorize and monitor.

Figure 7, Security Life Cycle

Continuous feedback is what allows the company's risk management policies to keep improving as business or architecture needs change. NIST's framework is robust, yet flexible enough for different kinds of businesses and industries, and is a sound choice for Maxistar.
The New Security Program

By implementing a risk management framework with a "company first" mindset we can see that Maxistar has many steps to take on the way to PCI DSS, HIPAA and NIST SP 800-53 compliance. To aid in this journey two security plans were proposed, and the Maxistar board decided on the latter, outlined below.

Phase 1
Need: Eventual / Time Length: 1 month
Overview: In this phase Maxistar's IT group immediately establishes encryption and database security controls on its databases. It also overhauls access control for software and hardware systems to match employee job roles.
Steps and Requirements
1.) Immediately implement data encryption on all databases containing customer or payment information.
2.) Overhaul access controls and limit the use of equipment, software and systems to employees on a "least privilege" basis.
3.) Implement emergency access controls to grant elevated access in the event of technical or incident-driven emergencies (the HIPAA Security Rule's emergency access procedure, 164.312(a)(2)(ii)).
4.) Implement workstation security by patching business-critical systems at least every two months and non-business-critical systems at least once a quarter. Note that PCI DSS requirement 6.2 requires critical security patches to be installed within one month of release, so systems in the cardholder data environment will need a faster cycle than this baseline.

Phase 2
Need: Eventual / Time Length: 2 months
Overview: This phase creates Maxistar's Security and Compliance team, a subset of the IT group governed by the Chief Security Officer and responsible for auditing and securing Maxistar's IT systems in compliance with company policies, industry regulations and international standards in all countries and markets in which Maxistar operates.
Steps and Requirements
1.) Create the IT Security and Compliance team with a minimum of four employees (two domestic and two international), filling two supervisory positions and two analyst positions.
2.) Create a standards document for device and media controls, focused on the disposal, re-use and resale of retired technology and media.
3.) Create a security management process focused on risk analysis, risk management, system activity review and a sanction policy.
4.) Create an incident response and reporting program (which may require additional employees) covering security incident response, reporting and disaster recovery procedures.

Phase 3
Need: Eventual / Time Length: 1 month
Overview: This phase educates Maxistar employees on the new standards and access controls of the IT security program, including the compliance expectations and the sanctions for non-compliance.
Steps and Requirements
1.) Create a training program and run training classes for the new program. This step includes publishing the program documents on the company intranet or in other easily accessible locations for all employees to review.
2.) Notify customers and any other required entities (state, federal or regulatory) of the new security program.
3.) Establish a continuing audit program, with a set schedule, run by the new Security and Compliance team.

Phase 4
Need: Eventual / Time Length: 2 months
Overview: For the software group this phase introduces version control and code review. For the hardware group it changes the network topology to add the second firewall layer, and it provides a small testing infrastructure for both groups.
Steps and Requirements
1.) SOFTWARE: Implement version control standards through GitHub Enterprise to allow easier rollback of errors and faster documentation of changes between software patches and revisions.
2.) SOFTWARE: Implement an internal code review before changes to existing products are deployed or new products are published.
3.) HARDWARE: Implement a secondary firewall, with the current firewall remaining at the perimeter (internet-facing). Move the web server and, optionally, the email server into the zone between the two firewalls, creating a demilitarized zone for internet-facing traffic.
4.) HARDWARE: Implement a testing infrastructure that shares access controls and a configuration baseline with the production infrastructure.

Phase 5
Need: Eventual / Time Length: 3-4 months
Overview: This phase implements a shared knowledge base, service catalog and ticket tracking system in line with ITIL and ITSM practices.
Steps and Requirements
1.) Implement a service management solution (for example HP Service Manager) providing a shared knowledge base, service catalog and trouble/issue tracking system.
2.) Create a service catalog and corresponding website for ordering and cataloging IT assets and services.

As can be seen, this plan is aggressive and will take roughly 10 months to roll out. It focuses mainly on establishing the new security group, which will set the security standards and policies for Maxistar using the NIST risk management framework for guidance. Once the program is in place, the new security team will focus first on PCI DSS compliance with HIPAA and NIST compliance also in mind. To aid this effort, the security group's first major task will be to baseline Maxistar's current security using the PCI DSS Self-Assessment Questionnaire D for merchants (SAQ D) to assess how close Maxistar is to PCI compliance. Using the answers to the questionnaire, the security group will then develop the new policies using the "Common Authorities on Information Assurance" (CAIA) spreadsheet (Cloud Audit Controls, 2012). The spreadsheet shows that the three programs share many common elements, so as Maxistar moves closer to PCI compliance those common elements can be assessed as well. Below are a few examples of how these standards can be assessed using the CAIA, noting the corresponding HIPAA and NIST controls.

Assessment Procedures

ASSESSMENT OBJECTIVE: Firewalls and routers restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: firewall configurations, to verify that all inbound and outbound traffic necessary for the cardholder data environment is identified, that inbound and outbound traffic is limited to what the cardholder data environment needs, and that all other inbound and outbound traffic is specifically denied, either by an explicit "deny all" rule or by an implicit deny after the allow statements]
Compliance Elements: NIST 800-53: SC-7; PCI DSS: 1.2.1

ASSESSMENT OBJECTIVE: Verify that file-integrity monitoring or change-detection software has been implemented on system logs, so that existing log data cannot be changed without generating alerts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: system settings; monitored files; results from file-monitoring/change-detection activities and applications]
Compliance Elements: NIST 800-53: AU-9, AU-11, AU-14; PCI DSS: 10.5.5

ASSESSMENT OBJECTIVE: Verify that quarterly internal vulnerability scans have been performed by qualified personnel, including rescans performed until all "high-risk" vulnerabilities are resolved.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT ALL: review scan reports and verify that four quarterly internal scans occurred in the most recent 12-month period; review scan reports and verify that the scan process includes rescans until all "high-risk" vulnerabilities, as defined in PCI DSS Requirement 6.1, are resolved]
Compliance Elements: NIST 800-53: CM-3, CM-4, CP-10, RA-5, SA-7, SI-1, SI-2, SI-5; PCI DSS: 11.2.1; HIPAA: 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(B)

ASSESSMENT OBJECTIVE: Verify that security alerts and information are monitored, analyzed and distributed to appropriate personnel.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: verify that responsibility for monitoring and analyzing security alerts and distributing information to the appropriate information security and business unit management personnel is formally assigned]
Compliance Elements: NIST 800-53: IR-2, IR-6, IR-7; PCI DSS: 12.5.2; HIPAA: 164.308(a)(6)(ii), 318.3(a) (new), 318.5(a) (new)
ASSESSMENT OBJECTIVE: Verify that all personnel are trained in a security awareness program upon hire and at least once annually.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: verify that the program provides multiple methods of communicating awareness and educating personnel; verify that personnel attend security awareness training upon hire and at least once annually]
Interview: [SELECT FROM: a random sample of personnel, to verify they have completed awareness training and are aware of the importance of cardholder data security]
Compliance Elements: NIST 800-53: AT-1, AT-2, AT-3, AT-4; PCI DSS: 12.6.1; HIPAA: 164.308(a)(5)(i), 164.308(a)(5)(ii)(A)

By using this same technique we can map the compliance elements of all three frameworks (PCI DSS, NIST and HIPAA) into a common framework, making implementation easier. Once PCI compliance has been achieved, Maxistar's security posture will be stronger and it will also be closer to meeting HIPAA and NIST compliance. Using the HIPAA Security Risk Assessment tool (HHS, 2014) we can then move on to HIPAA compliance, and finish the implementation of our security and compliance program with a full assessment against NIST SP 800-53 as the last step. (NIST does not certify private companies against SP 800-53; the end state is a documented assessment, in the 800-53A style shown above, that the selected controls are implemented and effective.) We plan to dedicate one person as the full-time lead on this project, with the remaining security and IT staff dedicating 20% of their time to the program and the remaining 80% to their normal jobs.
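The log-integrity objective above (PCI DSS 10.5.5, NIST SP 800-53 AU-9), as an added example that is not part of the original plan: a keyed hash chain over log records, so that a record changed, deleted or inserted after the fact is detected when the chain is verified. The log lines and the key are constructed for the example; the design assumes the HMAC key is held only by the central log server that receives the records (PCI DSS 10.5.3), so a host compromised later cannot recompute a consistent chain.

```python
"""
Added example, not code from the original plan: a keyed hash chain over log
records, so that edits, deletions or insertions are detectable on review.

Assumptions (hypothetical): log lines are constructed below; the HMAC key is
held only by the central log server that receives the records (PCI DSS 10.5.3),
so a host compromised after the fact cannot recompute a consistent chain.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64   # previous-MAC value for the first record


def _mac(key: bytes, prev: str, line: str) -> str:
    return hmac.new(key, (prev + "\n" + line).encode(), hashlib.sha256).hexdigest()


def append(chain: List[Dict], line: str, key: bytes) -> Dict:
    """Append one log line, binding it to everything that came before it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    record = {"seq": len(chain), "line": line, "prev": prev, "mac": _mac(key, prev, line)}
    chain.append(record)
    return record


def build_chain(lines: List[str], key: bytes) -> List[Dict]:
    chain: List[Dict] = []
    for line in lines:
        append(chain, line, key)
    return chain


def verify(chain: List[Dict], key: bytes,
           expected_len: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first bad record).

    Sequence numbers catch deletions and insertions in the middle, the MAC
    catches edits, and expected_len (a count kept off-host) catches truncation
    of the tail, which a chain alone cannot detect.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = _mac(key, prev, rec["line"])
        if (rec["seq"] != i or rec["prev"] != prev
                or not hmac.compare_digest(rec["mac"], expected)):
            return False, i
        prev = rec["mac"]
    if expected_len is not None and len(chain) != expected_len:
        return False, len(chain)
    return True, None


# Constructed sample log lines (not from any real system).
SAMPLE_LINES = [
    "2015-03-18T09:12:01Z bedford-db1 sshd[2201]: Accepted publickey for dba from 10.10.20.7",
    "2015-03-18T09:12:44Z bedford-db1 postgres[3310]: connection authorized: user=webapp database=orders",
    "2015-03-18T09:15:02Z bedford-db1 sudo: dba : COMMAND=/usr/bin/pg_dump orders",
]


def tamper_demo(key: bytes = b"demo-key-held-by-log-server") -> Tuple[bool, Optional[int]]:
    """Edit the third record the way an intruder hiding a data export would."""
    chain = build_chain(SAMPLE_LINES, key)
    tampered = json.loads(json.dumps(chain))   # deep copy
    tampered[2]["line"] = tampered[2]["line"].replace("pg_dump orders", "ls")
    return verify(tampered, key)
```

`tamper_demo()` returns `(False, 2)`: the edited record no longer matches its MAC. Deleting a record in the middle fails at the sequence check, and a wrong key fails at record 0. The one case the chain cannot see on its own is trimming records off the end, which is why the verifier also compares against a record count (or the latest MAC) reported to the log server as each record is shipped.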
Conclusion

As can be seen, Maxistar has some way to go before it is PCI DSS, HIPAA and NIST compliant. That road, however, will be shorter by relying on NIST as the risk management framework for Maxistar's new Security and Compliance Program. After the initial 10-month rollout Maxistar's infrastructure will run more smoothly and more securely for the remainder of the rollout. Over the course of the final rollout, estimated at a year, Maxistar will move completely into compliance with all three standards. Although ideally compliance would be reached faster, Maxistar, like every other company, has limited resources, and its main resource, people, will remain devoted to their own jobs. With one person leading the effort and an 80/20 split between staff's normal jobs and work on the compliance program, Maxistar's journey toward compliance should be smoother than many other companies', and at the end Maxistar will be in full alignment with the PCI DSS, HIPAA and NIST SP 800-53 standards.
References

Data Security Standard - Requirements and Security Assessment Procedures. (2013, November 1). Retrieved March 19, 2015, from https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

Guide for Assessing the Security Controls in Federal Information Systems and Organizations. (2010, June 1). Retrieved March 19, 2015, from http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf

PCI Data Storage Do's and Don'ts. (2008). Retrieved April 9, 2015, from https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

NIST SP800-53 R3. (2014). Retrieved April 9, 2015, from http://www.nist.gov/cyberframework/

Cloud Audit Controls. (2012). Retrieved April 9, 2015, from http://www.cloudauditcontrols.com/2012/05/spreadsheet-iso-pci-hipaa-800-53.html

News. (2014). Retrieved April 9, 2015, from http://www.hhs.gov/news/press/2014pres/03/20140328a.html