Recommended
More Related Content
What's hot
What's hot (19)
Viewers also liked
Viewers also liked (20)
Similar to RSA Presentation - 5 Steps to Improving PCI Compliance
Similar to RSA Presentation - 5 Steps to Improving PCI Compliance (20)
More from EMC
More from EMC (20)
Recently uploaded
Recently uploaded (20)
RSA Presentation - 5 Steps to Improving PCI Compliance
- 1. + A Practical Guide to Improving PCI Compliance Posture Presented by Sponsored by RSA Diana Kelley, SecurityCurve
- 2. + Agenda Failure is not Cheap – But There is a Better Way Five Things you Can Do to Improve your PCI Posture Practical Guide for Establishing PCI Improvements Conclusion Sponsored by RSA
- 3. + Failing PCI is Not Cheap – But There is a Better Way If you store, process, or transmit credit card data from one of the card brands you must be compliant with the PCI-DSS Failure isn’t cheap Must repeat the assessment process- average cost of $225,000 US for a tier/level 1 Other fees may apply WorldPay: monthly $25k fee from Visa & one time 25k fee from Mastercard Acquiring banks can increase transaction fees PCI is a people and information problem Requires a people and information centric solution Sponsored by RSA
- 4. + Five Things Sponsored by RSA
- 5. + The Five Steps Explained 1. Get Scope Under Control – Information Centric Anywhere cardholder data resides is considered “in scope” of the assessment 2. Monitor Traffic in Real-time to Identify Broken Business Processes – Information Centric Once you know where the data is, you need to monitor where it’s going and who is using it. Sponsored by RSA
- 6. + The Five Steps Explained 3. Establish a Repeatable Process for Assessments - People and Process Centric So the information is there when it’s needed 4. Establish a Process to Mitigate PCI Risk - People Centric A methodology that engages both IT and the business 5. Enforcement Containment of Cardholder Data – Information and People Centric Technical controls to enforce the policy Sponsored by RSA
- 7. + Practical Guide for Establishing PCI Improvement Sponsored by RSA
- 8. + Get Scope Under Control Discover and Identify CardHolder Data throughout the organization Restrictit to the CDE Use automation for maximum effectiveness Things to Look For Accuracy Scalability Coverage Breadth Minimum Impact Sponsored by RSA
- 9. + Monitor Traffic in Real-Time to Identify Broken Business Processes Oncethe CHD is located and contained, make sure it doesn’t leave DLP can help but requires Accuracy Flexibility Non-Intrusive Alerting Sponsored by RSA
- 10. + Microsoft used DLP to discover PCI Data “Before we could do anything, we knew we had to locate our sensitive information and measure compliance to the policies already in place,” Olav Opedal, Security Program Manager at Microsoft. 12TB of data 30,000 file shares 120,000 SharePoint sites Microsoft needed to scan everywhere sensitive data could be stored. “The unparalleled accuracy and unique features of RSA DLP Datacenter made it the only viable choice for discovering all our sensitive content.” Sponsored by RSA
- 11. + Establish a Repeatable Process Be prepared for the audit Gather data in advance Perform continuous monitoring Use report templates Things to Look For Tracking Progress Centralized Management Historical Data Sponsored by RSA
- 12. + EMC Created and implemented a repeatable data management process in just 4 weeks 30,000 files 1,200 owners 43 countries Scanned Structured and un-structured Answered the questions: Where is it? How is it stored? How is it used? Who uses it? Sponsored by RSA
- 13. + EMC - Continued Team of 6 dedicated resources Integrated DLP discovery information into Archer Benefits Improved corporate risk posture Demonstration of due care in providing protection Repeatable process quarter over quarter End user awareness Identification in trends quarter over quarter Knowledge base of end user data usage Sponsored by RSA
- 14. + Establish a Process to Mitigate PCI Risk Newthreats may be discovered, new risks exposed Have a process in place to address them Tips on Making it Work Engage End Users Automate Work Flow Track and Report Sponsored by RSA
- 15. + Enforcing Controls to Prevent Leakage of Credit Card Data Back up all the policy and process work with technical controls Consider ExistingControls Risk Based Enforcement Containment Sponsored by RSA
- 16. + Special Considerations Tools used for PCI compliance may need to support RBAC Multi-Factor AuthN Complete Visibility Data Protection in Transit Data Protection at Rest Key Management Nothing Unnecessary Sponsored by RSA
- 17. + Sponsored by RSA
- 18. + Conclusion Start with Scope It’s a People, Process and Information problem So Take a People, Process and Information (PPI) Approach And use Tools that Support It Using the 5 Steps Won’t Make PCI Easy But they will make the process easier And support continuous improvement and efficiencies over time Sponsored by RSA
- 19. Next Steps & How RSA Can Help • Discover assets and data Scope • Classify assets and data • Map to business processes Archer • Monitor web/email/hosts 24x7 Monitor • Monitor assets through logs DLP • Manage comprehensive processes Assessment • Customize and automate workflows Security Analytics • Involve business and data owners Risk Mitigation • Enable communication with business Services • Enforce controls based on risk Controls • Automate controls enforcement © Copyright 2011 EMC Corporation. All rights reserved. 19
- 20. Thank You © Copyright 2011 EMC Corporation. All rights reserved. 20