
Page 1: Mapping PCI DSS v2.0 With COBIT 4.1 - Information ... · Web viewFigure 1—Mapping PCI DSS v2.0 to COBIT 4.1 (continued) Requirement Number PCI DSS v2.0 Control Requirements COBIT

Volume 2, April 2011

Come join the discussion! Pritam Bankar and Sharad Verma will be responding to questions and comments in the topic beginning 21 April 2011.

Mapping PCI DSS v2.0 With COBIT 4.1

By Pritam Bankar, CISA, CISM, and Sharad Verma

In today’s era, every organization across the globe, regardless of its size or industry, faces security issues pertaining to new and evolving threats, vulnerabilities, risks or regulatory/compliance landscapes. As such, there arises a need for organizations to make stringent efforts to ensure that their security and enterprise risk management (ERM) programs address multiple compliance requirements.

This article contains the results of a mapping of Payment Card Industry Data Security Standard (PCI DSS) v2.0 controls with COBIT 4.1. PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis.

This mapping provides guidance to organizations seeking PCI compliance by identifying and highlighting the COBIT areas that should be considered for each requirement within PCI DSS. It also highlights how the processes in COBIT can support PCI DSS compliance activity. As a result, the mapping can be used as a reference for formulating an integrated and customized control framework for an organization.

Since COBIT covers the broad spectrum of IT control processes and PCI DSS is strictly focused on protecting cardholder data, any user of COBIT must first determine the relevance and applicability of IT processes and subprocesses within the COBIT framework. COBIT, a framework for the governance of enterprise IT (GEIT), has a broader scope and is applicable to all organizations, whereas PCI DSS v2.0 focuses more on the area of protecting cardholder data and is applicable to all organizations that hold, process or exchange cardholder information. PCI DSS controls are mandatory for organizations that collect credit card data, whereas COBIT has general controls that can be leveraged based on an organization’s requirements.

The implicit benefits of mapping PCI DSS v2.0 with COBIT include:

• A unique set of controls—Organizations planning to implement PCI DSS can easily manage, measure and provide evidence of satisfying multiple compliance and governance requirements through a single unique set of controls.

• Adherence to multiple standards—Organizations can adhere to multiple industry standards for securing credit card data by adopting the unique set of controls and can increase operational efficiency.

• Increased performance—Each PCI DSS control and requirement is mapped extensively with COBIT controls after assessing the in-depth objective of the control, which results in increasing the performance efficiency of the security program.

• PCI DSS compliance made easy—While compliance with PCI DSS is mandatory for organizations that process financial transactions through payment cards, its scope is limited to protecting cardholder data. However, COBIT acts as an integrator of best practices and an umbrella framework for IT governance designed to apply across a variety of organizations, and it is universally recognized. For certain enterprises, PCI compliance is mandatory, and COBIT is used as a guideline.

Figure 1 provides a mapping of PCI DSS v2.0 to COBIT 4.1. Please note that multiple PCI DSS requirements can map to a single control in COBIT 4.1, as seen in requirements 11 and 12.


Figure 1—Mapping PCI DSS v2.0 to COBIT 4.1

Requirement Number / PCI DSS v2.0 Control Requirements / COBIT 4.1 Control Objective/Process

1 Install and maintain a firewall to protect cardholder data.
    AI2.5 Configuration and implementation of acquired application software
    AI3.2 Infrastructure resource protection and availability
    DS5.5 Security testing, surveillance and monitoring
    DS5.7 Protection of security technology
    DS5.10 Network security
    DS13.3 IT infrastructure monitoring

2 Do not use vendor-supplied defaults for system passwords or other security parameters.
    DS5.5 Security testing, surveillance and monitoring
    DS5.7 Protection of security technology
    PO2.3 Data classification scheme
    DS4.9 Offsite backup storage

3 Protect stored cardholder data.
    DS5.8 Cryptographic key management
    DS11.2 Storage and retention arrangements
    DS11.4 Disposal
    DS11.6 Security requirements for data management
    DS5.1 Management of IT security
    DS5.7 Protection of security technology

4 Encrypt transmission of cardholders’ data across open public networks.
    DS5.8 Cryptographic key management
    DS5.10 Network security
    DS11.6 Security requirements for data management
    DS5.9 Malicious software prevention, detection and correction
    PO8.3 Development and acquisition standards

5 Use and regularly update antivirus software on all systems commonly affected by malware.
    PO9.3 Event identification

Volume 2, April 2011 Page 2


6 Develop and maintain secure systems and applications.
    PO9.4 Risk assessment
    AI3.3 Infrastructure maintenance
    AI3.4 Feasibility test environment
    AI6.1 Change standards and procedures
    AI6.2 Impact assessment, prioritization and authorization
    AI7.3 Implementation plan
    AI7.4 Test environment
    AI7.6 Testing of changes
    AI7.8 Promotion to production
    DS5.9 Malicious software prevention, detection and correction

7 Restrict access by business to cardholders’ data to need to know.
    DS5.3 Identity management
    DS5.4 User account management

8 Assign a unique ID to each person with computer access.
    PO2.3 Data classification scheme
    PO7.8 Job change and termination

9 Restrict physical access to cardholders’ data.
    DS5.3 Identity management
    DS5.4 User account management
    DS5.7 Protection of security technology
    PO4.8 Responsibility for risk, security and compliance
    DS4.9 Offsite backup storage

10 Track and monitor all access to network resources and cardholder data.
    DS5.4 User account management
    DS11.2 Storage and retention arrangements
    DS11.3 Media library management system
    DS11.4 Disposal


    DS11.6 Security requirements for data management
    DS12.2 Physical security measures
    DS12.3 Physical access
    DS5.5 Security testing, surveillance and monitoring
    DS13.3 IT infrastructure monitoring

11 Regularly track security systems and processes.
    PO9.3 Event identification
    DS5.5 Security testing, surveillance and monitoring
    DS5.6 Security incident definition
    ME1.2 Definition and collection of monitoring data
    ME1.3 Monitoring method
    ME1.4 Performance assessment
    ME2.1 Monitoring of internal control framework
    ME2.2 Supervisory review
    ME2.3 Control exceptions
    ME2.4 Control self-assessment
    ME2.7 Remedial actions
    PC5 Policy, plans and procedures
    PO2.3 Data classification scheme

12 Maintain an information security policy.
    PO4.3 IT steering committee
    PO4.4 Organizational placement of the IT function
    PO4.6 Establishment of roles and responsibilities
    PO4.8 Responsibility for risk, security and compliance
    PO4.9 Data and system ownership
    PO6.1 IT policy and control environment


Framework Committee
Patrick Stachtchenko, CISA, CGEIT, CA, France, chair
Steven A. Babb, CGEIT, UK
Sushil Chatterji, CGEIT, Singapore
Sergio Fleginsky, CISA, Uruguay
John W. Lainhart IV, CISA, CISM, CGEIT, USA
Mario C. Micallef, CGEIT, CPAA, FIA, Malta
Derek J. Oliver, Ph.D., DBA, CISA, CISM, CITP, FBCS, FISM, UK
Robert G. Parker, CISA, CA, CMC, FCA, Canada
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, Australia
Robert E. Stroud, CGEIT, USA
Rolf M. von Roessing, CISA, CISM, CGEIT, Germany

Editorial Content
Comments regarding the editorial content may be directed to Jennifer Hajigeorgiou, senior editorial manager, at [email protected].

COBIT Focus is published by ISACA. Opinions expressed in COBIT Focus represent the views of the authors. They may differ from policies and official statements of ISACA and its committees, and from opinions endorsed by authors, employers or the editors of COBIT Focus. COBIT Focus does not attest to the originality of authors’ content.

© 2011 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Please contact Julia Fullerton at [email protected].


    PO6.3 IT policies management
    PO6.4 Policy, standard and procedures rollout
    PO6.5 Communication of IT objectives and direction
    PO7.1 Personnel recruitment and retention
    PO7.3 Staffing of roles
    PO7.4 Personnel training
    PO7.6 Personnel clearance procedures
    PO9 Assess and manage IT risks.
    DS5.1 Management of IT security
    DS5.2 IT security plan
    DS5.3 Identity management
    ME2.1 Monitoring of internal control framework
    ME2.2 Supervisory review
    ME2.4 Control self-assessment

Conclusion

Information security will always remain a challenge for every organization dealing with customer information. By complying with PCI DSS v2.0 alongside COBIT 4.1 controls, an organization can manage IT compliance and IT governance efficiently. PCI DSS v2.0 focuses on the compliance area, and COBIT 4.1 provides the overall governance. PCI DSS v2.0 gives a detailed description of a number of important IT controls that can be applied to achieve compliance for an organization dealing with payment card transactions and storing customer information. COBIT provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of IT and in developing appropriate IT governance and control in an organization.

Pritam Bankar, CISA, CISM, is a senior consultant with Infosys Technologies Limited and has more than seven years of experience in information security, IT/information systems (IS) audits, compliance and regulations (e.g., the US Sarbanes-Oxley Act, PCI DSS, SAS 70), and IT governance and strategy. Bankar is part of an IT controls and compliance practice and leads PCI DSS service offerings for Infosys.

Sharad Verma is a senior associate consultant with Infosys Technologies Ltd. and has several years of diversified experience across various domains such as IT and business operations. Verma is certified in COBIT 4.1 and has worked in capability development for PCI DSS and designed a PCI DSS framework for Infosys. He has expertise in the security domain and experience in implementing ISO 27001.
