rsa presentation - 5 steps to improving pci compliance
DESCRIPTION
Did you know that if a company fails a PCI assessment they are subject to penalty fees and need to re-do the assessment at an average cost of $225,000 for a tier/level 1 merchant or retailer? And that 71% of companies that fail PCI audits do so because they cannot adequately meet the PCI DSS requirement 10, “Track and monitor all access to network resources and cardholder data.” With a little upfront planning and careful scoping, organizations can prepare themselves for the assessment and pre-check their own systems against the testing procedures as defined in v2.0 of the PCI DSS. Implementing the 5 steps of information- and people-centric approaches outlined by Diana Kelley, Principal Analyst at SecurityCurve, in her latest paper “Practical Guide to Improving PCI Compliance Posture” will help ease the compliance burden.
TRANSCRIPT
+ A Practical Guide to Improving PCI Compliance Posture
Presented by Diana Kelley, SecurityCurve
Sponsored by RSA
+ Agenda
Failure is not Cheap – But There is a Better Way
Five Things you Can Do to Improve your PCI Posture
Practical Guide for Establishing PCI Improvements
Conclusion
+ Failing PCI is Not Cheap – But There is a Better Way
If you store, process, or transmit credit card data from one of the card brands you must be compliant with the PCI-DSS
Failure isn’t cheap
Must repeat the assessment process - average cost of $225,000 US for a tier/level 1
Other fees may apply
WorldPay: monthly $25k fee from Visa & one time 25k fee from Mastercard
Acquiring banks can increase transaction fees
PCI is a people and information problem
Requires a people and information centric solution
+ Five Things
+ The Five Steps Explained
1. Get Scope Under Control – Information Centric
Anywhere cardholder data resides is considered “in scope” of the assessment
2. Monitor Traffic in Real-time to Identify Broken Business Processes – Information Centric
Once you know where the data is, you need to monitor where it’s going and who is using it.
+ The Five Steps Explained
3. Establish a Repeatable Process for Assessments – People and Process Centric
So the information is there when it’s needed
4. Establish a Process to Mitigate PCI Risk – People Centric
A methodology that engages both IT and the business
5. Enforcement Containment of Cardholder Data – Information and People Centric
Technical controls to enforce the policy
+ Practical Guide for Establishing PCI Improvement
+ Get Scope Under Control
Discover and identify cardholder data throughout the organization
Restrict it to the CDE
Use automation for maximum effectiveness
Things to Look For
Accuracy
Scalability
Coverage Breadth
Minimum Impact
+ Monitor Traffic in Real-Time to Identify Broken Business Processes
Once the CHD is located and contained, make sure it doesn’t leave
DLP can help but requires
Accuracy
Flexibility
Non-Intrusive
Alerting
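Steps 1 and 2 above both depend on automated discovery of cardholder data with few false positives. The following is an added illustration, not code from the presentation or from RSA DLP: a minimal scanner that finds candidate PANs in text, validates them with the Luhn check (the usual accuracy filter), masks them for reporting, and flags any hit stored outside an assumed CDE path prefix. The file paths, the CDE prefix and the document contents are constructed; the card numbers are public test numbers.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample "files"; the PANs are well-known test numbers, not real cards
SAMPLE_DOCS = {
    "cde/billing/batch.csv": "order,4111111111111111,2011-05-01\n",
    "finance/shared/refunds.txt": "Refund for 5500 0000 0000 0004 approved by J. Doe\n",
    "hr/notes.txt": "Ticket 1234567890123 filed; phone 555-0100\n",  # 13 digits, fails Luhn
}
CDE_PREFIXES = ("cde/",)  # assumed: paths under cde/ are inside the cardholder data environment

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Show at most first six and last four digits; mask the rest for reports."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> List[str]:
    """Return Luhn-valid PAN digit strings found in text, deduplicated, in order."""
    found: List[str] = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found

def scan(docs: Dict[str, str], cde_prefixes=CDE_PREFIXES) -> List[dict]:
    """Scan each document; a PAN outside the CDE means scope has leaked."""
    findings = []
    for path, text in docs.items():
        for pan in find_pans(text):
            findings.append({"path": path, "pan": mask(pan),
                             "in_cde": path.startswith(cde_prefixes)})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_DOCS):
        print(f"{f['path']}: {f['pan']} {'in CDE' if f['in_cde'] else 'OUT OF CDE'}")
```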
+ Microsoft used DLP to discover PCI Data
“Before we could do anything, we knew we had to locate our sensitive information and measure compliance to the policies already in place,”
Olav Opedal, Security Program Manager at Microsoft.
12TB of data
30,000 file shares
120,000 SharePoint sites
Microsoft needed to scan everywhere sensitive data could be stored.
“The unparalleled accuracy and unique features of RSA DLP Datacenter made it the only viable choice for discovering all our sensitive content.”
+ Establish a Repeatable Process
Be prepared for the audit
Gather data in advance
Perform continuous monitoring
Use report templates
Things to Look For
Tracking Progress
Centralized Management
Historical Data
+ EMC
Created and implemented a repeatable data management process in just 4 weeks
30,000 files
1,200 owners
43 countries
Scanned structured and unstructured data
Answered the questions:
Where is it?
How is it stored?
How is it used?
Who uses it?
+ EMC - Continued
Team of 6 dedicated resources
Integrated DLP discovery information into Archer
Benefits
Improved corporate risk posture
Demonstration of due care in providing protection
Repeatable process quarter over quarter
End user awareness
Identification of trends quarter over quarter
Knowledge base of end user data usage
+ Establish a Process to Mitigate PCI Risk
New threats may be discovered, new risks exposed
Have a process in place to address them
Tips on Making it Work
Engage End Users
Automate Work Flow
Track and Report
+ Enforcing Controls to Prevent Leakage of Credit Card Data
Back up all the policy and process work with technical controls
Consider
Existing Controls
Risk Based Enforcement Containment
+ Special Considerations
Tools used for PCI compliance may need to support
RBAC
Multi-Factor AuthN
Complete Visibility
Data Protection in Transit
Data Protection at Rest
Key Management
Nothing Unnecessary
+ Conclusion
Start with Scope
It’s a People, Process and Information problem
So Take a People, Process and Information (PPI) Approach
And use Tools that Support It
Using the 5 Steps Won’t Make PCI Easy
But they will make the process easier
And support continuous improvement and efficiencies over time
19 © Copyright 2011 EMC Corporation. All rights reserved.
Next Steps & How RSA Can Help
Scope
• Discover assets and data
• Classify assets and data
• Map to business processes
Monitor
• Monitor web/email/hosts 24x7
• Monitor assets through logs
Assessment
• Manage comprehensive processes
• Customize and automate workflows
Risk Mitigation
• Involve business and data owners
• Enable communication with business
Controls
• Enforce controls based on risk
• Automate controls enforcement
RSA offerings: Archer, DLP, Security Analytics, Services
Thank You