PCI-DSS: Considering The Wider Issues Of Governance

Data Breach

The Information Commissioner’s Office recently announced that the number of reported data breaches involving personal information in the UK has surpassed 1000. Overall, 307 of the reported infringements were because of stolen data or hardware and an additional 233 were as a result of lost data or hardware, so even though security practices have improved over the years these statistics still reveal a worrying approach towards data protection and compliance within organisations.

Although compliance standards such as Sarbanes Oxley, Basel II and PCI-DSS have been in place for a while, now that organisations run the risk of the ICO fining them £500,000 for a data breach, there has never been a more pressing time to ensure that a holistic approach to compliance is taken.

PCI-DSS: A ‘strength in depth’ approach

PCI-DSS is a critical component of data security compliance and was created by card brands to reduce and redistribute the risk of compromised credit card data. PCI-DSS demands numerous controls, processes and security facilities and its introduction has encouraged a ‘strength in depth’ approach to data security which includes building and maintaining a secure network, protecting cardholder data, identity and access management, maintaining a vulnerability management programme and developing an information security policy.

To ensure true compliance, PCI standards should be viewed as a continuous cycle which requires constant management. The most common misconception surrounding PCI is that successfully complying one year guarantees compliance the next year. In reality, the most challenging aspect of PCI is achieving consistency.

Merely using one vendor or one product, outsourcing card processing, or not storing credit card information does not amount to compliance either; outsourcing can reduce the scope of an assessment, but it does not transfer the responsibility. Instead, the most successful programmes treat PCI as a holistic cycle that needs to be continuously monitored and maintained.

As a first step in the PCI lifecycle, organisations should aim to complete a current state analysis and perform a gap analysis. This involves assessing existing identity and security management standards, comparing these against the PCI specification and highlighting areas which require improvement.

The data from the gap analysis and assessments should then be collated and analysed to develop a compliance plan that improves systems and implements the measures needed to meet the standard; using this information as a basis, a bespoke PCI model can be designed that addresses an organisation's specific needs.

Once an organisation has achieved compliance and designed an information security policy that is DSS specific, it should complete risk reviews and assessments on an ongoing basis. While PCI demands that anti-virus measures are implemented, it is still necessary to deploy intrusion detection and prevention measures so that inappropriate behaviour is actually discovered rather than assumed absent.

Looking at log backup, scan detections, sensor behaviour, failed access and attack patterns means an organisation can categorise threats, vulnerabilities and their potential impact to develop a security improvement plan. However, external technical assessments are not enough.

Often the biggest threat that systems face is an internal attack. As a result, any risk assessment also needs to look at access control and internal segregation, auditing and compliance enforcement to ensure systems are not being abused internally.

As part of the review process organisations can carry out a mock assessment to see if systems are robust enough to meet PCI requirements. The standard also requires merchants and service providers with externally facing systems in scope to have those systems scanned for vulnerabilities every quarter by an Approved Scanning Vendor (ASV), an organisation accredited by the PCI Security Standards Council.

These scan reports are passed back to the acquiring bank or card brands to show that the merchant is maintaining a secure environment. A scan does not fix anything by itself, but a passing result confirms that the externally visible controls the scan checks are in working order, and a failing one lists the remediation that has to be carried out before the next scan.

For organisations to be truly compliant, security governance needs to be embedded into an organisation’s culture and staff need to understand the importance of protecting data. This can be done by delivering training to staff as soon as DSS policies, procedures and processes have been defined and employees should be educated to ensure that simple procedures are in place and carried out correctly.

Training also sets clear expectations of what is expected of staff and means users fully understand what they should, or should not, be doing from the outset. Organisations can educate staff using security awareness and training delivered via workshops and presentations as an ongoing part of the PCI lifecycle process.

The value of compliance

Adhering to PCI standards proactively can ensure that security processes not only protect assets but add value to those assets in line with business objectives. Compliance with a standard such as PCI-DSS (a contractual industry standard rather than legislation, although breaches can still attract regulatory penalties) can provide organisations with the intelligence and strategic insight that helps them gain a greater return on investment in IT security assets.

So when compliance is viewed within the framework of wider corporate and security governance, organisations can see that PCI compliance provides a springboard to increase security awareness and ultimately protect key information assets.

I believe that true governance is made up of five core pillars – security, compliance, cost, enablement, and efficiency – which are all vital for a holistic implementation of security that will bring a wide array of business benefits. By focusing on these five areas, rather than on compliance or security alone, security and IT managers can move away from a tick-box approach to compliance and consider the wider implications and opportunities afforded by the various standards and legislation they are subject to.

A multi-layered approach

There are many solutions available to organisations looking to reduce the risk of data breaches and encourage good governance, and usually a multi-layered solution is adopted to provide adequate compensating controls and reduce the risk of data leaks.

This allows primary layers such as application-layer firewalls and database security to be combined with additional layers including access control, data encryption and network segmentation to protect networks, and gives CIOs and IT managers the visibility needed to perform a rich analysis of what is happening on them.

In order to mitigate the security risk organisations face, IT managers need to be able to manage, monitor and report on data patterns within their systems in real time. This involves collecting, aggregating and correlating log and network data to highlight anomalies that indicate a security incident has occurred.

Once suspicious patterns have been identified, human intelligence can be applied to implement the appropriate measures and prevent the same, or a similar, security lapse from recurring. The collected data should be retained, compressed if storage is a concern, and above all protected against alteration, since an audit trail that can be edited after the event proves nothing; PCI-DSS itself requires audit trail history to be kept for at least a year, with the most recent three months immediately available. Data retention is therefore essential in demonstrating the effectiveness of security controls and proving compliance with policies and regulations.
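The aggregation and correlation described above, worked through as an added example (not code from the original article or from the author's organisation): a small Python correlator that reads syslog-style authentication events, keeps a sliding window of failed logins per user and source address, and raises an alert when failures reach a threshold, with a higher-priority alert when a successful login follows such a burst. The log lines are constructed for the example, and the thresholds, field layout and alert shape are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like shape; not taken from any real system.
SAMPLE_LOG = """\
2010-03-01T09:00:01 cde-db01 sshd: Failed password for pciadmin from 10.20.30.40 port 52011
2010-03-01T09:00:05 cde-db01 sshd: Failed password for pciadmin from 10.20.30.40 port 52012
2010-03-01T09:00:09 cde-db01 sshd: Failed password for pciadmin from 10.20.30.40 port 52013
2010-03-01T09:00:13 cde-db01 sshd: Failed password for pciadmin from 10.20.30.40 port 52014
2010-03-01T09:00:17 cde-db01 sshd: Failed password for pciadmin from 10.20.30.40 port 52015
2010-03-01T09:00:21 cde-db01 sshd: Failed password for pciadmin from 10.20.30.40 port 52016
2010-03-01T09:00:40 cde-db01 sshd: Accepted password for pciadmin from 10.20.30.40 port 52017
2010-03-01T09:05:00 cde-db01 sshd: Failed password for ops from 10.20.30.41 port 40001
2010-03-01T09:05:30 cde-db01 sshd: Accepted password for ops from 10.20.30.41 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)


def parse(line):
    """Turn one log line into a dict, or None if it is not an auth event we recognise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def _alert(kind, ev, count):
    return {"type": kind, "host": ev["host"], "user": ev["user"],
            "src": ev["src"], "ts": ev["ts"].isoformat(), "failures": count}


def correlate(lines, threshold=5, window=timedelta(minutes=1)):
    """Aggregate failed logins per (user, source) inside a sliding window. Raise one
    'brute_force' alert when a burst reaches `threshold`, and a 'success_after_failures'
    alert if a successful login then follows the burst (a guessed or brute-forced password)."""
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        q = failures[key]
        while q and ev["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:             # fire once per burst, not on every extra failure
                alerts.append(_alert("brute_force", ev, len(q)))
        else:
            if len(q) >= threshold:
                alerts.append(_alert("success_after_failures", ev, len(q)))
            q.clear()                           # a success ends the burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failed login for `ops` produces nothing, because one failure followed by a success is ordinary user behaviour; the six failures for `pciadmin` from one address produce a burst alert at the fifth attempt, and the successful login forty seconds later is the event a human analyst should look at first.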

Two of the most popular measures that organisations implement to protect cardholder data are encryption and tokenisation. Encryption transforms the card number with a cryptographic key so that it is unreadable without that key; the data is still present, so the encrypted store, the keys and the key-management processes all remain in scope. Tokenisation instead replaces the card number with a randomly generated surrogate value, the token, that has no mathematical relationship to it, with the real number held only in a separately secured token vault. It has been designed to remove sensitive data from systems altogether and so reduce the compliance scope.

Eliminating card data from most or all systems greatly reduces the number of areas that have to be assessed and secured, and the process replaces data that has black-market value with data that has none. The vault itself, and anything that can ask it to turn a token back into a card number, remain firmly in scope.
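The tokenisation process described above, worked through as an added example in Python (not code from the original article or from the author's organisation): a hypothetical in-memory token vault that validates a card number with the Luhn check, issues a random token of the same length that keeps the last four digits for receipts but deliberately fails Luhn so it can never pass as a real card number, and is the only place a token can be turned back into a PAN. It goes slightly beyond the paragraph by also including a scanner that looks for stray Luhn-valid card numbers in free text, which is how a practitioner checks that PANs really are gone from systems claimed to be out of scope. The vault design, token format and all sample numbers are assumptions; a real vault encrypts the stored PANs and restricts who may call it.

```python
import re
import secrets


def luhn_valid(digits):
    """True if a 12-19 digit string passes the Luhn check used for card numbers."""
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalise(pan):
    """Strip spaces and dashes so '4111 1111 1111 1111' and '4111111111111111' are the same PAN."""
    return re.sub(r"[ -]", "", pan)


def mask(pan):
    """Display form suitable for receipts and screens: only the last four digits are visible."""
    pan = normalise(pan)
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical in-memory token vault. The PAN lives only here; every other
    system keeps the token. A production vault would encrypt the PAN at rest, sit on a
    segmented host and restrict detokenize() to a handful of authorised callers."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        pan = normalise(pan)
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:       # same card, same token, so tokens can be joined on
            return self._token_by_pan[pan]
        while True:
            # Same length and last four digits as the PAN so legacy fields still fit, but the
            # leading digits are random (not derived from the PAN) and the whole token must
            # fail Luhn so it cannot be mistaken for, or used as, a real card number.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        """Only the vault can turn a token back into a PAN."""
        return self._pan_by_token[token]


PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def find_pans(text):
    """Return Luhn-valid card numbers found in free text such as a log line.
    Tokens issued by TokenVault never match because they fail the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        candidate = normalise(m.group(0))
        if luhn_valid(candidate):
            hits.append(candidate)
    return hits


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")   # well-known test number, constructed input
    print("token:", token, "masked:", mask("4111 1111 1111 1111"))
    print("PANs in log line:", find_pans("order 42 card=4111111111111111 ok"))
    print("PANs in tokenised line:", find_pans("order 42 token=" + token + " ok"))
```

Run over application logs, database dumps and backups, `find_pans` is the cheap first pass for confirming that tokenisation has actually shrunk the environment; anything it finds is still cardholder data and still in scope.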

Since the biggest risk to organisations is often internal, the PCI standard requires organisations to restrict access to cardholder data on a need-to-know basis. It also requires a unique ID to be assigned to each user, so that no activity can hide behind a shared account, and all access to network resources and cardholder data to be monitored. Organisations therefore need an identity and access management policy in place.

Identity and access management covers role management, authorisation, user provisioning and de-provisioning, single sign-on, password self-service reset and workflow. Critically, identity and access management also provides an audit trail of who did what, what was done, when they did it and by whose authorisation it was done to reduce the risk of internal violations.
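The need-to-know check and the audit trail of "who did what, when, and on whose authority" described in the two paragraphs above, as an added Python example (not code from the original article or from the author's organisation). Users have unique IDs mapped to roles; reading a full card number requires sign-off from a second person who holds an approval role; and every decision, allowed or denied, is written to a hash-chained audit log so that a record altered after the fact is detected. The role model, user IDs and permission names are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical role model for a cardholder data environment. Every person has
# exactly one ID; there is no shared "admin" login to hide behind.
ROLE_PERMISSIONS = {
    "cashier":          {"pan:read_masked"},
    "fraud_analyst":    {"pan:read_masked", "pan:read_full"},
    "dba":              {"pan:read_masked", "db:backup"},
    "security_manager": {"pan:read_masked", "approve"},
}
USERS = {"u1001": "fraud_analyst", "u2002": "cashier",
         "u3003": "dba", "u4004": "security_manager"}
NEEDS_APPROVAL = {"pan:read_full"}   # need-to-know: full PAN only with a second person's sign-off


class AuditTrail:
    """Append-only, hash-chained audit log: each record commits to the previous one,
    so editing or deleting a record after the fact makes verify() fail."""

    GENESIS = "0" * 64

    def __init__(self):
        self.records = []
        self._last_hash = self.GENESIS

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **fields):
        body = dict(fields, prev=self._last_hash)
        rec = dict(body, hash=self._digest(body))
        self.records.append(rec)
        self._last_hash = rec["hash"]
        return rec

    def verify(self):
        prev = self.GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def authorise(trail, user_id, action, resource, approved_by=None, now=None):
    """Decide whether user_id may perform action on resource and record the decision
    (who, what, when, on what, on whose authority, outcome) whether allowed or denied."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    role = USERS.get(user_id)
    allowed = role is not None and action in ROLE_PERMISSIONS[role]
    if allowed and action in NEEDS_APPROVAL:
        approver_role = USERS.get(approved_by)
        allowed = (approved_by != user_id                      # no self-approval
                   and approver_role is not None
                   and "approve" in ROLE_PERMISSIONS[approver_role])
    trail.append(ts=ts, user=user_id, role=role, action=action, resource=resource,
                 approved_by=approved_by, outcome="allow" if allowed else "deny")
    return allowed


if __name__ == "__main__":
    trail = AuditTrail()
    authorise(trail, "u2002", "pan:read_masked", "order:42")                        # allow
    authorise(trail, "u2002", "pan:read_full", "order:42")                          # deny: not in role
    authorise(trail, "u1001", "pan:read_full", "order:42", approved_by="u4004")     # allow: approved
    for rec in trail.records:
        print(rec["user"], rec["action"], rec["outcome"], rec["hash"][:12])
    print("trail intact:", trail.verify())
```

Denied attempts are logged just as carefully as allowed ones; a run of denials for full card numbers from one ID is exactly the kind of internal abuse the risk assessment in the earlier sections is meant to surface.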

Crucially, all these measures give organisations a true view of their networks. An organisation with only a partial or distorted view of its internal networks and IT systems is left exposed to threats it cannot see and will be unable to make the most of its core assets.

Organisations need vision – vision to see the true state of their IT systems, vision to plan for the future and vision to act on what is facing them at any given time. So by adhering to PCI standards and considering the wider issues of governance it allows organisations to be on the front foot when it comes to protecting their clients’ data and enhancing their business assets.


Alan Coburn is Director of Security and Risk Consulting at Dell SecureWorks, a provider of world-class information security services to help organisations of all sizes protect their IT assets, comply with regulations and reduce security costs.