Skeletal Elements of Your Organization’s IT Systems: Deter, Detect and Defend Against Data Breaches
Information Security Program & Payment Card Industry Data Security Standard (PCI DSS) Compliance for Your Business
Security and Compliance Are Not Synonymous. Regulatory compliance helps to improve security; improved security helps to achieve compliance.
77 Million Users 10 Million Credit Card Compromised Accounts   Losses ??? Millions of Names and Email Addresses of over 2,500 Major Companies   Consequences??
94 Million Compromised Accounts   83 Million Dollars in Losses 4 Million Compromised Accounts   100’s of Compromised Accounts   50,000+ Credit Card Transactions  Processed Yearly 20,000+ Credit Cards Numbers
The High Cost of Data Breaches
Average Cost Per Record Breached: $204
Average Cost Per Breach: $6.75 million
Range of Total Cost Per Breach: $750,000 to almost $31 million
Source: Ponemon Institute, Fourth Annual Cost of Data Breach Study, January 2009
Essential Elements of a Successful Information Technology Security Program
COBIT Standards Risk Assessment
Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI), first released in 1996. It is used to proactively identify IT-related risks that require mitigation strategies, including anticipating future regulatory and external reporting expectations, and to aid the overall IT governance activities and support the business’s operational risk initiatives.
Management Benefits
Sound business decisions are based on timely, relevant and concise information. Decision making is more effective because COBIT aids management in:
Defining a Strategic IT Plan
Defining the Information Architecture
Acquiring the necessary IT hardware and software to execute an IT strategy
Ensuring Continuous Service (BCP/DR)
Monitoring the Performance of the IT systems
COBIT provides a foundation upon which IT-related decisions and investments can be based. The COBIT Executive Summary consists of an Executive Overview which provides a thorough awareness and understanding of COBIT's key concepts and principles.
Auditor Benefits
Helps identify IT control issues within a company’s IT infrastructure.
Corroborates audit findings.
COBIT is widely used as the IT control framework for Sarbanes-Oxley compliance.
End-User Benefits
Assurance that the IT applications that aid in the gathering, processing and reporting of information comply with a recognized standard, which implies that controls and security are in place to govern the IT processes.
COBIT's Four Domains
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
Plan and Organize Covers the use of technology and how best it can be used in a company to help achieve the company’s goals and objectives.  Highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.
Control Objectives for the Plan & Organize Domain
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization & Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims & Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
Acquire and Implement
Identifying IT requirements, acquiring the technology, and implementing it within the company’s current business processes. Addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.
Control Objectives for the Acquire & Implement Domain
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
Deliver and Support
Execution of the applications within the IT system, and the support processes that enable the effective and efficient execution of the IT systems. Support processes include security and training.
Control Objectives for the Deliver & Support Domain
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations
Monitor and Evaluate
Deals with a company’s strategy for assessing whether the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements.
Covers the independent assessment, by internal and external auditors, of the effectiveness of the IT system in meeting business objectives and of the company’s control processes.
Control Objectives for the Monitor & Evaluate Domain
ME1 Monitor and Evaluate IT Processes
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance
Further Information: Information Systems  Audit and Control Association (ISACA) http://www.isaca.org
Annual Security Reporting Introduction  Brief Synopsis of IT Security Yearly Activities IT Security Activities  Policy/Standards Developments Security Hardware and/or Software Implementations Next Year’s IT Security Goals COBIT Internal Risk Assessment
Information Security Policy  Purpose  Objectives Development and Implementation Responsibility  Assessment and Management of Risk  Protection and Destruction of Sensitive Information Monitoring, Testing & Updating of the Information Security Program Monitoring of the Information Security Program Overseeing Service Provider Arrangements  Annual Status Reporting and Policy Review
Safeguarding  Customer Information Policy  Policy Statement  Statement of Responsibilities  Computer Security Physical Security  Copyrights and License  Monitoring  Violations
Access Control Policy  User Access Management Access Control Rules   Access Control Request Form  File System Control  Login Banner Notices
Data Classification, Retention and Disposal Policy   Sensitivity Guidelines  Sensitive Information Retention & Disposal Guidelines  Credit Card Information Retention & Disposal Guidelines
Intrusion Response Plan   Incident Severity  Incident Declaration  Document Recovery Steps  Analyze the Intrusion  Recover from the Intrusion  Intrusion Response Checklist
Customer Notice Incident Declaration  Response Program Recovery Steps  Sample Call Staff Instructions Sample Call Staff Telephone Script Instructions Customer Call Record Form  Suggested Communication to Regulators Sample Customer Notification Letter  Identity Theft Bureaus & Agencies Assessment of Unauthorized Access to Sensitive  Customer Information  Incident Response Log  Unauthorized Access to Customer Information Plan
Additional Items Password Policy Compliance Requirements Password Integrity Guidelines Password Protection Standards Employee Acknowledgment Vendor Management Program Risk Assessment & Mitigation Request for Proposal Due Diligence  Implementation
Further Information & Sample Policies/Guidelines:
SANS Institute http://www.sans.org
National Institute of Standards and Technology (NIST) www.nist.gov
Payment Card Industry Data Security Standard (PCI DSS) Compliance for Your Business
A Security Breach and Subsequent Compromise of Cardholder Data could have far-reaching  Consequences  for Your Business including: Regulatory Notification Requirements Loss of Reputation Loss of Customers Potential Financial Liabilities (Regulatory and Other Fines and Fees) Litigation
Compliant Organizations Experience Fewer Breaches 32%  of Compliant Organizations Never Had a Breach vs.  12%  of Non Compliant Organizations  69%  of Compliant Organizations Reported at Least One Breach vs.  88%  of Non Compliant Organizations
We all can help to Deter, Detect and Defend against ID theft with these 5 easy steps:
Take Stock – Know Where the Info Is
Scale Down – Keep Only What is Needed
Lock It – Protect the Info We Do Keep
Pitch It – Properly Dispose of What We Don’t
Plan Ahead – Create a Plan to Respond to a Breach
The PCI Security Standards Council (PCI SSC) does not manage compliance programs and does not impose any consequences for non-compliance. The individual payment brands may have their own compliance initiatives, including financial or operational consequences to certain businesses that are not compliant.
The Road to PCI DSS Compliance is dependent on the Merchant Level & Self Assessment Questionnaire (SAQ) Validation Types
Merchant Levels  based on  Credit Card Transactions Processed Level 1  – Over 6,000,000 per year Level 2  – 1,000,000 to 6,000,000 per year Level 3  – 20,000 to 1,000,000 per year Level 4  – Fewer than 20,000 per year
Self Assessment Questionnaire (SAQ) Validation Types
SAQ A  Card Not Present Merchants All cardholder data functions outsourced Never applies to face to face merchants 13 Questions & Attestation
SAQ B Imprint-Only Merchants No electronic cardholder data storage Standalone dial-out terminal merchants with no data storage 29 Questions & Attestation
SAQ C-VT Merchants with web based virtual terminals  No electronic cardholder data storage 51 Questions & Attestation
SAQ C Merchants with Payment Applications connected to Internet No electronic cardholder data storage 40 Questions & Attestation
SAQ D All Merchants not included in other SAQ descriptions All service providers defined by payment brand as eligible to complete a SAQ 288 Questions & Attestation
Security Requirements for PCI DSS Compliance (CHD = cardholder data; the SAQ types each requirement applies to are in parentheses)
Requirement 1 – Install & Maintain Firewall Configuration to protect CHD (SAQ C, D)
Requirement 2 – Change All Default Passwords & Security Parameters (SAQ C, D)
Requirement 3 – Protect Stored CHD (SAQ B, C, D)
Requirement 4 – Encrypt Transmission of CHD across Public Networks (SAQ B, C, D)
Requirement 5 – Use & Regularly Update Anti-Virus Software (SAQ C, D)
Requirement 6 – Develop & Maintain Secure Systems/Applications (SAQ C, D)
Requirement 7 – Restrict CHD Access to Business Need-to-Know (SAQ B, C, D)
Requirement 8 – Assign Unique ID for each person with computer access to CHD (SAQ C, D)
Requirement 9 – Restrict Physical Access to CHD (SAQ A, B, C, D)
Requirement 10 – Track & Monitor Access to Network Resources & CHD (SAQ C, D)
Requirement 11 – Regularly Test Security Systems/Processes (SAQ C, D)
Requirement 12 – Maintain Information Security Policy (SAQ A, B, C, D)
Prioritized Approach to Pursue PCI DSS Compliance 1. Remove Sensitive Authentication Data and Limit Data Retention  (Requirements 1,3,9)  2. Protect the Perimeter, Internal and Wireless Networks  (Requirements 1,2,4,5,11,12)  3. Secure Payment Card Applications  (Requirements 2,6)  4. Monitor and Control Access to Systems (Requirements 7,8,10,11) 5. Protect Stored Cardholder Data  (Requirements 3,9) 6. Finalize remaining Compliance Efforts and Ensure all Controls are in Place  (Requirements 1,6,10,11,12)
Prioritized Approach to Pursue PCI DSS Compliance Tool https://www.pcisecuritystandards.org/documents/Prioritized_Approach_PCI_DSS_version1_2.xls
PCI compliance in its simplest form: if you don’t need the cardholder data, don’t store it; if you do store it, you must protect it.
Further Information on Complete PCI DSS Specification Prioritized Approach Guidance & Tool Other Supporting Tools and Documentation http://www.pcisecuritystandards.org
Questions??