SlideShare a Scribd company logo

PCI DSS Compliance and Security: Harmony or Discord?

Download as PPT, PDF
Lumension, profile picture
Lumension

The document discusses the relationship between PCI DSS compliance and security, emphasizing that compliance alone does not equate to security. It identifies six critical elements needed for effective PCI DSS compliance and security, including agility, consistency, efficiency, transparency, accountability, and continuous security enforcement. The need for a holistic view of risk and the integration of compliance into broader security measures are highlighted as essential for protecting critical information.

Technology
Related topics:
PCI DSS Training
1 of 25
Downloaded 68 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
PCI DSS Compliance and Security: Harmony or Discord?
Today’s Agenda The evolving threat and compliance landscape How to use compliance as a catalyst for developing and implementing an effective security program The six critical elements to PCI DSS compliance How to go beyond PCI DSS and secure critical information
Today’s Speakers Chris Merritt Director of Solution Marketing Lumension Michael Rasmussen Risk & Compliance Advisor Corporate Integrity, LLC William Bell Director of Information Systems EC Suite
The Evolving Threat and Compliance Landscape
The Evolving Threat Landscape 85% of attacks were not considered highly difficult Web application vulnerabilities continue to be the attack vector of choice Cybercriminals used stolen account logons in 38% of successful data breaches, accounting for 86% of the records compromised Source: Verizon, 2010 Data Breach Investigations Report
Are you focused only on what you see? “ Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!” E.J. Smith, Captain of the Titanic Risk Awareness Risk Ignorance
Silos Lead to Greater IT Risk A reactive and siloed approach to IT GRC is a recipe for disaster and leads to . . .  Lack of visibility. A reactive approach to risk and compliance leads to siloed initiatives that never see the big picture. Wasted and/or inefficient use of resources. Silos of risk and compliance lead to wasted resources. Unnecessary complexity. Varying risk and compliance approaches introduce greater complexity to the business environment. Lack of flexibility. Complexity drives inflexibility - the organization is not agile to the dynamic business environment it operates in. Vulnerability and exposure. A reactive approach leads to greater exposure and vulnerability.
Compliance & Security: Harmony or Discord? PCI DSS provides payment card data protection requirements However, compliance and security are not the same An organization can be compliant and still experience a security breach, and can also be non-compliant and maintain a secure infrastructure. What is the value of compliance? Use as a catalyst for implementing effective security measures Requires an understanding of the principles behind the requirements, not just adherence to minimum requirements. Security is more than a list of checkboxes — it involves a holistic approach and processes to protect the organization. Compliance standards such as PCI DSS provide a foundation for achieving security, but by itself it does not adequately protect the organization.
A grim view of the current state… Source: Open Compliance & Ethics Group
Big Picture of Compliance OBJECTIVES strategic, operational, customer, process, compliance objectives BUSINESS MODEL strategy, people, process, technology and infrastructure in place to drive toward objectives MANDATED BOUNDARY boundary established by external forces including laws, government regulation and other mandates. VOLUNTARY BOUNDARY boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies. OPPORTUNITIES OPPORTUNITIES OPPORTUNITIES Source: Open Compliance & Ethics Group OBSTACLES
Components of Compliance & Data Protection Source: Open Compliance & Ethics Group INFORM & INTEGRATE DETECT & DISCERN ORGANIZE & OVERSEE ASSESS & ALIGN MONITOR & MEASURE PREVENT & PROMOTE RESPOND & RESOLVE
Sample IT Risk Assessment Process
6 Critical Elements to Achieve Economies in PCI DSS Compliance & Beyond
6 Economies of PCI DSS Compliance & Beyond
1 - Agility Ensure continuous compliance: Full ongoing discovery of the IT environment, its information and technology assets. Understand where cardholder data is stored and who has access. Automatically assess the network and devices that connect to it. Automate IT risk-assessment to provide structure around the collecting evidence for compliance controls. Enforce policy for software updates, security patches and standardized configurations. Flexibility to handle unique needs and requirements.
2 - Consistency Streamline compliance workflows and processes: Comprehensive inventory and management of IT systems that store, communicate, transmit and interact with cardholder data. Consolidated console for visibility of physical and virtual environments. IT asset management - applications, databases, servers, networks, data centers, people and processes. Continuously monitor compliance and IT risk postures and enforce mandatory baseline for systems interacting with cardholder data. Add, create, define, edit and import/export security configurations and checklists. Normalize common controls across standard and regulatory requirements into a single control.
3 - Efficiency Automate compliance and security processes: Address multiple management needs through a single compliance architecture. Maximum organizational and IT flexibility with automated enforcement, saving both time and effort by IT staff. Implement standard configuration checklists with a repository of software vulnerabilities, which provides context to properly maintain security and control of cardholder data. Automate risk-profile analysis to save time over manual risk-analysis practices.
4 - Transparency Ensure visibility of IT risk across the organization: Provide harmonization of compliance controls across a range of mandates. Understand the holistic risk of cardholder data that flows among multiple information systems, processes, and departments. Collect device, security and configuration information to provide consolidated visibility for system owners. Provide a global view of vulnerability status for all organization assets with an at-a-glance understanding of risk and system status. Document changes and demonstrate progress toward audit and compliance requirements. Be fully prepared for PCI DSS QSA audits, with relevant information ready for auditors.
5 - Accountability Ensure no stones are left unturned: Complete view of PCI DSS compliance covering specific assets, requirements, and organization systems/processes. Constant audit readiness through centralized and automated collection of vulnerability assessments. Workflow-based surveys to ensure accountability for procedural and physical controls. Stakeholder surveys to determine the business impact of risk scenarios that compromise the CIA of cardholder data. Risk-based analysis of IT posture to enable drill down on suspicious behavior for further investigation. Information system and role-based reporting and administration. Comprehensive reporting to management and authorities at a moment’s notice.
6 - Security Ensure continuous security policy enforcement: Identify controls that enhance security of cardholder data while meeting PCI DSS compliance requirements. Assess threats, vulnerabilities, patch status, security configurations, installed software and hardware inventory. Remediate software and endpoints that store, transmit, and interact with cardholder data. Automate enforcement of malware protection and endpoint security. Quickly respond to issues and visibility across the organization’s information systems environment. Continuously monitor security policies, particularly when new information, processes, and technology assets are added that interact with cardholder data.
PCI Compliance, Security & Beyond Go beyond securing credit cardholder data and enforce policies to protect all critical information:   Discover, inventory, and categorize information systems Monitor vulnerability exposure and PCI DSS compliance Remediate and maintain compliance to PCI DSS Manage security configurations across all endpoints Control removable device use and enforce data encryption Streamline overlapping technical and procedural controls across compliance obligations Maintain trusted application use on information systems Enforce compliance with evolving requirements Enable reporting and monitoring of PCI DSS compliance and your entire IT risk posture
Panel Discussion and Q&A
Conclusion
Resources and Tools Whitepapers 6 Critical Elements to Achieving Economical PCI DSS Compliance Reducing Your Cost to Achieve PCI DSS Compliance with Lumension Shift Happens: The Evolution of Application Whitelisting Other Resources EC Suite ROI Case Study Podcasts, Videos, Webcasts, eBooks On-Demand Demos Scanners Product Software Evaluations Virtual Environment Full Software Download
Global Headquarters 8660 East Hartford Drive Suite 300 Scottsdale, AZ 85255 1.888.725.7828 [email_address] blog.lumension.com

More Related Content

PDF
Business case for information security program
William Godwin
 
PDF
Cybersecurity Consulting Services flyer
John Anderson
 
PDF
How to Prepare for a PCI DSS Audit
SecurityMetrics
 
PDF
Security Framework for Digital Risk Managment
Securestorm
 
PDF
Cisa 2013 ch5
Aladdin Dandis
 
PDF
What it Takes to be a CISO in 2017
Doug Copley
 
PDF
Cybersecurity Program Assessments
John Anderson
 
PPTX
A guide to Sustainable Cyber Security
Ernest Staats
 
Business case for information security program
William Godwin
 
Cybersecurity Consulting Services flyer
John Anderson
 
How to Prepare for a PCI DSS Audit
SecurityMetrics
 
Security Framework for Digital Risk Managment
Securestorm
 
Cisa 2013 ch5
Aladdin Dandis
 
What it Takes to be a CISO in 2017
Doug Copley
 
Cybersecurity Program Assessments
John Anderson
 
A guide to Sustainable Cyber Security
Ernest Staats
 

What's hot (19)

PDF
Security services mind map
David Kennedy
 
PPT
Roadmap to IT Security Best Practices
Greenway Health
 
PDF
Ch3 cism 2014
Aladdin Dandis
 
PPTX
What is a cybersecurity assessment 20210813
Kinetic Potential
 
PDF
Cybersecurity Challenges in Healthcare
Doug Copley
 
PPT
Supplement To Student Guide Seminar 03 A 3 Nov09
Tammy Clark
 
PPTX
Build an Information Security Strategy
Andrew Byers
 
PPTX
QSA Shares PCI 3.0 Advice & Checklist
Tripwire
 
PDF
Building an effective Information Security Roadmap
Elliott Franklin
 
PPTX
Nist 800 53 deep dive 20210813
Kinetic Potential
 
PDF
Cisa 2013 ch0
Aladdin Dandis
 
PDF
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
Christina33713
 
PDF
Cisa 2013 ch4
Aladdin Dandis
 
PDF
IT SECURITY ASSESSMENT PROPOSAL
CYBER SENSE
 
PPTX
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Phil Agcaoili
 
PDF
The Business Case for Data Security
Imperva
 
PDF
Cisa 2013 ch3
Aladdin Dandis
 
PPTX
Developing an Information Security Roadmap
Austin Songer
 
PPTX
NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...
North Texas Chapter of the ISSA
 
Security services mind map
David Kennedy
 
Roadmap to IT Security Best Practices
Greenway Health
 
Ch3 cism 2014
Aladdin Dandis
 
What is a cybersecurity assessment 20210813
Kinetic Potential
 
Cybersecurity Challenges in Healthcare
Doug Copley
 
Supplement To Student Guide Seminar 03 A 3 Nov09
Tammy Clark
 
Build an Information Security Strategy
Andrew Byers
 
QSA Shares PCI 3.0 Advice & Checklist
Tripwire
 
Building an effective Information Security Roadmap
Elliott Franklin
 
Nist 800 53 deep dive 20210813
Kinetic Potential
 
Cisa 2013 ch0
Aladdin Dandis
 
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
Christina33713
 
Cisa 2013 ch4
Aladdin Dandis
 
IT SECURITY ASSESSMENT PROPOSAL
CYBER SENSE
 
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Phil Agcaoili
 
The Business Case for Data Security
Imperva
 
Cisa 2013 ch3
Aladdin Dandis
 
Developing an Information Security Roadmap
Austin Songer
 
NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...
North Texas Chapter of the ISSA
 
Ad

Viewers also liked (6)

PDF
Addressing Security Challenges of Mobility and Web 2.0 2009
Jason Edelstein
 
PDF
Information Security It's All About Compliance
Dinesh O Bareja
 
PDF
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
Cybersecurity Education and Research Centre
 
PPT
Six Keys to Securing Critical Infrastructure and NERC Compliance
Lumension
 
PPT
On Boarding Ppt
tomnorthrop
 
PPT
Onboarding! Powerpoint Presentation
Donna Morrison
 
Addressing Security Challenges of Mobility and Web 2.0 2009
Jason Edelstein
 
Information Security It's All About Compliance
Dinesh O Bareja
 
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
Cybersecurity Education and Research Centre
 
Six Keys to Securing Critical Infrastructure and NERC Compliance
Lumension
 
On Boarding Ppt
tomnorthrop
 
Onboarding! Powerpoint Presentation
Donna Morrison
 
Ad

Similar to PCI DSS Compliance and Security: Harmony or Discord? (20)

PDF
CCA study group
IIBA UK Chapter
 
PPTX
D1 security and risk management v1.62
AlliedConSapCourses
 
PDF
Item46763
madunix
 
PDF
New technologies - Amer Haza'a
Fahmi Albaheth
 
PDF
Risk Management
ijtsrd
 
PPTX
Risk assessment
kajal kumari
 
PDF
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
Taiye Lambo
 
PDF
PCI DSS Implementation: A Five Step Guide
AlienVault
 
PPTX
Risk Management Approach to Cyber Security
Ernest Staats
 
PPT
Cyber crime with privention
Manish Dixit Ceh
 
PDF
PCI Certification and remediation services
Tariq Juneja
 
PPT
S nandakumar
IPPAI
 
PPT
S nandakumar_banglore
IPPAI
 
PDF
Cyber-Security-Whitepaper.pdf
Anil
 
PDF
Cyber-Security-Whitepaper.pdf
Anil
 
PDF
RISE's Training Catalog
RISE for Information Technology Services
 
PDF
Enabling Science with Trust and Security – Guest Keynote
Globus
 
PPT
Isa Prog Need L
R_Yanus
 
PPT
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
abhichowdary16
 
PPT
Information Security Framework
ssuser65fa31
 
CCA study group
IIBA UK Chapter
 
D1 security and risk management v1.62
AlliedConSapCourses
 
Item46763
madunix
 
New technologies - Amer Haza'a
Fahmi Albaheth
 
Risk Management
ijtsrd
 
Risk assessment
kajal kumari
 
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
Taiye Lambo
 
PCI DSS Implementation: A Five Step Guide
AlienVault
 
Risk Management Approach to Cyber Security
Ernest Staats
 
Cyber crime with privention
Manish Dixit Ceh
 
PCI Certification and remediation services
Tariq Juneja
 
S nandakumar
IPPAI
 
S nandakumar_banglore
IPPAI
 
Cyber-Security-Whitepaper.pdf
Anil
 
Cyber-Security-Whitepaper.pdf
Anil
 
RISE's Training Catalog
RISE for Information Technology Services
 
Enabling Science with Trust and Security – Guest Keynote
Globus
 
Isa Prog Need L
R_Yanus
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
abhichowdary16
 
Information Security Framework
ssuser65fa31
 

More from Lumension (20)

PPTX
Using SCCM 2012 r2 to Patch Linux, UNIX and Macs
Lumension
 
PPTX
2015 Endpoint and Mobile Security Buyers Guide
Lumension
 
PPTX
Top 10 Things to Secure on iOS and Android to Protect Corporate Information
Lumension
 
PPTX
2014 BYOD and Mobile Security Survey Preliminary Results
Lumension
 
PPTX
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Lumension
 
PPTX
Careto: Unmasking a New Level in APT-ware
Lumension
 
PPTX
Securing Your Point of Sale Systems: Stopping Malware and Data Theft
Lumension
 
PPTX
2014 Security Trends: SIEM, Endpoint Security, Data Loss, Mobile Devices and ...
Lumension
 
PPTX
2014 Data Protection Maturity Survey: Results and Analysis
Lumension
 
PDF
Greatest It Security Risks of 2014: 5th Annual State of Endpoint Risk
Lumension
 
PPTX
Windows XP is Coming to an End: How to Stay Secure Before You Migrate
Lumension
 
PPTX
Adobe Hacked Again: What Does It Mean for You?
Lumension
 
PPTX
Real World Defense Strategies for Targeted Endpoint Threats
Lumension
 
PPTX
APTs: The State of Server Side Risk and Steps to Minimize Risk
Lumension
 
PPTX
2014 Ultimate Buyers Guide to Endpoint Security Solutions
Lumension
 
PPTX
Data Protection Rules are Changing: What Can You Do to Prepare?
Lumension
 
PPTX
Java Insecurity: How to Deal with the Constant Vulnerabilities
Lumension
 
PPTX
BYOD & Mobile Security: How to Respond to the Security Risks
Lumension
 
PPTX
3 Executive Strategies to Reduce Your IT Risk
Lumension
 
PDF
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
Lumension
 
Using SCCM 2012 r2 to Patch Linux, UNIX and Macs
Lumension
 
2015 Endpoint and Mobile Security Buyers Guide
Lumension
 
Top 10 Things to Secure on iOS and Android to Protect Corporate Information
Lumension
 
2014 BYOD and Mobile Security Survey Preliminary Results
Lumension
 
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Lumension
 
Careto: Unmasking a New Level in APT-ware
Lumension
 
Securing Your Point of Sale Systems: Stopping Malware and Data Theft
Lumension
 
2014 Security Trends: SIEM, Endpoint Security, Data Loss, Mobile Devices and ...
Lumension
 
2014 Data Protection Maturity Survey: Results and Analysis
Lumension
 
Greatest It Security Risks of 2014: 5th Annual State of Endpoint Risk
Lumension
 
Windows XP is Coming to an End: How to Stay Secure Before You Migrate
Lumension
 
Adobe Hacked Again: What Does It Mean for You?
Lumension
 
Real World Defense Strategies for Targeted Endpoint Threats
Lumension
 
APTs: The State of Server Side Risk and Steps to Minimize Risk
Lumension
 
2014 Ultimate Buyers Guide to Endpoint Security Solutions
Lumension
 
Data Protection Rules are Changing: What Can You Do to Prepare?
Lumension
 
Java Insecurity: How to Deal with the Constant Vulnerabilities
Lumension
 
BYOD & Mobile Security: How to Respond to the Security Risks
Lumension
 
3 Executive Strategies to Reduce Your IT Risk
Lumension
 
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
Lumension
 

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
A Presentation on Artificial Intelligence
memembruh336
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
KodekX | Application Modernization Development
KodekX
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 

PCI DSS Compliance and Security: Harmony or Discord?

  • 1. PCI DSS Compliance and Security: Harmony or Discord?
  • 2. Today’s Agenda The evolving threat and compliance landscape How to use compliance as a catalyst for developing and implementing an effective security program The six critical elements to PCI DSS compliance How to go beyond PCI DSS and secure critical information
  • 3. Today’s Speakers Chris Merritt Director of Solution Marketing Lumension Michael Rasmussen Risk & Compliance Advisor Corporate Integrity, LLC William Bell Director of Information Systems EC Suite
  • 4. The Evolving Threat and Compliance Landscape
  • 5. The Evolving Threat Landscape 85% of attacks were not considered highly difficult Web application vulnerabilities continue to be the attack vector of choice Cybercriminals used stolen account logons in 38% of successful data breaches, accounting for 86% of the records compromised Source: Verizon, 2010 Data Breach Investigations Report
  • 6. Are you focused only on what you see? “ Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!” E.J. Smith, Captain of the Titanic Risk Awareness Risk Ignorance
  • 7. Silos Lead to Greater IT Risk A reactive and siloed approach to IT GRC is a recipe for disaster and leads to . . .  Lack of visibility. A reactive approach to risk and compliance leads to siloed initiatives that never see the big picture. Wasted and/or inefficient use of resources. Silos of risk and compliance lead to wasted resources. Unnecessary complexity. Varying risk and compliance approaches introduce greater complexity to the business environment. Lack of flexibility. Complexity drives inflexibility - the organization is not agile to the dynamic business environment it operates in. Vulnerability and exposure. A reactive approach leads to greater exposure and vulnerability.
  • 8. Compliance & Security: Harmony or Discord? PCI DSS provides payment card data protection requirements However, compliance and security are not the same An organization can be compliant and still experience a security breach, and can also be non-compliant and maintain a secure infrastructure. What is the value of compliance? Use as a catalyst for implementing effective security measures Requires an understanding of the principles behind the requirements, not just adherence to minimum requirements. Security is more than a list of checkboxes — it involves a holistic approach and processes to protect the organization. Compliance standards such as PCI DSS provide a foundation for achieving security, but by itself it does not adequately protect the organization.
  • 9. A grim view of the current state… Source: Open Compliance & Ethics Group
  • 10. Big Picture of Compliance OBJECTIVES strategic, operational, customer, process, compliance objectives BUSINESS MODEL strategy, people, process, technology and infrastructure in place to drive toward objectives MANDATED BOUNDARY boundary established by external forces including laws, government regulation and other mandates. VOLUNTARY BOUNDARY boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies. OPPORTUNITIES OPPORTUNITIES OPPORTUNITIES Source: Open Compliance & Ethics Group OBSTACLES
  • 11. Components of Compliance & Data Protection Source: Open Compliance & Ethics Group INFORM & INTEGRATE DETECT & DISCERN ORGANIZE & OVERSEE ASSESS & ALIGN MONITOR & MEASURE PREVENT & PROMOTE RESPOND & RESOLVE
  • 12. Sample IT Risk Assessment Process
  • 13. 6 Critical Elements to Achieve Economies in PCI DSS Compliance & Beyond
  • 14. 6 Economies of PCI DSS Compliance & Beyond
  • 15. 1 - Agility Ensure continuous compliance: Full ongoing discovery of the IT environment, its information and technology assets. Understand where cardholder data is stored and who has access. Automatically assess the network and devices that connect to it. Automate IT risk-assessment to provide structure around the collecting evidence for compliance controls. Enforce policy for software updates, security patches and standardized configurations. Flexibility to handle unique needs and requirements.
  • 16. 2 - Consistency Streamline compliance workflows and processes: Comprehensive inventory and management of IT systems that store, communicate, transmit and interact with cardholder data. Consolidated console for visibility of physical and virtual environments. IT asset management - applications, databases, servers, networks, data centers, people and processes. Continuously monitor compliance and IT risk postures and enforce mandatory baseline for systems interacting with cardholder data. Add, create, define, edit and import/export security configurations and checklists. Normalize common controls across standard and regulatory requirements into a single control.
  • 17. 3 - Efficiency Automate compliance and security processes: Address multiple management needs through a single compliance architecture. Maximum organizational and IT flexibility with automated enforcement, saving both time and effort by IT staff. Implement standard configuration checklists with a repository of software vulnerabilities, which provides context to properly maintain security and control of cardholder data. Automate risk-profile analysis to save time over manual risk-analysis practices.
  • 18. 4 - Transparency Ensure visibility of IT risk across the organization: Provide harmonization of compliance controls across a range of mandates. Understand the holistic risk of cardholder data that flows among multiple information systems, processes, and departments. Collect device, security and configuration information to provide consolidated visibility for system owners. Provide a global view of vulnerability status for all organization assets with an at-a-glance understanding of risk and system status. Document changes and demonstrate progress toward audit and compliance requirements. Be fully prepared for PCI DSS QSA audits, with relevant information ready for auditors.
  • 19. 5 - Accountability Ensure no stones are left unturned: Complete view of PCI DSS compliance covering specific assets, requirements, and organization systems/processes. Constant audit readiness through centralized and automated collection of vulnerability assessments. Workflow-based surveys to ensure accountability for procedural and physical controls. Stakeholder surveys to determine the business impact of risk scenarios that compromise the CIA of cardholder data. Risk-based analysis of IT posture to enable drill down on suspicious behavior for further investigation. Information system and role-based reporting and administration. Comprehensive reporting to management and authorities at a moment’s notice.
  • 20. 6 - Security Ensure continuous security policy enforcement: Identify controls that enhance security of cardholder data while meeting PCI DSS compliance requirements. Assess threats, vulnerabilities, patch status, security configurations, installed software and hardware inventory. Remediate software and endpoints that store, transmit, and interact with cardholder data. Automate enforcement of malware protection and endpoint security. Quickly respond to issues and visibility across the organization’s information systems environment. Continuously monitor security policies, particularly when new information, processes, and technology assets are added that interact with cardholder data.
  • 21. PCI Compliance, Security & Beyond Go beyond securing credit cardholder data and enforce policies to protect all critical information:   Discover, inventory, and categorize information systems Monitor vulnerability exposure and PCI DSS compliance Remediate and maintain compliance to PCI DSS Manage security configurations across all endpoints Control removable device use and enforce data encryption Streamline overlapping technical and procedural controls across compliance obligations Maintain trusted application use on information systems Enforce compliance with evolving requirements Enable reporting and monitoring of PCI DSS compliance and your entire IT risk posture
  • 24. Resources and Tools Whitepapers 6 Critical Elements to Achieving Economical PCI DSS Compliance Reducing Your Cost to Achieve PCI DSS Compliance with Lumension Shift Happens: The Evolution of Application Whitelisting Other Resources EC Suite ROI Case Study Podcasts, Videos, Webcasts, eBooks On-Demand Demos Scanners Product Software Evaluations Virtual Environment Full Software Download
  • 25. Global Headquarters 8660 East Hartford Drive Suite 300 Scottsdale, AZ 85255 1.888.725.7828 [email_address] blog.lumension.com

Editor's Notes

  • #3: © Copyright 2008 - Lumension Security
  • #9: Six control-objective categories that form 12 requirement areas for compliance. Build and maintain a secure network Protect and encrypt cardholder data Manage and monitor threats and vulnerabilities to the environment Integrate strong access-control measures, so only authorized users can access card holder data Test and monitor the state of security Implement a comprehensive and effective information security policy PCI DSS compliance is just one of many regulations organizations face to ensure the protection of information. The end goal is to effectively manage IT risk — to see to it that there are proper security controls in place to reduce risk to an acceptable level. To achieve economies in PCI DSS compliance, to maintain security and prevent data breaches, organizations must implement an infrastructure for managing and monitoring compliance on a continuous basis. Heartland Payment Systems Malicious keylogger software planted on the company's payment processing network recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients. 1 130 million credit cards impacted 2 652 reported institutions affected 2 RBS WorldPay Hacker got into the computer systems 1.5 million cardholders affected Linked to gang that used debit cards to steal millions of dollars from ATMs
  • #10: Open Compliance & Ethics Group (www.oceg.org) 08/27/10 (c) 2007, OCEG
  • #15: Though PCI DSS is more prescriptive than other compliance requirements, an organization can use several approaches to demonstrate adherence. One approach is a manual, ad hoc and ultimately labor-intensive process that produces mountains of paper and electronic documents. This leads to a compliance posture that is often full of holes or outright “smoke and mirrors,” with little security value. A more economical approach focuses on automation and efficiency in PCI DSS compliance, which achieves greater control and security.
  • #16: Organizations need a sustainable process and infrastructure to demonstrate PCI DSS compliance that is agile enough to respond to a changing business and IT environment.
  • #17: Organizations need a consistent approach to demonstrate PCI DSS compliance and ensure that requirements are consistently applied across governed systems and information.
  • #18: PCI DSS compliance approached the wrong way can be burdensome.
  • #19: The organization, and any of its extended business relationships that interact with cardholder data, must demand transparency in reporting across systems.
  • #20: At its core, compliance is about accountability. The organization is ultimately accountable for PCI DSS compliance even across extended business relationships that use its cardholder data.
  • #21: Ultimately, security of cardholder data is what PCI DSS is about — and the peace of mind that the organization is not exposing cardholder and financial information to unwanted risk.