Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

Transcription

1 Maintaining PCI-DSS compliance Daniele Bertolotti Antonio Ricci Sessione di Studio Milano, 21 Febbraio 2013

2 Agenda 1 Maintaining PCI-DSS compliance 2 Data and Environment Change Control 3 Enforce Due Diligence and Accountability 4 Automate and Simplify 5 Conclusions Maintaining PCI-DSS Compliance 2

3 Maintaining PCI-DSS compliance 3

4 PCI Data Security Standard 2.0 Build and Maintain a Secure Network 1) Install and maintain a firewall configuration to protect cardholder data 2) Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3) Protect stored cardholder data 4) Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5) Use and regularly update anti-virus software 6) Develop and maintain secure systems and applications Implement Strong Access Control Measures 7) Restrict access to cardholder data by business need-to-know 8) Assign a unique ID to each person with computer access 9) Restrict physical access to cardholder data Regularly Monitor and Test Networks 10) Track and monitor all access to network resources and cardholder data 11) Regularly test security systems and processes Maintain an Information Security Policy 12) Maintain a policy that addresses information security Maintaining PCI-DSS Compliance 4

5 Highest Number of Breaches Source: 2012 Data Breach Investigations Report, Verizon Business RISK Team Maintaining PCI-DSS Compliance 5

6 Top Reasons for PCI Breaches Values represent the percentage of organizations for which each requirement was found to be in place Source: 2012 Data Breach Investigations Report, Verizon Business RISK Team Maintaining PCI-DSS Compliance 6

7 The Check List Approach PCI DSS naturally calls for a Check List Approach Audit oriented Designed on a static environment Lack of ownership and awareness Not planned for automation Disposable rather than evolutive Maintaining PCI-DSS Compliance 7

8 The Need for a Compliance Program Symantec s PCI DSS Compliance Process: Maintaining PCI-DSS Compliance 8

9 Compliance Program - Pillars Execute Data & Environment Change Controls Enforce Due Diligence and Accountability Automate and Simplify Maintaining PCI-DSS Compliance 9

10 Data & Environment Change Control 10

11 Protecting Card Holder Data Identify data Find data Understand how data are used Identify Data Owner Protect Data at Rest Protect Data in Transit Inform people about risks People Process Technology Maintaining PCI-DSS Compliance 11

12 Information evolves Incident handling must be quick and precise Business requirements change quickly and often Information must be shared with third parties Data Owner changes Protection requires flexible policies Card Holder Data are handled by several applications Maintaining PCI-DSS Compliance 12

13 Continuous Information Protection Builtin credit card and magnetic stripes data identifier Customizable detection fields Authomated and User based remediation policies Protects data at rest and data in motion Define PCI compliant policies Remediate on data loss prevention incidents Helps identify data at risk Discover where are data at risk Profile based incident view Report on data loss prevention incidents Enforce data protection actions Customizable action on data Integrate with enforcement tools (es. encrypt or archive cardholder data) Maintaining PCI-DSS Compliance 13

14 Data Loss Risk evolves Data move to new assets during their lifecycle Cloud services are part of the business process New vulnerabilities discovered every day Focused and persistent attacks Maintaining PCI-DSS Compliance 14

15 Controlling infrastructure evolution Identify new assets CMDB, Asset Inventory Discover credit card data on new assets Data Loss Prevention Protect credit card data on new assets Data Loss Prevention, Encryption Periodically check and fix PCI Requirements Vulnerabilty manager, Patch manager, Compliance tools Maintaining PCI-DSS Compliance 15

16 Scenario after PCI Audit All PCI Requirements met Users Trained on security risks Unprotected asset Attackers cannot access credit card data Trained User Untrained User Maintaining PCI-DSS Compliance 16

17 Business requirements change New user gain access to Credit Cards Protected asset Unprotected asset Attacker Trained User Untrained User Authorized Untrained User Maintaining PCI-DSS Compliance 17

18 Incidents Per Week Continuous Control Visibility 1000 Remediation 800 Notification Prevention Risk Reduction Over Time Maintaining PCI-DSS Compliance 18

19 Enforce Due Diligence and Accountability 19

20 Mandates, Standards, Best Practices Due Care Due Diligence A Due Behaviour Negligence gap Negligence gap Constantly measure and reduce the gap. Move from the idea of audit to the concept of on-going assessment. Establish owners of each of the controls and assessment activities. Maintaining PCI-DSS Compliance 20

21 Operate a PCI Compliance Program Data Protection Policy Endpoint Policy Malware Policy PCI SOX GLBA FISMA Cobit ISO NIST Create and Align Policies Define and Map PCI Controls Test and Assess PCI Controls Report on PCI Compliance Remediate PCI Deficiencies Maintaining PCI-DSS Compliance 21

22 Test & Assess A complex mix of controls to assess: Procedural Controls Technical Controls Awareness Controls we need Automation! Processes Technology People Maintaining PCI-DSS Compliance 22

23 Automate and Simplify 23

24 Automate and Simplify Security Metrics View Compliance View Risk Management View Asset Classification Data, People, Infrastructure Assessment of controls effectiveness and efficacy Monitoring of Data and Environmental Changes Maintaining PCI-DSS Compliance 24

25 Automate and Simplify Security Metrics View IT GRC Compliance View Risk Management View Asset Classification Data, People, Infrastructure Endpoint Protection Assessment of Vulnerability Configuration controls Assessment effectiveness Assessment and efficacy Real-Time Monitoring Encryption Intrusion Detection Change Control Data Loss Monitoring Prevention of Data and Environmental Business Evolution Changes Awareness Maintaining PCI-DSS Compliance 25

26 IT GRC Controls Framework Mechanics Risks Threats to the Info Sec Assets of our business that should be mitigated Mandates External requirements, policies and regulatory requirements Policies Internal objectives for securing the inform Sec assets of the organization Maintaining PCI-DSS Compliance 26

27 IT GRC Controls Framework Mechanics Risks Threats to the Info Sec Assets of our business that should be mitigated Mandates External requirements, policies and regulatory requirements Policies Internal objectives for securing the inform Sec assets of the organization Controls Framework A hierarchical database of Control Objectives and Control Statements that provide a central system for mitigating risk and achieving policy objectives and compliance with mandates Maintaining PCI-DSS Compliance 27

28 IT GRC Controls Framework Mechanics Risks Threats to the Info Sec Assets of our business that should be mitigated Mandates External requirements, policies and regulatory requirements Policies Internal objectives for securing the inform Sec assets of the organization Controls Framework A hierarchical database of Control Objectives and Control Statements that provide a central system for mitigating risk and achieving policy objectives and compliance with mandates Checks Technical configurations or settings that can be assessed against standards Vulnerabilities Threats to systems via known attack vectors usually mitigated through patching and updates Questions Procedural Assessments of peoples understanding or implementation of policies Extended Data Data from Information Security systems across the enterprise demonstrating controls efficacy Maintaining PCI-DSS Compliance 28

29 Policy Control Assessment Policies P1: Data Protection and Management Policy P2: Patch Management Policy Controls Control Statement: Media is disposed off in a safe and secure manner Control Statement: Prevent sensitive data from being stored on unsecured systems Control Statement: Ensure systems containing sensitive data are not vulnerable to known threats Control Statement: Patches testing is carried on before deployment on production Control Statement: Assess assets patching level for missing critical patches Assessment Data Questions Questionnaires: PCI DSS Questionnaire Results Extended Data Data Controls: Results from Discover Scans Vulnerabilities Vulnerability Assessments: Scan Results Checks Configurations: System is compliant with High Security Standard Configurations: Patch Level Assessment Maintaining PCI-DSS Compliance 29

30 Automate and Simplify Security Metrics View IT GRC Compliance View Risk Management View Asset Classification Data, People, Infrastructure Endpoint Protection Assessment of Vulnerability Configuration controls Assessment effectiveness Assessment and efficacy Real-Time Monitoring Encryption Intrusion Detection Change Control Data Loss Monitoring Prevention of Data and Environmental Business Evolution Changes Awareness Maintaining PCI-DSS Compliance 30

31 Compliance Insight Maintaining PCI-DSS Compliance 31

32 Conclusions 32

33 A Compliance Program Maintaining PCI-DSS Compliance 33

34 Compliance Program - Pillars Execute Data & Environment Change Controls Enforce Due Diligence and Accountability Automate and Simplify Maintaining PCI-DSS Compliance 34

35 Compliance Program Maturity Model Maintaining PCI-DSS Compliance 35

36 Compliance Program Maturity Model Level 1 Level 2 Level 3 Ad Hoc Repeatable Defined Level 4 Managed Level 5 Optimized Crisis management: Rinse and repeat: Success: Reusable evidence: Actualized IT: Characteristics Why didn t Someone tell me about this audit? Call the consultants! Test, Fail, Fix, Repeat! We know how to rock the PCI audit! Test it Once; Use for all audits. Who cares about the auditors? Our executives are asking for this. Audit Results Significant deficiencies! Potential for significant deficiencies Minor or isolated deficiencies Observations only No findings! Risks (Audit perspective) Lack of executive awareness of risks Audit failure Lack of executive awareness of risks Audit failure Audit delays Lack of visibility of risks outside of audit (& this audit) Unplanned outages Security incidents Reputation harm Security incidents Reputation harm Cost Reduction Formalize compliance program Reduce failure rate and eliminate rework Automate compliance testing to reduce time to test for each audit Integrate controls, procedures, policies across all audits to reduce redundancies Value and risk driven continuous improvement Success Factors Ownership Awareness Policies, procedures, controls Status reporting Escalation Start earlier Standardization of controls, policies, procedures, technical configurations and systems in scope for audits More standardization Vendor and customer compliance reporting Dashboards and scorecards Integrated risk management focused on business, not technology Maintaining PCI-DSS Compliance 36

37 Daniele Bertolotti Antonio Ricci Thank you! Copyright 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Maintaining PCI-DSS Compliance 38