1 Security standards PCI-DSS, HIPAA, FISMA, ISO End Point Corporation, Jon Jensen,
2 PCI DSS Payment Card Industry Data Security Standard There are other PCI standards beside DSS but this is the one that applies to any company taking or processing credit card information or developing or hosting software that does.
3 Merging 5 standards into one PCI was founded by Visa, MasterCard, American Express, JCB, and Discover. Before joining forces, they each had their own security standards.
4 Who s Who: Banks Visa and MasterCard are made up of Member organisations who can be either Acquirers or Issuers (or both). Acquirers handle Merchants. Issuers issue the cards to Cardholders.
5 Who s Who: The Rest of Us Merchants: those entities who accept card transactions. Cardholders: those trying to spend their money. Service Providers: those providing any service requiring the processing, storing or transport of card information on behalf of any of the above.
6 How PCI DSS is applied Externally: by regular remote Network Security Scan by an approved vendor. Internally: Self Assessment Questionnaires ask about compliance with each of the standard s requirements. Onsite: Very large merchants must have an annual onsite review and audit.
7 PCI DSS teeth Penalties can be passed on to Merchants and Service Providers through their contracts, including monetary charges and account cancellation (kiss of death to ecommerce providers).
8 PCI DSS Merchant Levels There are several Merchant Levels. In the past small merchants doing fewer than a certain number of transactions per year had less of a compliance burden. Now, the only difference is that very large merchants must have an annual onsite audit. For us, Merchant Levels don t matter.
9 Are we a Service Provider? No. We do not offer payment processing services to third parties on our own infrastructure. We offer development and hosting services for our clients, and some of them are Merchants. (None of them are Service Providers to third parties either.)
10 Network Security Scanning Typically automated and run daily. Targets Internet-facing: routers and firewalls servers and hosts applications
11 Scan reporting Scans report to the Merchant about issues found, categorizing on severity scale of 1 to 5: 1: informational 2: recommended changes 3: high, limited remote exploit causing risk 4: critical, potential remote data exposure 5: urgent, serious remote exploits
12 Scan remediation Severity levels 3-5 must be dealt with immediately, and confirmed solved by another scan. Merchants can have their accounts frozen or contracts canceled if they don t comply.
13 Self Assessment Questionnaire Don t expect to be quick. Is fairly large and has many, many questions that are not quick to find answers for. Mainly includes Yes/No/Not Applicable choices. Our clients are responsible. We can only help by answering some for them; many involve office network, host, and physical security, etc.
14 PCI DSS requirements Review the requirements documents yourself when you re helping a client. Good to know specifics.
15 PCI DSS reqs. in broad strokes No default passwords Disable unused services Secure wireless networks Regularly apply software updates Use firewalls Use anti-virus software where available Unique account for each user
16 PCI DSS reqs. in broad strokes Log all access attemps Audit logs Require minimum password strength Configure crypto well, e.g. https Train periodically Must document flow of cardholder data
17 Cardholder Data Can store: Primary Account Number (PAN), but must be encrypted or masked to first 6 + last 4 digits Cardholder name Service code (number on the magnetic stripe that specifies the acceptance requirements and limitations for magnetic stripe read transactions) Expiration date
18 Sensitive Authentication Data Cannot store, not even encrypted or masked: Full Track Data (magnetic stripe) Card security code (CAV2/CVC2/CVV2/CID) PIN/PIN block
19 Crypographic key custodians Don t store cardholder data unless absolutely necessary, even in encrypted form. (3.5) Keys must be rotated regularly (e.g. every few years). Must designate key custodians. Restrict access to keys to the fewest number of custodians necessary. Key custodians must sign a formal agreement of understanding.
20 Data Retention and Disposal Policies Limit data storage to what is necessary for as long as necessary. Document reasons for necessary. Securely delete data when no longer needed. Quarterly review systems to ensure nothing is being stored beyond what is specified.
21 PAN encryption + masking risk (3.4) It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity s environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
22 Code Reviews Required (6.3.2) Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code-review techniques and secure coding practices. Code-review results are reviewed and approved by management prior to release.
23 HIPAA Health Insurance Portability and Accountability Medical data Covers printed, spoken, and electronic forms. CDC incorporates HIPAA security standards.
24 3 types of security safeguards administrative physical technical
26 PHI, EPHI Protected health information. Electronic PHI. Any information that can be used to identify a patient whether living or deceased that relates to the patient s past, present, or future physical or mental health or condition, including healthcare services provided and payment for those services.
27 Personal Identifiers Patient names Telephone numbers Fax numbers Social Security numbers Vehicle identifiers addresses Web URLs and IP addresses
28 More Personal Identifiers Geographic subdivisions (smaller than state), including zip code! Dates, unless only the year is present!
29 Even more Personal Identifiers Names of relatives Full face photographs or images Healthcare record numbers Account numbers Biometric identifiers (fingerprints or voiceprints) Device identifiers Health plan beneficiary numbers Certificate/license numbers Any other unique number, code, or characteristic that can be linked to an individual.
30 HIPAA Enforcement Rule HHS issued the Final Rule regarding HIPAA enforcement and it took effect on March 16, The Enforcement Rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA violation.
31 HIPAA Security Breach Fine A fine of $50,000 to the Hospice of North Idaho (HONI) was made for a potential HIPAA Security Rule breach affecting fewer than 500 people. Rachel Seeger, a spokeswoman for HHS, stated, HONI did not conduct an accurate and thorough risk analysis to the confidentiality of ephi as part of its security management process from 2005 through Jan. 17, This investigation was initiated with the theft from an employee s vehicle of an unencrypted laptop containing 441 patient records.
32 Breach Reporting Part of all security standards is reporting. Even just suspicions. Longstanding bad practices. Immediately. We keep a timestamped trail for reporting.
33 Breach reporting to... Simplified: I am End Point s Chief Privacy Officer, Chief Security Officer, and the equivalent responsible party for security in any of these standards. Report to me as a top priority. If you can t reach me right away, report to and
34 Reporting timeliness matters How quickly and responsibly we respond to breaches makes a huge difference in how the breach will be viewed and the consequences of it.
35 Public reporting See: https://www.endpoint.com/contact We offer a PGP public key and a reporting address that will go to the hosting team and anyone else who needs to know.
36 FISMA Federal Information Security Management Act of 2002 Applies to federal agencies and their contractors.
37 ISO/IEC 27001:2013 A specification for an information security management system. An international equivalent of some of the U.S. standards.
38 Compliance compatibility
39 Ongoing It s a process, not a destination.
40 Reference https://www.pcisecuritystandards.org/ org/wiki/federal_information_security_management_act_of_ com/pdf/insights_files/white_papers/information_security_white_paper. pdf
PCI Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 1.2 For merchants and organizations that store, process or transmit cardholder data Contents Copyright 2008
Online Lead Generation: Data Security Best Practices Released September 2009 The IAB Online Lead Generation Committee has developed these Best Practices. About the IAB Online Lead Generation Committee:
OCR/HHS HIPAA/HITECH Audit Preparation 1 Who are we EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations. Education
PCI DSS PCI Prioritized DSS Approach for for PCI DSS.0 The Prioritized Approach to Pursue PCI DSS Compliance The Payment Card Industry Data Security Standard (PCI DSS) provides a detailed, 1 requirements
Welcome to the HIPAA, Privacy & Security Training Module THIS TRAINING MODULE IS APPROVED FOR NON-COMMERCIAL USE ONLY. Copyright protected by the University of North Carolina at Chapel Hill, 2013-15 During
PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson Overview What is PCI? MCCS Compliance PCI DSS Technical Requirements MCCS Information Security Policies
Payment and Security Experts Implementing PCI A Guide for Network Security Engineers Updated For PCI Data Security Standard Version 1.2.1 Tom Arnold, CISSP, ISSMP, CFS, CPISM/A, PCI/QSA Partner, PSC Sponsored
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 2.0 October 2010 Document Changes Date Version Description Pages October 2008 July 2009 October
23c3 Security in the cardholder data processing?! Manuel Atug and Thilo W. Pannen SRC Security Research & Consulting GmbH, Bonn, Germany, email@example.com Experiences and lessons learned with the Payment
HIPAA Security Risk Analysis Toolkit In January of 2013, the Department of Health and Human Services Office for Civil Rights (OCR) released a final rule implementing a wide range of HIPAA privacy and security
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Isuz Ltd. trading as Schoolcomms
V 1.0 November, 2010 CYBERSECURITY The protection of data and systems in networks that connect to the Internet 10 Best Practices For The Small Healthcare Environment Your Regional Extension Center Contact
Payment Card Industry (PCI) Data Security Standard Approved Scanning Vendors Program Guide Version 2.0 May 2013 Document Changes Date Version Description February 11, 2010 1.0 May 2013 2.0 Approved Scanning
Xerox Litigation Services In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk Your Highest Priority is also Your Greatest Challenge Data breaches are not just
Cyber Security Planning Guide The below entities collaborated in the creation of this guide. This does not constitute or imply an endorsement by the FCC of any commercial product, service or enterprise
VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security, and HIPAA Compliance Valerie J.M. Watzlaf, PhD, RHIA, FAHIMA, Sohrab Moeini, MS, and Patti Firouzan, MS, RHIA Department of Health Information
Internet2 Health Network Initiative Security Group Co-Chairs Bob Meeker Sean Lynch Internet2 Program Office Department of Veterans Affairs 1. Federal Security Regulations in RHCPP Partnerships Presentation
BEST PRACTICES: EVENT LOG MANAGEMENT FOR SECURITY AND COMPLIANCE INITIATIVES By Ipswitch, Inc. Network Managment Division www.whatsupgold.com July 2010 Table of Contents Executive Summary... 1 Event Log
The Department of Health and Human Services Information Systems Security Awareness Training Fiscal Year 2015 Information Systems Security Awareness Introduction Information Security Overview Information
Acknowledgment to ECSC for guidance and support in the creation of elements of this manual Introduction Rapidly developing information and communication technologies (ICT) are exciting and motivating learning