Reduce Security Compliance Costs Using Open Source
Slide 1: Blue Kaizen Center of IT Security, Cairo Security Camp 2010. Reduce Security Compliance Costs Using Open Source.
Subject: an introduction to information security compliance: why comply, compliance costs, the open source definition, why consider open source, open source software useful for security compliance, open source references and a case study, facing open source challenges, and open source software selection criteria.
Author: Mostafa Ibrahim. Version: 1.0. Date: July 2010. Pages: 53.

Slide 2: Reduce Security Compliance Costs Using Open Source. Mostafa Ibrahim, CTO, Security Meter (CISA, ISO LA, RHCE).
Slides 3-4: Agenda
1. Information Security Compliance
2. Why Comply?
3. Compliance Costs
4. Open Source Definition
5. Why Consider Open Source?
6. Open Source Software Useful for Security Compliance
7. Open Source References and Case Study
8. Facing Open Source Challenges
9. Open Source Software Selection Criteria
10. Conclusion
Slide 5: Part 1, Information Security Compliance

Slide 6: Information Security Compliance
- Compliance forces companies to put their infrastructure in order; in many cases they face stiff penalties if deadlines are not met.
- It prescribes policies and procedures that:
  - cover minimum standards for the use of IT equipment,
  - define what counts as misuse,
  - set the rules for enforcing the standards,
  - protect the company's IT equipment, data and other assets,
  - include security and other business policies.

Slide 7: Standards vs Regulations
- Standards: issued by national or international bodies (e.g. BSI, ISO). Management-system standards and codes of practice such as ISO 27001, ISO 9001 and ISO 20000. Sanctions: none by themselves, although a customer contract or a regulator may require certification.
- Regulations: issued by government agencies, markets or sectoral bodies. Government agencies: e.g. FISMA for US federal agencies. Sectoral: Basel II for banks, HIPAA for health care and insurance, PCI DSS for the payment card industry (issued by the card brands, so contractual rather than governmental), SOX for US public companies. Sanctions: fines, loss of the ability to do business.
Slide 8: Part 2, Why Comply?

Slide 9: Why Comply?
- It helps management: you can't manage what you can't measure.
- It enables benchmarking, internally and against others.
- It builds trust with partners and customers.
- It enables trend analysis: are things getting better or worse?
- Audits usually increase visibility into business processes and the IT infrastructure.
- It avoids losing business for being non-compliant.
- It avoids being penalized for non-compliance.

Slide 10: Why Comply? Two breaches
- TJX: one of the largest retailers, dealing with more than 60 banks. Considered the largest data breach ever at the time: at least 94 million Visa and MasterCard accounts may have been exposed. The company reported spending $202 million in response to the breach. The entry point was a wireless security weakness at one of its remote stores.
- Heartland: one of the largest processors of credit and debit card transactions in the US. Estimates put the exposure at more than 100 million accounts. Attackers planted malware that sniffed payment card data as it moved across the company's network and then spirited it out of Heartland's systems in encrypted data streams.

Slide 11: Path to Compliance
1. Determine the scope precisely, in terms of assets and business processes.
2. Reduce the scope by segmenting the network.
3. Baseline your environment against the standard to identify gaps.
4. For every gap, determine remediation actions and the associated effort.
5. Develop a prioritized plan to address the gaps.
6. Execute, but only with management support.
Slide 12: Part 3, Compliance Costs

Slide 13: Cost of Compliance
- US public companies spend $4.36 million each, on average, to comply with Section 404 of Sarbanes-Oxley (March 2005 survey by Financial Executives International).
- Entities typically spend between $2 million and $8 million each to comply with PCI DSS (from our experience in the region).
- Security compliance is very expensive.
Slide 14: Part 4, Open Source Definition

Slide 15: What exactly is Open Source Software?
Open source is about granting users the freedom to run, copy, distribute, study, change and improve the software. OSS is any software that grants the following freedoms (these are the Free Software Foundation's four freedoms; the Open Source Initiative's Open Source Definition is a closely related list of licence criteria):
- Freedom 0: run the program for any purpose.
- Freedom 1: study how the program works and adapt it to your needs.
- Freedom 2: redistribute copies so you can help your neighbour.
- Freedom 3: improve the program and release your improvements to the public, so that the whole community benefits.
Copyleft licences such as the GPL additionally oblige derivative works to stay free; permissive licences (MIT, BSD, Apache) grant the same freedoms without that obligation.

Slide 16: Open Source vs Other Types
- Closed source: the source is private and owned by someone. Usually you would have to pay for the source code, if it is for sale at all.
- Freeware: software that costs nothing. It says nothing about whether the source code is available.
- Source available: the source can be read but not modified or distributed. This lets users understand how the software works.
Slide 17: Part 5, Why Consider Open Source?

Slide 18: Why Consider Open Source?
- Avoid vendor lock-in.
- Open source allows many people to find and fix security or efficiency problems (provided someone is actually looking; see the selection criteria later).
- Ease of customization.
- Deep understanding of the underlying technology.
- Lower TCO: no licence cost, although support, training and staff time still have to be paid for.
Slide 19: Part 6, Open Source Software Useful for Security Compliance

Slide 20: Open Source Software Useful for Security Compliance
- Firewall
- Network IDS/IPS
- File integrity monitoring / HIDS
- Web application firewall
- Log management
- Encryption (at rest, in motion)
- Change management
- Vulnerability scanning
- Penetration testing
- Business continuity
- Alerting system
- Configuration management database
- Monitoring

Slide 21: Firewall
- PCI DSS Requirement 1: install and maintain a firewall configuration to protect cardholder data.
- ISO 27k Annex A (network controls): networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

Slide 22: Open Source Firewalls
- Netfilter/iptables (the Linux kernel packet filter and its userspace tool)
- Endian Firewall
- ClearOS
- Zeroshell
Requirement 1 asks for more than a packet filter: documented configuration standards, a default-deny rule set that only permits traffic necessary for the cardholder data environment, a rule set review at least every six months, and no direct public access to the cardholder data environment. The tool is the cheap part; the evidence that the rules match the documented business need is what an assessor checks.
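As an added example (not code from the presentation or from any of the firewall projects listed), the following Python script audits the output of iptables-save against the two Requirement 1 points that bite most often: a default-deny policy on INPUT and FORWARD, and no ACCEPT rule that admits any source to a port that is not meant to be public. The dump, the allowlist of public ports and the requirement references in the messages are constructed for the example.

```python
"""Audit an iptables-save dump against PCI DSS Requirement 1 basics.

Added example, not part of the original presentation or of netfilter.
SAMPLE_DUMP is a constructed iptables-save filter table; the allowlist of
publicly reachable ports passed to audit() is a hypothetical site decision.
"""
import re

SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -s 10.10.0.0/24 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -j LOG --log-prefix "IPT-DROP: "
COMMIT
"""

POLICY_RE = re.compile(r"^:(?P<chain>\S+) (?P<policy>\S+)")
RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<body>.*) -j (?P<target>\S+)")


def _opt(body, flag):
    """Return the value following a single iptables option such as -s or --dport."""
    m = re.search(rf"(?:^|\s){re.escape(flag)} (\S+)", body)
    return m.group(1) if m else None


def parse_filter_table(dump):
    """Parse chain policies and -A rules of the *filter table; other tables are ignored."""
    policies, rules = {}, []
    in_filter = False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter:
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m["chain"]] = m["policy"]
            continue
        m = RULE_RE.match(line)
        if m:
            body = m["body"]
            rules.append({
                "chain": m["chain"],
                "target": m["target"],
                "src": _opt(body, "-s"),
                "proto": _opt(body, "-p"),
                "dport": _opt(body, "--dport"),
                "iface": _opt(body, "-i"),
                "stateful": "--state" in body,
            })
    return policies, rules


def audit(dump, allowed_public_ports=frozenset({"443"})):
    """Return a list of findings; an empty list means nothing was flagged."""
    policies, rules = parse_filter_table(dump)
    findings = []
    # 1.2.1: restrict inbound/outbound traffic to what the CDE needs -> default DROP.
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(
                f"{chain} default policy is {policies.get(chain)}, expected DROP (Req 1.2.1)")
    # 1.3: no direct public access -> any-source ACCEPT only on the documented public ports.
    for r in rules:
        if r["chain"] != "INPUT" or r["target"] != "ACCEPT":
            continue
        if r["stateful"] or r["iface"] == "lo":
            continue  # return traffic and loopback are expected
        if r["src"] is None and r["dport"] not in allowed_public_ports:
            findings.append(
                f"INPUT accepts {r['proto']}/{r['dport']} from any source (Req 1.3 / 1.2.1)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

Feed it `iptables-save` output from each host in scope; the two findings it raises on the constructed dump (FORWARD defaulting to ACCEPT, MySQL open to the world) are exactly the kind of item a QSA writes up against 1.2.1 and 1.3.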
Slide 23: IDS/IPS
- PCI DSS Requirement 11.4: use intrusion-detection systems and/or intrusion-prevention systems to monitor all traffic, and keep the engines and signatures up to date.
- ISO 27k Annex A (network controls): networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

Slide 24: Open Source IDS/IPS
- Snort: has become the de facto standard open source IDS/IPS.
- BASE (Basic Analysis and Search Engine): web interface that adds reporting and analysis on top of Snort alerts.
- Sguil: intuitive GUI that gives access to real-time events, session data and raw packet capture.
The software is free; keeping the rule set current (the "up to date" part of 11.4) is an ongoing task, whether from the community rules or a paid subscription.
Slide 25: HIDS / File Integrity Monitoring
- PCI DSS Requirement 11.5: deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files or content files, and configure the software to perform critical file comparisons at least weekly.
- ISO 27k A.10.4 Protection against malicious and mobile code. Objective: to protect the integrity of software and information.

Slide 26: Open Source HIDS / File Integrity Monitoring
- OSSEC: runs on almost every popular OS (Linux, Mac OS X, Solaris, HP-UX, AIX and Windows) and has its own web interface.
- Samhain, with Beltane as an intuitive web interface.
- Osiris.
Slide 27: Web Application Firewall
- PCI DSS Requirement 6.6: for public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks. Installing a web-application firewall in front of public-facing web applications is one of the two ways 6.6 allows; the other is reviewing the applications with manual or automated vulnerability assessment, at least annually and after any change.

Slide 28: Open Source Web Application Firewall
- ModSecurity: the most widely used web application firewall, with over 10,000 deployments (figure as cited on the slide).
ModSecurity is an engine; it blocks nothing until a rule set such as the OWASP ModSecurity Core Rule Set is loaded and tuned for the application behind it.
Slide 29: Log Management
- PCI DSS Requirement 10.2: implement automated audit trails for all system components.
- PCI DSS Requirement 10.5.5: use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts.
- ISO 27k Annex A, Audit logging: audit logs recording user activities, exceptions and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
- ISO 27k Annex A, Protection of log information: logging facilities and log information shall be protected against tampering and unauthorized access.

Slide 30: Open Source Log Management Solutions
- syslog-ng, with php-syslog-ng as a web interface.
- Snare: collects Windows event logs and forwards them as syslog messages.
- OSSIM (Open Source Security Information Management): much more than a basic log management solution.
Ship logs to a separate, hardened collector that the originating hosts cannot write to retrospectively; that is what 10.5 is after. Classic UDP syslog is unauthenticated and silently drops messages, so use the TCP or TLS transport that syslog-ng offers for the collector link.
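The file comparison behind 11.5 (slide 25) and the change detection on logs that 10.5.5 asks for (this slide) are the same mechanism: a trusted baseline of hashes, re-computed and diffed on a schedule. As an added example, not code from the presentation and not OSSEC or Samhain, the Python below builds a SHA-256 baseline of a directory tree, stores it as JSON, and reports files that were added, removed or changed. The directory contents and the tampering scenario in demo() are constructed.

```python
"""Minimal file-integrity monitor in the spirit of PCI DSS 11.5 and 10.5.5.

Added example, not part of the original presentation or of any HIDS it lists.
The files written by demo() are constructed for the example.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> [sha256, size, mode] for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip sockets, fifos, dangling links
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # Lists, not tuples, so the record survives a JSON round trip unchanged.
            baseline[rel] = [sha256_file(full), st.st_size, oct(st.st_mode & 0o7777)]
    return baseline


def compare(baseline, current):
    """Diff two baselines; a changed hash, size or mode all count as 'changed'."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "log"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("debug=false\n")
        with open(os.path.join(root, "log", "audit.log"), "w") as f:
            f.write("2010-07-01T10:00:00 login ok user=alice\n")

        # In practice the serialized baseline is kept where the monitored host cannot
        # rewrite it (central console, read-only media); here it is just a string.
        saved = json.dumps(build_baseline(root))

        # Tampering: a log line rewritten (10.5.5), a config changed and a web shell
        # dropped (11.5).
        with open(os.path.join(root, "log", "audit.log"), "w") as f:
            f.write("2010-07-01T10:00:00 login ok user=bob\n")
        with open(os.path.join(root, "etc", "app.conf"), "a") as f:
            f.write("debug=true\n")
        with open(os.path.join(root, "etc", "shell.php"), "w") as f:
            f.write("<?php system($_GET['c']); ?>\n")

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run build_baseline once after a change-controlled deployment, and compare from cron at least weekly (11.5's floor; daily is more useful). A baseline the attacker can edit is worthless, which is why OSSEC and Samhain push results to a separate manager rather than trusting the agent's own disk.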
Slide 31: Encryption
- PCI DSS Requirement 3.4: render the PAN, at a minimum, unreadable anywhere it is stored. The standard accepts one-way hashes based on strong cryptography, truncation, index tokens and pads, or strong cryptography with associated key management.
- PCI DSS Requirement 4.1: use strong cryptography and security protocols such as SSL/TLS or IPsec to safeguard sensitive cardholder data during transmission over open, public networks. (Later versions of the standard, from v3.1 in 2015, no longer accept SSL or early TLS as strong cryptography.)
- ISO 27k A.12.3 Cryptographic controls. Objective: to protect the confidentiality, authenticity or integrity of information by cryptographic means.

Slide 32: Open Source Encryption Solutions
- TrueCrypt: disk encryption for Windows 7/Vista/XP, Mac OS X and Linux. (Its development was discontinued in 2014; VeraCrypt continued the code base.)
- Openswan: IPsec VPN.
- OpenVPN: SSL VPN.
- OpenSSH: SSH and SFTP, the encrypted replacements for Telnet and FTP.
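Requirement 3.4 is where "we encrypt everything" claims usually fall apart under review, so here is what the storage forms look like in practice. The Python below is an added example, not code from the presentation or from any tool it lists: it implements truncation, a keyed one-way hash, a scan for stray PANs in text, and a demonstration of why an unkeyed hash is not enough when the truncated PAN is stored alongside it. The key and the card numbers are constructed test values (4111 1111 1111 1111 is a standard test PAN).

```python
"""PCI DSS 3.4: rendering a stored PAN unreadable, and checking the result.

Added example, not part of the original presentation or of any listed tool.
HASH_KEY and the PANs are constructed test values.
"""
import hashlib
import hmac
import re

# Hypothetical per-environment secret for the keyed hash. In production it lives in a
# key-management system or HSM, never in source; it is inline only so the example runs.
HASH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def luhn_ok(pan):
    """Luhn check: true for every real PAN, so it prunes both false positives and searches."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan):
    """Truncation: keep at most the first six and last four digits (3.3 display, 3.4 storage)."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan, key=HASH_KEY):
    """One-way keyed hash (HMAC-SHA256), enough for 'have we seen this card before' lookups."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def unkeyed_sha256(pan):
    """Plain SHA-256 of the PAN: what many '3.4 compliant' hash implementations actually do."""
    return hashlib.sha256(pan.encode()).hexdigest()


def looks_like_pan(text):
    """Find 13-19 digit runs that pass Luhn: the test a scan for stray PANs in logs applies."""
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_ok(m)]


def brute_force_unkeyed(target_hash, first6, last4):
    """Why the key matters: with the truncated PAN stored beside an unkeyed hash, only the
    six middle digits are unknown, so the hash is reversed by at most 10**6 candidates
    (fewer, since 9 in 10 fail Luhn before anything is hashed)."""
    for mid in range(10 ** 6):
        candidate = f"{first6}{mid:06d}{last4}"
        if luhn_ok(candidate) and unkeyed_sha256(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"
    print(truncate(pan), hash_pan(pan)[:16] + "...")
    print("recovered:", brute_force_unkeyed(unkeyed_sha256(pan), pan[:6], pan[-4:]))
```

The brute force finishes in about a second on a laptop, which is the whole argument for either keying the hash (and protecting the key under 3.5/3.6) or not storing the truncated and hashed forms of the same PAN together. looks_like_pan is the kind of check to run over log files and database exports before an assessment; finding a PAN in an application log silently enlarges the scope.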
Slide 33: Change Management
- PCI DSS Requirement 6.4: follow change control procedures for all changes to system components.
- ISO 27k Annex A, Change control procedures: the implementation of changes shall be controlled by the use of formal change control procedures.

Slide 34: Open Source Change Management Solution
- OTRS (Open source Ticket Request System): ITIL-compatible change management.
Slide 35: Vulnerability Scanning
- PCI DSS Requirement 11.2: run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications or product upgrades). The quarterly external scans must be performed by an Approved Scanning Vendor (ASV); open source scanners cover the internal and post-change scans.
- ISO 27k A.12.6 Technical vulnerability management. Objective: to reduce risks resulting from exploitation of published technical vulnerabilities.

Slide 36: Open Source Vulnerability Scanners
- The short (and now wrong) answer is Nessus: it was open source until its licence changed in 2005, although a free version is still available.
- OpenVAS: the open source replacement for Nessus, forked from the last open source Nessus code.
- Nmap Security Scanner: port and service discovery (with NSE scripts); useful for scoping and for spotting unexpected services, but not a substitute for a vulnerability scanner on its own.
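Running the scan is half of 11.2; the other half is showing that the results were reviewed and every unexpected service either closed or explained. As an added example (not part of Nmap, OpenVAS or the presentation), the Python below parses Nmap's -oX XML output and compares each host's open ports against an approved-services baseline, which is the diff an assessor wants to see after a "significant change". The XML and the baseline are constructed for the example.

```python
"""Compare an Nmap XML scan against an approved-services baseline (PCI DSS 11.2 follow-up).

Added example, not part of the original presentation or of Nmap/OpenVAS.
SAMPLE_NMAP_XML is constructed in the shape of `nmap -oX` output; APPROVED is a
hypothetical record of the services the change control process has signed off.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p- -oX scan.xml 10.10.1.0/24">
  <host><status state="up"/>
    <address addr="10.10.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.10.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

APPROVED = {
    "10.10.1.10": {("tcp", 22), ("tcp", 443)},
    "10.10.1.20": {("tcp", 3306)},
}


def open_ports(nmap_xml):
    """Map IPv4 address -> set of (protocol, port) reported as open."""
    root = ET.fromstring(nmap_xml)
    result = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = set()
        for port in host.findall("ports/port"):
            if port.find("state").get("state") == "open":
                ports.add((port.get("protocol"), int(port.get("portid"))))
        result[addr] = ports
    return result


def deviations(scan, approved):
    """Per host: open ports not approved, approved ports not seen, and approved hosts
    that did not show up at all (a host the scanner could not reach is itself a finding)."""
    out = {}
    for addr in sorted(set(scan) | set(approved)):
        if addr not in scan:
            out[addr] = {"unexpected": [], "missing": sorted(approved[addr]),
                         "note": "host not seen by scan"}
            continue
        unexpected = scan[addr] - approved.get(addr, set())
        missing = approved.get(addr, set()) - scan[addr]
        if unexpected or missing:
            out[addr] = {"unexpected": sorted(unexpected), "missing": sorted(missing)}
    return out


if __name__ == "__main__":
    for addr, d in deviations(open_ports(SAMPLE_NMAP_XML), APPROVED).items():
        print(addr, d)
```

Keep the baseline under the same change control as the firewall rules; then a scan after a change either matches it or produces a ticket, and the quarterly evidence for 11.2 is the stack of those diffs rather than a pile of raw scanner reports.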
Slide 37: Penetration Testing
- PCI DSS Requirement 11.3: perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment).
- ISO 27k Annex A, Control of technical vulnerabilities: timely information about technical vulnerabilities of the information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.

Slide 38: Open Source Pentesting Tools
- Metasploit: the world's largest database of public, tested exploits (as the project describes itself).
- Nikto: web server scanner.
- w3af: Web Application Attack and Audit Framework.
- BackTrack: a complete Linux distribution focused on penetration testing, bundling almost all of the open source security testing tools.
- Write your own exploits using the ready-made frameworks or libraries.

Slide 39: Business Continuity
- BS 25999: the whole standard is about business continuity. (It has since been superseded by ISO 22301, published in 2012.)
- ISO 27k A.14 Business continuity management.

Slide 40: Open Source Tools for Business Continuity
- Linux-HA: high availability clustering.
- Linux Virtual Server: load balancing and high availability clusters for web servers or web application servers.
Slide 42: Part 7, Open Source References and Case Study

Slide 43: Open Source References (figures as cited on the slide)
- Snort IDS/IPS: 300,000 registered users and 4 million downloads; DARPA, the FBI, the Pentagon and other US government agencies use Snort; Amazon's cloud computing business uses Snort.
- OTRS: supports 27 languages; used by 80,000 corporations, including many European banks; BitDefender uses OTRS.

Slide 44: Open Source Case Study, Advanced Operations Technology
- Application service provider hosting 12 Saudi brokers, with more than 400 servers running open source solutions on Linux.
- 22 servers running firewall (iptables), IPS (Snort) and VPN (Openswan).
- 11 pairs of high availability clusters using keepalived.
- 11 web load balancers (Linux Virtual Server).
- ModSecurity web application firewall installed on all web servers.
- OTRS used as the ticketing and change management system.
- OSSEC HIDS installed on all servers and managed from a centralized console.

Slide 45: Open Source Case Study, Advanced Operations Technology (continued)
- syslog-ng and php-syslog-ng as centralized log management, collecting logs from all systems, network devices and applications.
- OpenLDAP as the centralized directory service.
- i-doit as a centralized CMDB for all system configurations.
- Nagios for performance monitoring of all systems and network devices.
- TrueCrypt to encrypt disks holding confidential data.
- OpenSSH for remote login and secure FTP, using a passphrase-protected private key. (The passphrase protects the key on the client; the server only ever verifies the key, so this is not a second factor in the server's eyes.)
- iSCSI Enterprise Target as IP SAN storage.
Slide 46: Part 8, Facing Open Source Challenges

Slide 47: Facing Open Source Challenges
The major challenges are the lack of professional services, support and training. Facing them is only possible by:
- Hiring and building a highly qualified open source team, able to dig into the source code when needed and to deal with open source communities and mailing lists.
- Building a lab / testing environment and having a small R&D department (one or two people).
- Shortlisting the companies that provide open source professional services, support and consulting.
Without reaching an adequate level of competency in dealing with open source software, forget about it.

Slide 48: Part 9, Open Source Software Selection Criteria

Slide 49: Open Source Software Selection Criteria
- Reputation
- Ongoing development effort
- Standards and interoperability
- Support (community / commercial)
- Version maturity
- Documentation
- Skill set available
- Licence
Slide 50: Part 10, Conclusion

Slide 51: Conclusion
- Extreme claims: "OSS is always more secure" and "proprietary is always more secure".
- Reality: neither OSS nor proprietary software is always better.
- Some specific OSS programs are more secure than their competing proprietary products.
- Include OSS options when acquiring, then evaluate.

Slide 52: Conclusion
- We are not open source fans.
- We are not claiming that open source is better than closed source in all aspects.
- We are just trying to convince you to consider open source; you will never lose by doing so.

Slide 53: Thank You. Mostafa Ibrahim, CTO, Security Meter (CISA, ISO LA, RHCE).
SAQ D Compliance Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP Ground Rules WARNING: Potential Death by PowerPoint Interaction Get clarification Share your institution s questions, challenges,
More informationMANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But
More informationTechnology Innovation Programme
FACT SHEET Technology Innovation Programme The Visa Europe Technology Innovation Programme () was designed to complement the Payment Card Industry (PCI) Data Security Standard (DSS) by reflecting the risk
More informationWindows Azure Customer PCI Guide
Windows Azure PCI Guide January 2014 Version 1.0 Prepared by: Neohapsis, Inc. 217 North Jefferson St., Suite 200 Chicago, IL 60661 New York Chicago Dallas Seattle PCI Guide January 2014 This document contains
More informationSecure Shell User Keys and Access Control in PCI-DSS Compliance Environments
A Secure Shell Key Management White Paper Secure Shell User Keys and Access Control in PCI-DSS Compliance Environments Emerging trends impacting PCI-DSS compliance requirements in secure shell deployments
More informationPCI within the IU Enterprise
PCI within the IU Enterprise Cheryl L. Shifflett, AAP, CTP Associate Director Treasury Operations Daniel Tony Brazzell, Security+, GCUX Lead Network Systems Engineer University Information Technology Services
More informationREDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance
REDSEAL NETWORKS SOLUTION BRIEF Proactive Network Intelligence Solutions For PCI DSS Compliance Overview PCI DSS has become a global requirement for all entities handling cardholder data. A company processing,
More informationYou Can Survive a PCI-DSS Assessment
WHITE PAPER You Can Survive a PCI-DSS Assessment A QSA Primer on Best Practices for Overcoming Challenges and Achieving Compliance The Payment Card Industry Data Security Standard or PCI-DSS ensures the
More informationThree Critical Success Factors for PCI Assessment. Seth Peter NetSPI April 21, 2010
Three Critical Success Factors for PCI Assessment Seth Peter NetSPI April 21, 2010 Introduction Seth Peter NetSPI Chief Technology Officer and Founder 15 year history of application, system, and network
More informationPCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core
PCI PA - DSS Point BKX Implementation Guide Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core Version 2.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566
More informationPCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
SOLUTION BRIEF PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP The benefits of cloud computing are clear and compelling: no upfront investment, low ongoing costs, flexible capacity and fast application
More informationNew Boundary Technologies. The Payment Card Industry (PCI) Security Guide. New Boundary Technologies PCI Security Configuration Guide
New Boundary Technologies The Payment Card Industry (PCI) Security Guide New Boundary Technologies PCI Security Configuration Guide October 2006 CONTENTS 1.0......Executive Summary 2.0.....The PCI Data
More informationThe Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard PCI DSS v3.0 March 2015 Contents Compliance Guide 01 02 03 04 05 06 07 08 What is PCI DSS? 1 Who Needs to be PCI Compliant and Why? 2 Compliance Validation
More informationPCI Solution for Retail: Addressing Compliance and Security Best Practices
PCI Solution for Retail: Addressing Compliance and Security Best Practices Executive Summary The Payment Card Industry (PCI) Data Security Standard has been revised to address an evolving risk environment
More informationAutomate PCI Compliance Monitoring, Investigation & Reporting
Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationPCI DSS Reporting WHITEPAPER
WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts
More informationCONTENTS. PCI DSS Compliance Guide
CONTENTS PCI DSS COMPLIANCE FOR YOUR WEBSITE BUILD AND MAINTAIN A SECURE NETWORK AND SYSTEMS Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not
More informationPCI DSS v3.0 Vulnerability & Penetration Testing
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
More informationPage 1. Copyright 2009. MFA - Moody, Famiglietti & Andronico, LLP. All Rights Reserved.
Page 1 Page 2 Page 3 Agenda Defining the Massachusetts Personal Data Security Law Becoming Compliant Page 4 Massachusetts Privacy Law Defining the Massachusetts Personal Data Security Law - 201 CMR 17.00
More informationCLOUD GUARD UNIFIED ENTERPRISE
Unified Security Anywhere CLOUD SECURITY CLOUD GUARD UNIFIED ENTERPRISE CLOUD SECURITY UNIFIED CLOUD SECURITY Cloudy with a 90% Chance of Attacks How secure is your cloud computing environment? If you
More informationBAE Systems PCI Essentail. PCI Requirements Coverage Summary Table
BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance
More informationwww.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing
More informationAUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC
AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC MANAGE SECURITY AT THE SPEED OF BUSINESS AlgoSec Whitepaper Simplifying PCI-DSS Audits and Ensuring Continuous Compliance with AlgoSec
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationUsing Skybox Solutions to Achieve PCI Compliance
Using Skybox Solutions to Achieve PCI Compliance Achieve Efficient and Effective PCI Compliance by Automating Many Required Controls and Processes Skybox Security whitepaper August 2011 1 Executive Summary
More informationCREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011
CREDIT CARD MERCHANT PROCEDURES MANUAL Effective Date: 5/25/2011 Updated: May 25, 2011 TABLE OF CONTENTS Introduction... 1 Third-Party Vendors... 1 Merchant Account Set-up... 2 Personnel Requirements...
More informationDetailed Analysis Achieving PCI Compliance with SkyView Partners Products for Open Systems
Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for Open Systems The Payment Card Industry has a published set of Data Security Standards to which organization s accepting and
More informationRequirement 1: Install and maintain a firewall configuration to protect cardholder data
Mapping PCI DSS 3.0 to Instant PCI Policy Below are the requirements from the PCI Data Security Standard, version 3.0. Each requirement is followed by a bullet point that tells exactly where that requirement
More informationCal Poly PCI DSS Compliance Training and Information. Information Security http://security.calpoly.edu 1
Cal Poly PCI DSS Compliance Training and Information Information Security http://security.calpoly.edu 1 Training Objectives Understanding PCI DSS What is it? How to comply with requirements Appropriate
More informationIT Compliance Volume II
The Essentials Series IT Compliance Volume II sponsored by by Rebecca Herold Addressing Web-Based Access and Authentication Challenges by Rebecca Herold, CISSP, CISM, CISA, FLMI February 2007 Incidents
More information