Myths & Realities of Data Security & Compliance: The Risk-based Data. Ulf Mattsson, CTO, Protegrity
1 Myths & Realities of Data Security & Compliance: The Risk-based Data Protection Solution Ulf Mattsson, CTO, Protegrity
2 Ulf Mattsson
- 20 years with IBM Development, Manufacturing & Services
- Inventor of 21 patents
- Co-founder of Protegrity (Data Security Management)
- Research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security
- American National Standards Institute (ANSI) X9
- Information Systems Audit and Control Association (ISACA)
- Information Systems Security Association (ISSA)
- Institute of Electrical and Electronics Engineers (IEEE)
- The World Scientific and Engineering Academy and Society for Computer Security (WSEAS)
- Object Management Group (OMG) CORBA Security Service
3 Description This session will review data protection methods that enable organizations to achieve the right balance between cost, performance, usability, compliance demands, and real-world security needs. This session will also guide you through a process for developing, deploying, and managing a risk-adjusted data security plan. March 2010
6 Topics
- Review current/evolving data security risks
- Explore the methods that enable organizations to achieve the right balance between cost, performance, usability, compliance demands and real-world security needs
- Develop a risk-adjusted methodology for securing data and evaluating security solutions
- Review real-world examples: protecting PCI, PII and MNPI (Material Non-Public Information) data throughout its entire lifecycle
- Other topics? Q&A
- Review real-world examples for IBM, Microsoft & Oracle
7 Protect Sensitive Data
- PCI & Customer Data: credit & loyalty cards, banking/mortgage data, customer profiles, prospect information
- Company Data: salary / bonus, HR data, corporate secrets, financial results
- PII: Social Security number, driver's license number, private account numbers, date of birth
- Health Records: insurance claims, medical records, prescriptions, billing information
8 Data Protection Challenges
- Actual protection is not the challenge
- Management of solutions: key management, security policy, auditing and reporting
- Minimizing impact on business operations: transparency, performance vs. security
- Minimizing the cost implications: maintaining compliance, implementation time
9 Developing a Risk-adjusted Data Protection Plan
- Know Your Data
- Find Your Data
- Understand Your Enemy
- Understand the New Options in Data Protection
- Deploy Defenses
- Crunch the Numbers
10 The Gartner 2010 CyberThreat Landscape
11 Data Security Remains Important for Most Source: Forrester, 2009
12 Know Your Data: Identify High Risk Data
- Begin by determining the risk profile of all relevant data collected and stored:
  - Data that is resalable for a profit
  - Value of the information to your organization
  - Anticipated cost of its exposure
Data Field / Risk Level:
  Credit Card Number 25
  Social Security Number 20
  CVV 20
  Customer Name 12
  Secret Formula 10
  Employee Name 9
  Employee Health Record 6
  Zip Code 3
13 Understand Your Enemy & Data Attacks
- Breaches attributed to insiders are much larger than those caused by outsiders
- The type of asset compromised most frequently is online data, not laptops or backups
Source: Verizon Business Data Breach Investigations Report (2008 and 2009)
14 Market Drivers for Deeper Data Security
- Brand damage: staying out of the headlines, damage to credibility
- Regulatory mandates: PCI, country/provincial/state privacy laws, Sarbanes-Oxley, HIPAA
- Cost of recovery and fixes: Forrester Research gives a cost range of $90-$305 per record
- Increasing liability and insurance
15 Information Security Breaches
- In the U.S., 2005 was the year of the security breach
- Followed by 2006, 2007, 2008 and
- Since 2005, over 1,000 information security breaches: ChoicePoint, Card Systems, Bank of America, Boston Globe, Lexis Nexis, Veterans Administration, Heartland Payment Systems, TJX
- Over 236 million potentially affected
- Over 40 U.S. jurisdictions have security breach notification laws; California SB 1386 started the trend
- New federal breach notification law for health information
- Numerous federal bills
16 State Security Breach Notification Laws
- Generally, the duty to notify arises when unencrypted computerized personal information was acquired or accessed by an unauthorized person
- Personal information is an individual's name, combined with: SSN; driver's license or state ID card number; account, credit or debit card number, along with password or access code
- But state laws differ: computerized v. paper data; definition of PII; notification to state agencies; notification to CRAs; timing of individual notification; harm threshold; contents of notification letter
17 Federal Breach Notification Law
- The HITECH Act has changed the federal breach notification landscape
- HHS and FTC have promulgated breach notification rules pursuant to HITECH Act requirements
- The HITECH Act requires HIPAA covered entities to notify individuals whose unsecured protected health information in any format has been, or is reasonably believed to have been, accessed, acquired or disclosed as a result of a breach
- Business associates are responsible for notifying covered entities of a breach
18 Recent FTC Enforcement Actions
- Federal Trade Commission (FTC) enforcement authority: Section 5 of the FTC Act
- Most FTC privacy enforcement actions result from security breaches: Card Systems, Petco, ChoicePoint, Tower Records, DSW, Barnes & Noble.com, BJ's Wholesale Club, Guess.com Inc., CVS, Caremark, Genica Corporation
- Division of Privacy and Identity Protection
- Enforcement trends
19 Costs of Non-Compliance with PCI
- Costs of non-compliance can be significant
- Card brands fine merchant banks, and costs are passed through to merchants by contract
- Possible fines of $5,000 to $25,000 per month for Level 1 and 2 merchants that have not validated compliance
- In the event of a security breach, possible fines of up to $500,000 per incident plus associated costs
20 Avoiding Breach Notification
- HHS issued guidance on April 17, 2009 setting forth an exhaustive list of what technologies and methodologies will render PHI secure. HHS provided additional guidance on August 24,
- Technologies and methodologies that will render PHI secure: encryption; destruction. Nothing else will render your PHI secure.
- In its most recent guidance, HHS rejected access controls, such as firewalls, as a method for securing PHI.
21 Understand Your Enemy: Probability of Attacks
(Chart: what is the probability of different attacks on data? Attacks are placed from higher probability to higher complexity:)
- Errors and omissions
- Lost backups, in transit
- Application user (e.g. SQL injection) (recent attacks)
- SQL users
- Network or application/RAM sniffer
- Valid user for the server (e.g. stack overflow, data sets)
- Application developer, valid user for data
- Administrator
Source: IBM Silicon Valley Lab (2009)
22 Dataset Comparison (chart by data type)
Source: 2009 Data Breach Investigations Supplemental Report, Verizon Business RISK team
23 Targeted Threat Growth
24 Choose Your Defenses: Where is data exposed to attacks?
(Diagram of the data system, from data entry through application, database, file system, storage (disk) and backup (tape), showing at each layer whether sensitive information is unprotected or protected)
- Recent attacks: sniffer attack, SQL injection, malware / trojan, database attack, file attack, media attack
- Attackers: authorized / un-authorized users, database admin, system admin, HW service people, contractors
25 Granular Reporting for Compliance & Better Security
(Diagram contrasting two deployments of the application / database server: with the security admin in place there is monitoring of column and user across application, database and file system; without it there is no monitoring of column and user)
26 Top 15 Threat Action Types 2009 Data Breach Investigations Supplemental Report, Verizon Business RISK team
27 Common Vulnerabilities in E-Commerce Security
28 Top 15 Threat Action Types Source: 2009 Data Breach Investigations Supplemental Report, Verizon Business RISK team
29 Data Level Attacks on the Enterprise Data Flow
(Diagram of the enterprise data flow: endpoint, internet, server, DMZ with load balancing, proxy, FW, IDS/IPS and web apps, then the trusted segment with enterprise apps, DB server, SAN, NAS, tape, transactions, internal users, NW wireless, network devices and proxy FW; attack points marked along the flow: malware / trojan, DBA attack, SQL injection, sniffer attack, media attack, OS admin file attack)
30 Addressing Data Protection Challenges
- Full mapping of sensitive data flow: where is the data, where does it need to be
- Identify what data is needed for processing in which applications
- What are the performance SLAs
- Understand the impact of changing/removing data: will it break legacy systems
- Address PCI, strategize for the larger security issue
31 Protecting the Data Flow - Example
32 Top 6 threat action types - Mitigation
(Table pairing threat action types with mitigations; the pairing did not survive transcription, cells in transcribed order:)
- Encryption of data in transit
- Token or Point-to-point encryption (E2EE)
- Monitoring and blocking
- Abuse of resources
- Token, Point-to-point encryption (E2EE) or File protection
- Infected systems
- Monitoring and blocking
- Collect usernames and passwords
- Specially crafted SQL statements
- Web Application Firewall
- Known usernames and passwords
- Monitoring and blocking
Source: 2009 Data Breach Investigations Supplemental Report, Verizon Business RISK team
33 Example of Secure Login One Time Password
34 Positioning Different Data Protection Approaches
35 Data Protection Challenges
- Actual protection is not the challenge
- Management of solutions: key management, reporting, policy
- Minimizing impact on business operations: performance v. security
- Minimizing impact (and costs): changes to applications, impact on downstream systems, time
36 The Goal: Good, Cost Effective Security
- The goal is to deliver a solution that is a balance between security, cost, and impact on the current business processes and user community
- Security plan: short term, long term, ongoing
- How much is good enough?
- Security versus compliance: Good Security = Compliance? (diagram contrasting Compliance with Good Security)
37 Choose Your Defenses Different Approaches
38 Choose Your Defenses: Cost Effective PCI
- Encryption 74%
- WAF 55%
- DLP 43%
- DAM 18%
Source: 2009 PCI DSS Compliance Survey, Ponemon Institute
39 Choose Your Defenses: Find the Balance
(Chart of cost against risk level, plotting the cost of aversion / protection of data, the expected losses from the risk, and the total cost, whose minimum marks the optimal risk; the axis is divided into active protection and passive protection regions)
40 Evaluation Criteria
- Performance: impact on operations (end users, data processing windows)
- Storage: impact on data storage requirements
- Security & Separation of Duties: how secure is the data at rest; impact on data access separation of duties
- Transparency: changes to application(s); impact on supporting utilities and processes
41 Choose Your Defenses - Operational Impact: Passive Database Protection Approaches
(Table rating each approach from Best to Worst on Performance, Storage, Security, Transparency and Separation of Duties; the ratings did not survive transcription)
- Web Application Firewall
- Data Loss Prevention
- Database Activity Monitoring
- Database Log Mining
Source: 2009 Protegrity Survey
42 Choose Your Defenses - Operational Impact: Active Database Protection Approaches
(Table rating each approach from Best to Worst on Performance, Storage, Security, Transparency and Separation of Duties; the ratings did not survive transcription)
- Application Protection - API
- Column Level Encryption: FCE, AES, 3DES
- Column Level Replacement: Tokens
- Tablespace - Datafile Protection
Source: 2009 Protegrity Survey
43 Choose Your Defenses: Example
(Diagram of the data lifecycle with the protection applied at each stage; labels in the diagram: Encryption, Data Token)
- Collection (Point of Sale, E-Commerce, Branch Office): information in the wild; short lifecycle / high risk
- Aggregation: temporary information; short lifecycle / high risk
- Operations: operating information; typically 1 or more year lifecycle; broad and diverse computing and database environment
- Analysis: decision making information; typically multi-year lifecycle; homogeneous environment; high volume database analysis
- Archive: typically multi-year lifecycle; preserving the ability to retrieve the data in the future is important
44 Choose Your Defenses: New Methods
- Format Controlling Encryption (example of encrypted format shown): key manager, application, databases
- Data Tokenization (example of token format shown): token server, key manager, application, databases, token
45 Newer Data Protection Options Format Controlling Encryption (FCE)
46 What Is FCE?
Where did it come from?
- Before 2000: different approaches, some based on block ciphers (AES, 3DES)
- Before 2005: used to protect data in transit within enterprises
What exactly is it?
- Secret key encryption algorithm operating in a new mode
- Cipher text output can be restricted to the same code page as the input; some only support numeric data
- The new modes are not approved by NIST
47 FCE Selling Points
- Ease of deployment: limits the database schema changes that are required; reduces changes to downstream systems
- Applicability to data in transit: provides a strict/known data format that can be used for interchange
- Storage space: does not require expanded storage
- Test data: partial protection
- Outsourced environments & virtual servers
48 FCE Considerations
- Unproven level of security: makes significant alterations to the standard AES algorithm
- Encryption overhead: significant CPU consumption is required to execute the cipher
- Key management: not able to attach a key ID, making key rotation more complex (e.g. SSN)
- Some implementations only support certain data (based on data size, type, etc.)
- Support for big iron systems: not portable across encodings (ASCII, EBCDIC)
- Transparency: some applications need full clear text
49 FCE Use Cases
- Suitable for lower risk data
- Compliance to NIST standard not needed
- Distributed environments
- Protection of the data flow
- Added performance overhead can be accepted
- Key rollover not needed (transient data)
- Support available for data size, type, etc.
- Point-to-point protection if big iron mixed with Unix or Windows
- Possible to modify applications that need full clear text, or database plug-in available
50 Applications are Sensitive to the Data Format
(Chart ordering data types by how many applications can consume them and by field length relative to the original)
- Binary data: Binary (Hash), Binary (Encryption): no applications / few applications; longer data field length
- Text data: Alphanumeric (FCE, Token): many applications
- Numeric (FCE, Token): most applications
- Numeric (Clear Text): all applications; original length
- Increased intrusiveness: application changes, limitations in functionality, limitations in data search, performance issues
- This is a generalized example
51 Newer Data Protection Options Data Tokenization
52 What Is Data Tokenization?
Where did it come from?
- Found in Vatican archives dating from the 1300s
- In 1988 IBM introduced the Application System/400 with shadow files to preserve data length
- In 2005 vendors introduced tokenization of account numbers
What exactly is it?
- It IS NOT an encryption algorithm or logarithm.
- It generates a random replacement value which can be used to retrieve the actual data later (via a lookup)
- Still requires strong encryption to protect the lookup table(s)
53 Tokenization Selling Points
- Provides an alternative to masking in production, test and outsourced environments
- Limits schema changes that are required; reduces impact on downstream systems
- Can be optimized to preserve pieces of the actual data in-place (smart tokens)
- Greatly simplifies key management and key rotation tasks
- Centrally managed, protected: reduced exposure
- Enables strong separation of duties
- Renders data out of scope for PCI
54 Tokenization Considerations
- Transparency: not transparent to downstream systems that require the original data
- Performance & availability: imposes significant overhead from the initial tokenization operation and from subsequent lookups
- Performance & availability: imposes significant overhead if the token server is remote or outsourced
- Security: vulnerabilities of the tokens themselves (randomness and possibility of collisions)
- Security: vulnerabilities typical in in-house developed systems, exposing patterns and attack surfaces
55 Tokenization Use Cases
- Suitable for high risk data (payment card data)
- When compliance to NIST standard needed
- Long life-cycle data
- Key rollover easy to manage
- Centralized environments
- Suitable data size, type, etc.
- Support for big iron mixed with Unix or Windows
- Possible to modify the few applications that need full clear text, or database plug-in available
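The vault below is an added illustration of the tokenization model described in slides 52-54 (a random replacement value, a lookup table, a collision check, and "smart tokens" that keep pieces of the real value); it is not Protegrity's code. The HMAC-keyed forward index, the in-memory reverse map and the sample card numbers are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class TokenVault:
    """Minimal token vault: PAN -> random, same-format token, and back.

    The forward index is keyed by an HMAC of the PAN so the index never holds
    clear PANs. The reverse map (token -> PAN) is a plain dict here; a real
    vault must protect that lookup table with strong encryption at rest.
    """

    DIGITS = "0123456789"

    def __init__(self, index_key: bytes, keep_first: int = 0, keep_last: int = 4,
                 max_attempts: int = 1000) -> None:
        self._index_key = index_key          # key for the keyed index (assumption)
        self._keep_first = keep_first        # leading digits preserved in the token
        self._keep_last = keep_last          # trailing digits preserved (e.g. last 4)
        self._max_attempts = max_attempts    # bound on collision retries
        self._token_by_mac: Dict[str, str] = {}   # HMAC(PAN) -> token
        self._pan_by_token: Dict[str, str] = {}   # token -> PAN (encrypt at rest)

    def _mac(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode("ascii"), hashlib.sha256).hexdigest()

    def _candidate(self, pan: str) -> str:
        # "Smart token": keep the chosen leading/trailing digits of the real value
        # and replace the middle with cryptographically random digits (secrets,
        # not random), so the token carries no information about the middle.
        middle_len = len(pan) - self._keep_first - self._keep_last
        middle = "".join(secrets.choice(self.DIGITS) for _ in range(middle_len))
        return pan[:self._keep_first] + middle + pan[len(pan) - self._keep_last:]

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit():
            raise ValueError("PAN must be numeric")
        if len(pan) - self._keep_first - self._keep_last < 1:
            raise ValueError("nothing left to randomize")
        key = self._mac(pan)
        existing = self._token_by_mac.get(key)
        if existing is not None:
            return existing                  # same PAN always yields the same token
        for _ in range(self._max_attempts):
            token = self._candidate(pan)
            # Collision check: never reuse a token and never emit the clear PAN.
            if token != pan and token not in self._pan_by_token:
                self._pan_by_token[token] = pan
                self._token_by_mac[key] = token
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenize(self, token: str) -> Optional[str]:
        # Only the vault can map back; unknown tokens resolve to nothing.
        return self._pan_by_token.get(token)

    def size(self) -> int:
        return len(self._pan_by_token)


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32), keep_first=6, keep_last=4)
    pan = "4111111111111111"                 # constructed test number, not a real card
    token = vault.tokenize(pan)
    print(pan, "->", token, "->", vault.detokenize(token))
```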
56 Tokenization Users Show Significantly Better Results
58 A Central Token Solution
(Diagram: one token server serving several customer applications)
59 A Distributed Token Solution
(Diagram: several token servers, each serving its own customer applications)
60 An Integrated Token Solution
(Diagram: token servers integrated alongside the customer applications)
61 Evaluating Different Tokenization Implementations
(Table rating each implementation from Best to Worst on each criterion; the ratings did not survive transcription)
Implementations: Hosted/Outsourced Central (old) and Distributed; On-site/On-premises Central (old), Distributed and Integrated
Evaluation areas and criteria:
- Operational needs: availability, scalability, performance
- Pricing model: per server, per transaction
- Data types: identifiable (PII), cardholder (PCI)
- Security: separation, compliance scope
62 A Central Token Solution vs. A Distributed Token Solution
(Diagram: the central solution uses one central dynamic random token table shared by the customer applications; the distributed solution uses distributed static random token tables, one set per group of customer applications)
63 A Distributed Token Solution vs. An Integrated Token Solution
(Diagram: the distributed solution uses distributed static random token tables; the integrated solution has the static token tables integrated with the Pep-Server next to the customer applications)
64 Choose Your Defenses: Strengths & Weakness
(Table rating options from Best to Worst; the ratings did not survive transcription)
* Compliant to PCI DSS 1.2 for making PAN unreadable
Source: 2009 Protegrity Survey
65 An Enterprise View of Different Protection Options
(Table rating Strong Encryption, Formatted Encryption and Token from Best to Worst on each criterion; the ratings did not survive transcription)
Evaluation criteria:
- Disconnected environments
- Distributed environments
- Performance impact when loading data
- Transparent to applications
- Expanded storage size
- Transparent to database schema
- Long life-cycle data
- Unix or Windows mixed with big iron (EBCDIC)
- Easy re-keying of data in a data flow
- High risk data
- Security: compliance to PCI, NIST
66 Deploy Defenses: Matching Data Protection Solutions with Risk Level
Data Field / Risk Level:
  Credit Card Number 25
  Social Security Number 20
  CVV 20
  Customer Name 12
  Secret Formula 10
  Employee Name 9
  Employee Health Record 6
  Zip Code 3
Risk Level / Solution:
  Low Risk (1-5): Monitor
  At Risk (6-15): Monitor, mask, access control limits, format control encryption
  High Risk (16-25): Replacement, strong encryption
67 Data Protection Implementation Layers
(Table rating each option from Best to Worst; the ratings did not survive transcription)
- System layer (Performance, Transparency, Security): Application, Database, File System
- Topology (Performance, Scalability, Security): Local Service, Remote Service
68 Crunch the Numbers: Conclusion
- Risk-adjusted data security plans are cost effective
- Switching focus to a holistic view rather than a security-silo methodology
- Understanding of where data resides usually results in a project to reduce the number of places where sensitive data is stored
- Protect the remaining sensitive data with a comprehensive data protection solution
69 Managing encryption keys across different platforms
70 Deployment
(Diagram: a central key manager serving an encryption solution on the mainframe z/OS (applications, RACF, DB2, files, ICSF, hardware security module), DB2 UDB, Informix, Oracle, and System i with a hardware security module)
71 Example: Centralized Data Protection Approach
(Diagram: the Enterprise Data Security Administrator handles policy & key creation, auditing & reporting and the audit log, and distributes policy to the Database Protector, File System Protector, Application Protector and Big Iron Protector, covering secure collection, secure usage, secure distribution, secure storage and secure archive)
72 Protegrity Value Proposition
- Protegrity delivers application, database and file protectors across all major enterprise platforms.
- Protegrity's Risk Adjusted Data Security Platform continuously secures data throughout its lifecycle.
- The underlying foundation for the platform includes comprehensive data security policy, key management, and audit reporting.
- Enables customers to achieve data security compliance (PCI, HIPAA, PIPEDA, SOX and Federal & State Privacy Laws)
73 Protegrity and PCI
Build and maintain a secure network.
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data.
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a vulnerability management program.
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement strong access control measures.
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks.
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy.
12. Maintain a policy that addresses information security
74 Enterprise Reporting Flexibility
- Protegrity Data Protection: Database Protector, Application Protector and File Protector collect audit logs
- Audit log attributes: ID, Date, Severity, User, Title, Description, Type, Product, Product Version, Server, Server IP, Server Port, Additional Info, Access, Data Store, Policy, Data Element, Operation, Count, Error Code, OS User, SCID, Vendor, Row ID, Session ID, Request ID, Vendor Type
- Reporting choices and options: Forensics, Standard Reports, Compliance Reports, Custom Reports, Export Logs
75 Summary Report on Daily Monitored Security Events
76 Please contact us for more information Ulf Mattsson Phone ulf.mattsson@protegrity.com
77 A Source of Information about PCI Research
More informationPractical Advice for Cloud Data Protection
Practical Advice for Cloud Data Protection Ulf Mattsson CTO, Protegrity Ulf.Mattsson@protegrity.com Ulf Mattsson, Protegrity CTO Cloud Security Alliance (CSA) PCI Security Standards Council Cloud & Virtualization
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More informationNeed to be PCI DSS compliant and reduce the risk of fraud?
Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction
More informationVirtualization Impact on Compliance and Audit
2009 Reflex Systems, LLC Virtualization Impact on Compliance and Audit Michael Wronski, CISSP VP Product Management Reflex Systems Agenda Introduction Virtualization? Cloud? Risks and Challenges? Compliance
More informationWhat s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1
What s New in PCI DSS 2.0 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 Agenda PCI Overview PCI 2.0 Changes PCI Advanced Technology Update PCI Solutions 2010 Cisco and/or
More informationMaintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com
Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance
More informationTNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business
TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment
More informationSymposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda
2010 Finance & Business Operations Symposium (FBOS) PCI Compliance Cort M. Kane COO, designdata Judy Durham CFO, NPES Kymberly Bonzelaar, Sr. VP Capital One Richard Eggleston, Sr. Project Director, TMAR
More informationRecent Developments in PCI DSS. PCI in the Headlines Risks to Higher Education PCI DSS Version 1.2
Recent Developments in PCI DSS PCI in the Headlines Risks to Higher Education PCI DSS Version 1.2 1 2009 Breach Investigation Who did it? 74% external parties 20% insiders 32% implicated business partners
More informationLogging In: Auditing Cybersecurity in an Unsecure World
About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that
More informationNerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches. Gerard M. Stegmaier gstegmaier@wsgr.
Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches Gerard M. Stegmaier gstegmaier@wsgr.com @1sand0slawyer Data Breach Trends 2011 Average Loss to Organization = $5.5 million
More informationDeciphering the Safe Harbor on Breach Notification: The Data Encryption Story
Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story Healthcare organizations planning to protect themselves from breach notification should implement data encryption in their
More informationGlobal Partner Management Notice
Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with
More informationPayment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security
Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security John Mason Slides & Code - labs.fusionlink.com Blog - www.codfusion.com What is PCI-DSS? Created by the
More informationAccepting Payment Cards and ecommerce Payments
Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont
More informationCredit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600
Credit Cards and Oracle: How to Comply with PCI DSS Stephen Kost Integrigy Corporation Session #600 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle
More informationHow To Secure Your Store Data With Fortinet
Securing Wireless Networks for PCI Compliance Using Fortinet s Secure WLAN Solution to Meet Regulatory Requirements Introduction In the wake of many well-documented data breaches, standards such as the
More informationComplying with PCI Data Security
Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring
More informationEnterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February 2010 www.alvandsolutions.
Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH White Paper February 2010 www.alvandsolutions.com Overview Today s increasing security threats and regulatory
More informationWhite Paper. Managing Risk to Sensitive Data with SecureSphere
Managing Risk to Sensitive Data with SecureSphere White Paper Sensitive information is typically scattered across heterogeneous systems throughout various physical locations around the globe. The rate
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationPCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
SOLUTION BRIEF PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP The benefits of cloud computing are clear and compelling: no upfront investment, low ongoing costs, flexible capacity and fast application
More informationStrategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008
Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008 Matthew T. Davis SecureState, LLC mdavis@securestate.com SecureState Founded in 2001, Based on Cleveland Specialized
More informationHow To Protect Your Data From Being Stolen
DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA WHAT IS PCI DSS? PAYMENT CARD INDUSTRY DATA SECURITY STANDARD A SET OF REQUIREMENTS FOR ANY ORGANIZATION OR MERCHANT THAT ACCEPTS, TRANSMITS
More informationPCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationEfficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules
Efficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules WHITE PAPER Thales e-security www.thalesesec.com/oracle TABLE OF CONTENT Introduction...3 Oracle Database 11g
More informationAccelerating PCI Compliance
Accelerating PCI Compliance PCI Compliance for B2B Managed Services March 8, 2016 What s the Issue? Credit Card Data Breaches are Expensive for Everyone The Wall Street Journal OpenText Confidential. 2016
More informationThe Comprehensive Guide to PCI Security Standards Compliance
The Comprehensive Guide to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment
More informationProtecting Sensitive Data Reducing Risk with Oracle Database Security
Protecting Sensitive Data Reducing Risk with Oracle Database Security Antonio.Mata.Gomez@oracle.com Information Security Architect Agenda 1 2 Anatomy of an Attack Three Steps to Securing an Oracle Database
More informationMIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
More informationA Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards
A Websense Research Brief Prevent Loss and Comply with Payment Card Industry Security Standards Prevent Loss and Comply with Payment Card Industry Security Standards Standards for Credit Card Security
More informationWhite Paper. Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance
White Paper Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance Executive Overview
More informationSecurity Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments
Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA hhuynh@visa.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,
More informationClient Security Risk Assessment Questionnaire
Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2
More informationPCI Compliance in Oracle E-Business Suite
PCI Compliance in Oracle E-Business Suite May 14, 2015 Mike Miller Chief Security Officer Integrigy Corporation David Kilgallon Oracle Integration Manager CardConnect Moderated by Phil Reimann, Director
More informationAuditing Data Access Without Bringing Your Database To Its Knees
Auditing Data Access Without Bringing Your Database To Its Knees Black Hat USA 2006 August 1-3 Kimber Spradlin, CISA, CISSP, CPA Sr. Manager Security Solutions Dale Brocklehurst Sr. Sales Consultant Agenda
More informationPCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz
PCI-DSS: A Step-by-Step Payment Card Security Approach Amy Mushahwar & Mason Weisz The PCI-DSS in a Nutshell It mandates security processes for handling, processing, storing and transmitting payment card
More informationCORE Security and the Payment Card Industry Data Security Standard (PCI DSS)
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com
More informationPCI DSS Reporting WHITEPAPER
WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationNet Report s PCI DSS Version 1.1 Compliance Suite
Net Report s PCI DSS Version 1.1 Compliance Suite Real Security Log Management! July 2007 1 Executive Summary The strict requirements of the Payment Card Industry (PCI) Data Security Standard (DSS) are
More informationCopyright 2013, Oracle and/or its affiliates. All rights reserved.
1 Security Inside-Out with Oracle Database 12c Denise Mallin, CISSP Oracle Enterprise Architect - Security The following is intended to outline our general product direction. It is intended for information
More informationInformation Security Services. Achieving PCI compliance with Dell SecureWorks security services
Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)
More informationHow To Achieve Pca Compliance With Redhat Enterprise Linux
Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving
More informationTop 10 PCI Concerns. Jeff Tucker Sr. Security Consultant, Foundstone Professional Services
Top 10 PCI Concerns Jeff Tucker Sr. Security Consultant, Foundstone Professional Services About Jeff Tucker QSA since Spring of 2007, Lead for the Foundstone s PCI Services Security consulting and project
More informationPCI Compliance. Top 10 Questions & Answers
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
More informationWhite Paper. Understanding & Deploying the PCI Data Security Standard
White Paper Understanding & Deploying the PCI Data Security Standard Executive Overview The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard designed to help organizations
More informationHow To Protect Your Cloud From Attack
A Trend Micro White Paper August 2015 Trend Micro Cloud Protection Security for Your Unique Cloud Infrastructure Contents Introduction...3 Private Cloud...4 VM-Level Security...4 Agentless Security to
More informationCREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011
CREDIT CARD MERCHANT PROCEDURES MANUAL Effective Date: 5/25/2011 Updated: May 25, 2011 TABLE OF CONTENTS Introduction... 1 Third-Party Vendors... 1 Merchant Account Set-up... 2 Personnel Requirements...
More informationProtegrity Tokenization
Securing Sensitive Data for PCI, HIPAA and Other Data Security Initiatives 2011 Edition Who should read it System architects, security experts, and other IT professionals who are looking to use tokenization
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationProtecting personally identifiable information: What data is at risk and what you can do about it
Protecting personally identifiable information: What data is at risk and what you can do about it Virtually every organization acquires, uses and stores personally identifiable information (PII). Most
More informationChecklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security
Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @ Agenda Review the
More informationEncrypting Sensitive Data in Oracle E-Business Suite
Encrypting Sensitive Data in Oracle E-Business Suite December 19, 2013 Stephen Kost Chief Technology Officer Integrigy Corporation About Integrigy ERP Applications Oracle E-Business Suite Databases Oracle
More informationThe Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development
The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment Card Industry Data Security Standards
More informationA Decision Maker s Guide to Securing an IT Infrastructure
A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose
More informationCorreLog Alignment to PCI Security Standards Compliance
CorreLog Alignment to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment
More informationFileCloud Security FAQ
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
More informationTeradata and Protegrity High-Value Protection for High-Value Data
Teradata and Protegrity High-Value Protection for High-Value Data 03.16 EB7178 DATA SECURITY Table of Contents 2 Data-Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:
More information