PCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES

Size: px
Start display at page:

Download "PCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES"

Transcription

1 CONFIDENCE: SECURED WHITE PAPER PCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE

2 BENCHMARKS, STANDARDS, FRAMEWORKS AND REGULATIONS WHAT S THE DIFFERENCE? The majority of IT security guidance to industry can be placed into one of these categories: benchmarks, standards, frameworks and regulations. Most address specific security issues and offer advice based on experience, collaborated information, authorities and activities (best practices) which have proven effective. They each offer in-depth guidance on how to apply security, how to build an effective security program and how to measure security investments. COMPARING SECURITY FRAMEWORKS LEADS TO STRATEGIC INSIGHTS TO HELP ORGANIZATIONS Adjust their security programs and better address overall cybersecurity Understand and communicate the value of security and regulatory compliance investments»» Relate cybersecurity to business objectives The challenge is how to navigate the myriad source materials, identify the most salient and effective components of each document, and then use that information to build the most effective security program for the organization. Tripwire offers this comparison of the Payment Card Industry Data Security Standards (PCI DSS) and the Council on CyberSecurity s Critical Security Controls (CSC) documents to help you and your organization understand the benefits and values of each, and to help you take advantage of them within your organization. ANALYSIS: PCI DSS AND THE CSC This analysis provides an overview and comparison of the PCI DSS the security standard framework created for all merchants who accept credit cards, and the CSC framework a best practices document with prioritized cybersecurity procedures. BUSINESS IMPACT The business imperative that drives both of these frameworks is to reduce the risk to businesses from improperly designed and operated technology. They specifically address the challenge of how to instill security essentials, such as security practices of asset control, vulnerability assessment and security hardening. Regardless of being compelled (due to contractual and audit compliance with PCI) or advised through best practices (such as with the CSC), these essential tasks are frequently overlooked. THREAT ORIENTATION Both frameworks are also threat oriented, meaning they prescribe specific actions, controls and activities known to eliminate or reduce common threat vectors. However, without considering the associated risks and the overall relevance of these recommendations to your organization, these frameworks can create a false sense of security. Adopted controls should match potential threat, and risk and mitigation measures adjusted accordingly. PROACTIVE RISK MITIGATION The reason why a business should look at one or both of these frameworks is to reinforce the decision to address cybersecurity in a proactive manner. The documents outline common, if not necessarily consistent, programmatic elements. They use security language but do not assume the reader is a security expert. The advice or prescription is based on current and real world risks and the response measures that will mitigate them. While the response measures prescribe specific outcomes, they are not product- or solution-specific. However, working from these documents will give most readers some idea of the type of skills and resources they will need to address security within their specific environment. 2 Comparing Security Frameworks Series: PCI 3.0 and the CSC

3 BENCHMARK Designed for specific environments; Specific Prescriptive Controls STANDARDS Provides detailed technology implementation guidance from standards body FRAMEWORK Outlines Security Program Requirements and may include prescriptions, methods and REGULATION Typically an enforced guideline with prescribed repercussions (penalties) CIS Benchmarks 4 DISA Checklists 4 Vendor Security Guidance 4 ISA/IEC (Formerly ISA-99) 4 ISO / Common Criteria 4 ISO and NIST TOP 20 CSC 4 4 COBIT v.5 4 HIPAA 4 4 PCI 4 4 NERC CIP 4 4 SOX 4 GLBA 4 Comparing Security Frameworks Series: PCI 3.0 and the CSC 3

4 TOP 20 CRITICAL SECURITY CONTROLS CRITICAL SECURITY CONTROLS (CSC) For detailed information on sub-controls, refer to Tripwire s Sub-control Mapping brief CSC1: Inventory H/W Assets, Criticality & Location CSC2: Inventory S/W Assets, Criticality & Location CSC3: Secure Configuration Servers CSC4: Vulnerability Assessment & Remediation CSC5: Malware Protection CSC6: Application Security CSC7: Wireless Device Control CSC8: Data Recovery CSC9: Security Skills Assessment CSC10: Secure Config-Network CSC11: Limit and Control Network Ports, Protocols & Services CSC12: Control Admin Privileges CSC13: Boundary Defense CSC14: Maintain, Monitor, and Analyze Audit Logs CSC15: Need-to-Know Access CSC16: Account Monitoring & Control CSC17: Data Loss Prevention CSC18: Incident Response CSC19: Secure Network Engineering (secure coding) CSC20: Penetration Testing & Red Team Exercises NSA RANK Very High Very High Very High Very High High/Medium High High Medium Medium High/Medium High/Medium High/Medium High/Medium Medium Medium Medium Medium/Low Medium Low Low WHAT THE CSC DOES The Top 20 Critical Security Controls (previously known as the Consensus Audit Guidelines (CAG) and formerly referred to as the SANS 20 Critical Security Controls) are now governed by the Council on CyberSecurity, an international, independent, expert, notfor-profit organization with a global scope and specific, public goals. The development of this set of standards was first undertaken in 2008 by the National Security Agency at the behest of the U.S. Secretary of Defense in an effort to efficiently direct resources toward combating the most common network vulnerabilities that resulted in the greatest number of attack vectors. With its beginnings as an annual list of threats and vulnerabilities, the CSC is the result of a broad number of federal and commercial enterprise inputs and continues to evolve as a list of security best practices. The resulting list provides a list of practical security advice that applies to most IT operations. The CSC provides a prioritized list of security practices as well as a practical approach to implementation. It also offers tips for managing these controls on an ongoing basis. While the Controls are not industry-specific, they were developed and validated by the U.S. Federal government. Their application and efficacy in the government lends them big organization and federal agency credibility. Because the CSC offers a relatively short list of controls that have been pre-prioritized, it appeals to business managers and security practioners alike. The framework provides guidance for those in the early stages of developing an information security program, and also offers guidance and advice for those with 4 Comparing Security Frameworks Series: PCI 3.0 and the CSC

5 mature ones. The framework provides quick wins for organizations looking for easy, fast ways to reduce risk, as well as in depth guidance for each control. Quick wins that provide solid risk reduction without major procedural, architectural, or technical changes to an environment. They also provide substantial controls against the most common attack vectors, therefore most organizations prioritize the implementation of these controls. Visibility and attribution measures improve the process, architecture and technical capabilities of organizations to monitor their networks and computer systems making it possible to detect attack attempts, locate points of entry, identify already-compromised machines, interrupt infiltrated attackers activities and gain information about the sources of an attack. Improved information security configuration and hygiene reduces the number and magnitude of security vulnerabilities and improve the operations of networked computer systems. Secure configurations make systems more difficult to compromise and dramatically reduce security risks. Advanced sub-controls that require the use of new technologies are clearly identified. These controls may be harder or more expensive to deploy. In addition, the CSC includes notational network architecture references, test tools and suggested tests that can be used to verify that the controls are in place and effective. This additional guidance can help organizations evaluate and improve their security programs. WHAT THE CSC DOESN T DO The Critical Security Controls document is a voluntary measure there is no policing, audit or fines for not implementing the advice or implementing it incorrectly. The Controls are constantly being re-assessed and change based on the advice and feedback of an advisory schedule. These changes are expected occur on a regular basis. Although the committee represents business, government and various industries, they may not cover specific business or industry needs and concerns. The Controls are not intended to cover every risk. The objective of the framework is to identify the security controls that are most effective against the most common attack vectors. Your company and/or your industry may have specific, unique risks that are not adequately addressed by the Controls. The CSC does not prescribe a method to verify and examine the risks that correlate to each control. Although the CSC includes basic explanations, each organization needs to evaluate the security risks of their specific organization, determine if the control is appropriate and sufficient and then evaluate the decision to implement the control. Finally, CSC is not an in-depth or process-oriented framework. It may require some technical effort to fit technical solutions into the specific systems at each organization. uuthe great thing about the Top 20 Critical Security Controls is it helps most any organization at any point in their maturity curve with knowing where to start what s the most important thing to do right now. u JANE HALL LUTE, CEO OF THE COUNCIL ON CYBERSECURITY, FORMER DEPUTY SECRETARY OF THE DEPARTMENT OF HOMELAND SECURITY WHAT THE PCI DSS DOES The Payment Card Industry Data Security Standard was created by an industry consortium with the goal of creating security standards for the payment card industry to guide credit card processors, merchants and banks to protect cardholder data and improve security of systems used to store, track and manage the credit card payment and authorization systems. The PCI DSS is a widely adopted security standard and has become one of the most international security standards. Because PCI DSS is enforced by the industry consortium, and failing a third party audit entails serious business consequences and can also involve fines or other penalties, the standard is unique. The PCI DSS is very straightforward: it is designed to identify and protect the systems that contain cardholder information as well as protect that data wherever it is transmitted, processed or stored. The standard ensures a minimum level of information security for any organization that processes credit cards. Comparing Security Frameworks Series: PCI 3.0 and the CSC 5

6 THE PCI DSS 3.0 Control Objectives Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program PCI DSS Requirements 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need-to-know Implement Strong Access Control Measures 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security 6 Comparing Security Frameworks Series: PCI 3.0 and the CSC

7 Because the PCI DSS was developed to address common security issues, other industries can use it for basic security guidance. Merchants and financial services organizations have also found that applying the standards to those systems not directly involved with processing cardholder data can dramatically reduce security risk. This has improved the IT security standing of many organizations. WHAT PCI DSS DOESN T DO Because the PCI framework is designed only to protect cardholder data, its controls are usually designed and described for these specific systems and devices that process that specific data. While the standard evolved to focus only on cardholder data as a way to limit the cost of compliance, an unintended consequence maybe that one area of the network is strongly protected but others are left open to attack. The PCI DSS was not developed to address a specific risk associated with the loss of cardholder data and the resulting fraud. However, the threat vector can and does change rapidly. Organizations with large data sets may require greater protection that the standard requires. New, more advanced controls should be carefully considered and should calibrated to the level of risk. The challenge for all security standards is to strike and appropriate balance compliance requirements and the cost of implementation. Every standard is trying to acheive the greatest possible risk reduction for the lowest possible investment. SIMILARITIES OF CSC AND PCI There are plenty of similarities between the two frameworks. From examining of the previous chart, one can see that other than missing a control specifically for coverage of physical security the Controls line up fairly consistently with the PCI DSS Requirement and Objectives areas. This is expected since the focus of both documents is fairly consistent: shoring up IT technology security solutions and practices across a network to protect assets, data or equipment. NOT OVERLY COMPLEX While some technologies are prescribed, both documents recognize that security is a process, not a single product or single skillset. This is important because it underscores a common misperception that security is only a product away (or, conversely, too complex) to understand. In reality, usually the best response to a specific threats is unique to each environment. Also, while these frameworks are designed to distill requirements and provide advice, they try to avoid an overly simplistic approach. Both PCI DSS and the CSC mention the relative complexity of specific problems and solutions and both mention the need for specific skills. Both standards attempt to provide enough guidance to be useful and enough detail to avoid being distilled into a checklist. Security practioners will likely find that the practices in both documents are cross-referential, meaning that the efforts and artifacts from one practice area typically inform other security practices. Each organization should examine both the PCI DSS and the CSC to make sure they have carefully evaluated each control and are implementing them at the level appropriate for their organization. This strategy is the basis of a well-rounded cybersecurity program. KEY TAKEAWAYS Strong alignment exists between PCI DSS 3.0 Objectives 1 and 6 and a number of the Contols: PCI 3.0 OBJECTIVE 1: BUILD AND MAINTAIN A SECURE NETWORK CSC COVERAGE: CSC 3 Secure Configurations on all Hardware and Software for all Mobile Devices, Laptops, Workstations, and Servers (this would include POS devices) CSC 10 Boundary Defense CSC 11 Limitation and Control of Network Ports, Protocols, and Services CSC 13 Secure Configurations for all Network Devices such as Firewalls, Routers, and Switches CSC 19 Secure Network Engineering PCI 3.0 OBJECTIVE 6: MAINTAIN AN INFORMATION SECURITY POLICY CSC COVERAGE: CSC 9 Security Skills Assessment & Training CSC 1 Inventory of Authorized and Unauthorized Devices CSC 2 - Inventory of Authorized and Unauthorized Software CSC 18 Incident Response & Management Comparing Security Frameworks Series: PCI 3.0 and the CSC 7

8 WHAT S DIFFERENT? The most important difference between the two documents is that the PCI DSS is compulsory for merchants, whereas the CSC is best practice. A regulation has accompanying audit guidance and typically undergoes a regular review of its prescriptions to affect change on the target community. Again, while PCI DSS is not a regulation per se, merchants must comply with the standard and regular third party audits are conducted to ensure that the controls are applied correctly and are effective. REGULATORY COMPLIANCE Organizations that must comply with a regulation often find that the management of the compliance program is a risk or constraint in itself. For instance, failure to comply may equate to fees or fines, and cost of compliance is typically taken from the security budget. ADVISORY FRAMEWORK In contrast, the CSC document has made an important stretch into providing its best practices with possible ways to implement and measure the value of any of its prescriptions. It is an important point that the CSC is actively promoting a ROI or value proposition to the reader. This will align with business managers more than an audit guideline, although they are attempting similar goals: providing the organization with a way to measure and understand if the guidance is working. Also the CSC document provides relative prioritization of the control areas. This means that an organization starting at 1 can move forward through the list in a manner that should best address the threat areas and support the security program development. This fills a need that clearly has been missing for organizations looking to regulations as a starting point for their security programs. However, many organizations do not start with CSC-1, and may instead choose something that has been seen to be more highly prioritized such as CSC-13, Boundary Defense, or with CSC-20 Penetration Tests (as part of an initial Security Assessment to form a good starting point for current security posture). Still, if organizations have a choice, completing CSC 1 4 in that order can speed the implementation of the remaining Controls. THE GAP The question of what is similar or different often does not help organizations recognize what s actually missing. In this case, both documents miss a number of important cybersecurity issues that illustrate the limitations of similar documents, and as well as other issues that any organization will want to address. RAPIDLY EVOLVING THREAT vs. AGING GUIDANCE An issue for some organizations will be the age of the guidance. In the case of PCI, the guidance is on a three year update cycle which means that it takes a number of years for certain practices, techniques and controls to be included. In addition, further time is often allowed for full audit compliance which can even further extend and accentuate the difficulty with aging guidance. An example of this is that PCI DSS 3.0 has been finalized since November 2013, and went into effect on January 1, However, PCI DSS 2.0 remains active until December 31, So if organizations are still working under PCI 2.0, they won t have to immediately change. Also, compensating controls may be often used when compliance isn t possible, but other controls may be used to acceptably mitigate per audit findings. The CSC advisory has been updated more frequently, but the council behind the Controls is voluntary and consensual, and therefore unlikely to be held to a schedule for updates. So the answer is to not rely entirely on either guide for the source of most current controls, practices or threat information. CONTINUOUS MONITORING An excellent example of an underrepresented control is the concept of continuous monitoring (CM), now also referred to in government as Continuous Diagnostics & Mitigation (CDM). CM is the logical conclusion that a monitoring control mechanism must be in place to improve awareness, react to incident and to constantly validate that the control (sensor) mechanism itself is actually working. A principle characteristic of this monitoring should be determined based on the relative risk of an incident and how long the business would be like to wait until notified. Most businesses would like this interval to be as close to real time as possible, but it is challenging for many to determine the best technology, methodology and investment to make in terms of CM. RISK MANAGEMENT Another issue is that both programs skirt around the topic of risk management (RM), a practice that incorporates the identification, prioritization and remediation of business specific risks. This is because the RM practice is challenging to perform well. Getting risk assessment wrong or prescribing a poor methodology are both risks unto themselves. However, risk determination is actually very important in order to mature and manage your security programs. Starting with best practices is an excellent baseline, but to truly address the needs of the 8 Comparing Security Frameworks Series: PCI 3.0 and the CSC

9 organization will require some level of risk analysis and assessment of organizational risk appetite. Again, advice here is that the organization should not rely on generic guidance for translating risk context. The organization must address its risk in a way that meets the needs of the business and the managers who run it. It is important to take a long-term approach to risk management as a discipline within the organization to bridge the communications gap that often accompanies cybersecurity practices. When a senior manager agrees on the level of risk and accompanying mitigations are well deployed, the organization can address the business issues of investment and return on investment. MATURITY CYCLE Another challenge is that of assessing the as-is investment in security program controls. That is, most organizations do not need to start from scratch, but actually build on current programs, perhaps only to refine an existing control to meet or exceed the security needs. This is a technical/security evaluation challenge and a management challenge and is not addressed by these advisories. It is a huge challenge to determine the relative maturity of a security program. This is compounded in part by the fact that most organizations in your business sector are unlikely to share security capability with one another. Plan for this management challenge because it will set the stage for strong governance and business management of security operations. CONCLUSION The value of both the PCI DSS and the Critical Security Controls is that they cover and reinforce the necessary practices for protecting against common threats to the business. In addition, there is a useful overlap between the two that can achieve both audit compliance as well as security. The advice? Consider the practices as a baseline for any risk-based security management program. Assure yourself that the overlap is due to the commonality of the threat and effectiveness of the practices promoted. Most organizations will either have a regulatory standard or suggested guidance for their industry (e.g. organization-specific standards and policy or industry regulations like PCI, GLBA, NERC, SOX, and HIPAA). However, many organizations realize over time that the required security compliance programs will not and cannot address all cybersecurity issues (such as new threats, risks and vulnerabilities, changing laws, aging guidelines and new technology) at their organization. Finally, remember that strong security is a business value, not just a cost. With the public examples emerging virtually every week, this has never been more easy to substantiate. Make security investments and defenses as relevant as possible to maximize the potential return, and like our overlap between these two frameworks, find the most strategic investments you can make that will achieve both your business and your security requirements. After all, they re beginning to look more and more the same every day. Comparing Security Frameworks Series: PCI 3.0 and the CSC 9

10 CONTROL FRAMEWORKS MAP: PCI DSS 3.0 AND THE CSC The following table maps the two frameworks together with a view to seeing what specific activities make the most sense for your organization as you work toward PCI DSS 3.0 compliance. OBJECTIVE BUILD AND MAINTAIN A SECURE NETWORK PROTECT CARDHOLDER DATA MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM PCI DSS REQUIREMENT 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendorsupplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software on all systems commonly afftected by malware 6. Develop and maintain secure systems and applications CRITICAL CONTROL CRITICAL CONTROL 13: Boundary Defense CRITICAL CONTROL 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers CRITICAL CONTROL 8: Data Recovery Capability CRITICAL CONTROL 7: Wirelress Device Control CRITICAL CONTROL 5: Malware Defenses CRITICAL CONTROL 4: Continuous Vulnerability Assessment and Remediation CRITICAL SECURITY CONTROLS CRITICAL CONTROL CRITICAL CONTROL CRITICAL CONTROL 10: Secure Configurations for Network Devices such as Firewalls, Routers and Switches CRITICAL CONTROL 11: Limitation and Control of Network Ports, Protocols, and Services CRITICAL CONTROL 19: Secure Network Engineering CRITICAL CONTROL 17: Data Loss Prevention CRITICAL CONTROL 6: Application Software Security CRITICAL CONTROL 10 Comparing Security Frameworks Series: PCI 3.0 and the CSC

11 OBJECTIVE IMPLEMENT STRONG ACCESS CONTROL MEASURES REGULARLY MONITOR AND TEST NETWORKS MAINTAIN AN INFORMATION SECURITY POLICY PCI DSS REQUIREMENT 7. Restrict access to cardholder data by business need-to-know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for all personnel CRITICAL CONTROL CRITICAL CONTROL 15: Controlled Access Based on the Need to Know CRITICAL CONTROL 12: Controlled Use of Administrative Privileges CRITICAL CONTROL 14: Maintenance, Monitoring, and Analysis of Audit Logs CRITICAL CONTROL 20: Penetration Tests and Red Team Exercises CRITICAL CONTROL 9: Security Skills Assesment and Training to Fill Gaps CRITICAL SECURITY CONTROLS CRITICAL CONTROL CRITICAL CONTROL CRITICAL CONTROL 16: Account Monitoring and Control CRITICAL CONTROL 1: Inventory of Authorized and Unauthorized Devices CRITICAL CONTROL 2: Inventory of Authorized and Unauthorized Software CRITICAL CONTROL CRITICAL CONTROL 18: Incident Response and Management uuillustration of sections from the PCI DSS and the CSC documents. The PCI DSS version 3.0 (November 2013) is available at pcisecuritystandards.org/security_standards/documents.php Find the CSC at Comparing Security Frameworks Series: PCI 3.0 and the CSC 11

12 u Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business-context, and enable security automation through enterprise integration. Tripwire s portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence. Learn more at tripwire.com. u SECURITY NEWS, TRENDS AND INSIGHTS AT TRIPWIRE.COM/BLOG u FOLLOW ON TWITTER 2014 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. WPPCICSC1a

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013 An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information

More information

THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols

THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE

More information

Looking at the SANS 20 Critical Security Controls

Looking at the SANS 20 Critical Security Controls Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

NERC CIP VERSION 5 COMPLIANCE

NERC CIP VERSION 5 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining

More information

Security Management. Keeping the IT Security Administrator Busy

Security Management. Keeping the IT Security Administrator Busy Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching

More information

The Future Is SECURITY THAT MAKES A DIFFERENCE. Overview of the 20 Critical Controls. Dr. Eric Cole

The Future Is SECURITY THAT MAKES A DIFFERENCE. Overview of the 20 Critical Controls. Dr. Eric Cole The Future Is SECURITY THAT MAKES A DIFFERENCE Overview of the 20 Critical Controls Dr. Eric Cole Introduction Security is an evolution! Understanding the benefit and know how to implement the 20 critical

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

Payment Card Industry (PCI) Data Security Standard (DSS) Motorola PCI Security Assessment

Payment Card Industry (PCI) Data Security Standard (DSS) Motorola PCI Security Assessment Payment Card Industry (PCI) Data Security Standard (DSS) Motorola PCI Security Assessment Retail establishments have always been a favorite target of thieves and shoplifters, but today s worst criminals

More information

Achieving PCI Compliance with Red Hat Enterprise Linux. June 2009

Achieving PCI Compliance with Red Hat Enterprise Linux. June 2009 Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:

More information

TRIPWIRE NERC SOLUTION SUITE

TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering

More information

Automating Compliance Reporting for PCI Data Security Standard version 1.1

Automating Compliance Reporting for PCI Data Security Standard version 1.1 PCI Compliance Reporting Solution Brief Automating Regulatory Compliance and IT Best Practices Reporting Automating Compliance Reporting for PCI Data Security Standard version 1.1 The PCI Data Security

More information

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities Sean Barnum sbarnum@mitre.org September 2011 Overview What is SCAP? Why SCAP?

More information

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask Everything You Wanted to Know about DISA STIGs but were Afraid to Ask An EiQ Networks White Paper 2015 EiQ Networks, Inc. All Rights Reserved. EiQ, the EiQ logo, the SOCVue logo, SecureVue, ThreatVue,

More information

Assessing the Effectiveness of a Cybersecurity Program

Assessing the Effectiveness of a Cybersecurity Program Assessing the Effectiveness of a Cybersecurity Program Lynn D. Shiang Delta Risk LLC, A Chertoff Group Company Objectives Understand control frameworks, assessment structures and scoping of detailed reviews

More information

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance 3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security

More information

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,

More information

North American Electric Reliability Corporation (NERC) Cyber Security Standard

North American Electric Reliability Corporation (NERC) Cyber Security Standard North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation

More information

Critical Controls for Cyber Security. www.infogistic.com

Critical Controls for Cyber Security. www.infogistic.com Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

Achieving Compliance with the PCI Data Security Standard

Achieving Compliance with the PCI Data Security Standard Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),

More information

The Value of Vulnerability Management*

The Value of Vulnerability Management* The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda

More information

ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002

ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002 ForeScout CounterACT and Compliance An independent assessment on how network access control maps to leading compliance mandates and helps automate GRC operations June 2012 Overview Information security

More information

DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA

DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA WHAT IS PCI DSS? PAYMENT CARD INDUSTRY DATA SECURITY STANDARD A SET OF REQUIREMENTS FOR ANY ORGANIZATION OR MERCHANT THAT ACCEPTS, TRANSMITS

More information

Dynamic Data Center Compliance with Tripwire and Microsoft

Dynamic Data Center Compliance with Tripwire and Microsoft Dynamic Data Center Compliance with Tripwire and Microsoft white paper Configuration Control for Virtual and Physical Infrastructures For IT, gaining and maintaining compliance with one or more regulations

More information

Franchise Data Compromise Trends and Cardholder. December, 2010

Franchise Data Compromise Trends and Cardholder. December, 2010 Franchise Data Compromise Trends and Cardholder Security Best Practices December, 2010 Franchise Data Security Agenda Cardholder Data Compromise Overview Breach Commonalities Hacking Techniques Franchisee

More information

Wasting Money on the Tools? Automating the Most Critical Security Controls. Mason Brown Director, The SANS Institute

Wasting Money on the Tools? Automating the Most Critical Security Controls. Mason Brown Director, The SANS Institute Wasting Money on the Tools? Automating the Most Critical Security Controls Bonus: Gaining Support From Top Managers for Security Investments Mason Brown Director, The SANS Institute The Most Trusted Name

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance

More information

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

Is the PCI Data Security Standard Enough?

Is the PCI Data Security Standard Enough? Is the PCI Data Security Standard Enough? By: Christina M. Freeman ICTN 6870 Advanced Network Security Abstract: This paper will present the researched facts on Payment Card Industry Data Security Standard

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

SECURITY. Risk & Compliance Services

SECURITY. Risk & Compliance Services SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

Overview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015

Overview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015 Overview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015 Tripwire Evolution 18+ Years of Innovation 1997 Tripwire File System Monitoring from open source

More information

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult

More information

Leveraging a Maturity Model to Achieve Proactive Compliance

Leveraging a Maturity Model to Achieve Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance White Paper: Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance Contents Introduction............................................................................................

More information

Professional Services Overview

Professional Services Overview Professional Services Overview INFORMATION SECURITY ASSESSMENT AND ADVISORY NETWORK APPLICATION MOBILE CLOUD IOT Praetorian Company Overview HISTORY Founded in 2010 Headquartered in Austin, TX Self-funded

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility

More information

Uncheck Yourself. by Karen Scarfone. Build a Security-First Approach to Avoid Checkbox Compliance. Principal Consultant Scarfone Cybersecurity

Uncheck Yourself. by Karen Scarfone. Build a Security-First Approach to Avoid Checkbox Compliance. Principal Consultant Scarfone Cybersecurity Uncheck Yourself Build a Security-First Approach to Avoid Checkbox Compliance by Karen Scarfone Principal Consultant Scarfone Cybersecurity Sponsored by www.firehost.com (US) +1 844 682 2859 (UK) +44 800

More information

White Paper: Consensus Audit Guidelines and Symantec RAS

White Paper: Consensus Audit Guidelines and Symantec RAS Addressing the Consensus Audit Guidelines (CAG) with the Symantec Risk Automation Suite (RAS) White Paper: Consensus Audit Guidelines and Symantec RAS Addressing the Consensus Audit Guidelines (CAG) with

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This

More information

Solving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense

Solving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense Solving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense John M. Gilligan Information systems Security Association National Capital Chapter January 19, 2010 1 Topics Background

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement

More information

Information Technology Risk Management

Information Technology Risk Management Find What Matters Information Technology Risk Management Control What Counts The Cyber-Security Discussion Series for Federal Government security experts... by Carson Associates your bridge to better IT

More information

Introduction to PCI DSS

Introduction to PCI DSS Month-Year Introduction to PCI DSS March 2015 Agenda PCI DSS History What is PCI DSS? / PCI DSS Requirements What is Cardholder Data? What does PCI DSS apply to? Payment Ecosystem How is PCI DSS Enforced?

More information

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES Aligning information with business and operational objectives ESSENTIALS Leverage EMC Consulting as your trusted advisor to move your and compliance

More information

CORE Security and GLBA

CORE Security and GLBA CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com

More information

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare

More information

Property of CampusGuard. Compliance With The PCI DSS

Property of CampusGuard. Compliance With The PCI DSS Compliance With The PCI DSS Today s Agenda PCI DSS Introduction How are Colleges and Universities Affected? How Do You Validate Compliance? Best Practices Q&A CampusGuard Full-Service QSA/ASV Firm We Know

More information

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Best Practices in ICS Security for System Operators. A Wurldtech White Paper Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

Total Protection for Compliance: Unified IT Policy Auditing

Total Protection for Compliance: Unified IT Policy Auditing Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.

More information

The Importance of Cybersecurity Monitoring for Utilities

The Importance of Cybersecurity Monitoring for Utilities The Importance of Cybersecurity Monitoring for Utilities www.n-dimension.com Cybersecurity threats against energy companies, including utilities, have been increasing at an alarming rate. A comprehensive

More information

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy: Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance

More information

Network Segmentation

Network Segmentation Network Segmentation The clues to switch a PCI DSS compliance s nightmare into an easy path Although best security practices should be implemented in all systems of an organization, whether critical or

More information

Maximizing Configuration Management IT Security Benefits with Puppet

Maximizing Configuration Management IT Security Benefits with Puppet White Paper Maximizing Configuration Management IT Security Benefits with Puppet OVERVIEW No matter what industry your organization is in or whether your role is concerned with managing employee desktops

More information

Managing Vulnerabilities For PCI Compliance

Managing Vulnerabilities For PCI Compliance Managing Vulnerabilities For PCI Compliance Christopher S. Harper Vice President of Technical Services, Secure Enterprise Computing, Inc. June 2012 NOTE CONCERNING INTELLECTUAL PROPERTY AND SOLUTIONS OF

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE ebook Series 2 Headlines have been written, fines have been issued and companies around the world have been challenged to find the resources, time and capital

More information

PCI Compliance and the Data Security Standards. A x i a. For more information visit www.axiapayments.com/pci. Your partner in payment services

PCI Compliance and the Data Security Standards. A x i a. For more information visit www.axiapayments.com/pci. Your partner in payment services PCI Compliance and the Data Security Standards Introduction The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of

More information

Need to be PCI DSS compliant and reduce the risk of fraud?

Need to be PCI DSS compliant and reduce the risk of fraud? Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction

More information

PCI COMPLIANCE GUIDE For Merchants and Service Members

PCI COMPLIANCE GUIDE For Merchants and Service Members PCI SAQ C-VT PCI COMPLIANCE GUIDE For Merchants and Service Members PCI DSS v2.0 SAQ CVT Merchant Guide 1 Contents Contents... 2 Introduction... 3 Defining an SAQ C Merchant... 3 REQUIREMENTS FOR SAQ-VT...

More information

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected. worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected. The 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS) by type Build

More information

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent

More information

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

What IT Auditors Need to Know About Secure Shell. SSH Communications Security What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic

More information

Two Approaches to PCI-DSS Compliance

Two Approaches to PCI-DSS Compliance Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,

More information

www.clickndecide.com Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on!

www.clickndecide.com Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on! Business Application Intelligence White Paper The V ersatile BI S o l uti on! Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas December 1, 2009 Sales Office: 98, route de la Reine - 92100

More information

Top 20 Critical Security Controls

Top 20 Critical Security Controls Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need

More information

SCAC Annual Conference. Cybersecurity Demystified

SCAC Annual Conference. Cybersecurity Demystified SCAC Annual Conference Cybersecurity Demystified Me Thomas Scott SC Deputy Chief Information Security Officer PMP, CISSP, CISA, GSLC, FEMA COOP Practitioner Tscott@admin.sc.gov 803-896-6395 What is Cyber

More information

Cisco SAFE: A Security Reference Architecture

Cisco SAFE: A Security Reference Architecture Cisco SAFE: A Security Reference Architecture The Changing Network and Security Landscape The past several years have seen tremendous changes in the network, both in the kinds of devices being deployed

More information

IT Security & Compliance. On Time. On Budget. On Demand.

IT Security & Compliance. On Time. On Budget. On Demand. IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

Teleran PCI Customer Case Study

Teleran PCI Customer Case Study Teleran PCI Customer Case Study Written by Director of Credit Card Systems for Large Credit Card Issuer Customer Case Study Summary A large credit card issuer was engaged in a Payment Card Industry Data

More information

Fortinet Solutions for Compliance Requirements

Fortinet Solutions for Compliance Requirements s for Compliance Requirements Sarbanes Oxley (SOX / SARBOX) Section / Reference Technical Control Requirement SOX references ISO 17799 for Firewall FortiGate implementation specifics IDS / IPS Centralized

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0 Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview

More information

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013 05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current

More information

PCI DSS Top 10 Reports March 2011

PCI DSS Top 10 Reports March 2011 PCI DSS Top 10 Reports March 2011 The Payment Card Industry Data Security Standard (PCI DSS) Requirements 6, 10 and 11 can be the most costly and resource intensive to meet as they require log management,

More information

CloudCheck Compliance Certification Program

CloudCheck Compliance Certification Program CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or

More information

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Introduction A decade or more ago, logs of events recorded by firewalls, intrusion detection systems and other network devices were

More information

PCI Solution for Retail: Addressing Compliance and Security Best Practices

PCI Solution for Retail: Addressing Compliance and Security Best Practices PCI Solution for Retail: Addressing Compliance and Security Best Practices Executive Summary The Payment Card Industry (PCI) Data Security Standard has been revised to address an evolving risk environment

More information

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0 WHITE PAPER Automating Cloud Security Control and Compliance Enforcement for 3.0 How Enables Security and Compliance with the PCI Data Security Standard in a Private Cloud EXECUTIVE SUMMARY All merchants,

More information

5 TIPS FOR MAXIMIZING THE VALUE OF YOUR SECURITY ASSESSMENT

5 TIPS FOR MAXIMIZING THE VALUE OF YOUR SECURITY ASSESSMENT 5 5 TIPS FOR MAXIMIZING THE VALUE OF YOUR SECURITY ASSESSMENT 1 Anatomy of a Security Assessment With data breaches making regular headlines, it s easy to understand why information security is critical.

More information

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Produced on behalf of New Net Technologies by STEVE BROADHEAD BROADBAND TESTING 2010 broadband testing and new net technologies

More information