Virtualization Impact on Compliance and Audit
|
|
- Dwight Douglas
- 8 years ago
- Views:
Transcription
1 2009 Reflex Systems, LLC Virtualization Impact on Compliance and Audit Michael Wronski, CISSP VP Product Management Reflex Systems
2 Agenda Introduction Virtualization? Cloud? Risks and Challenges? Compliance PCI and Virtualization Call to Action Q&A
3 What is Virtualization? Virtualization Layer Application Server Oracle Print File Web Application Operating System Hardware Configuration Virtualization Server
4 What is Virtualization? Virtualization Technology: Hypervisor software emulates physical IT infrastructure, inside of a physical server: Virtualization Layer Virtual servers Virtual Networks Virtualization Benefits: Server consolidation one box instead of many Homogeneous Guest HW configuration Better resource utilization, efficiency Green Power / Cooling / Space Virtualization Server Easier deployment, manageability Better service quality, expense control, ROI
5 Virtualization Market Maturity How many physical servers in your data center run virtualization software? In 2009, on how many additional servers will you deploy virtualization software? Participants: Choices Selected: 598 Total Responses: 598 What percentage of your virtual machines is used for production applications in a production environment? Source: Virtualization Decisions 2009 Survey by TechTarget
6 Virtualization Production Maturity Which applications run within virtual machines? Value Count Percent % Application server % Web server % Network infrastructure services (e.g., DNS, DHCP, firewalls, Active Directory, etc.) % Databases for development % Production databases % % End user home directories/file and print % Business intelligence % Over the next year, how will your use of virtual machines in production change? Customer relationship management (CRM)/sales automation % End user desktops % Enterprise resource planning (ERP) % None % antivirus Source: Virtualization Decisions 2009 Survey by TechTarget
7 What is the Cloud? Cloud computing is a model for enabling convenient, on demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Source NIST Draft Cloud is NOT Virtualization
8 Cloud Service Models Service Model Definition Considerations Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as a Service (SaaS) Capability to provision processing, storage, networks and other fundamental computing resources, offering the customer the ability to deploy and run arbitrary software, which can include operating systems and applications. IaaS puts these IT operations into the hands of a third party. End user has no control over the underlying infrastructure. Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider Capability to use the provider s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based ). Availability Confidentiality Privacy and legal liability in the event of a security breach (as databases housing sensitive information will now be hosted offsite) Data/Application ownership Geographic Location Source:
9 Virtualization Security Risks Goal of security is to ensure the confidentiality, integrity and availability of information. Virtualization security issues include: Introduction of a new software layer Lack of policy enforcement Data theft and interception Unauthorized access Threat detection and mitigation Confidentiality Availability Integrity
10 Compliance Challenges Visibility and Transparency Challenges Change Management Network Visibility Network Segmentation Compliance Goals Separation of Duty
11 Visibility and Transparency Visibility Basis for All management and security activity Virtualization can create voids in information Transparency Basis of Compliance Audit Stakeholder Confidence Enables Cloud
12 Change Management Primary Problem Change is EASY Documentation Infrastructure Topology Audit Run Book Automation Security Authorization Audit Compliance Evidence
13 Network Visibility Virtualization Creates blind spots virtual networks Existing tools may not be sufficient Regulatory Requirements PCI DSS Pending HIPAA Changes Reconfiguration is trivial
14 Segmentation Same Traditional Reasons Classification / Data Sensitivity Regulation What s Different? Commodity Computing Shared Resource Damage is multiple of Consolidation Ratio Easy to combine data of different sensitivities
15 Separation of Duty Domain Separation Infrastructure Infrastructure Networking Storage Audit Virtual Administrator Sys Admin System Admin Security Why? Checks and Balances Compliance Security How? Apps w/rbac Domain Specific Views
16 Compliance Drivers Internal Policy Regulatory Policy PCI SOX HIPAA Reflex Systems Change Management Audit Evidence & Reporting Network Controls Infrastructure Policy & Control
17 Overview of the PCI DSS o Payment Card Industry Data Security Standard (PCI DSS) o A multifaceted security standard that is intended to help organizations that store, manage, or process payment card information to proactively protect customer account data. o Developed by the PCI Security Standards Council o Founded by AMEX, Discover, JCB, MasterCard, and Visa o Global forum for development, enhancement, storage, dissemination and implementation of security standards for cardholder account data protection o The PCI Security Standards Council s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. ** Reflex is not a Certified PCI QSA. This information is based on our industry experience and opinion
18 PCI DSS Requirements Twelve high-level compliance requirements 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for employees and contractors PCI DSS v1.2 released October 2008 Contains +220 specific requirements For more info
19 Virtualization s Impact on PCI PCI DSS does not specifically address virtualization Unique challenges faced by organizations that choose to deploy virtualization technology within its PCI environment Traditional security processes and tools Not adequate for protecting and monitoring virtualized environments Focus on managing higher layers of the network No visibility inside virtualized environments Some organizations have misinterpreted PCI DSS to mean that virtualization is incompatible with PCI DSS compliance There are challenges but with the right approach, PCI compliance is in reach
20 Network Segmentation and Monitoring Requirement 1- Install and Maintain a Firewall Configuration to Protect Cardholder Data Sub requirements 1.1, 1.2, Issue: Can virtual firewalls be deployed to meet these requirements and provide appropriate segregation? Virtual switches on the same host cannot exchange packets within the VM Virtual firewalls may be configured to allow data exchange Proper configuration is critical to avoid unauthorized traffic between virtual switches Policy enforcement must be based on defined security policies
21 Network Segmentation and Monitoring (continued) Requirement 2.2 Develop configuration standards for all system components Sub requirements 2.2.1, , 2.2.3, Implement only one primary function per server. Mistaken belief that prohibits all virtualization What is intent of the requirement? Real risk is unauthorized access to CHD through a compromise of guest-tohost or guest-to-guest segmentation Intent can still be achieved through appropriate segmentation and policy monitoring and enforcement Determined on case-by-case basis by PCI QSA s
22 Patch Management and Change Control Requirement 5 Use and regularly update ant-virus software and programs. Sub requirement 5.2 Requirement 6 - Develop and maintain secure systems and applications. Sub requirements 6.1, 6.2 Extremely simple to deploy, copy, store, and move VM s All deployed VM s must conform to PCI requirements when deployed Risks Anti-virus updates and patches may not be deployed to VM s Use of snapshot and rollback" features may revert a VM to unpatched and therefore non-compliant state VM image files with CHD may not be adequately controlled Traditional network monitoring tools may not have visibility within the VM environment Best practice - continuous monitoring and periodic audits
23 Auditing and Logging Requirement Implement automated audit trails for all system components. Sub requirements , , Native software tools may not be adequate to meet the audit, configuration, management, and ongoing log monitoring of virtualized environments Don t forget to log and store hypervisor configuration settings and administration rights Auditing and logging can consume resources - CPU cycles, memory, disk space and network bandwidth Consider storing all host log files on a secure remote syslog server
24 Security Testing Requirement 11- Regularly Test Security Systems and Processes Sub requirements 11.3 and 11.4 Penetration testing Must address unique risks associated with virtual environments Traditional IDS/IPS may not be adequate for VM s Need to monitor traffic within the VM Emerging threats unique to virtual environments May require specialized detection and mitigation
25 Policy Enforcement Requirement Assign information security management responsibilities Sub requirements and Many organizations fail to implement this requirement appropriately Virtual environments may require application aware monitoring Must have appropriate context to assess potential security threats and attacks
26 Call to Action Does your enterprise use virtualization? Any regulated components virtualized? What steps have been taken specific to virtualization? Updated Process / Procedures? New Compensating Controls? Virtualization Specific Audit / Monitoring tools?
27 About Reflex ISV Focused on Virtualization First to market with Reflex Virtual Security Appliance (VSA) in 2006 Highly scalable integrated management platform (Chosen by Savvis in 2009) Management, compliance regulation and auditing for virtual infrastructure Network visibility, control, and policy management and enforcement Security through network segmentation and infrastructure policy VMware VMsafe Certified Solution Recognized award-winning leader in the virtualization ecosystem
28 Reflex Cloud Command & Control Enable Cloud Computing Command & Control Enforce Business, IT & Security Policies Data Center Public/Private Cloud Ensure Security, Compliance & Audit Requirements Improve Efficiency & Agility Increase Flexibility & Scalability
29 Enterprise Management Capabilities Change Control Revision every change of virtual infrastructure Who/What/When Remediate, Automate, Self Heal Infrastructure Security Dynamic Security Policy VMsafe Capable Management Improved Mean Time to Innocence Performance, Network Services, Alarm Management, SOD Scale Large scale environments Quickly Search, Find, and Automate Decisions (VQL)
30 Thank You! Web: Mike Wronski
Josiah Wilkinson Internal Security Assessor. Nationwide
Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges
More informationPCI Data Security Standards
PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million
More informationTop 10 PCI Concerns. Jeff Tucker Sr. Security Consultant, Foundstone Professional Services
Top 10 PCI Concerns Jeff Tucker Sr. Security Consultant, Foundstone Professional Services About Jeff Tucker QSA since Spring of 2007, Lead for the Foundstone s PCI Services Security consulting and project
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationHow To Comply With The Pci Ds.S.A.S
PCI Compliance and the Data Security Standards Introduction The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of
More informationCloudCheck Compliance Certification Program
CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or
More informationPCI Compliance. Top 10 Questions & Answers
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
More informationHow To Achieve Pca Compliance With Redhat Enterprise Linux
Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving
More informationNet Report s PCI DSS Version 1.1 Compliance Suite
Net Report s PCI DSS Version 1.1 Compliance Suite Real Security Log Management! July 2007 1 Executive Summary The strict requirements of the Payment Card Industry (PCI) Data Security Standard (DSS) are
More informationARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE
ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance
More informationManaging Cloud Computing Risk
Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify
More informationStrategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008
Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008 Matthew T. Davis SecureState, LLC mdavis@securestate.com SecureState Founded in 2001, Based on Cleveland Specialized
More informationHow To Protect Your Cloud From Attack
A Trend Micro White Paper August 2015 Trend Micro Cloud Protection Security for Your Unique Cloud Infrastructure Contents Introduction...3 Private Cloud...4 VM-Level Security...4 Agentless Security to
More informationPCI Overview. PCI-DSS: Payment Card Industry Data Security Standard
PCI-DSS: Payment Card Industry Data Security Standard Why is this important? Cardholder data and personally identifying information are easy money That we work with this information makes us a target That
More informationwww.clickndecide.com Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on!
Business Application Intelligence White Paper The V ersatile BI S o l uti on! Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas December 1, 2009 Sales Office: 98, route de la Reine - 92100
More informationOverview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin
Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director
More informationPreparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015.
Preparing an RFI for Protecting cardholder data is a critical and mandatory requirement for all organizations that process, store or transmit information on credit or debit cards. Requirements and guidelines
More informationSecuring Oracle E-Business Suite in the Cloud
Securing Oracle E-Business Suite in the Cloud November 18, 2015 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation Agenda The
More informationSECTION: SUBJECT: PCI-DSS General Guidelines and Procedures
1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationAchieving PCI Compliance Using F5 Products
Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity
More informationMarch 2012 www.tufin.com
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
More informationPCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com
PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement
More informationPCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility
More informationPCI Compliance in Oracle E-Business Suite
PCI Compliance in Oracle E-Business Suite May 14, 2015 Mike Miller Chief Security Officer Integrigy Corporation David Kilgallon Oracle Integration Manager CardConnect Moderated by Phil Reimann, Director
More informationPCI Compliance for Cloud Applications
What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage
More informationCyber - Security and Investigations. Ingrid Beierly August 18, 2008
Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities
More informationMitigating Information Security Risks of Virtualization Technologies
Mitigating Information Security Risks of Virtualization Technologies Toon-Chwee, Wee VMWare (Hong Kong) 2009 VMware Inc. All rights reserved Agenda Virtualization Overview Key Components of Secure Virtualization
More informationPCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationSecureGRC TM - Cloud based SaaS
- Cloud based SaaS Single repository for regulations and standards Centralized repository for compliance related organizational data Electronic workflow to speed up communications between various entries
More informationArchitecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud
Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP Principal Systems Engineer Security Specialist Agenda What is the Cloud? Virtualization Basics
More informationPCI Data Security Standards (DSS)
ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants
More informationTotal Cloud Protection
Total Cloud Protection Data Center and Cloud Security Security for Your Unique Cloud Infrastructure A Trend Micro White Paper August 2011 I. INTRODUCTION Many businesses are looking to the cloud for increased
More informationPayment Card Industry Data Security Standard (PCI DSS) v1.2
Payment Card Industry Data Security Standard (PCI DSS) v1.2 Joint LA-ISACA and SFV-IIA Meeting February 19, 2009 Presented by Mike O. Villegas, CISA, CISSP 2009-1- Agenda Introduction to PCI DSS Overview
More informationStrategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security
Strategic Compliance & Securing the Cloud Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Complexity and Challenges 2 Complexity and Challenges Compliance Regulatory entities
More informationTrend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard
Partner Addendum Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware-certified
More informationACCEPTING PAYMENT CARD ASSESSMENT Pre-Selection Questionnaire
ACCEPTING PAYMENT CARD ASSESSMENT Pre-Selection Questionnaire Overview This pre-implementation questionnaire is designed to provide the Boston College Internal Audit Department with a general understanding
More informationPCI Compliance for Large Computer Systems
PCI Compliance for Large Computer Systems Jeff Jilg, Ph.D. atsec information security August 3, 2010 3:00pm Session 6990 About This Presentation About PCI assessment Structure and requirements of the program
More informationWhite Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI
White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:
More informationSecure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services
Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services Udo Schneider Trend Micro Udo_Schneider@trendmicro.de 26.03.2013
More informationSECURITY MODELS FOR CLOUD 2012. Kurtis E. Minder, CISSP
SECURITY MODELS FOR CLOUD 2012 Kurtis E. Minder, CISSP INTRODUCTION Kurtis E. Minder, Technical Sales Professional Companies: Roles: Security Design Engineer Systems Engineer Sales Engineer Salesperson
More informationKeith Luck, CISSP, CCSK Security & Compliance Specialist, VMware, Inc. kluck@vmware.com
1 Keith Luck, CISSP, CCSK Security & Compliance Specialist, VMware, Inc. kluck@vmware.com Agenda Cloud Computing VMware and Security Network Security Use Case Securing View Deployments Questions 2 IT consumption
More informationThoughts on PCI DSS 3.0. September, 2014
Thoughts on PCI DSS 3.0 September, 2014 Speaker Today Jeff Sanchez is a Managing Director in Protiviti s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen s Technology
More informationPCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers.
PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers. White Paper January 2013 1 INTRODUCTION The PCI SSC (Payment
More informationFORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY
FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account
More informationVormetric Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard
Partner Addendum Vormetric Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware-certified
More informationField Processing of Credit Cards: Solving Credit and Collections Issues
January 23, 2008 Field Processing of Credit Cards: Solving Credit and Collections Issues Robert Sarfi Roger Schneider RSarfi@BoreasGroup.us Roger.Schneider@smeco.coop (720) 220-6213 (301) 274-4317 Mike
More informationPCI Compliance in a Virtualized World
PCI Compliance in a Virtualized World Security Technology Infrastructure Security Integration 24x7 Support MSS Training Information Assurance Staff Augmentation Presenters John Clark QSA, PMP, CISA, CISSP
More informationPCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
SOLUTION BRIEF PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP The benefits of cloud computing are clear and compelling: no upfront investment, low ongoing costs, flexible capacity and fast application
More informationPresented By: Bryan Miller CCIE, CISSP
Presented By: Bryan Miller CCIE, CISSP Introduction Why the Need History of PCI Terminology The Current Standard Who Must Be Compliant and When What Makes this Standard Different Roadmap to Compliance
More informationCredit Cards and Oracle E-Business Suite Security and PCI Compliance Issues
Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues August 16, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy
More informationPCI DATA SECURITY STANDARD OVERVIEW
PCI DATA SECURITY STANDARD OVERVIEW According to Visa, All members, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard. In order to be PCI compliant,
More informationPCI Security Compliance
E N T E R P R I S E Enterprise Security Solutions PCI Security Compliance : What PCI security means for your business The Facts Comodo HackerGuardian TM PCI and the Online Merchant Overview The Payment
More informationCredit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600
Credit Cards and Oracle: How to Comply with PCI DSS Stephen Kost Integrigy Corporation Session #600 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle
More informationWhite Paper. Understanding & Deploying the PCI Data Security Standard
White Paper Understanding & Deploying the PCI Data Security Standard Executive Overview The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard designed to help organizations
More informationDon Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer
Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud
More informationBAE Systems PCI Essentail. PCI Requirements Coverage Summary Table
BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationLogRhythm and PCI Compliance
LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent
More informationBecoming PCI Compliant
Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History
More informationCautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work
Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture
More informationSecure Multi Tenancy In the Cloud. Boris Strongin VP Engineering and Co-founder, Hytrust Inc. bstrongin@hytrust.com
Secure Multi Tenancy In the Cloud Boris Strongin VP Engineering and Co-founder, Hytrust Inc. bstrongin@hytrust.com At-a-Glance Trends Do MORE with LESS Increased Insider Threat Increasing IT spend on cloud
More informationPCI Standards: A Banking Perspective
Slide 1 PCI Standards: A Banking Perspective Bob Brown, CISSP Wachovia Corporate Information Security Slide 2 Agenda 1. Payment Card Initiative History 2. Description of the Industry 3. PCI-DSS Control
More informationPCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014
PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions
More informationSAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP
SAQ D Compliance Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP Ground Rules WARNING: Potential Death by PowerPoint Interaction Get clarification Share your institution s questions, challenges,
More informationAHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS
AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals
More informationPrivate Cloud Database Consolidation with Exadata. Nitin Vengurlekar Technical Director/Cloud Evangelist
Private Cloud Database Consolidation with Exadata Nitin Vengurlekar Technical Director/Cloud Evangelist Agenda Private Cloud vs. Public Cloud Business Drivers for Private Cloud Database Architectures for
More informationAchieving Compliance with the PCI Data Security Standard
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
More informationMaintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com
Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance
More informationPCI Data Security Standard 3.0
SECURELY ENABLING BUSINESS PCI Data Security Standard 3.0 Training Strategies That Work Presented by Doug Hall May 20, 2014 AGENDA PCI DSS 3.0 Training Strategies That Work PCI DSS 3.0 Overview PCI Training
More informationPCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants
Appendix 2 PCI DSS Payment Card Industry Data Security Standard Merchant compliance guidelines for level 4 merchants CONTENTS 1. What is PCI DSS? 2. Why become compliant? 3. What are the requirements?
More informationVaronis Systems & The Payment Card Industry Data Security Standard (PCI DSS)
CONTENTS OF THIS WHITE PAPER Overview... 1 Background... 1 Who Needs To Comply... 1 What Is Considered Sensitive Data... 2 What Are the Costs/Risks of Non-Compliance... 2 How Varonis Helps With PCI Compliance...
More informationSecurity & Cloud Services IAN KAYNE
Security & Cloud Services IAN KAYNE CloudComponents CLOUD SERVICES Dynamically scalable infrastructure, services and software based on broad network accessibility NETWORK ACCESS INTERNAL ESTATE CloudComponents
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationYou Can Survive a PCI-DSS Assessment
WHITE PAPER You Can Survive a PCI-DSS Assessment A QSA Primer on Best Practices for Overcoming Challenges and Achieving Compliance The Payment Card Industry Data Security Standard or PCI-DSS ensures the
More informationHow To Protect Virtualized Data From Security Threats
S24 Virtualiza.on Security from the Auditor Perspec.ve Rob Clyde, CEO, Adap.ve Compu.ng; former CTO, Symantec David Lu, Senior Product Manager, Trend Micro Hemma Prafullchandra, CTO/SVP Products, HyTrust
More informationCHEAT SHEET: PCI DSS 3.1 COMPLIANCE
CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,
More informationData Security & PCI Compliance & PCI Compliance Securing Your Contact Center Securing Your Contact Session Name :
Data Security & PCI Compliance Securing Your Contact Center Session Name : Title Introducing Trevor Horwitz Pi Principal, i TrustNet t trevor.horwitz@trustnetinc.com John Simpson CIO, Noble Systems Corporation
More informationNavigate Your Way to PCI DSS Compliance
Whitepaper Navigate Your Way to PCI DSS Compliance The Payment Card Industry Data Security Standard (PCI DSS) is a series of IT security standards that credit card companies must employ to protect cardholder
More informationHow To Become A Pca Compliant Organization
Compliance Management Merchant Guide 2012 Stay Clear Of Fraud Are You Concerned About Data Security Risks? Security is a duty. Companies should remember that they are being trusted by consumers with their
More informationWHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI
WHITEPAPER Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI About PCI DSS Compliance The widespread use of debit and credit cards in retail transactions demands
More informationTeleran PCI Customer Case Study
Teleran PCI Customer Case Study Written by Director of Credit Card Systems for Large Credit Card Issuer Customer Case Study Summary A large credit card issuer was engaged in a Payment Card Industry Data
More informationTNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business
TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment
More informationNETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015
NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X
More information3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance
3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security
More informationPuzzled about PCI compliance? Proactive ways to navigate through the standard for compliance
Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com
More informationPayment Card Industry Data Security Standards
Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This
More informationPCI Compliance Overview
PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)
More informationWHITE PAPER. PCI Basics: What it Takes to Be Compliant
WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through
More informationAutomating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0
WHITE PAPER Automating Cloud Security Control and Compliance Enforcement for 3.0 How Enables Security and Compliance with the PCI Data Security Standard in a Private Cloud EXECUTIVE SUMMARY All merchants,
More informationKey Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationThe Private Cloud Your Controlled Access Infrastructure
White Paper: Private Clouds The ongoing debate on the differences between a Public and Private Cloud are broad and often loud. The bottom line is that it s really about how the resource, or computing power,
More informationA Rackspace White Paper Spring 2010
Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry
More informationOWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect
OWASP Chapter Meeting June 2010 Presented by: Brayton Rider, SecureState Chief Architect Agenda What is Cloud Computing? Cloud Service Models Cloud Deployment Models Cloud Computing Security Security Cloud
More informationAnd Take a Step on the IG Career Path
How to Develop a PCI Compliance Program And Take a Step on the IG Career Path Andrew Altepeter Any organization that processes customer payment cards must comply with the Payment Card Industry s Data Security
More informationJohn Essner, CISO Office of Information Technology State of New Jersey
John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management
More informationPayment Card Industry Data Security Standard Explained
Payment Card Industry Data Security Standard Explained Agenda Overview of PCI DSS Compliance Levels and Requirements PCI DSS in More Detail Discussion, Questions and Clarifications Overview of PCI-DSS
More information