CRITICAL PATH SOLUTIONS, LLC
cpsretail.com/preso/SecureAware PCI Initial - 2010 v1.2.pdf

Transcript of "SecureAware PCI Initial - 2010 v1.2" (20 pages)

Page 1:

CRITICAL PATH SOLUTIONS, LLC

Page 2:

Company Confidential
CRITICAL PATH SOLUTIONS, LLC

PCI Compliance Best Practices

A Strategic Management Method for

Continuous Compliance and Continuous Data Security

SecureAware® from Lightwave Security

Page 3:

PCI Compliance Best Practices

Organizations are beginning to understand the complexity and magnitude of the effort they face in implementing PCI Compliance and managing the necessary portfolio of data security controls.

That effort applies today, and for the entire lifecycle of the essential need for data security and the requirement for PCI Compliance. It does not end.

Page 4:

PCI Compliance & Data Security Control Measures

• Install and Maintain Firewalls
• Do Not Use Vendor Supplied Passwords
• Protect Cardholder Data
• Encrypt Cardholder Data Across Open Networks
• Use and Update Anti-Virus Software
• Develop and Maintain Secure Systems
• Maintain a Vulnerability Management System
• Restrict Access to Cardholder Data
• Assign Specific Responsibilities
• Track and Monitor Access to the Network and Cardholder Data
• Regularly Test Security Systems
• Monitor and Test Networks
• Deploy File Integrity Monitoring
• Maintain an Information Security Policy

Page 5:

PCI Compliance - Retail System Components – In-Scope

All “system components” - defined as any network component, server, or application included in, or connected to, the cardholder data environment.

Customer Touch Point Systems
• POS Systems
• Kiosks / Self-serve
• Web Site / e-Commerce / Web Servers / Shopping Carts
• Call Centers

Store Servers / Back-Ups
• POS & Payment Applications
• Electronic Journals / Transaction Log Files
• Card Terminal / PIN Pad Devices / Applications / Security

Data Transmission
• Payment Authorization
• Switches / Gateways / Payment Processors

Card Settlement Systems
• Balancing / Reconciliation
• Dispute / Chargeback Research & Resolution
• Exceptions / Overrides / Voids
• Gift Card / Stored Value Balances

System Administration
• IT / User Help Desk Systems
• Network Management / Monitors / Error Recovery
• Production Support
• Change Management
• Systems & Applications Programmers
• Encryption and Key Management

Storage
• Disk Arrays
• Tape Storage
• Local Archive & Off-site

Remote Users
• Telecommuters
• Consultants / Contractors
• Various Users’ Workstation Computers
• Wireless Networks / Devices

Centralized Processing
• Enterprise Architecture / ERP Interface
• Back-Up & Fault Tolerant Systems
• Database Servers

Other Retail Systems
• Customer Service
• Order Reservations
• Delivery, Shipping & Logistics Systems
• Customer Relationship Management / Loyalty
• Returns / Inventory Systems
• Finance / Accounting
• Business Intelligence
• Fraud Prevention
• Loss Prevention
• Audit

Page 6:

Many existing program management approaches have proven ineffective, and unsustainable for the long term.

Page 7:

SECUREAWARE® from LIGHTWAVE SECURITY

A Strategic Management approach to PCI Compliance

A purpose-built automated system to align IT Security and Compliance activities with the goals of the enterprise and provide Total Oversight and Management of the PCI Compliance Process

• Establish a framework for Policy, Risk Management, Process Management, and Controls Management
• Provide the ability to measure progress toward articulated Compliance and Data Security goals
• Streamline the effort and make Compliance:
  - More efficient, available and transparent
  - Produce a higher quality work product
  - Repeatable, Sustainable, Demonstrable and Believable

Page 8:

SECUREAWARE® from LIGHTWAVE SECURITY

SecureAware® is an IT Governance, Risk Management and Compliance (IT GRC) solution

• IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization's strategies and objectives.

COBIT 4.1

• Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories: effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations.

COSO Internal Controls-Integrated Framework

• GRC can serve as the model to drive business performance and achieve regulatory compliance in an environment in which these two outcomes must be managed strategically and with agility.

KPMG - 2010

Page 9:

SECUREAWARE® from LIGHTWAVE SECURITY

Page 10:

CONTINUOUS COMPLIANCE

PCI Compliance…

for the long haul.

Page 11:

SECUREAWARE® from LIGHTWAVE SECURITY

Automates the process of organizing, managing and reporting PCI DSS compliance across an organization's entire enterprise:

• Payment devices
• Applications
• Systems infrastructure
• Security Processes and Technology
• Users

Page 12:

SecureAware Manages Controls as Tasks for:

• Install and Maintain Firewalls
• Do Not Use Vendor Supplied Passwords
• Protect Cardholder Data
• Encrypt Cardholder Data Across Open Networks
• Use and Update Anti-Virus Software
• Develop and Maintain Secure Systems
• Maintain a Vulnerability Management System
• Restrict Access to Cardholder Data
• Assign Specific Responsibilities
• Track and Monitor Access to the Network and Cardholder Data
• Regularly Test Security Systems
• Monitor and Test Networks
• Deploy File Integrity Monitoring
• Maintain an Information Security Policy

Compliance Analysis
Compliance Workflow

Page 13:

Compliance Management

• Centralized system for total oversight of PCI Compliance
• PCI DSS requirements spawn a portfolio of tasks related to: payment devices, applications, infrastructure, security processes and technology, users
• Tasks are organized, assigned, tracked, monitored and documented
• Dashboard view of entire compliance process status
• Repeatable, consistent, efficient methodology to assure, validate, and report compliance - continuously

Page 14:

Compliance Analysis

• Enforce Policy
• Compliance gap analysis
• Risk-based model
• Self-assessment
• Internal audit
• QSA Assessment Tool

Assessment of a secure state and compliance is continuously available and ready to be validated by your internal audit team or by your QSA.

Page 15:

Information Security Policy Management

Centralized, single source for creating, maintaining and communicating PCI security policies, procedures and goals
• Properly documented, executive management endorsed
• Roles and responsibilities defined

Create Policies with Expert Guidance
• Based on existing corporate policy
• Augmented with industry best practices
• Create policies based on industry standards (PCI, COBIT, ISO 27001)
• Import and reuse related existing documents

Page 16:

Security Awareness Training

Comprehensive security awareness training is a fundamental control within an effective security program.

SecureAware® provides:

• Integrated e-Learning system
• Information Security Curriculum included
• Easily author new or customized curricula
• Complete Management Reporting
  - Course subscription, progress, completion status
  - Performance scoring
  - Audit trails of all awareness activities

Page 17:

Risk Management

• Identification, assessment, and prioritization of risks
• Decision support for economical application of resources to minimize, monitor, and control the probability and impact of unfortunate events
• Effective method for evaluating security investments
• Simplifies complex statistical analysis

[Formula on slide: an expected value of information (EVI) expression written with probabilities p, payoffs V and a max over alternatives; it did not survive text extraction.]
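The slide describes risk management as decision support for the economical application of resources: which controls remove the most expected loss for the money. The following is an added example, not SecureAware or Critical Path Solutions code, showing that decision in working form. It uses annualized loss expectancy (incident rate times loss per incident) rather than the expected-value-of-information formula on the slide, and every risk, rate, loss figure, control and cost in it is a constructed illustrative number, not data from the presentation.

```python
"""Risk-based prioritization of PCI control spending.

Added example, not SecureAware or Critical Path Solutions code. Ranks
candidate controls by expected annual loss removed per dollar, then
builds a control portfolio under a budget. All risks, rates, losses,
controls and costs below are constructed illustrative numbers.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    annual_rate: float       # expected incidents per year
    loss_per_event: float    # expected loss per incident, USD

    def ale(self) -> float:
        """Annualized loss expectancy with no controls applied."""
        return self.annual_rate * self.loss_per_event


@dataclass
class Control:
    name: str
    annual_cost: float
    # fraction by which the control cuts the incident rate of each named risk
    rate_reduction: dict[str, float] = field(default_factory=dict)
    # fraction by which it cuts the loss per incident of each named risk
    loss_reduction: dict[str, float] = field(default_factory=dict)


def residual_ale(risk: Risk, controls) -> float:
    """ALE of one risk after a set of controls. Reductions compound
    multiplicatively, so overlapping controls show diminishing returns."""
    rate, loss = risk.annual_rate, risk.loss_per_event
    for c in controls:
        rate *= 1.0 - c.rate_reduction.get(risk.name, 0.0)
        loss *= 1.0 - c.loss_reduction.get(risk.name, 0.0)
    return rate * loss


def total_ale(risks, controls=()) -> float:
    return sum(residual_ale(r, controls) for r in risks)


def rank_controls(risks, candidates, selected=()):
    """Score each unselected candidate by marginal ALE reduction per
    dollar, given the controls already selected. Returns a list of
    (roi, reduction, control) tuples, best first."""
    base = total_ale(risks, selected)
    scored = []
    for c in candidates:
        if c in selected:
            continue
        reduction = base - total_ale(risks, (*selected, c))
        scored.append((reduction / c.annual_cost, reduction, c))
    scored.sort(key=lambda t: t[0], reverse=True)
    return scored


def select_within_budget(risks, candidates, budget: float):
    """Greedy portfolio: repeatedly add the best-ROI control that still
    fits the budget and removes more expected loss than it costs."""
    selected, spent = [], 0.0
    while True:
        affordable = [
            t for t in rank_controls(risks, candidates, selected)
            if spent + t[2].annual_cost <= budget and t[1] > t[2].annual_cost
        ]
        if not affordable:
            return selected
        _, _, best = affordable[0]
        selected.append(best)
        spent += best.annual_cost


# Constructed scenario for a retailer's cardholder data environment.
RISKS = [
    Risk("POS malware exfiltrates card data", 0.2, 2_000_000),
    Risk("Default vendor password on store server", 0.5, 300_000),
    Risk("Unencrypted backup tape lost in transit", 0.1, 500_000),
]
CONTROLS = [
    Control("Config management: rotate vendor defaults", 15_000,
            rate_reduction={"Default vendor password on store server": 0.9}),
    Control("File integrity monitoring on POS", 40_000,
            rate_reduction={"POS malware exfiltrates card data": 0.5}),
    Control("Encrypt backup tapes", 20_000,
            loss_reduction={"Unencrypted backup tape lost in transit": 0.95}),
    Control("Segment the cardholder network", 120_000,
            rate_reduction={"POS malware exfiltrates card data": 0.4,
                            "Default vendor password on store server": 0.5}),
    Control("Annual awareness training", 300_000,
            rate_reduction={"POS malware exfiltrates card data": 0.1}),
]

if __name__ == "__main__":
    print(f"Untreated ALE: ${total_ale(RISKS):,.0f}")
    for roi, reduction, c in rank_controls(RISKS, CONTROLS):
        print(f"  {c.name:45s} removes ${reduction:>9,.0f}/yr  ROI {roi:4.2f}")
    chosen = select_within_budget(RISKS, CONTROLS, budget=100_000)
    print("Portfolio within $100k:", [c.name for c in chosen])
    print(f"Residual ALE: ${total_ale(RISKS, chosen):,.0f}")
```

Two points the numbers make that the slide only asserts: the cheapest control (rotating vendor defaults) has the best return even though it addresses a smaller risk, and network segmentation, which removes the most loss in isolation, drops below its own cost once the other controls are in place, because its effect overlaps theirs. Re-scoring after each selection is what captures that overlap.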

Page 18:

Business Continuity Planning (BCP)

Organize & Manage Security Breach Incident Plans: Procedures, Roles, Contacts

PCI DSS Requirement 12.9.1 (in PCI DSS v1.2 this is the requirement to create an incident response plan for a system breach; business recovery and continuity procedures are one of the elements that plan must address).

Page 19:

Critical Path Solutions Professional Services

Management Consulting

IT Security and Compliance
• Architecture Design
• Gap Analysis
• Controls Planning & Integration
• Policy Development
• Training Customization
• Risk Management
  - Framework & Profile Design

SecureAware Delivery

System Design
• Strategy Formulation
• Program Plan Development
  - Milestone Targets
  - Progress Measurement

System Deployment
• Installation
• Integration
• Implementation
  - Process Conversion
  - Data Transfer
• Report Development
• Audit / Assessment Support

Page 20:

CONTINUOUS COMPLIANCE
Total Oversight and Management of the PCI Compliance Process

Consolidate all PCI management activities into a single system for verifiable security and sustained compliance.