CRITICAL PATH SOLUTIONS, LLC
cpsretail.com/preso/SecureAware PCI Initial - 2010 v1.2.pdf
Company Confidential
PCI Compliance Best Practices
A Strategic Management Method for Continuous Compliance and Continuous Data Security
SecureAware® from Lightwave Security
PCI Compliance Best Practices
Organizations are beginning to understand the complexity and magnitude of the effort they face in implementing PCI compliance and managing the necessary portfolio of data security controls, not only today but for the entire lifecycle of the need for data security and the requirement for PCI compliance. Forever.
PCI Compliance & Data Security Control Measures
• Maintain an Information Security Policy
• Protect Cardholder Data
• Deploy File Integrity Monitoring
• Use and Update Anti-Virus Software
• Do Not Use Vendor Supplied Passwords
• Install and Maintain Firewalls
• Develop and Maintain Secure Systems
• Maintain a Vulnerability Management System
• Restrict Access to Cardholder Data
• Encrypt Cardholder Data Across Open Networks
• Assign Specific Responsibilities
• Monitor and Test Networks
• Regularly Test Security Systems
• Track and Monitor Access to the Network and Cardholder Data
PCI Compliance - Retail System Components – In-Scope
All “system components” - defined as any network component, server, or application included in, or connected to, the cardholder data environment.

Customer Touch Point Systems
• POS Systems
• Kiosks / Self-serve
• Web Site / e-Commerce / Web Servers / Shopping Carts
• Call Centers

Store Servers / Back-Ups
• POS & Payment Applications
• Electronic Journals / Transaction Log Files
• Card Terminal / PIN Pad Devices / Applications / Security

Data Transmission
• Payment Authorization Switches / Gateways / Payment Processors

Card Settlement Systems
• Balancing / Reconciliation
• Dispute / Chargeback Research & Resolution
• Exceptions / Overrides / Voids
• Gift Card / Stored Value Balances

System Administration
• IT / User Help Desk Systems
• Network Management / Monitors / Error Recovery
• Production Support
• Change Management
• Systems & Applications Programmers
• Encryption and Key Management

Storage
• Disk Arrays
• Tape Storage
• Local Archive & Off-site

Remote Users
• Telecommuters
• Consultants / Contractors
• Various Users’ Workstation Computers
• Wireless Networks / Devices

Centralized Processing
• Enterprise Architecture / ERP Interface
• Back-Up & Fault Tolerant Systems
• Database Servers

Other Retail Systems
• Customer Service
• Order Reservations
• Delivery, Shipping & Logistics Systems
• Customer Relationship Management / Loyalty
• Returns / Inventory Systems
• Finance / Accounting
• Business Intelligence
• Fraud Prevention
• Loss Prevention
• Audit
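The scoping definition quoted on this slide, applied to an asset inventory as code. This is an added example written for this transcript, not a Critical Path Solutions or Lightwave Security tool and not part of the original deck. The inventory, segment names and permitted flows are constructed, and "connected to" is read here as an assumption: an asset is connected to the cardholder data environment (CDE) if it shares a network segment with a CDE asset or has a permitted network flow to or from one.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str               # network segment (VLAN / zone) the asset sits on
    handles_chd: bool = False  # stores, processes or transmits cardholder data


# A permitted network flow between two assets, e.g. one firewall rule.
# Direction is irrelevant for scoping: connectivity either way counts.
Flow = Tuple[str, str]


def cde(assets: Iterable[Asset]) -> Set[str]:
    """The cardholder data environment: every asset that handles CHD."""
    return {a.name for a in assets if a.handles_chd}


def in_scope(assets: List[Asset], flows: Iterable[Flow]) -> Dict[str, str]:
    """Return {asset name: reason} for every asset that is in PCI scope.

    Rule applied (the slide's definition, as read in this example): an asset
    is in scope if it is in the CDE, or is "connected to" it, meaning it
    shares a network segment with a CDE asset (nothing segments them) or has
    a permitted flow to or from a CDE asset.
    """
    by_name = {a.name: a for a in assets}
    core = cde(assets)
    scope: Dict[str, str] = {n: "CDE: handles cardholder data" for n in sorted(core)}

    # Same segment as a CDE asset: no segmentation, so connected by definition.
    cde_segments = {by_name[n].segment for n in core}
    for a in assets:
        if a.name not in scope and a.segment in cde_segments:
            scope[a.name] = f"connected: shares segment '{a.segment}' with the CDE"

    # Permitted flow with a CDE asset, in either direction.
    for src, dst in flows:
        for this, other in ((src, dst), (dst, src)):
            if other in core and this in by_name and this not in scope:
                scope[this] = f"connected: permitted flow with CDE asset '{other}'"
    return scope


def sample_inventory() -> List[Asset]:
    """Constructed inventory, loosely following the slide's in-scope categories."""
    return [
        Asset("pos-register-01", "store-lan", handles_chd=True),  # POS system
        Asset("pinpad-01", "store-lan", handles_chd=True),        # card terminal / PIN pad
        Asset("store-server", "store-lan", handles_chd=True),     # electronic journal
        Asset("payment-gateway", "dmz", handles_chd=True),        # authorization switch
        Asset("db-orders", "corp"),                               # order reservations
        Asset("bi-warehouse", "corp"),                            # business intelligence
        Asset("helpdesk", "corp"),                                # IT / user help desk
        Asset("tape-library", "backup"),                          # tape storage
    ]


def flat_network_scope() -> Dict[str, str]:
    """Same inventory collapsed onto one flat segment: everything is in scope."""
    flat = [Asset(a.name, "flat", a.handles_chd) for a in sample_inventory()]
    return in_scope(flat, flows=[])


def segmented_scope() -> Dict[str, str]:
    """Segmented network with an explicit list of permitted flows."""
    flows: List[Flow] = [
        ("store-server", "payment-gateway"),  # authorization traffic
        ("store-server", "tape-library"),     # backups of the electronic journal
        ("helpdesk", "store-server"),         # remote support into the store
        ("db-orders", "bi-warehouse"),        # reporting, never touches the CDE
    ]
    return in_scope(sample_inventory(), flows)


if __name__ == "__main__":
    for label, result in (("flat network", flat_network_scope()),
                          ("segmented network", segmented_scope())):
        print(f"== {label}: {len(result)} of {len(sample_inventory())} assets in scope ==")
        for name, why in result.items():
            print(f"  {name:16} {why}")
```

The flat run shows why an unsegmented store network drags every system on this slide into scope; the segmented run keeps the help desk and tape library in scope because they have permitted flows to the store server, and drops the order database and BI warehouse. Two caveats the code does not model: assessors also treat systems that can affect the security of the CDE (directory services, patch and anti-virus management, central logging) as in scope even without a cardholder data flow, and a segment is only out of scope once the segmentation has been verified rather than assumed.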
Many existing program management approaches have proven ineffective, and unsustainable for the long term.
SECUREAWARE® from LIGHTWAVE SECURITY
A Strategic Management approach to PCI Compliance
A purpose-built automated system to align IT Security and Compliance activities with the goals of the enterprise and provide Total Oversight and Management of the PCI Compliance Process
• Establish a framework for Policy, Risk Management, Process Management, and Controls Management
• Provide the ability to measure progress toward articulated Compliance and Data Security goals
• Streamline the effort and make Compliance:
  - More efficient, available and transparent
  - Produce a higher quality work product
  - Repeatable, Sustainable, Demonstrable and Believable
SECUREAWARE® from LIGHTWAVE SECURITY
SecureAware® is an IT Governance, Risk Management and Compliance (IT GRC) solution
• IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization's strategies and objectives.
COBIT 4.1
• Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories: effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations.
COSO Internal Controls-Integrated Framework
• GRC can serve as the model to drive business performance and achieve regulatory compliance in an environment in which these two outcomes must be managed strategically and with agility.
KPMG - 2010
CONTINUOUS COMPLIANCE
PCI Compliance… for the long haul.
SECUREAWARE® from LIGHTWAVE SECURITY
Automates the process of organizing, managing and reporting PCI DSS compliance across an organization's entire enterprise: payment devices, applications, systems infrastructure, security processes and technology, and users.
SecureAware manages each of the PCI Compliance & Data Security Control Measures listed above as a set of tasks, through two functions: Compliance Analysis and Compliance Workflow.
Compliance Management
Centralized system for total oversight of PCI Compliance
PCI DSS requirements spawn a portfolio of tasks related to: payment devices, applications, infrastructure, security processes and technology, and users
Tasks are organized, assigned, tracked, monitored and documented
Dashboard view of entire compliance process status
Repeatable, consistent, efficient methodology to assure, validate, and report compliance - continuously
Compliance Analysis
• Enforce Policy
• Compliance gap analysis
• Risk-based model
• Self-assessment
• Internal audit
• QSA Assessment Tool
Assessment of a secure state and compliance is continuously available and ready to be validated by your internal audit team or by your QSA.
Information Security Policy Management
Centralized, single source for creating, maintaining and communicating PCI security policies, procedures and goals
• Properly documented, executive management endorsed
• Roles and responsibilities defined
• Create Policies with Expert Guidance
  - Based on existing corporate policy
  - Augmented with industry best practices
  - Create policies based on industry standards (PCI, COBIT, ISO 27001)
• Import and reuse related existing documents
Security Awareness Training
Comprehensive security awareness training is a fundamental control within an effective security program.
SecureAware® provides:
• Integrated e-Learning system
• Information Security Curriculum included
• Easily author new or customized curricula
• Complete Management Reporting
  - Course subscription, progress, completion status
  - Performance scoring
  - Audit trails of all awareness activities
Risk Management
• Identification, assessment, and prioritization of risks
• Decision support for economical application of resources to minimize, monitor, and control the probability and impact of unfortunate events
• Effective method for evaluating security investments
• Simplifies complex statistical analysis
[Slide formula: an expected value of information (EVI) expression, a maximum over conditional terms of the form p(r_j | V_i); the formula is garbled beyond recovery in extraction]
Business Continuity Planning (BCP)
Organize and manage the security breach incident response plan required by PCI DSS Requirement 12.9.1: procedures, roles and contacts.
Critical Path Solutions Professional Services
Management Consulting
IT Security and Compliance
• Architecture Design
• Gap Analysis
• Controls Planning & Integration
• Policy Development
• Training Customization
• Risk Management
  - Framework & Profile Design
SecureAware Delivery
System Design
• Strategy Formulation
• Program Plan Development
  - Milestone Targets
  - Progress Measurement
System Deployment
• Installation
• Integration
• Implementation
  - Process Conversion
  - Data Transfer
• Report Development
• Audit / Assessment Support
CONTINUOUS COMPLIANCE
Total Oversight and Management of the PCI Compliance Process
Consolidate all PCI management activities into a single system for verifiable security and sustained compliance.