Payment Card Security & IT Controls Explained

Entries categorized as ‘FERC’

U.S. Markets Competitive (again?) - SOX and company are good

June 22, 2007 · No Comments

Ernst & Young’s global survey released today indicated that, despite popular press and political dancing (Paulson Interim Report, Bloomberg/Schumer Report), the U.S. IS, in fact, competitive. This is despite the existence of a strongly regulated market, one where SOX, at full strength, did not, apparently, hurt U.S. market prospects. The study showed that the U.S. generated the largest number of IPOs in 2006, and raised $34.1 billion.

In addition to a stellar 2006, 2007 is shaping up to be another blockbuster year, with the first quarter opening strongly. Plus, massive private-equity IPOs (Blackstone, Carlyle, etc…) can only bolster the market as a whole new type of financial industry comes online.

“The fourth quarter of 2006 was the busiest for IPO activity by U.S. companies since 1999, raising $12.4 billion in 72 IPOs,” said Maria Pinelli, Americas Strategic Growth Markets Leader at Ernst & Young LLP. “In 2007, U.S.-based company activity continues to feed into the U.S. stock markets, which also attract key international IPOs, particularly in knowledge-driven sectors like technology and healthcare. Deal sizes are larger than ever and private equity is backing many of them.”

E&Y has some great additional details regarding the study, and I encourage everyone to review the data. The importance of this information is that it represents a quantifiable demonstration of the impacts of a heavily regulated financial market on the preference of companies to “go public”.

The past several months have seen massive debate regarding regulations such as SOX and their negative impacts. These papers, while supported by well-researched financial data, are not consistent with the market performance and the entrance of companies into the public markets. A simple search via Google News will present the volumes of debate regarding SOX and competitiveness in the U.S.

The takeaway - Companies are going public in the U.S. within a heavily regulated environment. The U.S. markets may be more expensive to operate within as a company, but the upside from massive amounts of equity and a more transparent operational norm appears to be better for everyone. This conclusion has also been supported by several academic studies recently highlighted in the WSJ.

A tangent from internal controls, but highly valuable as the question of regulation and controls comes under fire.

James

Categories: Compliance · FERC · GLBA · NERC · Sarbanes-Oxley · State Laws · regulations · sox

New format - New Feature

May 16, 2007 · No Comments

As the hundreds of non-RSS readers know, a few days ago I switched the theme of this site to a simpler and easier-to-read layout. So, if you were tired of the dark fonts and murky background, please come by and let me know your feedback. I will still focus on PCI DSS, of course, but will be continuing to expand the topics covered on this site to include global IT control regulations. What does that mean? Well, any standard, whether U.S., EU, or anywhere else, will be given some room. I will attempt to not merely repeat the obvious when news breaks, but instead focus on posting intelligent perspectives on the changes around the world.

Another change to the site is the “NEWS Feed” on the right-hand side of this site. Please check it out, and feel free to subscribe to it as an RSS feed too. The NEWS Feed is my filter on what is important around the globe on the above topics. I sort through literally hundreds of posts, news items, client emails, and service provider information in an attempt to clear out the noise.

It is a new year (my fiscal year clearly is not following the Dec 31 date), and the plan for this site is simple. Keep posting helpful information whenever possible, and don’t simply post to post. On a personal note, I will update the Press Release page and About soon - and look forward to everyone’s comments and suggestions.

Always,

James DeLuccia IV

Categories: CoBIT · Compliance · FERC · GLBA · IT Controls · ITIL · NERC · PCI DSS · ROI · Risk Management · Sarbanes-Oxley · Security · State Laws · regulations · sox

SCADA Information Security Adoption, by James J. DeLuccia IV

November 14, 2006 · No Comments

The replacement of dial-up modems with digital always-on internet connections is nearing complete saturation in the United States (to the point that AOL *gives* away its service depending on whether you are on dial-up or broadband), on the consumer side and in the business realm. This shift to always-on has tremendous benefits in all aspects of business, but especially for organizations that operate equipment that is critical (at least to their business, if not to the general population - such as electricity generation).

This topic focuses on organizations that are subject to FERC and NERC mandates. NERC’s mission statement:

“NERC’s mission is to ensure that the bulk electric system in North America is reliable, adequate and secure. Since its formation in 1968, NERC has operated successfully as a self-regulatory organization, relying on reciprocity and the mutual self-interest of all those involved.” www.nerc.com

NERC, until recently, could not require (i.e. mandate) compliance with information security standards, as it was a voluntary organization. Although it has done a tremendous job of sharing information and furthering the stability and safety of bulk electric systems (for which I am thankful, as my stack of gadgets would be worthless without said power), the recent Energy Act signed into law provided the necessary support. The Act, among other things, allows FERC to mandate that NERC requirements are adhered to across the country. FERC is, in essence, the federal version of NERC, without getting into a large Visio chart.

NERC initially issued a security standard that was referred to as 1200. This standard was recently replaced with CIPs 1-9. It is important to realize this fact, because these CIPs were all reviewed, approved, and accepted by the council and the enforcement group. CIP stands for “Critical Infrastructure Protection”, and the standards include the following topics:

CIP-002-1 Critical Cyber Asset Identification
CIP-003-1 Security Management Controls
CIP-004-1 Personnel & Training
CIP-005-1 Electronic Security Perimeter(s)
CIP-006-1 Physical Security of Critical Cyber Assets
CIP-007-1 Systems Security Management
CIP-008-1 Incident Reporting and Response Planning
CIP-009-1 Recovery Plans for Critical Cyber Assets

I excluded CIP-001-1 Sabotage Reporting, as that standard has not yet been officially adopted. There is a phase-in plan for implementation, and regulatory compliance audits will happen right afterwards - overseen by FERC.

Overall, the standards are not complicated, overburdensome, or unclear. These standards are very specific to the electric systems, and to the risks the SCADA systems become exposed to by being interconnected with corporate networks and the internet. Despite recent postings at Threat Chaos stating the opposite, the U.S. bulk electric system has (finally) adopted a security standard, has the necessary teeth to enforce it (thanks Mr. Bush), and with real penalties on the line, adoption is the most profitable and appropriate response.

Recently I worked with a major bulk electric provider in the South East, and created a very nice breakdown of the controls (technical and relevant to their infrastructure / topology) that meet the specified requirements. This crosswalk allowed the client to meet their upstream and downstream counterparts’ requirements with a single response - totally eliminating duplicate testing and wasted efforts. I have seen others use such a method, but was hoping for some feedback on the acceptance of this practice across the electric industry / others. If others have experience in this space, please post away below!! Depending on interest I will post the crosswalk.
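To make the crosswalk idea concrete, here is a small added example (my illustration, not the author’s crosswalk or any client’s data). It maps each implemented control to every requirement it satisfies across more than one requirement set, then inverts that map to answer two questions an auditor or counterparty asks: which requirements have no control behind them (gaps), and which controls produce evidence that answers several requirement sets at once (the “single response”). The NERC CIP numbers are the ones listed in the post; the control names and the counterparty requirement IDs (CP-01 to CP-04) are constructed for illustration.

```python
"""Control crosswalk: one control's evidence answering several requirement sets.

Added example, not the post author's crosswalk. NERC CIP identifiers are
those listed in the post; control names and the COUNTERPARTY set are
constructed placeholders.
"""
from collections import defaultdict

# Requirement sets to be answered. "NERC" lists the CIP standards from the
# post; "COUNTERPARTY" is a constructed stand-in for an upstream/downstream
# partner's questionnaire.
REQUIREMENT_SETS = {
    "NERC": {
        "CIP-002-1": "Critical Cyber Asset Identification",
        "CIP-003-1": "Security Management Controls",
        "CIP-004-1": "Personnel & Training",
        "CIP-005-1": "Electronic Security Perimeter(s)",
        "CIP-006-1": "Physical Security of Critical Cyber Assets",
        "CIP-007-1": "Systems Security Management",
        "CIP-008-1": "Incident Reporting and Response Planning",
        "CIP-009-1": "Recovery Plans for Critical Cyber Assets",
    },
    "COUNTERPARTY": {  # constructed
        "CP-01": "Asset inventory maintained",
        "CP-02": "Network boundary enforcement",
        "CP-03": "Incident reporting to partners within agreed time",
        "CP-04": "Background checks for staff with system access",
    },
}

# Implemented controls (constructed) and the requirements each one satisfies.
CONTROLS = {
    "asset-register": {"CIP-002-1", "CP-01"},
    "firewall-esp": {"CIP-005-1", "CP-02"},
    "ir-plan": {"CIP-008-1", "CP-03"},
    "hr-screening": {"CIP-004-1", "CP-04"},
    "security-policy": {"CIP-003-1"},
    "patching-baseline": {"CIP-007-1"},
}


def build_crosswalk(controls):
    """Invert control -> requirements into requirement -> set of controls."""
    crosswalk = defaultdict(set)
    for control, reqs in controls.items():
        for req in reqs:
            crosswalk[req].add(control)
    return dict(crosswalk)


def find_gaps(requirement_sets, crosswalk):
    """Requirements in each set that no implemented control maps to."""
    return {
        name: sorted(req for req in reqs if req not in crosswalk)
        for name, reqs in requirement_sets.items()
    }


def shared_evidence(controls, requirement_sets):
    """Controls whose evidence answers requirements in more than one set.

    These are the controls that let one response serve several audits.
    """
    shared = {}
    for control, reqs in controls.items():
        covered = {name for name, rset in requirement_sets.items() if reqs & set(rset)}
        if len(covered) > 1:
            shared[control] = sorted(covered)
    return shared


def response_for(requirement, crosswalk):
    """Controls to cite when a counterparty asks about one requirement."""
    return sorted(crosswalk.get(requirement, ()))


if __name__ == "__main__":
    cw = build_crosswalk(CONTROLS)
    for name, missing in find_gaps(REQUIREMENT_SETS, cw).items():
        print(f"{name}: unmet requirements -> {missing or 'none'}")
    for control, sets in shared_evidence(CONTROLS, REQUIREMENT_SETS).items():
        print(f"{control} answers {', '.join(sets)}")
    print("CP-02 ->", response_for("CP-02", cw))
```

With the constructed data, the gap report shows CIP-006-1 and CIP-009-1 with no control mapped, which is exactly what a reviewer wants surfaced before an audit rather than during it; everything else is answered once and reused.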

Best regards,

James DeLuccia IV

Categories: Compliance · FERC · IT Controls · NERC · Risk Management · Security · regulations