Entries categorized as ‘IT Controls’
I am a strong believer in group “live” training experiences where I am in a room with individuals who have different perspectives, challenges, and questions. Unfortunately, the real world keeps spinning and constant training is not always possible, so the web (yes… that which gives and takes) has online training. For those unaware, there are several very good free online training seminars for PCI DSS. In fact, the one I am highlighting is “sponsored” by MasterCard.
After free registration - the simplest I have yet to see - you are provided with a list of sessions to listen to, or you can download the PDFs! You can currently find nearly a dozen sessions here. They cover the following topics:
- Maximize Internal Preparation for PCI DSS New!, by Mathieu Gorge – CEO Vigitrust
- Network Segmentation New!, Mark Lippman – Senior Partner, Arsenal Security Group
- Data Encryption: Understanding Encryption and PCI DSS New!, by Gerard Onorato and Jeffrey Foresman
- An Introduction to the PCI Security Standards Council, by Bob Russo – General Manager, PCI Security Standards Council
- A Detailed Look at PCI DSS Requirements, by Andrew Henwood - Director of Operations, One-SEC/Trustwave
- A look into the new Self Assessment Questionnaire, by Jennifer Mack – Vice President, MasterCard Worldwide
- A Merchant’s Journey towards PCI Compliance, by Alexander Grant, General Manager British Airways
- Understanding Account Data Compromise, by A. Bryan Sartin - Vice President Investigative Response, Verizon Business
- Preparing for a Successful PCI Assessment, Lessons from the Field, by Michael Walter – Senior Partner, Arsenal Security Group
- Reducing Your Risk: A Look Into PCI Vulnerability Scanning, by John Bartholomew – Vice President, Security Metrics
- Security and the Payments Systems, By John Verdeschi – Vice President, MasterCard Worldwide and Jeremy King – Vice President, MasterCard Worldwide
- Compliance Validation & Beyond, by Sally Ramadan - MasterCard Worldwide
I have gone through several thus far, and my comments on a few are as follows:
- Maximize Internal Preparation - Helpful. Core message: set up a diverse team with senior management, and leverage your QSA’s experience
- Understanding Account Data Compromise - Educational. Great walk-through! Check out Michael Dahn’s excellent ongoing articles on the carder market
Check out the online webinars here. I am sure there are many others, so please add them below in the comments to help everyone!
Best,
James DeLuccia
Categories: Compliance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · Security
In the mail I received an early copy of the “2008 Report to the Nation on Occupational Fraud and Abuse” from the Association of Certified Fraud Examiners. The 2006 report has represented the de facto standard for qualitative fraud calculations and risk mitigation efforts. While there is no substitute for reading the full report, I will highlight the following key areas - Audience, Nuggets, and Action items.
Audience:
The report is written both for those who have fraud responsibilities within the organization and for those who own assets worth exploiting. Therefore the audience I see (beyond the obvious fraud professionals) includes:
- Chiefs - CFO, CRO (Chief Risk Officer), CAO, CIO, CISO
- Business Owners - VP, Directors
- Team Leaders - of small teams
Nuggets:
- 67 pages of facts sum up 959 cases of occupational fraud
- 7% of annual revenues are lost due to fraud (up from 6% two years ago)
- In the U.S. that is approximately $994 Billion in fraud losses
- 25% of the sampled frauds caused a million or more in damages
- Tips identified 46.2% of all frauds
- Small businesses suffer fraud more frequently (39.1% of all frauds) and suffer greater losses (nearly double those of a public company)
- Independent audit of financial statements was the most common control, yet nearly the worst at mitigating fraud (a high-error area where the perception of accountability does not match reality)
- Most Effective Controls: Internal Audit, Surprise Audits, Management review of Internal Controls and Fraud Hotlines
Action items:
- Re-prioritize internal controls to address fraud
- Identify what roles are truly accountable for fraud detection (i.e., address the perception vs. reality conundrum)
- Emphasize employee training on fraud recognition, on the safeguards (whistleblower policies) and on the mechanisms (confidential hotlines)
- Institute a mature process that follows up on all leads completely and objectively (the damages of a fraud grow over time, so quick elimination of identified fraud has strong rewards)
- Establish Surprise Audits and mandatory job rotation
Again, this ACFE report is incredibly valuable and should be a cornerstone of any control environment. Segments may be adopted today and into the future. In addition, the ability to eliminate subjective values in risk calculations is tremendous.
Kind regards,
James DeLuccia IV
Looking forward to seeing everyone at the ACFE 19th Annual Fraud Conference next week in Boston. My session on Best and Worst IT controls is on Monday!
Categories: Compliance · IT Controls · ROI · Risk Management · audit · regulations
Business ebbs and flows in most industries, and unless you are demonstrating true value it is hard to respond positively when management must make hard decisions. If technology services are not demonstrating value - i.e., they are not in alignment with what the business needs, or there is waste throughout the system - perhaps a healthy dose of self evaluation is in order. To that point I want to elaborate on an INC. magazine article to which I contributed, entitled “Instituting Security Metrics” by Lora Shinn.
There are two lines of thought I want to explore: the first is how Security Metrics *can* enhance the value of the technology environment, and the other is how they can save the business.
Enhance Value:
Security Metrics are any measure of the organization’s efforts to safeguard the assets of the corporation. These may be sensitive information databases, actual hardware devices, the staff, or any number of categories depending on your business. It is important to recognize that these are “a part of” a greater measurement effort within your business. It is 100% certain that your business is currently calculating ROI, ROA, ROE, and hundreds of other metrics relating to finance, employee turnover, customer satisfaction, competitive industry scorecards, and even compensation baselines. These existing performance, governance, and business metrics can provide the technology group with a sufficient methodology and format when preparing similar security metrics.
In order to enhance value to an organization, technologists must be able to:
- Justify the technology deployed
- Identify important assets within the architecture
- Measure what the business requires of these assets.
Only at this point can action be taken. The “action” referred to here may include decommissioning unnecessary hardware, eliminating specific redundant architectures, insourcing or outsourcing specific functions, or transforming the operations to a fully distributed platform.
The end result is a technology services group that achieves optimal balance between mission and cost thereby providing meaningful impacts to both the top and bottom line of the financial statements.
Saving the Business:
Loss of sensitive data, downtime due to forensic investigations or viruses, government and industry partner fines, loss of customers, and loss of confidence with business partners are the results of security failing. Security metrics must consider the inputs into these risks for the business and appropriately mitigate each as necessary. In future postings and in a recent research briefing I will elaborate on these important points.
Check out the article here, and please post your comments on how you feel security metrics should be positioned, and which are your favorites.
Best,
James DeLuccia
Categories: IT Controls · ROI · Security
The cost of fraud to an organization is approximately 6% of an organization’s revenues each year. This is an astounding figure calculated by the Association of Certified Fraud Examiners using a global survey, and supported by several other international and independent authorities. A great means of reducing both known and unknown damages to an organization is the establishment of a preventive health-check system.
The establishment of clear accountability, responsibility, upper management support, and clear awareness of areas of high risk is fundamental to every organization. In IT Compliance and Controls this is discussed in detail under Principle 1 - Tone at the Top and Principle 3 - Human Resources. As a great supplement to the book’s In Practice guidance, the ACFE makes available an excellent Prevention Check List for business leaders.
The document is very simple and has immediate benefits. There are careful guidelines recommended when conducting such efforts that should be embraced. The need for such checklists exists independently of PCI and similar regulations, as fraud is present around the world - consider SocGen (Reports 1-3 detail the fraud!) and WorldCom.
Check out the checklist here today, bring your general counsel on board, and determine how you can increase your revenues by 6% today.
Best,
James DeLuccia
A special thanks to the ACFE for making this freely available without registration.
Categories: IT Controls · fraud
Structuring and maintaining an integrated risk management process can be daunting, and despite the tremendous amount of documentation surrounding the topic, most organizations are still in the early years of maturity. A common challenge that organizations face is the identification of roles. The assignment of roles depends greatly on the structure and culture of your business, and therefore any method you adopt must respect these unique attributes. While developing a structure for a client I came across ENISA’s efforts and found them to be quite practical.
Classic roles for integrating risk management with operations must include:
- Senior Management/Board of Directors
- This role is accountable for inventing Risk Management in the organization, defining the basic participating roles, creating and communicating risk awareness, as well as deciding on the degree of risk tolerance of the organization. The Senior Management will not be directly responsible for any of the Risk Management processes (since it does not execute them) and hence does not appear as a role in any of the swimlanes in the model.
- Risk Manager
- The Risk Manager is chiefly responsible for the definition, structuring, implementation, and coordination of Risk Management in the organization. The Risk Manager can be an individual or a group, which may be hierarchically organized (local, global Risk Manager).
- Risk Owner
- The Risk Owner is usually an officer in a business unit/functional unit. The Risk Owner is responsible for dealing with risks in his business unit. The main task of this role is to implement Risk Management processes according to the guidelines defined by the Senior Management and the Risk Manager. Often the role is assigned to the same person as the role Domain Expert (especially in smaller organizations), due to a flat organizational hierarchy.
- Internal Audit
- Internal Audit is responsible for monitoring the Risk Management processes. Events are tracked and the processes are evaluated against the previously created Risk Management plans.
- Domain Expert
- The role Domain Expert is responsible for assisting the management of risks by delivering input from a specific domain perspective (consulting role). His special knowledge about a particular domain in the organisation serves as a basis for identifying and treating the specific risks in that area. Additionally, the role participates in the process of monitoring the risks. The Domain Expert may be an internal or external (consultant) person. Due to his role specification he will not be responsible for any of the Risk Management processes and hence not appear as a role in any of the swimlanes in the model. Often the Domain Expert role is assigned to the same person as the Risk Owner role (especially in smaller organisations), due to a flat organisational hierarchy.
The ENISA RM/RA Framework is presented as HTML files exported from ADOit. This allows users to navigate but not edit the contents. Check out ENISA’s site to see the output. Organizations should consider the steps that must be taken in order to properly construct such a visualization - identifying the processes, determining the flow of information between the activities, and finally relating data to activities. This simple process will rapidly mature your organization’s understanding of cross dependencies and criticality, while providing a method of communication.
Best,
James DeLuccia
Categories: Compliance · IT Controls · Risk Management