Payment Card Security & IT Controls Explained

Entries tagged as ‘PCI DSS’

Audits of the future must enrich and enforce your IT Strategy

June 25, 2009

Yesterday I presented with Prat Moghe, the founder of Tizor, on the challenges faced by businesses. A broad topic, but we were primarily focused on the database administrators and those charged with the controls in place. While we went into great detail on the difficulties of manually evaluating controls in a checkbox manner (I highlighted specific concerns on Twitter, #nzdc), a more basic harm and cause emerged: most organizations have been approaching audits and controls in the wrong manner.

First off, consider what the point of the audit is. The answer is usually one of two prime responses:

  • The Federal government and our industry cohorts don’t trust how we’ll do business, so we have to demonstrate particular safeguards and operating-integrity base points to keep our operating license.
  • Management is overseeing a massively complex organism, and only through third-party verification and evaluation shall we know what in the world is right, wrong, or a complete waste.

Now both responses are right, and there is nothing wrong with leaning more toward either of these points, but there is a severe cost. Taking a checkbox approach to an audit means that the INTENT is not being satisfied (the classic “compliance does not equal security” is a prime example), and one should not be passing such audits, but that is not the focus of this post. Furthermore, conducting an audit in a manner where one simply responds and loosely ties together the controls for the sake of “the audit” every year translates to a complete loss of the savings that could be achieved from such events.

There is no doubt that audits are time consuming and resource intensive, similar to a high-stakes test. The difference is that when you take a high-stakes test and then take it again, you reuse the same information and have learned from the prior experience. Too often organizations do not carry those lessons forward, because audits are treated as one-time events and not integrated.

To be sure, auditors vary in skill, standards stretch the spectrum from prescriptive to principle-based, and management and company culture severely impact how these evaluations are viewed and addressed. It is also true that without carrying these lessons beyond the hour in which the audit occurs, errors, expense, time, and resources will forever and continually be lost.

Best Practice Advice:

Consider your audit plan for the year and how the audits can fit with your IT strategy and IT governance function as part of the company governance program. Draft a charter that reflects how these audits work toward the company’s goals, and how each audit enforces and ENRICHES the business operations.

Thoughts and contributions?

James DeLuccia IV
CIA, CISA, CISM, CISSP, CPISA, CPISM

Check out the webinar I mentioned above here; it shall be archived and viewable at your leisure.

Categories: Compliance

Federal Court fines Payment Processor for poor Business Practices

June 22, 2009

Proper business practices are a necessity in business, and when dealing with other people’s money they are paramount. The FTC has again levied a fine against a business for not doing proper due diligence on new accounts within its operations. ChoicePoint, now wholly owned by Lexis-Nexis, was previously found guilty of such practices in its infamous “breach,” where an account was set up and used to pilfer 100,000s of account records.

The latest fine is against a payment provider that did not properly follow its own guidelines for onboarding new merchants. The result was fraudulent charges against consumers of more than $2.38 million. The business has been ordered by a Federal Court to pay $1,779,000 in consumer redress and to end the illegal practices.

…the payment processor did not follow its own guidelines for new merchants and did not check addresses, phone numbers, or references the bogus merchant provided. The FTC alleged that the defendants anticipated that the scam would generate high return rates, that they did not request or obtain proof that consumers had authorized debits to their accounts, and that they continued to process charges even after receiving complaints from consumers and banks and unacceptable explanations about unauthorized debits from the merchant. The complaint alleged that more than 70 percent of the merchant’s transactions were returned or refused by the consumers’ banks

What is interesting is this: what type of risk management practices existed in the business to let this occur for so long, and what audit efforts were conducted that did not catch these deficiencies in existing controls?

Guidelines and proper business practices are NOT check boxes for the sole purpose of checking them; they are to be adhered to in a manner that ensures the operational integrity of the business and the fidelity of operations.

A great article on the power of “check lists” is available here at the New Yorker.

Best regards,

James DeLuccia IV

Categories: Compliance · IT Controls · Institute of Internal Auditors · audit · fraud · information security

Twitter, PCI DSS posts…

May 26, 2009

In preparation for a PCI DSS training seminar I am hosting this month, I uncovered a few nuggets within the PCI DSS universe that ALWAYS draw questions and concerns. Catch my 140-character contributions below. If you are not using Twitter or another search aggregator to identify updates and vulnerabilities, you are working too hard (and are in non-compliance with some regulations, PCI DSS Section 6.2, for instance). This doesn’t mean tracking persons who post personal items; rather, find and follow those that have a propensity to discuss items of interest to you! Start by searching for #PCI and go from there. Feel free to follow me, of course, and check out the SecurityTwits.

Kind regards,

James DeLuccia

Categories: Compliance · IT Controls · audit

RSA Conference Session – Beyond PCI DSS, final thoughts

May 4, 2009

RSA 2009 is finished; the vendors have packed up; the speakers have shuffled out of the lounge, and what remains is a compendium of excellent thoughts captured in real time on blogs and Twitter alike. For Twitter, search for #RSA or #RSAC; for blogs, well, hit Google or simply start here. Business-wise, the conference had lighter attendance (anecdotally) and the vendors were on the edge of Cloud | Security | Recession-Antidotes. Session-wise, they were better this year than last year: the Department of Justice presentations on data breach investigations and the Hoff on Cloudisms were quite good and worth the travels.

Last year I spoke on the Synergies of Regulations, a core tenet of my book, and this year I pushed deeper with BEYOND PCI DSS.  The session abstract for this year was:

“The payment card industry’s data security world centers blindly around PCI DSS, but that is not the only duty of companies and persons. Explore the worst and most often boggled sections of PCI DSS. Beyond PCI, discuss with peers the labyrinth of existing publications and control guidance / requirements published by government, state, and international authorities that we must address.”

PCI DSS is a very troubling issue, judging by the attendees of this session. The session was full, with a range of persons from vendors (10% of the room) to businesses complying with PCI DSS (70%), with the remainder made up of a VC and a few independents. A great bonus of RSA is that they make video recordings available online; however, my session was not part of that digital wonder, so I will try to recap a few of the strongest points below:

  • “Compliance (PCI) provides a metric to determine security – without the compliant requirements the business of security becomes stale” – Top Industry Manufacturer
  • The perception of business / security / governance / auditors is skewed towards PCI DSS (Somali pirates), and the business SLA and other regulations (great report released last week) are being placed in the back seat. PCI is part of the program for delivering operational integrity through IT infrastructure, systems, and computing processes.
  • Intensely vet the AUDITOR and less the firm. The firm conducting the audit must have fidelity, but selecting the A-Team is the predominant indicator of having a strong control environment.
  • “Convince your QSA”: when going through the audit you shouldn’t be arm wrestling over controls; these points of “negotiation” should be handled through an existing, mature, and accurate risk assessment program. Caution is needed here so as not to materially affect your ethics or those of your company. Convincing should be a mutually agreed-upon state, and not a “do this or we fire you” situation. Audits are supposed to validate compliance and / or provide a set of lenses highlighting how to enhance operations.

All quotes are in fact quotes from EVPs / CIOs who attended the session; the comments are my own.

Thank you to everyone who attended and for each that did not receive a book during the giveaway, you may find additional copies at Amazon.

Kind regards,

James DeLuccia

Categories: Compliance

Malware Controlled Systems are Pervasive

March 30, 2009


The number of computer systems in the world infected with malicious software is growing consistently and dangerously, both in quantity and in the uses chosen by those who control these software packages. This alone is making the public internet an extremely dangerous and unstable environment in which to conduct business. These infected systems threaten both consumers and businesses.

Consumers make up the majority of infected systems, so the common complaints (system errors, pop-up nuisances, identity theft, crashed applications, and generally slow network/processor performance) have some root in these malware applications. The infected systems threaten the integrity of, and confidence in, the digital environment.

Businesses are the major targets of these malware-infected systems. Their computing power is used to conduct coordinated attacks, act as gateways, harbor illegal transactions, and generally obfuscate the origin of the attacker. The more these malware hosts grow in number, the harder it is for operators of businesses to effectively shut down these attacks. Gone is the day of blocking Ukraine, Russia, and other such non-customer regions. These systems threaten the integrity of business operations and can bring about insecure and non-compliant environments.

The utility of these vast networks of computers is only just being realized through the use of the tools in GhostNet, and the distributed denial of service attacks recently conducted. In addition, these systems allow for framing an individual, business, or even country by sourcing all the attacking “guilty” systems from a specific country – such as China.

Businesses must work to secure their own operations, and greater efforts must be taken to solve the consumer malware problem. We need a “check-engine light” simple solution for consumers infected with malware.

The graphic/screenshot for this post is from an agent interface pulled down from a major commerce site last week. Deadly and simple.

Kind regards,

James DeLuccia IV

Join me and the world at RSA 2009, where I will be speaking on Credit Card Security

Categories: Compliance