Entries tagged as ‘PCI DSS’
As mentioned in prior posts, Cloud security, and addressing the risks that exist (both the new risks and the new tools to address them), is fundamental to a successful and beneficial use of Cloud provider environments. The RSA London conference highlighted several strong documents that help frame best practices for cloud security. The two most commonly referenced were:
A nice article (October 2009, “Amazon EC2 attack prompts customer support changes”) posted on TechTarget highlights the denial of service attack against a website hosted on AWS EC2. Check out the article here. Overall, the results of this attack were very promising for instilling confidence in Amazon AWS, but they also highlight the duties and next steps in evolving beyond simply “starting instances” on the Cloud. A few key points that jumped off the screen and should be carefully considered:
- “The problem was that no one could see the complete picture…” AWS took 18 hours to respond to the attack, primarily because the backend AWS environment (internal IP traffic) was just fine while the outside, public-facing IP was bogged down.
- AWS responded immediately to fix the issue, demonstrating their dedication to ensuring a great operating environment.
- The target organization acknowledged that “they weren’t taking full advantage of AWS’s unique characteristics” to reduce the impact of this type of attack. Indeed, it is the availability of new enterprising environments and access to a broad set of resources that makes the Cloud such a rich platform.
- There are ways and means of improving the operational integrity of solutions leveraging the Cloud, but it requires, as Peter DeSantis, VP of AWS EC2, states, that “customers take proactive measures, such as distributing instances for redundancy and safety. He said that there were distinct advantages in a cloud computing environment that many weren’t aware of or haven’t learned about…We are underplaying tools that are at people’s disposal…”
- A great set of lessons is further elaborated in the article. An additional observation: no other customer operating environments were reportedly impacted, which speaks very positively for Amazon’s architecture and current deployment.
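Two of the points above come down to checks a customer can run on their own side: the visibility gap (internal traffic healthy while the public-facing path is saturated) and DeSantis’s advice to distribute instances for redundancy. The Python below is an added example written for this page; it is not code from the TechTarget article or from AWS. It compares probe results from an internal and an external vantage point and flags the case where only the public path is degraded, and it checks whether a set of instances actually spans more than one zone. All probe latencies, instance ids and zone names are constructed sample data, not values from the article.

```python
"""Added example (not from the original post): two checks that follow from the
EC2 incident lessons above.

1. Compare availability as seen from inside the provider network with
   availability as seen from the public Internet, so an outage that only
   affects the public-facing path is noticed instead of hidden by a healthy
   internal view.
2. Check that instances are actually spread across more than one zone, since
   "distributing instances for redundancy" only helps once it has been done.

All probe results and instance records below are constructed sample data;
the zone names, instance ids and thresholds are assumptions, not values
from the article.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Probe:
    vantage: str                 # "internal" or "external"
    latency_ms: Optional[float]  # None means the probe timed out


def vantage_health(probes: Iterable[Probe], vantage: str,
                   slow_ms: float = 500.0, max_fail_ratio: float = 0.2) -> str:
    """Summarise one vantage point as 'healthy', 'degraded' or 'unknown'.

    A vantage is degraded when more than max_fail_ratio of its probes timed
    out, or when the median latency of the successful probes exceeds slow_ms.
    """
    samples = [p for p in probes if p.vantage == vantage]
    if not samples:
        return "unknown"
    failures = sum(1 for p in samples if p.latency_ms is None)
    if failures / len(samples) > max_fail_ratio:
        return "degraded"
    latencies = [p.latency_ms for p in samples if p.latency_ms is not None]
    if latencies and median(latencies) > slow_ms:
        return "degraded"
    return "healthy"


def visibility_verdict(probes: List[Probe]) -> str:
    """Combine both vantage points into one statement about what monitoring
    would have seen. The interesting case is the one from the article:
    internal healthy, external degraded."""
    internal = vantage_health(probes, "internal")
    external = vantage_health(probes, "external")
    if internal == "healthy" and external == "degraded":
        return "external-only degradation: internal monitoring alone would miss this"
    if internal == "degraded" and external == "degraded":
        return "service degraded from all vantage points"
    if internal == "degraded" and external == "healthy":
        return "internal path degraded while public path is fine"
    return "healthy from all vantage points"


def zone_distribution(instances: Dict[str, str], min_zones: int = 2) -> Dict[str, object]:
    """Count instances per zone and flag placement that spans fewer than
    min_zones zones. `instances` maps instance id -> zone name."""
    per_zone = Counter(instances.values())
    return {"per_zone": dict(per_zone), "redundant": len(per_zone) >= min_zones}


# Constructed sample: backend looks fine from inside, public path is saturated.
SAMPLE_PROBES = [
    Probe("internal", 12.0), Probe("internal", 15.0), Probe("internal", 11.0),
    Probe("internal", 14.0), Probe("internal", 13.0),
    Probe("external", None), Probe("external", 2400.0), Probe("external", None),
    Probe("external", 1900.0), Probe("external", None),
]

# Constructed sample: every instance in one zone despite "redundancy" on paper.
SAMPLE_INSTANCES = {"i-example-1": "zone-a", "i-example-2": "zone-a", "i-example-3": "zone-a"}

if __name__ == "__main__":
    print(visibility_verdict(SAMPLE_PROBES))
    print(zone_distribution(SAMPLE_INSTANCES))
```

The thresholds are deliberately simple; the point is that the external vantage is evaluated on its own rather than averaged together with the internal one, which is exactly how a saturated public path stays hidden behind healthy backend numbers.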
Other thoughts and concerns?
Best,
James DeLuccia IV
Categories: Compliance
Tagged: 2009, best practices, cloud computing, Compliance, denial of service attacks, it compliance and controls, IT Controls, PCI DSS, regulation, rsa, Security, virtualization
In a recent article for the Payment Card Industry magazine, Secure Payments, I introduced the conceptual idea of Information Technology Governance as a bicycle wheel, with the organization made up of the spokes (representing all initiatives: contractual, regulated, competition-necessitated) and the rounded wheel depicting the operating strategy of the business, fully integrated and interdependent. Check out the article here online (starting on page 24), or join the SPSP and receive complimentary copies in the mail. I distinguish the challenges of organizations focusing on single regulations as a means of orchestrating their security and compliance programs. The concept of creating a custom control framework is articulated and broken down in IT Compliance and Controls, which I published last year with John Wiley and Sons (for those looking for greater discussion and practical advice).
Why is that wrong? To extend upon the article’s points: the information technology operations of a business are unique to every business, as unique as the culture of the business. While the parts that make up the information technology (routers, switches, clouds, software, etc.) are common to every business, their combination and implementation make up the competitive advantage of the business. So, if following one regulation is not appropriate for all businesses, is it appropriate for those within that particular industry? Simply answered, no.
The organization, in the instance of PCI DSS, is susceptible to many different risks. These risks relate to geography, staffing, operational decisions, and factors external to the business. Each standard is conceived under the premise that, for a single assumed environment, XYZ are the risks and the appropriate mitigating responses. This premise falls apart when additional concerns, assets, and risks are introduced.
IT Strategy and Governance must constitute a merging of business aptitude with technology capability. This is a topic we will revisit with greater specifics and tools to achieve this objective. Thoughts / Concerns?
Kind regards,
James DeLuccia IV
Categories: Compliance
Tagged: best practices, Compliance, fisma, grid computing, it compliance and controls, IT Controls, pci, PCI DSS, regulation, Security, virtualization
Yesterday I presented with Prat Moghe, the founder of Tizor, on the challenges faced by businesses. A broad topic, but we were primarily focused on the database administrators and those charged with the controls in place. While we went into great detail on the difficulties of manually evaluating controls in a checkbox manner, and I highlighted specific concerns on Twitter (#nzdc), a more basic harm and cause emerged: most organizations have been approaching audits and controls in the wrong manner.
- First off, consider: what is the point of the audit? The answer is likely one of two prime responses:
  - The point is that the Federal government and our industry cohorts don’t trust how we do business, so we have to demonstrate particular safeguards and operating-integrity baselines to keep our operating license.
  - The second may be that management is overseeing a massively complex organism, and only through third-party verification and evaluation shall we know what in the world is right, wrong, or a complete waste.
Both responses are right, and there is nothing wrong with leaning toward either of these points, but there is a severe cost. Taking a checkbox approach to an audit means that the INTENT is not being satisfied (the classic “compliance does not equal security” is a prime example), and one should not be passing such audits, but that is not the focus of this post. Furthermore, conducting an audit in a manner where one simply responds and ties the controls loosely together for the sake of “the audit” every year translates to a complete loss of the savings that could be achieved from such events.
There is no doubt that audits are time consuming and resource intensive, similar to a high-stakes test. The difference is that when you take a high-stakes test and then take it again, you reuse the same information and have learned from the prior experience. Too often organizations do not carry those lessons forward, because audits are treated as one-time events and are not integrated.
To be sure, auditors vary in skill, standards stretch the spectrum from prescriptive to principle-based, and management and company culture severely impact how these evaluations are viewed and addressed. It is also true that without carrying these lessons beyond the hour the audit occurs, errors, expense, time, and resources will forever and continually be lost.
Best Practice Advice:
Consider your audit plan for the year and how the audits can fit with your IT strategy and IT governance function as part of the company governance program. Draft a charter that reflects how these audits work toward the company’s goals, and how each audit enforces and ENRICHES the business operations.
Thoughts and contributions?
James DeLuccia IV
CIA, CISA, CISM, CISSP, CPISA, CPISM
Check out the webinar I mentioned above here; it shall be archived and viewable at your leisure.
Categories: Compliance
Tagged: audit, best practices, Compliance, database, ffiec, it compliance and controls, IT Controls, onsite audit, pci, PCI DSS, regulatory, Security, sox, tizor, twitter
Proper business practices are a necessity in business, and when dealing with other people’s money they are paramount. The FTC has again levied a fine against a business for not doing proper due diligence on new accounts within its operations. ChoicePoint, now wholly owned by Lexis-Nexis, was previously found guilty of such practices in its infamous “breach”, where an account was set up and 100,000s of account records were pilfered.
The latest fine is against a payment provider that did not properly follow its own guidelines for onboarding new merchants. The result was fraudulent charges against consumers of more than $2.38 million. The business has been ordered by a Federal Court to pay $1,779,000 in consumer redress and to end the illegal practices.
…the payment processor did not follow its own guidelines for new merchants and did not check addresses, phone numbers, or references the bogus merchant provided. The FTC alleged that the defendants anticipated that the scam would generate high return rates, that they did not request or obtain proof that consumers had authorized debits to their accounts, and that they continued to process charges even after receiving complaints from consumers and banks and unacceptable explanations about unauthorized debits from the merchant. The complaint alleged that more than 70 percent of the merchant’s transactions were returned or refused by the consumers’ banks
What is interesting is this: what type of risk management practices existed in the business to let this occur for so long, and what audit efforts were conducted that did not catch these deficiencies in existing controls?
Guidelines and proper business practices are NOT check boxes to be ticked for the sole purpose of ticking them; they are to be adhered to in a manner that ensures the operational integrity of the business and the fidelity of its operations.
A great article on the power of “check lists” is available here at the New Yorker.
Best regards,
James DeLuccia IV
Categories: Compliance · IT Controls · Institute of Internal Auditors · audit · fraud · information security
Tagged: best practices, fines, fraud, ftc, merchant, payment processor, PCI DSS, sas 70