The recently published Simplify Cybersecurity With PCI, by Heidi Shey and John Kindervag, is an interesting and valuable read. The premise is that government regulations (any, really) are generally obtuse and ideal-focused, without prescriptive how-to descriptions, whereas the payment card industry standard (PCI DSS v2.0 in this case) is direct on what technology controls should be deployed and how. The authors present a synergy between the two that can help an organization establish a security program.
I would definitely recommend that businesses struggling to establish a security program review the concept. I would challenge those involved in establishing and enhancing security programs to focus on their core business strategies and on an iterative cycle, and not simply on a controls exercise. Ultimately I agree there are synergies as described by the authors, and I feel the mapping is quite insightful, but I would pair this with the cyclical nature of an ISMS to round out the edges and make it a more pragmatic and ultimately effective program.
One further note: the authors hold that the PCI DSS standard is appropriate for mapping, but I would caution readers and all who utilize PCI DSS. The standard is specifically articulated for a set of risks and is typically bounded by the scope of the cardholder data environment. When utilizing these standards it is important to eliminate and/or address these preconditional weaknesses first, prior to establishing a proper security, and ultimately compliance, program.
Other thoughts? I have personally done many mappings (most recently 134 global regulations and guidances) and can appreciate the value of such alignments, but each standard also carries assumptions that must be managed at the program level.
Posted in IT Controls, PCI DSS
Tagged 2012, best practices, Compliance, crossmap, cybersecurity, fisma, forrester, it compliance and controls, IT Controls, james deluccia, jdeluccia, nist, pci, PCI DSS, Security
Why should an organization address and comply at least with industry-supported practices? The question of compliance versus driving business value, one often raised in the Payment Card space, is important to understand and convey at every level of an organization. The importance lies in building an organization’s security and compliance program in a manner that cohesively manages the demands of client requirements, government concerns, and general competitiveness, in an era where competitiveness includes thwarting attackers focused on poisoning your supply chains with misinformation or directly seeking to “acquire” the Intellectual Property that makes the business competitive. The executives and board of directors within an organization are acutely seeking demonstration of focus and effectiveness.
So what are the risks to an organization not managing the risks of an industry standard?
To answer that, below I will speak directly to PCI (to eliminate the obnoxious “it depends” statements) and about a Fortune 500 company that has other intellectual property.
The ultimate risk to an organization out of compliance with PCI is well documented (on the Card Brand sites themselves and on breach news sites), but it stems from a violation of contractual agreements with the business’ banks and ultimately the card brands. This contractual obligation (and its violation) can be determined without a breach. The violation (profiled in a public court case out West) can be identified when a QSA / Forensics team from the Card Brands, or any of their team members, conducts an assessment of the organization’s compliance. The court case referenced is of a restaurant that had been suspected of being a Common Point of Fraud; it was proven not to have been breached, but it was in violation of PCI DSS based on the forensics report issued to the Bank & Card Brands. So, the risk and associated damages can result from a breach (classic) or simply from confirmation that the business violated the contract established with the Card Brands.
The highlight here is that being compliant means addressing the threat vectors to the business and the assets requiring protection. Failure to achieve those results from either path can result in a number of negative business and financial events. These, in part, are described below:
- Financial punitive fines by the Card Brands ($500k is a number published by the Card Brands)
- Per-account costs and fines for each breached account number: this is a hard figure to lock down, $100-$170 per card in some cases
- Higher interchange fees per card transaction for the entire legal entity: this is very costly and the most damaging
- FTC and public government actions, which may include recurring privacy audits (such as 20 years of third-party audits)
- Automatic Level 1 status for the company (which requires annual onsite attestation)
- If you look at TJX and the other public breaches, they have published those expenses at around $130M+
- Civil / class action lawsuits are likely
There are also reputation and periphery risks to the business:
- The company possesses additional data protected and considered sensitive by industry and governments around the world. PCI data is one element, but it is likely that these systems share networks, applications, and permissions, so the breach of one could inadvertently result in the breach of the other (PII)
- Not at least complying with / deploying operational security controls broadly considered baseline practice would be damaging in an era when security of data and confidence is so important
The highlight here is that the risk is not addressed by the issuance of a ROC by a QSA or by having run assessments, but by the security and risk programs being operational and effective. These ROCs and assessments are simply attestations of a program that is mature and functioning. Compliance is not conferred by a ROC, nor does a ROC provide safe harbor in the common sense of the term. A long-standing statement by the PCI SSC is that “no compliant organization has had a breach”, and this includes TJX, Heartland Payments, and Global Payments, all breached with current ROCs signed by TrustWave.
The success of the PCI program is the ultimate reduction of risk and adequate security controls for the organization. The risks addressed through a cohesive integration with the operational elements of the business are the critical success factors.
James DeLuccia IV
A challenge for large businesses is addressing their own information security needs so as to manage their operations in a manner that allows them to be resilient and adaptable in an ever more competitive marketplace. Each organization is different, in both its risks and its needs to mitigate them. A painful evolution of the past decade has been the mistaken direction organizations have taken to build programs that address singular compliance instances. Meaning, organizations develop programs to address single compliance requirements (vendors, SEC, industry, etc.). Not that these are not important, but a natural effect of this is the perception that the security “controls” (even the word doesn’t lend itself to the right non-audit light) are there to achieve compliance.
The mistake is achieving compliance with compliance requirements alone. There is a gap in the business’ OWN needs. Over the past year I have spoken on this topic publicly at conferences, and my book has a huge focus on aligning and establishing business requirements cohesively.
To elaborate on the graphic: the CxO office must be aware of and share their strategy, which is typically easy to find, as I generally begin building these programs from the 10-K reports of the last two years. These feed the information security program elements and form the decision framework against all technology, security controls, risk frameworks, sourcing considerations, recovery timelines, etc. In addition, the compliance elements must be addressed, but with the understanding that these are risk transfer activities by third parties: not the basis of the enterprise program, but a singular consideration.
The capability of the organization to address market competitive requirements is based upon the proper balance. Here you can see the target is that 85% of the program is made up of the business’ own innovative and market driving / supporting activities, and 15% of the program goes to meeting these ‘license to operate’ requirements.
The takeaway is to challenge your organization’s singularly managed compliance initiatives and to do a deep dive on budget alignment to business revenue generation. There must be a rationalization of the safeguards that makes the business efficient and effective, and that includes safeguarding and enabling the business to conduct business, everywhere.
The trust and complexity of the relationships between key Apps, users, and our data is a challenge for individuals and businesses. A recent study was done of 500,000 Facebook Apps (bear in mind this is ONE platform with Apps dedicated to it, so extrapolation and assumptions are needed, cautiously, for other platforms), and it found interesting facts.
The study was done by Secure.me, who sell reputation services, so a grain of salt needs to be taken, but as the research shows (even with a grain of salt) there are enough considerations to impact most information security and compliance programs and risk treatment plans.
A snippet of the findings include:
- About six out of ten of the apps (63%) can post on to timeline (honestly, do you even know what others in the platform are seeing regarding your own data/timeline/posts/and associations?)
- More than two thirds of the apps (69%) know the stored email address
- Nearly every third app (30%) knows the account’s birthday
- 5 out of 100 apps (5%) access your photos and videos, going beyond the profile picture
- Every tenth app (10%) is informed about hobbies and interests
- 10% of the apps have access to your geo information including check-ins, hometown or current city
- 1 out of 5 apps (21%) can access personal data of your “friends” including friends’ birthdays, education and work history
Check out their post here on the details.
The action here for businesses is to review their social media strategy as it is integrated within the enterprise security & risk programs and the privacy elements of the business. Note that the social media considerations listed above are partial inputs into this broader program that considers such risks. It would be nice to have dedicated teams for each type of program (social media, cloud, etc.), but in most mature organizations the framework and practices exist and simply should be augmented. This study is a nice input providing awareness of singular risks.
I have been doing research on this very problem within the smartphone app space, to identify similar trust threats and privacy concerns. Much to be done… if others know of existing research, kindly share!
James DeLuccia IV
Perhaps old news, given the NSA chief made the comments below in 2011 while presenting to Congress and asking for support of the projects (basically a budget justification meeting). What is interesting is how he frames the weaknesses of the current state versus the benefits of a future state that leverages Cloud architectures. He is also referring to several key programs that are deployed and seeing active participation.
How this relates to information security professionals, control safeguards, and ultimately PCI DSS is in the eye of the beholder. A striking point is the call to fundamentally challenge your risk assumptions and the benefits of moving to the cloud. A key consideration here is the concept of redeploying, rearchitecting, and, I would say, restarting the management of access and security anew. Cloud provides an inflection point for businesses and governments to start fresh to meet the current threats.
As I often have CxO discussions, the framing of these technology changes provides a mechanism to reach stability and integrity of technology-supported operations (hard to find one that is not). Consider the NSA Chief’s points below, and perhaps consider that he is speaking of highly sensitive data that has human life risks directly associated with it. That type of data is of the highest sensitivity, and if such data can be secured in a collaborative, cloud, integrated, and mobile-enabled environment, why not other data elements and industries?
This is in line with the OCR NIST HIPAA guidance and the recent clarification (June 2012) regarding how Cloud environments are subject to the BA agreement and security elements. Clouds are permitted, but the expected controls must exist along with the proper risk management factors.
NSA Chief: “The idea is to reduce vulnerabilities inherent in the current architecture and to exploit the advantages of cloud computing and thin-client networks, moving the programs and the data that users need away from the thousands of desktops we now use — each of which has to be individually secured for just one of our three major architectures — up to a centralized configuration that will give us wider availability of applications and data combined with tighter control over accesses and vulnerabilities and more timely mitigation of the latter,” he testified before a House subcommittee in March 2011.
via NSA chief endorses the cloud for classified military cyber program – Cybersecurity – Nextgov.com.
James DeLuccia IV