A New Approach to Managing PCI Compliance
Leveraging the Power of Assessments and other Efficiencies to Reduce Costs
By: Rick Belisle, COO, Clear Skies Security, LLC
Howard Glavin, VP Professional Services, RiskWatch
January 2009



Summary

In the past, security controls were typically one of the first areas a business would consider cutting back when budgets were tight. In today's business environment, regulatory demands such as Payment Card Industry (PCI) compliance, as well as other regulations calling for protection of privacy related information, make investment in security an on-going budget requirement. This white paper will discuss a new process for achieving PCI compliance. This process provides companies the opportunity to leverage the results from the technical and risk management assessments, to better and more efficiently manage the compliance effort and to achieve maximum Return on Investment (ROI).

Summary Issues

Understanding Risk

Many companies view the technical testing during these compliance assessments as another "check box" that needs to be marked off. In reality, these assessments are vital to understanding the overall risks that might impact the business. This "check box" mentality generally leads to increased costs for compliance, will not achieve the results required to protect the data, and could possibly expose the business to unreasonable risk. The technical testing should be viewed as additional insight into your business security risks, and not just as a necessary evil for compliance. Failing to use the assessment results for anything but a compliance check-box significantly reduces their value to the organization.

Reduce Scope

Compliance assessments are challenging enough to achieve without having to revamp the operations of the entire company. By fully understanding how PCI data is used throughout the business, the compliance scope can be reduced to minimize the impact to overall business operations. This scope reduction can only be achieved by thoroughly understanding how the data is used and where it is needed. Understanding and controlling data flow will allow you to isolate the PCI data to a very small portion of the environment. This results in a reduction in both time and cost to meet the compliance requirements.

Remove Complexity

The more complexity that can be removed from daily processes, the simpler the solution is to meet regulatory controls, and the sooner compliance can be achieved. From a financial perspective, these simple process improvements will allow compliance to be achieved at a fraction of the cost.


Background

When budgets are tight, everyone looks for ways to reduce operating costs. Typically these cost reductions are ranked first by those items that generate profit, and then those items that are nice to have but may not contribute directly to the bottom line. Depending on the organization's perspective, compliance can be placed in either of these buckets. These cost reduction decisions, however, need to be analyzed from both an immediate financial perspective as well as from an overall compliance perspective.

The PCI Security Standards Council (SSC) has stressed that 90% or more of losses today occur from within a company, either through application weaknesses or through the actions of trusted third parties that have permission to access the data as part of their service. Most companies assume incorrectly that the losses occur to external sources hacking into the systems and stealing data. To prevent both internal and external losses, a company must have a balanced approach leveraging internal and external technical assessments to ensure the exposures are identified early on, along with a process to safeguard critical data to protect against those who have approved access.

The goal of this white paper is to summarize some key issues that will help any organization achieve or maintain PCI compliance in the most direct fashion possible to minimize overall operating costs, reduce compliance cost, and most importantly, reduce risk to the business.


Understanding the Issues

PCI compliance can be a daunting task, with requirements frequently filled with many grey areas left to the interpretation of the company, the assessors, and the regulators. The best way to achieve compliance without expending unnecessary effort and cost is to ensure you understand the underlying intent of the compliance criteria. Armed with this knowledge you can make informed decisions on how your company can best achieve the compliance requirements. Most organizations try to start by reviewing the compliance requirements and determining how their current processes meet these requirements. To further add complexity to this approach, they look at each requirement as a standalone activity and work toward meeting each implicitly. Our recommendation, however, is to start with a full understanding of where the compliance data is stored, and how it is used by all areas of the business. Understanding the compliance standards along with the knowledge of where the data is, or where data could be, will greatly simplify the process.

Understanding Data Flows

Most organizations automatically assume they "know" where their compliance data is stored and how it is processed. To do this properly though, a full logical and physical data flow analysis must be conducted. This is not a network diagram nor is it an application flow chart. A physical and logical data flow depicts exactly how the business uses the network, applications, databases, and any output of these systems in normal operations. It also shows how a single piece of data traverses through these components and where it finally resides, along with where it could reside due to errors or flaws in the applications, databases, and networks in that path. This data flow covers data in all forms and formats including but not limited to:

- Magnetic media
- Paper media
- Logs
- Reports
- Error recordings and data dumps

To achieve this data flow, it is recommended that you conduct a meeting facilitated by an unbiased third party that is familiar with this activity. The meeting facilitator will help ensure that all potential areas for data processing, use and storage are covered in appropriate detail and that the business units make no incorrect assumptions. This meeting is recommended to have at least the following stakeholders attend:

- Each vertical business unit
- Compliance
- Physical Security
- Network/Infrastructure
- Operations
- Third Party Service Providers (managing data processing systems or networks)
- Application development and maintenance
- Database development and maintenance
- Legal
- Finance
- IT Security

The goal of this meeting is to document all the areas where regulated data could be located as part of normal business operations. This information should then be depicted as a logical data flow diagram, which can be used as a reference for the remainder of the decisions surrounding compliance.
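As an added illustration that is not part of the white paper, the following Python models a small logical data flow of the kind described above and derives every component where full card data can reside, including the error paths the paper lists (logs, data dumps). The systems, flows and data classes are constructed for the example.

```python
"""Derive where regulated data can reside from a logical data flow.

Added example, not from the white paper: the flow model below is constructed
for illustration. Each flow carries a data class: "PAN" is full card data,
"TOKEN" is a reference identifier, "NONE" carries no card data. Error paths
(logs, dumps) are ordinary flows, so the places where data *could* reside are
found together with the places where it is meant to reside.
"""
from collections import defaultdict, deque

# Constructed flows: (source, destination, data_class, note)
FLOWS = [
    ("web_checkout", "payment_app", "PAN", "customer submits card"),
    ("payment_app", "card_db", "PAN", "stored for settlement"),
    ("payment_app", "app_log", "PAN", "full request body logged on error"),
    ("payment_app", "core_dump", "PAN", "crash dump written on fault"),
    ("card_db", "nightly_report", "PAN", "finance aggregation report"),
    ("nightly_report", "finance_share", "PAN", "report emailed as PDF"),
    ("payment_app", "crm", "TOKEN", "customer profile keyed by token"),
    ("payment_app", "inventory", "NONE", "order lines only"),
]

# Components that are never meant to hold card data (constructed).
UNINTENDED_STORES = {"app_log", "core_dump"}

def build_graph(flows):
    """Adjacency list: source -> [(destination, data_class), ...]."""
    graph = defaultdict(list)
    for src, dst, cls, _note in flows:
        graph[src].append((dst, cls))
    return graph

def pan_locations(flows, sources=("web_checkout",)):
    """Every component reachable from the sources over PAN-carrying flows.

    This is the "where the data is, or where it could be" set: a component is
    included if full card data can arrive there on any path, intended or not.
    """
    graph = build_graph(flows)
    seen = set(sources)
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        for dst, cls in graph[node]:
            if cls == "PAN" and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def error_paths(flows):
    """PAN flows that end in a component never meant to hold card data."""
    return sorted(dst for _src, dst, cls, _note in flows
                  if cls == "PAN" and dst in UNINTENDED_STORES)

if __name__ == "__main__":
    for comp in sorted(pan_locations(FLOWS)):
        print("PAN can reside in:", comp)
    print("Unintended PAN stores:", error_paths(FLOWS))
```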


Understanding the Assessment Process

Armed with the data flow diagram, the next step is a gap-assessment, or Initial Report on Compliance (IRoC) for PCI. As part of the overall assessment process, technical testing also needs to be conducted and will minimally include: 1) annual internal and external Penetration Testing; 2) Application Assessments of Internet facing or public facing applications; and 3) scanning of the Internet facing IP addresses and internal network where the data is known to reside or could reside.

When conducting these assessments it is imperative to ensure that all of the technical testing activity has a constant feedback loop into the entire compliance process. All too often we see the assessment work conducted in an isolated fashion by the technical security teams, and the only information the business side wants to know is that the test is done and issues were remediated. This view towards the assessment process does not take advantage of the value that technical testing results may have to business managers, and needs to be reconsidered if successful compliance is to be achieved in the most cost efficient manner. The data derived from these assessments will be critical to understanding risk and reducing the scope of the compliance effort.

A New Approach to Compliance

By taking a slightly different approach to your compliance process, it is possible to achieve compliance and generate a return on the investment made in becoming compliant. The following three steps will help any business achieve compliance in the most cost effective way:

1. Understand your business risks - leveraging the power of assessments
2. Reduce the scope for compliance activities wherever possible
3. Remove complexity from your business processes

Understanding Your Risk

Understanding risk and risk management is not a difficult concept to grasp, but it is difficult to achieve if it is only driven by individual business units. Risk covers all areas of the business and therefore needs to be owned by the business, not the technology or compliance departments. When organizations try to assign ownership of risk to these departments it typically falters, because those departments inevitably end up creating a series of invalid assumptions: they are not the true owners of the underlying business processes. Rather, each step of risk measurement must have a firm base in the business and must be applied consistently across the company. This is going to require input from senior management, middle management, line managers, finance, and the general worker population to develop an initial risk profile.

Historically, risk has been defined as "Threat x Vulnerability = Risk". This is partially correct, but it is not sufficiently detailed to allow for the correct measurement of risk. To fully define risk you need to consider and measure (at a minimum):

1. Vulnerabilities
2. Frequency of exploit
3. Ease of exploit
4. Types of threats
5. Value of the asset(s)
6. Full valuation of the business
7. Complexity of the assets
8. Complexity of the business process
9. Mitigation process
10. Acceptable Risk
11. Impact of meeting compliance
12. Potential issues for noncompliance

From the non-technical perspective, unless you are an expert in risk calculation and risk management, this process is best left to the use of a tool like RiskWatch PCI for the calculation of risk. Use of automated tools like this allows you to concentrate on the solutions to reduce risk that will move you towards meeting your compliance goal, and generate increased profitability of the business as a result. This compliance activity can and will lead to a ROI if this process is done properly.

Leveraging the Power of Assessments

From purely a technical perspective, the top three (3) aspects above should be derived from good security assessments. The main goal of these assessments is to identify vulnerabilities that are present throughout the environment, which could be used to gain access to PCI related systems or data. The scope of these assessments is therefore not limited to just PCI systems, and the resulting findings need to be utilized as critical data points in the remainder of this process.

One of the many ways to reduce the cost of the compliance effort is to try to leverage existing enterprise security assessments to meet your compliance needs. As mentioned above, these assessments are not limited to PCI systems, and there is no reason to complete security assessments just for compliance purposes. Rather, these assessments should be performed against the larger enterprise systems as part of a regular risk assessment process. This will help reduce risks on a regular basis, and more importantly ensure all of the systems are already compliant when the necessary annual compliance testing is required.

One of the biggest issues we see when customers tie their assessments to the PCI testing process is that most of them will have systems that fail the technical assessment the first time through. This creates a situation where other business processes are put on hold to have the systems remediated so they can be re-tested. This process increases the cost of the entire compliance process, and reduces the efficiencies that a regular assessment process would provide the organization.

In addition to identifying the vulnerabilities, a good assessor should also help identify the ease of exploitation of each vulnerability identified. This risk factor will examine the likelihood of a successful attack based on availability of exploit code, criticality of data exposed, as well as other compensating controls on the network. Given that the rest of this process relies heavily on the data gathered from these assessments, it is critical to work with security assessment companies that do not rely solely on automated tools, but are also capable of providing the details necessary to assist you with measuring your true risk. Again, this should not be viewed as a technical exercise to "check the box", but rather as an essential control point that is vital to getting the data necessary to make informed business decisions that will drive your compliance goals. If done properly, the data collected during the assessment process will provide you with the data points needed to reduce scope and complexity of the compliance process.

Reduce Scope for Compliance

To reduce scope you must first understand what needs to be protected and what protection mechanisms are currently lacking, which can now be derived from the risk measurements you conducted in the previous step. For compliance areas like PCI, controlling scope is the key to rapid success, which also results in a reduction in cost and hence a higher ROI.

Using the data flow and risk analysis information, you can now reduce some of your scope by determining which pieces of protected data can be converted to a generic reference identifier. A generic reference identifier is simply a unique mapping of one piece of data to another, essentially obfuscating the original protected data. By using this generic reference identifier in place of the protected data, you can continue many of the normal business operations you may be using without having to conduct extensive compliance testing, as long as the process of how to map the identifier back to the protected data is protected at the same level as the original data. For example, if one area of finance needs to run reports that aggregate credit card numbers, rather than using the actual credit card numbers, the reports can be run using the reference identifier in its place. If the actual credit card numbers were used then the PCI assessment scope would include all of those finance systems that utilize that report, but if just the reference identifier is used then those systems can be removed from the scope of the PCI assessment. This process is detailed fully in the PCI DSS standard, which states that credit card data can be protected by masking that data (see section 3 and in particular requirement 3.3).

The next step to further reduce the compliance scope is to confine critical data processing to a small area of the organization, separated from the rest of normal operations. If any other areas of the business need access to the critical data, then the generic reference as stated above can be used in its place without disclosing the protected credit card data. In areas like PCI this will reduce or eliminate the need for application rewriting and database redevelopment. For example, if an online retailer can both physically and logically isolate where the credit card information is stored and processed from the rest of the company's assets, the PCI scope can be limited to just the systems that process and store the credit card information. Without that separation and compartmentalization, all of the assets will be included in the compliance scope, thus greatly increasing the amount of testing time required, the potential remediation effort, and the cost required to get those systems in compliance.
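The reference identifier approach described above, as an added example that is not code from the white paper or from either company: a random token replaces each card number, the mapping back exists only in a vault that stays in scope, and the finance report aggregates by token without ever handling a card number. The class and function names are this example's own; the card numbers in the accompanying checks are well-known test numbers, not real cards.

```python
"""Reference identifiers (tokens) standing in for card numbers (PANs).

Added example, not code from the white paper or either company. A random token
replaces each PAN, the token-to-PAN mapping exists only inside a vault that
stays in PCI scope, and the finance report aggregates by token so the reporting
system never touches card data. Names are this example's own.
"""
import secrets
from collections import defaultdict

def luhn_valid(pan):
    """Luhn check used by payment card numbers; rejects obvious typos."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Display masking (PCI DSS req. 3.3): at most first six and last four shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """In-scope component: the only place the token -> PAN mapping lives.

    Tokens are random, so a token reveals nothing about its PAN and cannot be
    reversed outside the vault. The same PAN always yields the same token, so
    out-of-scope systems can still group and total by card.
    """
    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan):
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        if pan not in self._pan_to_token:
            token = "tok_" + secrets.token_hex(8)
            while token in self._token_to_pan:  # guard against collisions
                token = "tok_" + secrets.token_hex(8)
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return self._pan_to_token[pan]

    def detokenize(self, token):
        """Mapping back happens only here, at the vault's protection level."""
        return self._token_to_pan[token]

def finance_report(transactions):
    """Out-of-scope aggregation: totals per token, no PAN ever present."""
    totals = defaultdict(int)
    for token, amount_cents in transactions:
        totals[token] += amount_cents
    return dict(totals)
```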


Remove Complexity

Reducing the scope is one way to help remove complexity, but complexity comes in many forms and makes your ability to meet the requirements more difficult. Removing further complexity from business operations is key to achieving your compliance goals. The first step is to leverage the created data flow diagram to question the business rationale at each step of the analysis process. Some typical areas to examine closely are:

- Daisy chained applications that perform numerous calculations where you only need one calculation
- Retaining extra database data instead of eliminating everything except for only the data you truly need
- Using applications that are no longer supported by the vendor
- Continuing to use old business processes that no longer have business justification
- Adding process for the sake of process that does not enhance or simplify the business

The best approach to reducing complexity is to ask "WHY?" of each business process, application, and database entry. If the answer does not show significant benefit to the business, then the process needs to be reviewed to see how it can be removed or at the least further simplified. Given that 90% of the PCI DSS requirements are based on having well documented and enforced processes in place, removing the complexity from normal business operations reduces the level of effort required to assess all of these processes. And, more importantly, it assures that compliance is sought only for those processes that really require it.

Conclusions

Compliance is a business issue and must be managed by the business, with the technical teams acting as service provider to the business units. By focusing on these simple concepts, companies will have a higher success rate in achieving their compliance goals without unnecessary costs. The business, however, must learn to leverage the true value the technical side brings through the assessment process. Not only do the issues need to be remediated, but the value of the information gleaned from these tests, if used properly, will help identify areas of risk to the business and potential areas of compliance scope concerns. Once this process is completed and the concepts and decisions are made to achieve compliance with PCI, it is very easy to replicate out to any other regulatory requirement, to include HIPAA and other privacy regulations surrounding Personally Identifiable Information (PII).


About Clear Skies Security, LLC

Clear Skies is a security consulting organization specializing in real world threat analysis through comprehensive security assessment services, specifically Penetration Testing and Application Assessments. Clear Skies focuses solely on services, allowing our consultants to remain concentrated on providing the best vendor neutral advice to remediate the risks identified during the assessment process. Our primary goal is to become the Trusted Security Advisor for our clients. This allows us to work cooperatively to ensure the highest level of protection for the business and to provide some assurance in knowing that the true risks are being identified.

Clear Skies was founded by a team of elite security professionals, each bringing 10+ years of experience in the security industry, all with a specialty in security assessments. Our mission is to be a trusted name in the security industry, known for our technical knowledge, integrity, and business ethics. We do this by focusing on customer service and ensuring quality in everything we do. In the end, our goal is to ensure that our Intelligence Secures your Intelligence.

About RiskWatch

The RiskWatch tools credibly guide the users through a process to qualify its security situation concerning threats, assets, potential loss, vulnerabilities, and safeguards, per Gartner. The company has designed over a dozen specialized risk assessment software programs that are used by thousands of clients all over the world - in virtually every type of security assessment, gap analysis, and compliance assessment. RiskWatch clients include financial institutions, hospitals and healthcare organizations, insurance companies, infrastructure elements such as electrical producers, and both federal and state agencies. From multi-national corporations to small banks, RiskWatch software is the most widely used security risk assessment software in the world. RiskWatch software was developed with Federal guidelines and a variety of US federal agencies, such as Veteran Affairs, the Department of Justice, the US Department of Defense, and the National Security Agency. All of these organizations have used RiskWatch applications for information security risk assessment and physical security assessments. RiskWatch is used by State governments in all 50 states, and internationally in Belgium, Canada, Dubai, England, Italy, Malta, Sweden, Saudi Arabia, Turkey, Romania, South Africa, Japan, Thailand and Switzerland.

12460 Crabapple Road, Suite 202-253
Alpharetta, GA 30004
(516) 612-2060
[email protected]

2553 Housley Road, Suite 100
Annapolis, MD 21401
(888) 448-3002
www.riskwatch.com