finance case study -...


Upload: ngonhu

Post on 05-Mar-2018


Page 1: FINANCE CASE STUDY - Microsoftnaseba.blob.core.windows.net/.../Tripwire_Bank_Aljazira_case_study.pdf · FINANCE CASE STUDY BUSINESS NEED » Become PCI compliant in time for a looming

FINANCE CASE STUDY

BUSINESS NEED

» Become PCI compliant in time for a looming deadline.

» Maintain brand reputation and customer confidence by achieving timely compliance.

» Implement a single solution in a complex, heterogeneous IT environment.

SOLUTION

Tripwire® Enterprise offers out-of-the-box configuration assessment and enhanced file integrity monitoring that addresses a wide range of regulatory requirements, and provides change and configuration control to support compliance, security and operations.

RESULTS

» Full compliance achieved by the deadline. Full pass achieved from PCI final audit.

» Bank was compliant ahead of competitors in the region, gaining this key differentiator in a challenging market.

» Now benefitting from continual compliance, such as assurance that systems and processes are always up to date.

BANK ALJAZIRA BEATS RIVAL BANKS TO PCI COMPLIANCE USING TRIPWIRE


Bank Aljazira (BAJ) is one of the leading Shari’ah-compliant financial institutions in the Kingdom of Saudi Arabia. The fast-growing financial group provides individuals, businesses and institutions with innovative financial services that are client driven and service oriented.

The bank also prides itself on its robust security controls. Its web site promises customers that it is one of the most secure banks they could deal with. So, when the introduction of the international Payment Card Industry Data Security Standard (PCI DSS) was announced, BAJ took its responsibilities very seriously.

PCI DSS is one of the most prescriptive data protection standards ever developed. It addresses the ever-increasing threats to customer cardholder data by requiring security controls for the cardholder data environment. To ‘pass’ (the alternative being to ‘fail’), organizations must fulfill 214 separate requirements; only with a full pass can the financial organization be certified as PCI compliant.

“The goal of the standard is to protect customers’ data so that it cannot be leaked, or be used maliciously or unlawfully,” explains Mohammed Ammar Bayrakdar, IT project manager and core team member in the PCI program at BAJ. “This means we have to monitor an extensive range of systems and file types that are subject to non-continuous change, to ensure they have not been maliciously altered or compromised.”

MULTIPLE PLATFORMS, ONE INTEGRATED SOLUTION

As this was beyond the scope of the bank’s existing IT capabilities, Bayrakdar and his team began to research the market for a PCI-compliant monitoring solution that would enable BAJ to meet the impending deadline of September 2010.

This was an onerous challenge, given that the bank processes over 200,000 credit card-related transactions each day, affecting data held and processed in a broad range of IT systems, in a multitude of operating environments, from Windows to Unix. IBM recommended Tripwire, a leading global provider of integrated IT security and compliance automation solutions, as a credible supplier that could help the bank meet its compliance needs. BAJ’s qualified security assessor (QSA), an auditor approved by Saudi Arabia’s Monetary Agency (SAMA), also confirmed that using Tripwire Enterprise would enable full compliance with the new standard. This gave the bank full confidence in deploying the toolset.

“We researched the market thoroughly before making our selection,” confirms Muhannad Zghoul, BAJ’s IT security manager and core team member on the PCI program. “This included a review of a Gartner report which ranked Tripwire as one of the top three providers of PCI DSS solutions. When we did a comparison with other products on price, Tripwire also offered us the best value for money.”

Importantly, Tripwire had a local partner, I(TS)², whose in-depth knowledge not only of Tripwire Enterprise, but also of the range of platforms BAJ needed to monitor, was impressive, Zghoul says. “The dedicated subject expert that I(TS)² allocated to us was very cooperative and proactive, not only expediting the implementation of the project, but also spotting anything that might cause a problem or delay. By flagging this promptly, he ensured that any issues were resolved quickly and that we would be ready well within the compliance deadline.”

EARLY DELIVERY

Concerned that the bank should be ahead of the pack, the IT team had begun researching PCI compliance in January 2010. Once it had selected Tripwire and I(TS)² for the job, implementation began in April, taking just 16 days. In conjunction with I(TS)², Tripwire also provided comprehensive training for the bank’s internal IT team, to ensure they could use the monitoring tools effectively to spot patterns and anomalies in card-related transaction data.


By the original deadline of September 2010, the bank was fully compliant, gaining a full pass in its official PCI final audit.

“The alternative would have been heavy fines from SAMA,” Bayrakdar notes. More significantly, failure to comply in time for the deadline could have meant loss of face in a competitive and unforgiving market, negatively affecting the brand and compromising customer confidence. By achieving compliance ahead of others in the region the bank was able to actively promote how secure its processes were and use this as a key differentiator in a challenging market.

As it was, so few banks had managed to achieve PCI compliance by the September 2010 deadline that the authorities subsequently pushed back the deadline to June 2011. Rather than see this as a blow, however, BAJ turned this situation to its advantage, emphasizing its robust, compliant processes to the wider financial services industry and to customers, as further evidence of the bank’s leading position on security.

CONTINUOUS COMPLIANCE

Importantly, Tripwire Enterprise, backed up by I(TS)²’s continued support, is designed to ensure continuous compliance. “It is not a one-off solution, a tick in a box,” Bayrakdar concludes. “Robust, ongoing security relies on being vigilant on an ongoing basis, as a natural extension of everyday activities. Tripwire Enterprise ensures that we continue to remain compliant, and that our systems and processes are always up to date.”

“We researched the market thoroughly before making our selection. This included a review of a Gartner report which ranked Tripwire as one of the top three providers of PCI DSS solutions. When we did a comparison with other products on price, Tripwire also offered us the best value for the money.”

MUHANNAD ZGHOUL, IT SECURITY MANAGER, BANK ALJAZIRA


©2011 Tripwire, Inc. Tripwire, VIA and ChangeIQ are trademarks of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. CSBAJ1n 201107

Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses, government agencies, and service providers take control of their physical, virtual, and cloud infrastructure. Thousands of customers rely on Tripwire’s integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire VIA, the integrated compliance and security software platform, delivers best-of-breed file integrity, policy compliance and log and event management solutions, paving the way for organizations to proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation.

LEARN MORE AT WWW.TRIPWIRE.COM AND @TRIPWIREINC ON TWITTER.

Bank Aljazira is recognized as one of the leading, fast-growing Shari’ah-compliant financial institutions in Saudi Arabia: a client-driven and service-oriented Saudi financial group that provides individuals, businesses and institutions with innovative Shari’ah-compliant financial services through professional and dedicated staff.