Mapping PCI DSS v2.0 With COBIT 4.1 By Pritam Bankar, CISA, CISM, and Sharad Verma
|
|
- Branden McDonald
- 6 years ago
- Views:
Transcription
1 Volume 2, April 2011 Come join the discussion! Pritam Bankar and Sharad Verma will be responding to questions and comments in the discussion area of the COBIT Use It Effectively topic beginning 21 April Mapping PCI DSS v2.0 With COBIT 4.1 By Pritam Bankar, CISA, CISM, and Sharad Verma In today s era, every organization across the globe, regardless of its size or industry, faces security issues pertaining to new and evolving threats, vulnerabilities, risks or regulatory/compliance landscapes. As such, there arises a need for organizations to make stringent efforts to ensure that their security and enterprise risk management (ERM) programs address multiple compliance requirements. This article contains the results of a mapping of Payment Card Industry Data Security Standard (PCI DSS) v2.0 controls with COBIT 4.1. PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis. This mapping provides guidance to organizations seeking PCI compliance by identifying and highlighting the COBIT areas that should be considered for each requirement within PCI DSS. It also highlights how the processes in COBIT can support PCI DSS compliance activity. As a result, the mapping can be used as a reference for formulating an integrated and customized control framework for an organization. Since COBIT covers the broad spectrum of IT control processes and PCI DSS is strictly focused on protecting cardholder data, any user of COBIT must first determine the relevance and applicability of IT processes and subprocesses within the COBIT framework. COBIT, a framework for the governance of enterprise IT (GEIT), has a broader scope and is applicable to all organizations, whereas PCI DSS v2.0 focuses more on the area of protecting cardholder data and is applicable to all organizations that hold, process or exchange cardholder information. PCI DSS controls are mandatory for organizations that collect credit card data, whereas COBIT has general controls that can be leveraged based on an organization s requirements. The implicit benefits of mapping PCI DSS v2.0 with COBIT include: A unique set of controls Organizations planning to implement PCI DSS can easily manage, measure and provide evidence of satisfying multiple compliance and governance requirements through a single unique set of controls. Adherence to multiple standards Organizations can adhere to multiple industry standards for securing credit card data by adopting the unique set of controls and can increase operational efficiency. Increased performance Each PCI DSS control and requirement is mapped extensively with COBIT controls after assessing the in-depth objective of the control, which results in increasing the performance efficiency of the security program. PCI DSS compliance made easy While compliance with PCI DSS is mandatory for organizations that process financial transactions through payment cards, its scope is limited to protecting cardholder data. However COBIT is like an integrator for best practices and an umbrella framework for IT governance designed to apply across a variety of organizations, and it is universally recognized. For certain enterprises, PCI compliance is mandatory, and COBIT is used as a guideline. Figure 1 provides a mapping of PCI DSS v2.0 to COBIT 4.1. Please note that multiple PCI DSS requirements can map to a single control in COBIT 4.1, as seen in requirements 11 and 12.
2 Figure 1 Mapping PCI DSS v2.0 to COBIT PCI DSS v2.0 Control s Install and maintain a firewall to protect cardholder data. Do not use vendor-supplied defaults for system passwords or other security parameters. AI2.5 Configuration and implementation of acquired application software AI3.2 Infrastructure resource protection and availability DS5.10 Network security DS13.3 IT infrastructure monitoring PO2.3 Data classification scheme DS4.9 Offsite backup storage DS5.8 Cryptographic key management DS11.2 Storage and retention arrangements 3 Protect stored cardholder data. DS11.4 Disposal DS11.6 Security requirements for data management 4 5 Encrypt transmission of cardholders data across open public networks. Use and regularly update antivirus software on all systems commonly affected by malware. DS5.1 Management of IT security DS5.8 Cryptographic key management DS5.10 Network security DS11.6 Security requirements for data management DS5.9 Malicious software prevention, detection and correction PO8.3 Development and acquisition standards PO9.3 Event identification Volume 2, April 2011 Page 2
3 Figure 1 Mapping PCI DSS v2.0 to COBIT 4.1 (continued) PCI DSS v2.0 Control s Develop and maintain secure systems and applications. Restrict access by business to cardholders data to need to know. Assign a unique ID to each person with computer access. Restrict physical access to cardholders data. Track and monitor all access to network resource and cardholder data. PO9.4 Risk assessment AI3.3 Infrastructure maintenance AI3.4 Feasibility test environment AI6.1 Change standards and procedures AI6.2 Impact assessment, prioritization and authorization AI7.3 Implementation plan AI7.4 Test environment AI7.6 Testing of changes AI7.8 Promotion to production DS5.9 Malicious software prevention, detection and correction DS5.3 Identity management DS5.4 User account management PO2.3 Data classification scheme PO7.8 Job change and termination DS5.3 Identity management DS5.4 User account management PO4.8 Responsibility for risk, security and compliance DS4.9 Offsite backup storage DS5.4 User account management DS11.2 Storage and retention arrangements DS11.3 Media library management system DS11.4 Disposal Volume 2, April 2011 Page 3
4 Figure 1 Mapping PCI DSS v2.0 to COBIT 4.1 (continued) PCI DSS v2.0 Control s DS11.6 Security requirements for data management 11 Regularly track security systems and processes. DS12.2 Physical security measures DS12.3 Physical access DS13.3 IT infrastructure monitoring PO9.3 Event identification DS5.6 Security incident definition ME1.2 Definition and collection of monitoring data ME1.3 Monitoring method ME1.4 Performance assessment ME2.1 Monitoring of internal control framework ME2.2 Supervisory review ME2.3 Control exceptions ME2.4 Control self-assessment ME2.7 Remedial actions PC5 Policy, plans and procedures PO2.3 Data classification scheme PO4.3 IT steering committee PO4.4 Organizational placement of the IT function 12 Maintain an information security policy. PO4.6 Establishment of roles and responsibilities PO4.8 Responsibility for risk, security and compliance PO4.9 Data and system ownership PO6.1 IT policy and control environment Volume 2, April 2011 Page 4
5 Figure 1 Mapping PCI DSS v2.0 to COBIT 4.1 (continued) PCI DSS v2.0 Control s PO6.3 IT policies management PO6.4 Policy, standard and procedures rollout PO6.5 Communication of IT objectives and direction PO7.1 Personnel recruitment and retention PO7.3 Staffing of roles PO7.4 Personnel training PO7.6 Personnel clearance procedures PO9 Assess and manage IT risks. DS5.1 Management of IT security DS5.2 IT security plan DS5.3 Identity management ME2.1 Monitoring of internal control framework ME2.2 Supervisory review ME2.4 Control self-assessment Conclusion Information security will always remain a challenge for every organization dealing with customer information. Complying with PCI DSS v2.0 along with COBIT 4.1 controls, the organization can work efficiently with IT compliance and IT governance. PCI DSS v2.0 focuses on the compliance area, and COBIT 4.1 provides the overall governance. PCI DSS v2.0 gives a detailed description of a number of important IT controls that can be applied to achieve compliance for the organization dealing with payment card transactions and storing customer information. COBIT provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of IT and in developing appropriate IT governance and control in an organization. Pritam Bankar, CISA, CISM, is a senior consultant with Infosys Technologies Limited and has more than seven years of experience in information security, IT/information systems (IS) audits, compliance and regulations (e.g., the US Sarbanes-Oxley Act, PCI DSS, SAS 70), and IT governance and strategy. Bankar is part of an IT controls and compliance practice and leads PCI DSS service offerings for Infosys. Sharad Verma is a senior associate consultant with Infosys Technologies Ltd. and has several years of diversified experience across various domains such as IT and business operations. Verma is certified in COBIT 4.1 and has worked in capability development for PCI DSS and designed a PCI DSS framework for Infosys. He has expertise in the security domain and experience in implementing ISO Volume 2, April 2011 Page 5
6 COBIT Focus is published by ISACA. Opinions expressed in COBIT Focus represent the views of the authors. They may differ from policies and official statements of ISACA and its committees, and from opinions endorsed by authors, employers or the editors of COBIT Focus. COBIT Focus does not attest to the originality of authors content ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Please contact Julia Fullerton at Framework Committee Patrick Stachtchenko, CISA, CGEIT, CA, France, chair Steven A. Babb, CGEIT, UK Sushil Chatterji, CGEIT, Singapore Sergio Fleginsky, CISA, Uruguay John W. Lainhart IV, CISA, CISM, CGEIT, USA Mario C. Micallef, CGEIT, CPAA, FIA, Malta Derek J. Oliver, Ph.D., DBA, CISA, CISM, CITP, FBCS, FISM, UK Robert G. Parker, CISA, CA, CMC, FCA, Canada Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, Australia Robert E. Stroud, CGEIT, USA Rolf M. von Roessing, CISA, CISM, CGEIT, Germany Editorial Content Comments regarding the editorial content may be directed to Jennifer Hajigeorgiou, senior editorial manager, at 2011 ISACA. All rights reserved. Volume 2, April 2011 Page 6
Modeling Architecture for COBIT
Volume 3, July 2011 Modeling Architecture for COBIT By Reinhold Thurner, Ph.D. Models and frameworks are used as a means to describe the structure and properties of processes and to provide guidelines
More informationCOBIT Maturity Assessment and Continual e-health Governance Improvement at NHS Fife By Elena Beratarbide, CISA, Pablo Borges and Donald Wilson
Volume 4, October 2012 Come join the discussion! Elena Beratarbide will respond to questions in the discussion area of the COBIT (4.1 and earlier) Use It Effectively topic beginning 22 October 2012. COBIT
More informationSection 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016
Section 3.9 PCI DSS Information Security Policy Issued: vember 2017 Replaces: June 2016 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More informationPCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1
PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman
More informationSQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD
SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD The Payment Card Industry Data Security Standard (PCI DSS), currently at version 3.2,
More informationCOBIT for IT Risk Management in a Bank A Case Study By Jitendra Barve, CISA, FCA
In This Issue: Volume 3, July 2010 COBIT for IT Risk Management in a Bank A Case Study, by Jitendra Barve, CISA, FCA Laugh & Learn: Using COBIT to Improve the Software Development Life Cycle, by Corjan
More informationOverview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview
PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card
More informationPCI DSS COMPLIANCE 101
PCI DSS COMPLIANCE 101 Pavel Kaminsky PCI QSA, CISSP, CISA, CEH, Head of Operations at Seven Security Group Information Security Professional, Auditor, Pentester SEVEN SECURITY GROUP PCI QSA Сompany Own
More informationPCI DSS 3.2 AWARENESS NOVEMBER 2017
PCI DSS 3.2 AWARENESS NOVEMBER 2017 1 AGENDA PCI STANDARD OVERVIEW PAYMENT ENVIRONMENT 2ACTORS PCI ROLES AND RESPONSIBILITIES MERCHANTS COMPLIANCE PROGRAM PCI DSS 3.2 REQUIREMENTS 2 PCI STANDARD OVERVIEW
More informationMerchant Guide to PCI DSS
0800 085 3867 www.cardpayaa.com Merchant Guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 Card Pay from the AA Simple PCI DSS - 3 step
More informationCOBIT 5: Enabling Information Progress Report By Steven De Haes, Ph.D.
Volume 4, October 2012 In This Issue: COBIT 5: Enabling Information Progress Report Integrating COBIT 4.1 Into the Internal Audit Function COBIT 5 for Risk Progress Report COBIT Maturity Assessment and
More informationISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002
ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION
More informationReport of the Nominating Committee
Volume 7, 31 March 2011 In This Issue: Report of the Nominating Committee Slate of 2011-2012 Board of Directors New COBIT Case Study: Grupo Bancolombia New COBIT Process Assessment Model: The Market Need
More informationTHE ISACA CURACAO CHAPTER IS ORGANIZING FOLLOWING INFORMATION SECURITY AND TECHNOLOGY SESSIONS ON MAY 15-MAY :
THE ISACA CURACAO CHAPTER IS ORGANIZING FOLLOWING INFORMATION SECURITY AND TECHNOLOGY SESSIONS ON MAY 15-MAY 18 2017: INFORMATION SYSTEM AUDIT AND SECURITY MANAGEMENT ( 2 DAYS) MAY 15 AND 16 o INFORMATION
More informationUSING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES
WHITE PAPER USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES Table of Contents I. Overview II. COSO to CobIT III. CobIT / COSO Objectives met by using QualysGuard 2 3 4 Using QualysGuard
More informationPCI DSS and the VNC SDK
RealVNC Limited 2016. 1 What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) compliance is mandated by many major credit card companies, including Visa, MasterCard, American Express,
More informationEnsuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard
Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure
More informationComodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business
Comodo HackerGuardian PCI Security Compliance The Facts What PCI security means for your business Overview The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements intended
More informationMapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA
Volume 3, July 2014 In This Issue: Mapping COBIT 5 With IT Governance, Risk and Compliance at Ecopetrol COBIT 5 Helps Find Value in the Cloud 6 Tips for Implementing IT Governance With COBIT 5 Are COSO
More informationPosition Description IT Auditor
Position Title IT Auditor Position Number Portfolio Performance and IT Audit Location Victoria Supervisor s Title IT Audit Director Travel Required Yes FOR OAG HR USE ONLY: Approved Classification or Leadership
More informationPCI DSS and VNC Connect
VNC Connect security whitepaper PCI DSS and VNC Connect Version 1.2 VNC Connect security whitepaper Contents What is PCI DSS?... 3 How does VNC Connect enable PCI compliance?... 4 Build and maintain a
More informationPCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard
Introduction Verba provides a complete compliance solution for merchants and service providers who accept and/or process payment card data over the telephone. Secure and compliant handling of a customer
More informationNavigating the PCI DSS Challenge. 29 April 2011
Navigating the PCI DSS Challenge 29 April 2011 Agenda 1. Overview of Threat and Compliance Landscape 2. Introduction to the PCI Security Standards 3. Payment Brand Compliance Programs 4. PCI DSS Scope
More informationVal-EdTM. Valiant Technologies Education & Training Services. Workshop for CISM aspirants. All Trademarks and Copyrights recognized.
Val-EdTM Valiant Technologies Education & Training Services Workshop for CISM aspirants All Trademarks and Copyrights recognized Page 1 of 8 Welcome to Valiant Technologies. We are a specialty consulting
More informationCOURSE BROCHURE CISA TRAINING
COURSE BROCHURE CISA TRAINING What is CISA? The CISA, Certified Information Systems Auditor, is a professional designation which provides great benefits and increased influence for an individual within
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationThe Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels
The Devil is in the Details: The Secrets to Complying with PCI Requirements Michelle Kaiser Bray Faegre Baker Daniels 1 PCI DSS: What? PCI DSS = Payment Card Industry Data Security Standard Payment card
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationCOBIT 5 With COSO 2013
Integrating COBIT 5 With COSO 2013 Stephen Head Senior Manager, IT Risk Advisory Services 1 Our Time This Evening Importance of Governance COBIT 5 Overview COSO Overview Mapping These Frameworks Stakeholder
More information2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA
Effective Data Security Measures on Payment Cards through PCI DSS 2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA Learning Bites Comprehend the foundations, requirements,
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationbuilding for my Future 2013 Certification
I am building for my Future 2013 Certification Let ISACA help you open new doors of opportunity With more complex IT challenges arising, enterprises demand qualified professionals with proven knowledge
More informationTable of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING
Table of Contents Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING Chapter 1: Significance of Internal Auditing in Enterprises Today: An Update 3 1.1 Internal Auditing History and Background
More information"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary
Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business
More informationPCI COMPLIANCE IS NO LONGER OPTIONAL
PCI COMPLIANCE IS NO LONGER OPTIONAL YOUR PARTICIPATION IS MANDATORY To protect the data security of your business and your customers, the credit card industry introduced uniform Payment Card Industry
More informationThe Honest Advantage
The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents
More informationCredit Card Data Compromise: Incident Response Plan
Credit Card Data Compromise: Incident Response Plan Purpose It is the objective of the university to maintain secure financial transactions. In order to comply with state law and contractual obligations,
More informationIT Attestation in the Cloud Era
IT Attestation in the Cloud Era The need for increased assurance over outsourced operations/ controls April 2013 Symeon Kalamatianos M.Sc., CISA, CISM Senior Manager, IT Risk Consulting Contents Introduction
More informationCybersecurity & Privacy Enhancements
Business, Industry and Government Cybersecurity & Privacy Enhancements John Lainhart, Director, Grant Thornton The National Institute of Standards and Technology (NIST) is in the process of updating their
More informationDoes a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?
Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,
More informationEffective COBIT Learning Solutions Information package Corporate customers
Effective COBIT Learning Solutions Information package Corporate customers Thank you f o r y o u r interest Thank you for showing interest in COBIT learning solutions from ITpreneurs. This document provides
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission
More informationAssurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant
Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework Keith Price Principal Consultant 1 About About me - Specialise in cybersecurity strategy, architecture, and assessment -
More informationCOMPLIANCE BRIEF: HOW VARONIS HELPS WITH PCI DSS 3.1
COMPLIANCE BRIEF: HOW VARONIS HELPS WITH OVERVIEW The Payment Card Industry Data Security Standard (PCI-DSS) 3.1 is a set of regulations that govern how firms that process credit card and other similar
More informationPCI DSS COMPLIANCE DATA
PCI DSS COMPLIANCE DATA AND PROTECTION FROM RESULTS Technology CONTENTS Overview.... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Merchants Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission This
More informationPredstavenie štandardu ISO/IEC 27005
PERFORMANCE & TECHNOLOGY - IT ADVISORY Predstavenie štandardu ISO/IEC 27005 ISMS Risk Management 16.02.2011 ADVISORY KPMG details KPMG is a global network of professional services firms providing audit,
More informationSite Data Protection (SDP) Program Update
Advanced Payments October 9, 2006 Site Data Protection (SDP) Program Update Agenda Security Landscape PCI Security Standards Council SDP Program October 9, 2006 SDP Program Update 2 Security Landscape
More informationPCI compliance the what and the why Executing through excellence
PCI compliance the what and the why Executing through excellence Tejinder Basi, Partner Tarlok Birdi, Senior Manager May 27, 2009 Agenda 1. Introduction 2. Background 3. What problem are we trying to solve?
More informationPCI Compliance: It's Required, and It's Good for Your Business
PCI Compliance: It's Required, and It's Good for Your Business INTRODUCTION As a merchant who accepts payment cards, you know better than anyone that the war against data fraud is ongoing and escalating.
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission
More informationUniversity of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Interim Director
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission
More informationin PCI Regulated Environments
in PCI Regulated Environments JULY, 2018 PCI COMPLIANCE If your business accepts payments via credit, debit, or pre-paid cards, you are required to comply with the security requirements of the Payment
More informationTable of Contents. PCI Information Security Policy
PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology
More informationGUIDE TO STAYING OUT OF PCI SCOPE
GUIDE TO STAYING OUT OF PCI SCOPE FIND ANSWERS TO... - What does PCI Compliance Mean? - How to Follow Sensitive Data Guidelines - What Does In Scope Mean? - How Can Noncompliance Damage a Business? - How
More informationITIL Intermediate Continual Service Improvement (CSI) Certification Boot Camp - Brochure
ITIL Intermediate Continual Service Improvement (CSI) Certification Boot Camp - Brochure Gain Knowledge to Align IT Services to Business Needs US Course Name : CISSP Version : INVL_CISSP_BR_02_089_1.2
More informationCity of Portland Audit: Follow-Up on Compliance with Payment Card Industry Data Security Standard BY ALEXANDRA FERCAK SENIOR MANAGEMENT AUDITOR
City of Portland Audit: Follow-Up on Compliance with Payment Card Industry Data Security Standard BY ALEXANDRA FERCAK SENIOR MANAGEMENT AUDITOR Examples of Government data breaches in 2016, listing number
More informationTotal Security Management PCI DSS Compliance Guide
Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationWill you be PCI DSS Compliant by September 2010?
Will you be PCI DSS Compliant by September 2010? Michael D Sa, Visa Canada Presentation to OWASP Toronto Chapter Toronto, ON 19 August 2009 Security Environment As PCI DSS compliance rates rise, new compromise
More informationUCSB Audit and Advisory Services Internal Audit Report. Credit Cards PCI Compliance. July 1, 2016
Internal Audit Report Credit Cards PCI Compliance July 1, 2016 Performed by: Jessie Masek, Associate Director Antonio Manas-Melendez, Principal Auditor Laurie Liao, Staff Auditor Approved by: Robert Tarsia,
More informationChoosing the Right Solution for Strategic Deployment of Encryption
Choosing the Right Solution for Strategic Deployment of Email Encryption White Paper: Enterprise Email Encryption Email Protection Buyer s Guide Choosing the Right Solution for Strategic Deployment of
More informationWeighing in on the Benefits of a SAS 70 Audit for Third Party Administrators
Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener
More informationIS Audit and Assurance Guideline 2001 Audit Charter
IS Audit and Assurance Guideline 2001 Audit Charter The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply
More informationOPERA Version 4.0+ PABP Guide and PCI Data Security Standard Adherence
OPERA Version 4.0+ PABP Guide and PCI Data Security Standard Adherence General Information About This Document This document is intended as a quick reference guide to provide you with information concerning
More informationControl-M and Payment Card Industry Data Security Standard (PCI DSS)
Control-M and Payment Card Industry Data Security Standard (PCI DSS) White paper PAGE 1 OF 16 Copyright BMC Software, Inc. 2016 Contents Introduction...3 The Need...3 PCI DSS Related to Control-M...4 Control-M
More informationPCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security
White Paper 0x8c1a3291 0x56de5791 0x450a0ad2 axd8c447ae 8820572 0x5f8a153d 0x19df c2fe97 0xd61b5228 0xf32 4856 0x3fe63453 0xa3bdff82 0x30e571cf 0x36e0045b 0xad22db6a 0x100daa87 0x48df 0x5ef8189b 0x255ba12
More informationCybersecurity The Evolving Landscape
Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG
More informationExam Requirements v4.1
COBIT Foundation Exam Exam Requirements v4.1 The purpose of this document is to provide information to those interested in participating in the COBIT Foundation Exam. The document provides information
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationeguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments
eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments Today s PCI compliance landscape is one of continuing change and scrutiny. Given the number
More informationEU General Data Protection Regulation (GDPR) Achieving compliance
EU General Data Protection Regulation (GDPR) Achieving compliance GDPR enhancing data protection and privacy The new EU General Data Protection Regulation (GDPR) will apply across all EU member states,
More informationData Classification, Security, and Privacy
Data Classification, Security, and Privacy Jennifer Bayuk Securities Industry and Financial Markets Association Internal Audit Division October, 2007 Overview of Information Classification Logical Relationship
More informationCISA Training.
CISA Training www.austech.edu.au WHAT IS CISA TRAINING? The CISA, Certified Information Systems Auditor, is a professional designation which provides great benefits and increased influence for an individual
More informationQuickBooks Online Security White Paper July 2017
QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a
More informationInternational Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017
3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 25 April 2008 International Auditing and Assurance
More informationInformation technology Security techniques Code of practice for personally identifiable information protection
INTERNATIONAL STANDARD ISO/IEC 29151 First edition 2017-08 Information technology Security techniques Code of practice for personally identifiable information protection Technologies de l'information Techniques
More informationDesigning Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS)
Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS) January 2009 1 January 2009 Polycom White Paper: Complying with PCI-DSS Page 2 1.
More informationITIL Intermediate Service Design (SD) Certification Boot Camp - Brochure
ITIL Intermediate Service Design (SD) Certification Boot Camp - Brochure Get a Management-level overview of Service Design to advance in your Career Course Name : ITIL SD Version : INVL_ITILSD_BR_02_033_1.2
More informationA SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS
A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS Introduction If you re a growing service organization, whether a technology provider, financial services corporation, healthcare company, or professional
More informationNEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE
COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:
More informationIntroduction To IS Auditing
Introduction To IS Auditing Instructor: Bryan McAtee, ASA, CISA Bryan McAtee & Associates - Brisbane, Australia * Course, Presenter and Delegate Introductions * Definition of Information Technology (IT)
More informationWhat is ISO/IEC 27001?
An Introduction to the International Information Security Management Standard By President INTERPROM July 2017 Copyright 2017 by InterProm USA. All Rights Reserved www.interpromusa.com Contents INTRODUCTION...
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More informationAuthAnvil for Retail IT. Exploring how AuthAnvil helps to reach compliance objectives
AuthAnvil for Retail IT Exploring how AuthAnvil helps to reach compliance objectives AuthAnvil for Retail IT Exploring how AuthAnvil helps to reach compliance objectives As companies extend their online
More informationWhat are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards
PCI DSS What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards Definition: A multifaceted security standard that includes requirements for security management, policies, procedures,
More informationIS Audit and Assurance Guideline 2002 Organisational Independence
IS Audit and Assurance Guideline 2002 Organisational Independence The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards
More informationThe Evolution of Data Governance Regulations and What IA Departments Need to Know FEBRUARY 27, 2018
The Evolution of Data Governance Regulations and What IA Departments Need to Know FEBRUARY 27, 2018 Jamey Loupe Senior Manager, Risk Advisory Services Jessica Allen Director, Technology & Business Transformation
More informationWORKSHARE SECURITY OVERVIEW
WORKSHARE SECURITY OVERVIEW April 2016 COMPANY INFORMATION Workshare Security Overview Workshare Ltd. (UK) 20 Fashion Street London E1 6PX UK Workshare Website: www.workshare.com Workshare Inc. (USA) 625
More informationPayment Card Industry Data Security Standards Version 1.1, September 2006
Payment Card Industry Data Security Standards Version 1.1, September 2006 Carl Grayson Agenda Overview of PCI DSS Compliance Levels and Requirements PCI DSS v1.1 in More Detail Discussion, Questions and
More informationFRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.
FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013 Visit us online at Flank.org to learn more. HITRUST CSF v9 Framework ISO 27001/27002:2013 Framework FLANK ISO 27001/27002:2013 Documentation from
More informationNERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS
NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements
More informationPCI DSS Addressing Cyber-Security Threats. ETCAA June Gabriel Leperlier
Welcome! PCI DSS Addressing Cyber-Security Threats ETCAA June 2017 - Gabriel Leperlier Short Bio Current Position Head of Continental Europe Advisory Services at Verizon. Managing 30+ GRC/PCI/Pentest Consultants
More informationThis document is a preview generated by EVS
INTERNATIONAL STANDARD ISO/IEC 29151 First edition 2017-08 Information technology Security techniques Code of practice for personally identifiable information protection Technologies de l'information Techniques
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission
More informationCertified in Risk and Information Systems ControlTM Certification Training - Brochure
Certified in Risk and Information Systems ControlTM Certification Training - Brochure Manage IT risks to control Information Systems effectively Course Name : CRISC Certification Training Version : INVL_CRISC_BR_1.0
More informationClearing the Path to PCI DSS Version 2.0 Compliance
White Paper Secure Configuration Manager Sentinel Change Guardian Clearing the Path to PCI DSS Version 2.0 Compliance Table of Contents Streamlining Processes for Protecting Cardholder Data... 1 PCI DSS
More informationCISM QAE ITEM DEVELOPMENT GUIDE
CISM QAE ITEM DEVELOPMENT GUIDE ISACA 2015. All Rights Reserved. 2 TABLE OF CONTENTS PURPOSE OF THE CISM QAE ITEM DEVELOPMENT GUIDE... 3 PURPOSE OF THE CISM QAE... 3 CISM EXAM STRUCTURE... 3 WRITING QUALITY
More information