Compliance-driven Security Requirements Warzaw 12 Oct Bengt Berg, M.Sc, CISM, CISSP, QSA,...

Transcription

1 Compliance-driven Security Requirements Warzaw 12 Oct 2010 Bengt Berg, M.Sc, CISM, CISSP, QSA,... Head of Compliance Management Services Cybercom Sweden East AB 10/14/10 1

2 So... Who s Talking? Who is Bengt Berg? What is Cybercom? 1800 employees, 11 countries, 28 offices Turnover 60 M / M /2009 Cybercom Secure: 80 full-time consultants Compliance Management and PCI DSS IAM Forensics Development of secure software components...and some other areas of expertise 10/14/10 2

3 External Compliance Requirements PCI DSS, Payment Card Industry Data Security Standard, ISO/EIC 27001:2006 Sarbanes-Oxley Act FDA/Part11 ISO CE certification Public Sector Procurement Laws Basel3 10/14/10 3

4 How PCI DSS has Transformed the Payment Security Area 10/14/10 4

5 PCI DSS Brands Bank QSA ASV PSP PFI PA-QSA Merchant PTS Service provider Solution vendor 10/14/10 5

6 But What are These Requirements? Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Requires solutions for change Requirement 3: Access Protect stored cardholder data Requirement 4: Encrypt Documentation and identity management transmission of of cardholder systems, firewalls, across open,... public networks Users, Physical Staging... roles, security of logs systems, databases, routers,... Requirement 5: Use Surveillance System IDS/IPS and regularly hardening 7/24 cameras Encryption of update stored anti-virus cardholder software data,... Requirement 6: Develop Visitor... Centralized and maintain secure systems and applications Never Wireless badges EVER store analyzer logging Requirement 7: Restrict some data... Encryption File access to of cardholder cardholder data by business sent over need-toknow Key ASV management... Yearly integrity Scans risk monitoring (int/ext) assessments quarterly public Anti-virus networks requirements :Requirement 8 Assign... a Penetration Security Some unique policies ID to policies each test must person yearly exist with computer access Centralized Secure development logs for AV methods solutions Requirement 9: Restrict physical Security access organization to cardholder data Change OWASP management Top10 ( for access requests Requirement 10: Track and Incident monitor response all access to plans network resources and cardholder data Need Test data, to know and test systems, requirements Requirement 11: Regularly Policies, test procedures, security systems instructions and processes Requirement 12: Maintain a policy that addresses information security 10/14/10 6

7 Initial Backlashes Conflict of interests Banks initially uncoordinated Caused great problems Situation fixed by PAN Nordic Self assessments (In Norway: self betrayal ) Almost always too nice First PA-DSS self-assessment: 45 minutes. Lesson learned: Patience... Endurance... 10/14/10 7

8 Response From Product Suppliers and Consultancy Companies 10/14/10 8

9 What Results Have Been Achieved? Retailers now have a very high level of security Leveraging the investments into other business areas Using the IDS for the whole company Incident management methods covers the whole company Investments in IS/IT Security /14/10 9

10 What Results Have Been Achieved? Not possible to sell insecure software to retailers anymore 10/14/10 10

11 What Results Have Been Achieved? Software developers know about security nowadays 10/14/10 11

12 What Results Have Been Achieved? Increased security amongst outsourcing companies And they make good business out of it! Brands QSA Bank ASV PSP Merchant Service provider Solution vendor 10/14/10 12

13 Emerging Methods for Managing External Compliance Requirements 10/14/10 13

14 Emerging methods A few trends growing more solid every day: 1. Portal solutions for compliance management 2. Extreme use of issue management solutions 3. Using wikis for policies and other documentation.. 4. Trend-oriented tests of compliance status 10/14/10 14

15 Portal Solutions for Compliance Management Cybercom, Acrea, ARIS, and numerous others Binders in a bookshelf isn t enough 10/14/10 15

16 Use of Issue Management Systems CISO Report Incident Incident response team Closed Incidents 27 workflows neccessary to implement ISO /14/10 16

17 Use of Issue Management Systems 10/14/10 17

18 All Documentation in Wiki format All documents easily accessible (read) Policy documents Instructions Edit only by document owner Easy to allow free for all in draft mode Built-in discussion forum! Let people help each other... Built-in functionality for version control 10/14/10 18

19 All Documentation in Wiki format 10/14/10 19

20 Trend-oriented tests 10/14/10 20

21 Conclusions What are the effects of external compliance requirements? New compliance-oriented business models Will always benefit the outsourcing providers The leader gets a competitive advantage Rational methods decrease investment Success depends on the governance framework Nobody wants to be a problem for their customer 10/14/10 21