Mapping PCI DSS v2.0 With COBIT 4.1 By Pritam Bankar, CISA, CISM, and Sharad Verma


Volume 2, April 2011

Come join the discussion! Pritam Bankar and Sharad Verma will be responding to questions and comments in the discussion area of the COBIT Use It Effectively topic beginning 21 April 2011.

In today's era, every organization across the globe, regardless of its size or industry, faces security issues pertaining to new and evolving threats, vulnerabilities, risks or regulatory/compliance landscapes. As such, there arises a need for organizations to make stringent efforts to ensure that their security and enterprise risk management (ERM) programs address multiple compliance requirements.

This article contains the results of a mapping of Payment Card Industry Data Security Standard (PCI DSS) v2.0 controls with COBIT 4.1. PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis.

This mapping provides guidance to organizations seeking PCI compliance by identifying and highlighting the COBIT areas that should be considered for each requirement within PCI DSS. It also highlights how the processes in COBIT can support PCI DSS compliance activity. As a result, the mapping can be used as a reference for formulating an integrated and customized control framework for an organization. Since COBIT covers the broad spectrum of IT control processes and PCI DSS is strictly focused on protecting cardholder data, any user of COBIT must first determine the relevance and applicability of IT processes and subprocesses within the COBIT framework.

COBIT, a framework for the governance of enterprise IT (GEIT), has a broader scope and is applicable to all organizations, whereas PCI DSS v2.0 focuses more on the area of protecting cardholder data and is applicable to all organizations that hold, process or exchange cardholder information. PCI DSS controls are mandatory for organizations that collect credit card data, whereas COBIT has general controls that can be leveraged based on an organization's requirements.

The implicit benefits of mapping PCI DSS v2.0 with COBIT include:

- A unique set of controls. Organizations planning to implement PCI DSS can easily manage, measure and provide evidence of satisfying multiple compliance and governance requirements through a single unique set of controls.
- Adherence to multiple standards. Organizations can adhere to multiple industry standards for securing credit card data by adopting the unique set of controls and can increase operational efficiency.
- Increased performance. Each PCI DSS control and requirement is mapped extensively with COBIT controls after assessing the in-depth objective of the control, which results in increasing the performance efficiency of the security program.
- PCI DSS compliance made easy. While compliance with PCI DSS is mandatory for organizations that process financial transactions through payment cards, its scope is limited to protecting cardholder data. COBIT, however, acts as an integrator of best practices and an umbrella framework for IT governance designed to apply across a variety of organizations, and it is universally recognized. For certain enterprises, PCI compliance is mandatory, and COBIT is used as a guideline.

Figure 1 provides a mapping of PCI DSS v2.0 to COBIT 4.1. Please note that multiple PCI DSS requirements can map to a single control in COBIT 4.1, as seen in requirements 11 and 12.

Figure 1 Mapping PCI DSS v2.0 to COBIT 4.1

Note on the figure: the row boundaries between requirements 1 and 2, between 4 and 5, and among 6 through 10 are not preserved in the extracted figure, so the COBIT 4.1 controls mapped to those requirements are listed together, in the order in which they appear; the boundary between requirements 11 and 12 is likewise approximate.

PCI DSS v2.0 Requirements 1 and 2
1. Install and maintain a firewall to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords or other security parameters.
COBIT 4.1 controls:
AI2.5 Configuration and implementation of acquired application software
AI3.2 Infrastructure resource protection and availability
DS5.10 Network security
DS13.3 IT infrastructure monitoring

PCI DSS v2.0 Requirement 3
3. Protect stored cardholder data.
COBIT 4.1 controls:
PO2.3 Data classification scheme
DS4.9 Offsite backup storage
DS5.8 Cryptographic key management
DS11.2 Storage and retention arrangements
DS11.4 Disposal
DS11.6 Security requirements for data management

PCI DSS v2.0 Requirements 4 and 5
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update antivirus software on all systems commonly affected by malware.
COBIT 4.1 controls:
DS5.1 Management of IT security
DS5.8 Cryptographic key management
DS5.10 Network security
DS11.6 Security requirements for data management
DS5.9 Malicious software prevention, detection and correction
PO8.3 Development and acquisition standards
PO9.3 Event identification

PCI DSS v2.0 Requirements 6 through 10
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
COBIT 4.1 controls:
PO9.4 Risk assessment
AI3.3 Infrastructure maintenance
AI3.4 Feasibility test environment
AI6.1 Change standards and procedures
AI6.2 Impact assessment, prioritization and authorization
AI7.3 Implementation plan
AI7.4 Test environment
AI7.6 Testing of changes
AI7.8 Promotion to production
DS5.9 Malicious software prevention, detection and correction
DS5.3 Identity management
DS5.4 User account management
PO2.3 Data classification scheme
PO7.8 Job change and termination
DS5.3 Identity management
DS5.4 User account management
PO4.8 Responsibility for risk, security and compliance
DS4.9 Offsite backup storage
DS5.4 User account management
DS11.2 Storage and retention arrangements
DS11.3 Media library management system
DS11.4 Disposal
DS11.6 Security requirements for data management

PCI DSS v2.0 Requirement 11
11. Regularly track security systems and processes.
COBIT 4.1 controls:
DS12.2 Physical security measures
DS12.3 Physical access
DS13.3 IT infrastructure monitoring
PO9.3 Event identification
DS5.6 Security incident definition
ME1.2 Definition and collection of monitoring data
ME1.3 Monitoring method
ME1.4 Performance assessment
ME2.1 Monitoring of internal control framework
ME2.2 Supervisory review
ME2.3 Control exceptions
ME2.4 Control self-assessment
ME2.7 Remedial actions

PCI DSS v2.0 Requirement 12
12. Maintain an information security policy.
COBIT 4.1 controls:
PC5 Policy, plans and procedures
PO2.3 Data classification scheme
PO4.3 IT steering committee
PO4.4 Organizational placement of the IT function
PO4.6 Establishment of roles and responsibilities
PO4.8 Responsibility for risk, security and compliance
PO4.9 Data and system ownership
PO6.1 IT policy and control environment
PO6.3 IT policies management
PO6.4 Policy, standard and procedures rollout
PO6.5 Communication of IT objectives and direction
PO7.1 Personnel recruitment and retention
PO7.3 Staffing of roles
PO7.4 Personnel training
PO7.6 Personnel clearance procedures
PO9 Assess and manage IT risks
DS5.1 Management of IT security
DS5.2 IT security plan
DS5.3 Identity management
ME2.1 Monitoring of internal control framework
ME2.2 Supervisory review
ME2.4 Control self-assessment

Conclusion

Information security will always remain a challenge for every organization dealing with customer information. By complying with PCI DSS v2.0 alongside COBIT 4.1 controls, an organization can handle IT compliance and IT governance efficiently. PCI DSS v2.0 focuses on the compliance area, and COBIT 4.1 provides the overall governance. PCI DSS v2.0 gives a detailed description of a number of important IT controls that can be applied to achieve compliance for an organization that deals with payment card transactions and stores customer information. COBIT provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of IT and in developing appropriate IT governance and control in an organization.

Pritam Bankar, CISA, CISM, is a senior consultant with Infosys Technologies Limited and has more than seven years of experience in information security, IT/information systems (IS) audits, compliance and regulations (e.g., the US Sarbanes-Oxley Act, PCI DSS, SAS 70), and IT governance and strategy. Bankar is part of an IT controls and compliance practice and leads PCI DSS service offerings for Infosys.

Sharad Verma is a senior associate consultant with Infosys Technologies Ltd. and has several years of diversified experience across various domains such as IT and business operations. Verma is certified in COBIT 4.1 and has worked in capability development for PCI DSS and designed a PCI DSS framework for Infosys. He has expertise in the security domain and experience in implementing ISO 27001.

COBIT Focus is published by ISACA. Opinions expressed in COBIT Focus represent the views of the authors. They may differ from policies and official statements of ISACA and its committees, and from opinions endorsed by authors' employers or the editors of COBIT Focus. COBIT Focus does not attest to the originality of authors' content.

2011 ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Please contact Julia Fullerton at jfullerton@isaca.org.

Framework Committee
Patrick Stachtchenko, CISA, CGEIT, CA, France, chair
Steven A. Babb, CGEIT, UK
Sushil Chatterji, CGEIT, Singapore
Sergio Fleginsky, CISA, Uruguay
John W. Lainhart IV, CISA, CISM, CGEIT, USA
Mario C. Micallef, CGEIT, CPAA, FIA, Malta
Derek J. Oliver, Ph.D., DBA, CISA, CISM, CITP, FBCS, FISM, UK
Robert G. Parker, CISA, CA, CMC, FCA, Canada
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, Australia
Robert E. Stroud, CGEIT, USA
Rolf M. von Roessing, CISA, CISM, CGEIT, Germany

Editorial Content
Comments regarding the editorial content may be directed to Jennifer Hajigeorgiou, senior editorial manager, at jhajigeorgiou@isaca.org.