ISE Canada Executive Forum and Awards, September 19, 2013
"Establishing a Cost-Effective PCI DSS Compliance Program by Having a Can-Do Attitude"
Della Shea, Chief Privacy & Information Risk Officer, Symcor Inc.
Symcor in a Nutshell (Nominee Showcase Presentation)
- Created in 1996 as a joint venture between RBC, TD and BMO to consolidate back-office operations, reduce operating costs and capture new revenue
- One of the largest business process outsourcing companies in Canada, providing cheque processing, remittance and statement production services
- 4,000 employees who collectively: process more than 197 million payments; process approximately two billion cheques; produce more than 700 million statements; produce more than two billion print pages; manage 8,600 lockbox accounts
Presentation Overview
- The Business Challenge
- The PCI DSS Compliance Journey
- PCI DSS Compliance Model
- Building a Coalition for Change
- Translating Strategy into Actions
The Business Challenge
Achieving and maintaining PCI DSS compliance is a critical priority for Symcor, but previous attempts to become compliant were not successful:
- Many legacy systems inherited from M&A activity
- Lack of cross-linkages between separate lines of business (LOBs), each with its own strategy
- Many silos and confusion over roles and accountability
- Competing priorities requiring the same resources
- Aggressive timelines
- Mounting pressure to achieve compliance
- An exuberant business case for becoming compliant
The PCI DSS Compliance Journey
- Compliance is a business issue
- Strategy, business case, project management
- Technology must link to business processes
- Providing evidence of compliance is key
Guiding Principles for the Program
- Failure is not an option
- Commitment to the overall timeline
- Sensitivity to clients' needs and deliverables
- Scope containment, but scalable for the future
PCI Compliance Office Model
Four pillars: Assess & Remediate; Monitor, Alert, Control & Report; Communicate & Educate; Demonstrate & Provide Evidence
PCI Compliance Office Model (detail)

Assess & Remediate
- Assess: identify cardholder data, take an inventory of IT assets and business processes involved in payment card processing, and analyze them for vulnerabilities that could expose cardholder data
- Complete the PCI DSS Self-Assessment / QSA assessment
- Compliance gap analysis
- Remediate: fix the vulnerabilities found

Demonstrate & Provide Evidence
- Internal audits: quarterly scans; annual assessment; Report on Risk & Compliance
- External audit: confirm quarterly scans completed; annual QSA and on-site assessment; Report on Compliance

Monitor, Alert, Control & Report
- Governance program aligned to the PCI DSS three-year cycle
- Policy & procedure review
- Risk and compliance review
- Roles & responsibilities review
- RFP, due diligence and contract review
- Change & scope management review
- Review: improve controls / automate processes
- Report: compile and submit required remediation validation records (if applicable), and submit compliance reports

Communicate & Educate
- PCI awareness program
- Create a common PCI culture
- PCI DSS training
- Internal Security Assessor (ISA) training
- Maintain a common repository & tools
Building a Coalition for Change
- Who are the stakeholders?
- What changes are needed?
- Where are we going and why?
- How can we translate our ideas into actions?
The Stakeholders
- Committees and advisors: Executive Steering Committee; Executive Operating Committee; Audit Committee; QSA-c Governance Expert
- Program office: Chief Privacy & PCI DSS Compliance Officer; Program Manager; PCI Expert (QSA)
- Stakeholder functions: Clients; Client Relations; Operations; Legal; Human Resources; Corporate Security; Info Security; Audit & Risk; Privacy; Finance
- Projects, each with its own Project Manager and Project Team: Remittance Upgrade; ISS T&T; Governance; PCI Infrastructure; PCI Tools
Changes that Were Needed
- Thorough assessment of the current state
- Remediation activities (multiple projects)
- Establishing a compliance culture
- Ownership and accountability for controls
Where We Decided to Go and Why
- De-scoping
- Data minimization
- Network segmentation
- Dedicated governance framework
Governance is the glue that holds everything together.
Translating Strategy into Actions
The compliance tracking document has seven columns:
A. PCI DSS Requirement
B. Test Procedure
C. Priority
D. In Place?
E. Stage of Implementation
F. Links to Evidence
G. Action Plan
Notes on the columns:
- Requirement and Test Procedure (A, B): PCI consultants can help with interpretation of the controls and of the methods prescribed for testing them
- Priority (C): the PCI Security Standards Council prescribes a course of action that factors in dependencies
- In Place?, Stage of Implementation and Links to Evidence (D, E, F): Governance has tracked progress to date and created a record-keeping structure for storing evidence
- Action Plan (G): the document is owned by the Requirements Lead and captures all of the effort and resourcing that needs to be scheduled
Project Results
Critical system processes and procedures that linked technology to compliance priorities were made possible by operationalizing Enterprise Information Security and related policies, including:
- Complex implementation of security tools and processes within 12 months, including incident response, threat-level classification, vulnerability management, file integrity monitoring (Tripwire), security information and event management (LogRhythm), encryption solutions (Vormetric), wireless scanning and penetration testing services
- Daily log analysis for anomalies and threats within the core compliant environments
- Incident response threat-level classification of identified threats within the compliant environments
- A proactive, comprehensive vulnerability management program to identify new threats within the compliant environments before they can be exploited
- A governance framework to support security and data protection compliance programs
- Re-engineered business and change management processes aligned with security compliance initiatives
- Four externally evaluated Reports on Compliance attained within the past two years
Lessons Learned
- Establish and minimize scope
- Recognize that security is a journey, not a destination
- Be pragmatic and strategic: reuse and repurpose investments wherever possible
- Establish a culture of compliance
- Have fun and celebrate success!