ISE Canada Executive Forum and Awards


ISE Canada Executive Forum and Awards, September 19, 2013
"Establishing a Cost Effective PCI DSS Compliance Program by Having a Can Do Attitude"
Della Shea, Chief Privacy & Information Risk Officer, Symcor Inc.

Symcor in a Nutshell (Nominee Showcase Presentation)
- Created in 1996 as a joint venture between RBC, TD and BMO to consolidate back-office operations, reduce operating costs and capture new revenue
- One of the largest business process outsourcing companies in Canada, providing cheque processing, remittance and statement production services
- 4000 employees; collectively, Symcor processes more than 197 million payments and approximately two billion cheques, produces more than 700 million statements and more than two billion print pages, and manages 8600 lockbox accounts

Presentation Overview
- The Business Challenge
- The PCI DSS Compliance Journey
- PCI DSS Compliance Model
- Building a Coalition for Change
- Translating Strategy into Actions

The Business Challenge
Achieving and maintaining PCI DSS compliance is a critical priority for Symcor, but previous attempts to become compliant were not successful because of:
- Many legacy systems inherited from M&A activity
- Lack of cross-linkages between separate lines of business (LOBs), each with its own strategy
- Many silos and confusion over roles and accountability
- Competing priorities requiring the same resources
- Aggressive timelines
- Mounting pressure to achieve compliance
- Exuberant business case to become compliant

The PCI DSS Compliance Journey
- Compliance is a business issue: strategy, business case, project management
- Technology must link to business processes
- Providing evidence of compliance is key

Guiding Principles for the Program
- Failure is not an option
- Commitment to the overall timeline
- Sensitive to clients' needs and deliverables
- Scope containment, but scalable for the future

PCI Compliance Office Model (four functions)
- Assess & Remediate
- Monitor, Alert, Control & Report
- Communicate & Educate
- Demonstrate & Provide Evidence

Assess & Remediate
- Assess: identify cardholder data, take an inventory of IT assets and business processes involved in payment card processing, and analyze them for vulnerabilities that could expose cardholder data
- Complete the PCI DSS Self-Assessment / QSA assessment
- Compliance gap analysis
- Remediate: fix the vulnerabilities found

Demonstrate & Provide Evidence
- Internal audits: quarterly scans, annual assessment, Report on Risk & Compliance
- External audit: confirm quarterly scans completed, annual QSA on-site assessment, Report on Compliance

Monitor, Alert, Control & Report (Governance Program)
- Align to the PCI DSS 3-year cycle
- Policy & procedure review
- Risk and compliance review
- Roles & responsibilities review
- RFP, due diligence and contract review
- Change & scope management review
- Review: improve controls / automate processes
- Report: compile and submit required remediation validation records (if applicable), and submit compliance reports

Communicate & Educate
- PCI awareness program
- Create a common PCI culture
- PCI DSS training
- Internal Security Assessor (ISA) training
- Maintain a common repository & tools

Building a Coalition for Change
- Who are the stakeholders?
- What changes are needed?
- Where are we going, and why?
- How can we translate our ideas into actions?

The Stakeholders
- Oversight: Executive Steering Committee; Executive Operating Committee; Audit Committee
- Advisors: QSA-c Governance Expert; PCI Expert (QSA)
- Program leadership: Chief Privacy & PCI DSS Compliance Officer; Program Manager
- Business and functional stakeholders: Clients; Client Relations; Operations; Legal; Human Resources; Corporate Security; Info Security; Audit & Risk; Privacy; Finance
- Project managers and project teams, one per workstream: Remittance Upgrade; ISS T&T; Governance; PCI Infrastructure; PCI Tools

Changes that Were Needed
- Thorough assessment of the current state
- Remediation activities (multiple projects)
- Establishing a compliance culture
- Ownership and accountability for controls

Where We Decided to Go and Why
- De-scoping: data minimization and network segmentation
- Dedicated governance framework
- Governance is the glue that holds everything together

Translating Strategy into Actions
The requirements tracker has one row per PCI DSS requirement and the following columns:
A. PCI DSS Requirement
B. Test Procedure
C. Priority
D. In Place?
E. Stage of Implementation
F. Links to Evidence
G. Action Plan

Notes on the columns:
- PCI consultants can help with interpretation of the controls and of the testing methods prescribed for them
- The PCI Security Standards Council prescribes a course of action that factors in dependencies between requirements, which drives the priority
- Governance has tracked progress to date and created a record-keeping structure for storing evidence
- The document is owned by the Requirements Lead and captures all of the effort and resourcing that needs to be scheduled
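The tracker above is only useful if it is kept honest: a requirement marked "in place" with no evidence link will not survive a QSA review, and an open requirement without an action plan has no owner. The script below is an added example, not part of the original presentation or Symcor's tooling; it assumes a CSV export of the tracker with the seven columns named after the slide (column names, the requirement numbers and every row are constructed placeholders, not real assessment data) and produces a prioritized gap list plus consistency findings.

```python
"""Consistency checks and a prioritized gap report over a PCI DSS
requirements tracker laid out like the slide's columns A-G.
Added example; the tracker contents below are constructed placeholders."""
import csv
import io
from collections import defaultdict

# Constructed sample export of the tracker. Requirement numbers and test
# wording are illustrative only and are not tied to a specific DSS version.
SAMPLE_TRACKER = """\
requirement,test_procedure,priority,in_place,stage,evidence,action_plan
1.2,Review firewall rules between CDE and other networks,1,Yes,Complete,https://evidence.example/fw-rules-q3,
3.4,Verify PAN is unreadable where stored,1,No,In progress,,Deploy encryption to remittance DB (owner: DBA team)
6.1,Verify vulnerability ranking process exists,2,No,Not started,,
8.3,Verify MFA for non-console admin access to CDE,2,Yes,Complete,,
10.6,Review daily log review process,3,Yes,Complete,https://evidence.example/log-review-sop,
11.2,Confirm quarterly internal and external scans,2,Partial,In progress,https://evidence.example/scan-2013q2,Schedule Q3 ASV scan
"""


def load_tracker(text):
    """Parse a CSV tracker export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_rows(rows):
    """Return (requirement, issue) findings for rows that are internally
    inconsistent: claimed controls without evidence, gaps without an owner
    or plan, and stage/status contradictions."""
    findings = []
    for r in rows:
        req = r["requirement"]
        in_place = r["in_place"].strip().lower()
        if in_place == "yes" and not r["evidence"].strip():
            findings.append((req, "marked in place but has no evidence link"))
        if in_place in ("no", "partial"):
            if not r["action_plan"].strip():
                findings.append((req, "gap without an action plan"))
            if r["stage"].strip().lower() == "complete":
                findings.append((req, "stage says complete but control is not in place"))
        if in_place not in ("yes", "no", "partial"):
            findings.append((req, f"unrecognised in_place value {r['in_place']!r}"))
    return findings


def gaps_by_priority(rows):
    """Open requirements (not fully in place) grouped by priority,
    lowest priority number first."""
    groups = defaultdict(list)
    for r in rows:
        if r["in_place"].strip().lower() != "yes":
            groups[int(r["priority"])].append(r["requirement"])
    return dict(sorted(groups.items()))


def summary(rows):
    """Headline counts: how many requirements are claimed in place, and how
    many of those can actually be demonstrated with linked evidence."""
    done = [r for r in rows if r["in_place"].strip().lower() == "yes"]
    evidenced = [r for r in done if r["evidence"].strip()]
    return {"total": len(rows), "in_place": len(done),
            "in_place_with_evidence": len(evidenced)}


if __name__ == "__main__":
    rows = load_tracker(SAMPLE_TRACKER)
    print(summary(rows))
    for prio, reqs in gaps_by_priority(rows).items():
        print(f"priority {prio}: {', '.join(reqs)}")
    for req, issue in audit_rows(rows):
        print(f"[{req}] {issue}")
```

Run it against a real export by replacing SAMPLE_TRACKER with the file contents; the useful number to watch over time is in_place_with_evidence, not in_place, since only the former is what an assessor can test.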

Project Results
Critical system processes and procedures that linked technology to compliance priorities were made possible by operationalizing Enterprise Information Security and related policies, including:
- Complex implementation of security tools and processes within 12 months, including incident response, threat level classification, vulnerability management, File Integrity Monitoring (Tripwire), Security Information and Event Management (LogRhythm), encryption solutions (Vormetric), wireless scanning and penetration testing services
- Daily log analysis for anomalies and threats within the core compliant environments
- Incident response threat level classification for identified threats within the compliant environments
- Implementation of a proactive, comprehensive vulnerability management program to identify new threats within the compliant environments before they can be exploited
- Established a governance framework to support security and data protection compliance programs
- Re-engineered business and change management processes to align with security compliance initiatives
- Successfully attained four externally evaluated Reports on Compliance within the past two years

Lessons Learned
- Establish and minimize scope
- Recognize that security is a journey, not a destination
- Be pragmatic and strategic: reuse and repurpose investments wherever possible
- Establish a culture of compliance
- Have fun and celebrate success!