download issue 24 here - Help Net Security

More documents

Recommendations

Info

To achieve this, retailers must shift their view of security and compliance from a checklist mentality for passing an audit to a state of continuous IT security. Permanent and uncompromising process discipline must be instituted on the data security domain to achieve consistent, effective protection for the sensitive and confidential customer information collected and stored. While this may sound like a daunting task—especially for smaller retail merchants—using an automated IT Governance, Risk and Compliance (IT GRC) solution provides the type of information and the security framework needed for achieving and sustaining a high level of continuous compliance—and security. The GRC model "GRC" refers to a class of automated systems that help organizations integrate and control the management of complex regulatory mandates and operational risk in alignment with appropriate high level company governance. GRC is a strategic approach to the universal concept of compliance. It can help retailers meet PCI compliance requirements as well as providing a controls management framework to protect other types of customer-confidential information. PERMANENT AND UNCOMPROMISING PROCESS DISCIPLINE MUST BE INSTITUTED ON THE DATA SECURITY DOMAIN TO ACHIEVE CONSISTENT, EFFECTIVE PROTECTION FOR THE SENSITIVE AND CONFIDENTIAL CUSTOMER INFORMATION COLLECTED AND STORED. The information security policy While many retailers approach PCI DSS compliance as a technology problem, itʼs just as much a people problem. Simply installing the best firewall and encryption technologies is just the first part of the solution. Following IT security best practices and establishing a written security policy is the next step, but if employees arenʼt following those policies the organization remains vulnerable. According to Deloitteʼs “The 6th Annual Global Security Survey,” “people are the problem.” The report states that, “Human error is overwhelmingly stated as the greatest weakness this year (86%), followed by technology (a distant 63%).” The Computing Technology Industry Association, Inc. (CompTIA) echoes that assessment in its "Committing to Security: A CompTIA Analysis of IT Security and the Workforce," survey stating that, “Human error, not technology, is the most significant cause of IT security breaches.” To reduce security risk cause by human error, a retailer must have a process for distributing its IT security policy and ensuring that each employee has read and understands the policy and acknowledges their responsibility in protecting the organizationʼs information and data. GRC systems have Security Awareness modules make it easy for retailers to educate employees on general IT security practices and internal IT security policies. The Awareness module also tracks who takes each course and records test scores. Business continuity planning The impact of a data breach can be devastating. IT GRC systems include a Business Continuity Planning (BCP) component that provides retailers with a single source repository for the guidance, information and plans necessary to respond to a data breach incident. Continuous PCI compliance for small merchants Smaller merchants are an appealing target for cybercriminals because they often do not have the expertise to properly secure card holder data. A GRC tool delivered as “Software as a Service” (SaaS), hosted at a remote location and delivered over the Internet, makes it affordable and adaptable for any size merchant. www.insecuremag.com 78
Technological complexities achieving PCI compliance The GRC model provides a centralized automated compliance workflow management and tracking system to handle the enormous number of tasks that need to be performed, coordinated and analyzed to achieve PCI DSS compliance and pass audits. Without automated management, control and oversight of the total process of PCI compliance becomes highly inefficient and costly. The many moving parts of PCI DSS compliance PCI DSS compliance is an ongoing management challenge caused by changes in business processes and technology, vendorsupplied and third-party processor systems, and security threats. In addition, the PCI standard evolves on a regular basis. Automated IT GRC tools enable retailers to respond to change by improving the planning cycle and by organizing the relationships among policies, people, technology controls and risk information. Cross-organizational coordination A GRC systemʼs compliance workflow capability allows retailers to delegate specific security assignments to different employees across the organization, and to define specific completion dates or specific intervals for repetitive tasks for each technology control or business process to meet the PCI DSS requirement to assign tasks and accountability. Total PCI compliance oversight IT GRC solutions provide total oversight of the entire PCI compliance process, including technology-based components. It is an automated workflow optimized to manage and monitors event and feedback information from multiple components with an at-a-glance summary, and assess and report on these controls in every form needed, from installation to the results produced. Automated IT GRC tools can help retailers achieve a new level of security by creating a framework for continuous data security improvement and PCI DSS compliance while reducing the costs of compliance. Joseph Dell is president of Lightwave Security (www.lightwvesecurity.com), an Atlanta-based GRC solution provider and exclusive North American distributor for SecureAware. He can be reached at jdell@lightwavesecurity.com. www.insecuremag.com 79
Page 5 and 6:
25 million new malware strains in o
Page 7 and 8:
Google hacked, plans to leave China
Page 9 and 10:
Hacker attacks on healthcare organi
Page 11 and 12:
Even though most standard stacks us
Page 13:
Server support still missing Unfort
Page 16 and 17:
What are these new approaches? Let
Page 18 and 19:
The need for new security controls
Page 21 and 22:
How many times have you, as a secur
Page 23 and 24:
1Password interface Although this i
Page 25 and 26:
The option “Never prompt for mast
Page 27 and 28: The master password on the iPhone a
Page 29 and 30: Identifying those applications is n
Page 31: The single tool trap Scanning tools
Page 34 and 35: Cloud Security and Privacy By Tim M
Page 36: Spam and phishing scams will follow
Page 39 and 40: This infection method only works if
Page 41 and 42: Hook-createprocess.dll is a DLL tha
Page 43: Here are some of the Twitter feeds
Page 46 and 47: organizations the tools they need t
Page 48: This is not unlike other business o
Page 52 and 53: acronyms without researching their
Page 54 and 55: process of calculation the answer.
Page 57 and 58: In any environment, large or small,
Page 59 and 60: Remoted (running on the server) rec
Page 61 and 62: alpha group alpha events 10000 Ch
Page 63: RSA Conference 2010 (www.bit.ly/rsa
Page 66: And most of the time, they fail bec
Page 69 and 70: We are also working with SANS on de
Page 71 and 72: There are three components involved
Page 73 and 74: " • Support for health checks by
Page 76 and 77: Sectool (www.net-security.org/softw
show all

download issue 24 here - Help Net Security

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?