Be prepared

Version 3.0 of Payment Card Industry’s data security standard (PCI DSS) comes into effect Jan. 1, 2015. Most organizations should be prepared by now. But they also have to be ready to maintain compliance — and not just with a once-a-year assessment. We’ve borrowed from the PCI best practices guide to offer these tips on how to stay on top. For details read the guide. But remember, compliance alone won’t prevent intrusions. All images from Shutterstock.com


Maintain perspective

Too often organizations get wrapped up in the compliance process and fail to establish effective long-term processes for maintaining the security of cardholder information. The ongoing security of cardholder data should be the driving objective behind all PCI DSS compliance activities — not simply attaining a favourable Report on Compliance (ROC).


Name a co-ordinator

A qualified compliance manager should be assigned overall responsibility for co-ordination of resources and be given adequate funding and the proper authority to effectively organize and allocate those resources. That person is responsible for getting management support, for engaging key personnel for security functions, and for collecting evidence to show that ongoing PCI controls are effective.


Emphasize security and risk

In some organizations PCI DSS compliance may not be enough to mitigate all risks. Focus on building a culture of security and protecting the organization’s information assets and IT infrastructure. Compliance is a consequence. Version 3.0 of the standard calls for organizations to “implement a risk assessment process that is performed at least annually and upon significant changes to the environment.”


Hone risk assessments

Risk assessments are a tool to help prioritize security efforts. When conducted regularly, they allow organizations to keep up to date with business changes and provide mechanisms to evaluate those changes against the evolving threat landscape, emerging trends, and new technologies. They also provide valuable information to help organizations determine whether additional controls are needed.


Continuously monitor security controls

Document the implementation, effectiveness, adequacy, and status of all security controls. How often to monitor depends on factors such as how frequently a control is likely to change and whether it protects a high-impact system. Sampling may be necessary for data collection, but make sure the sample captures variations: samples of system components should include every type and combination in use. Automated control monitoring tools can help.


Act fast

It is imperative that organizations have processes for quickly responding to security control failures. These processes should include restoring normal operations as quickly as possible, then identifying the causes of the control failures. Failures in security controls can give attackers opportunities to launch other attacks within the environment. Once the control has been restored, it may be necessary to increase monitoring frequency.


Develop metrics to measure success

When metrics are analyzed properly, they may provide mechanisms for determining whether sufficient controls are in place and whether they are operating effectively. You want to measure implementation measures (e.g., the percentage of IT systems with proper password policies), effectiveness/efficiency measures (e.g., the percentage of known vulnerabilities that have been patched), and impact measures (e.g., return on security investments).


Adjust the program to address changes

As business objectives and technologies change – including through mergers/acquisitions and the loss of key IT security personnel — new attack vectors are introduced. So it’s increasingly important for organizations to have sound change-management practices to keep up with the changing threat landscape. Establish manual or automated triggers to alert key personnel to such changes so they can analyze any associated risks.


Stay committed

Maintaining a state of continuous compliance requires focused effort and co-ordination. Organizations that focus primarily on annual validation may find it difficult to build in the people, processes, and technology necessary to support sustained compliance. Executive sponsorship is critical if organizations want to be successful in implementing ongoing PCI DSS compliance programs.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com