Version 3.0 of Payment Card Industry’s data security standard (PCI DSS) comes into effect Jan. 1, 2015. Most organizations should be prepared by now. But they also have to be ready to maintain compliance — and not just with a once-a-year assessment. We’ve borrowed from the PCI best practices guide to offer these tips on how to stay on top. For details read the guide. But remember, compliance alone won’t prevent intrusions.
Too often organizations get wrapped up in the compliance process and fail to establish effective long-term processes for maintaining the security of cardholder information. The ongoing security of cardholder data should be the driving objective behind all PCI DSS compliance activities — not simply attaining a favourable Report on Compliance (ROC).
Name a co-ordinator
A qualified compliance manager should be assigned overall responsibility for co-ordination of resources and be given adequate funding and the proper authority to effectively organize and allocate such resources. This person is responsible for getting management support, for engaging key personnel in security functions, and for collecting evidence that shows ongoing PCI controls are effective.
Emphasize security and risk
In some organizations PCI DSS compliance may not be enough to mitigate all risks. Focus on building a culture of security and protecting the organization’s information assets and IT infrastructure. Compliance is a consequence. Version 3.0 of the standard calls for organizations to “implement a risk assessment process that is performed at least annually and upon significant changes to the environment.”
Hone risk assessments
Risk assessments are a tool for prioritizing security efforts. When conducted regularly they allow organizations to keep up to date with business changes and provide a mechanism to evaluate those changes against the evolving threat landscape, emerging trends, and new technologies. They also provide valuable information to help organizations determine whether additional controls are needed.
Continuously monitor security controls
Document the implementation, effectiveness, adequacy, and status of all security controls. How often depends on factors such as how frequently a control is likely to change and whether it protects a high-impact system. Sampling may be necessary for data collection, but make sure the sample captures variations: samples of system components should include every type and combination in use. Automated control monitoring tools can help.
It is imperative that organizations have processes for quickly responding to security control failures. These processes should include restoration to normal operations as quickly as possible, then identifying causes of control failures. Failures in security controls can provide attackers opportunities to launch other attacks within the environment. Once control has been restored it may be necessary to increase monitoring frequency.
Develop metrics to measure success
When metrics are analyzed properly, they provide a mechanism for determining whether sufficient controls are in place and whether they are operating effectively. You want to measure implementation (e.g., the percentage of IT systems with proper password policies), effectiveness/efficiency (the percentage of known vulnerabilities that have been patched), and impact (return on security investments).
Adjust the program to address changes
As business objectives and technologies change – including mergers/acquisitions and loss of key IT security personnel — new attack vectors are introduced. So it’s increasingly important for organizations to have sound change-management practices to keep up with the changing threat landscape. Establish manual or automated triggers to alert key personnel to such changes so they can analyze any associated risks.
Maintaining a state of continuous compliance requires focused effort and co-ordination. Organizations that focus primarily on annual validation may find it difficult to build in the people, processes, and technology necessary to support sustained compliance. Executive sponsorship is critical if organizations want to be successful in implementing ongoing PCI DSS compliance programs.