In the past, audit checks were compartmentalized and IT staff were enforcers. It can’t be that way anymore. Make sure you are using the proper tools to easily pass the technical audit so you can focus on improving your overall security posture. Users need to be educated about the proper use of hardware, software, and understand security. When an auditor comes on site, they aren’t just looking to check a box, they are validating policies and procedures. They will go to users and ask questions like, “are you aware” or “how do you”. Because of the recent breaches, they understand it’s not just IT, but all employees who must understand security policy and procedures. There needs to be companywide education and support for security. As a CISO that’s your primary goal.

1. Pass the technical audit and secure your
environment
Protect your data from the pain and cost of data breaches
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

2. Housekeeping
» Everyone is on mute, use your GoToMeeting® console to chat or ask questions
» Feel free to ask questions throughout the webcast, however all questions will be
held until the live Q&A session at the end of the webcast
» We are recording this webcast and will send a link to view the archive via email once
the on demand is available
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

3. Introductions
Meet Today’s Presenter
• Rob Johnson, LEM Product Specialist, SolarWinds
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

4. Agenda
 Audit Prep - A Corporate Wide Policy
 Audit Prep - The Technical Audit
 How Can SolarWinds Help
 Benefits & Summary
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

5. Important Dates
 1st Jan 2014 - PCI DSS v3 became effective
 31st Dec 2014 - PCI v2 expires
 Great articles on Compliance Preparation
 http://searchsecurity.techtarget.com/tip/IT-compliance-planning-How-to-maintain-IT-compliance-documentation
 http://searchsecurity.techtarget.com/tip/How-to-use-compliance-automation-to-reduce-compliance-risk
 http://searchsecurity.techtarget.com/tip/How-descoping-measures-can-help-reduce-regulatory-compliance-burden
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

6. Why is Compliance Important?
Business Disruption - Negligence of security best practices leading to security
breach, can incur huge losses in company profits.
Loss of Brand Image - Security breaches with trusted retailers, consumer backlash is
harsh and can result in tremendous damage to brand and stockholder equity.
Polls show that nearly half, i.e. 45% of card holders reluctant to return to regular stores
that experienced a recent data breach, this holiday season. - CreditCards.com
Fines & Penalties - Violators may also experience severe losses due to assessment of
fixed and variable penalties, obligation to pay investigation and forensic costs and
liability from defending against lawsuits.
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

7. Audit Prep – A Company Wide Policy
 Cross department communication is critical to audit success
• Involve all department heads in the entire audit process.
• Ensure each department has a clear understanding of their requirements.
• Assign a dollar value to audit failure.
 Educate your company on security and audit policies and procedures
• Everyone is affected by failed audits
• Auditors will randomly verify so ensure all employees clearly understand security policies and procedures.
• On-going employee education is critical to audit success and a better security posture.
 Document EVERYTHING!
• Up-to-date Documentation is absolutely critical to audit success. You may be asked for documentation before the
auditors even come on site. Everything from access lists, network diagrams and configuration files to business and
risk assessment plans may be required.
• Policies and procedures should be clear and easy to follow. Ask the question, “If I am unable to respond can
anyone follow the written procedures?”
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

8. Audit Prep - The Technical Audit
 Perform a self assessment based on previous audit or upcoming audit requirements
• Test your IT staff and users on existing policies and procedures.
• Research and discover any new requirements
 Determine the advanced information that may be required.
• Network diagrams, inventory, process diagrams, incident response procedures
• Designate and prepare key IT personnel that will communicate with auditors
 Scope and De-Scope the network
• At a high level, isolates systems that store, process, or transmit sensitive data from those that do not.
• Implement network segmentation if possible
• Isolate data that falls under compliance to specific systems and control access to those systems
• Internal network partitioning can be accomplished using firewalls and routers
• The network segments can be easily presented via compliance reports
• Reduces the scope of an audit - less effort, documentation, time, resources and money will logically be required to complete the audit process.
 Use Purpose Built Tools
• Improve availability of mission critical IT infrastructure by reducing downtime due to human errors
• Set up real-time alerts for any device configuration change
• Introduce accountability and audit ability with role based access control
• Improve admin productivity by eliminating manual compliance checks
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

9. Technical Audit Prep - Network Segmentation
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
RETAIL STORE
POINT-OF-SALE
NETWORK
Prevent unauthorized internal or
external access to the data stored in
the network segment.
BACK-OFFICE NETWORK
DATACENTER
SERVICE
PROVIDER
ACQUIRING BANK
BRANCH NETWORK
AUDIT
SCOPE
Without segmentation the
entire network is a scope
for audit.
Segmentation simplifies
maintenance and reduces
audit costs.

10. Technical Audit Prep - Network Security Basics
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
Mitigate fundamental security
weaknesses with perimeter network
defenses and basic security practices
» Use Secure Protocols – SSH/SNMPv3
» Log Access Control Lists (ACL’s)
» Review Defaults & Disable Services
» Archive Audit Logs and Configs
» Separate management services from
production to reduce security risk

11. Technical Audit Prep - Business-as-usual
It is important to incorporate these practices in day-to-day IT operations and not a fire drill in view of
an imminent certification audit.
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

12. Technical Audit - Use Purpose-built Tools
 Using purpose built tools can significantly improve audit preparation by:
 Centralizing information – One time information requests, incident response, forensics and
reporting are significantly improved when data is aggregated into a single location.
 Improving availability of mission critical IT infrastructure and reducing downtime due to human
errors
 Providing real-time alerts and scheduled audit specific reports
 Providing accountability and audit ability access control
 Automating incident response through templates and educating staff.
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

13. Technical Demonstration
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

14. Benefits & Summary
 Mitigate security weaknesses and compliance through consistency and education
 Improve audit preparation efficiency using purpose built tools
 Implement, educate and enforce basic network security
 Ensure compliance and security become part of the corporate culture
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

15. © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
Questions?

16. © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
Thank You!
The SOLARWINDS and SOLARWINDS & Design marks are the exclusive property of SolarWinds
Worldwide, LLC and its affiliates, are registered with the U.S. Patent and Trademark Office, and may
be registered or pending registration in other countries. All other SolarWinds trademarks, service
marks, and logos may be common law marks, registered or pending registration in the United
States or in other countries. All other trademarks mentioned herein are used for identification
purposes only and may be or are trademarks or registered trademarks of their respective
companies.