PCI DSS Business as Usual (BAU)
- 1. © 2019 ControlCase All Rights Reserved
PCI DSS Business as Usual Webinar
Your IT Compliance Partner – Go Beyond the Checklist
- 2. Our Agenda
1. ControlCase Introduction
2. About PCI DSS
3. PCI DSS Business as Usual by Requirement Number
4. Key Implementation Tips
5. Continuous Compliance
- 4. ControlCase Snapshot
Certification and Continuous Compliance Services
Go beyond the auditor’s checklist to dramatically cut the time, cost and burden of becoming certified and maintaining IT compliance:
• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Improve efficiencies
• Do more with fewer resources and gain compliance peace of mind
• Free up your internal resources to focus on their priorities
• Offload much of the compliance burden to a trusted compliance partner
1000+ Clients | 250+ Security Experts | 10,000+ IT Security Certifications
- 5. Solution
Certification and Continuous Compliance Services
Automation-Driven SkyCAM | Partnership Approach | IT Certification Services | Continuous Compliance Services
“I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness.”
Security and Compliance Manager, Data Center
- 6. Certification Services
OneAudit – Collect Once, Certify Many
Frameworks covered: PCI DSS; ISO 27001 & 27002; SOC 1, SOC 2, SOC 3 & SOC for Cybersecurity; HITRUST CSF; HIPAA; PCI P2PE; GDPR; NIST 800-53; PCI PIN; PCI PA-DSS; FedRAMP; PCI 3DS
“You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business.”
Sr. Director, Information Risk & Compliance, Large Merchant
- 8. What is PCI DSS
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by the leading payment card brands
• Maintained by the PCI Security Standards Council (PCI SSC)
- 9. PCI DSS Requirements
Control objective: Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Control objective: Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Control objective: Maintain a vulnerability management program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications
Control objective: Implement strong access control measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Control objective: Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Control objective: Maintain an information security policy
  12. Maintain a policy that addresses information security
- 10. PCI DSS Business as Usual by Requirement Number
- 11. PCI Council Guidance on BAU
Monitoring of security controls:
• Firewalls
• IDS/IPS
• File Integrity Monitoring (FIM)
• Anti-virus
Ensuring failures in security controls are detected and responded to:
• Restoring the security control
• Identifying the root cause
• Identifying any security issues caused by the failure
• Mitigation
• Resuming monitoring of the security control
• Segregation of duties between detective and preventive controls
- 12. PCI Council Guidance on BAU
Review changes to the environment:
• Addition of new systems
• Changes to organizational structure
• Impact of the change on PCI DSS scope
• Requirements applicable to the new scope
• Implement any additional security controls required because of the change
• Confirm that new hardware and software (and older ones) continue to be supported and do not impact compliance
Periodic reviews:
• Configuration
• Physical security
• Patches and anti-virus
• Audit logs
• Access rights
- 13. Requirement 1: Firewalls
People
- PCI project manager to escalate non-compliance
- Segregation of duties between operations personnel performing the change and compliance personnel reviewing the change
Process
- PCI impact analysis as part of the firewall change management process
Technology
- Automated/periodic ruleset reviews
- Weekly port scans from the CDE to the Internet to verify no outbound connections
- 14. Requirement 2: Configuration Scans
People
- PCI project manager to escalate non-compliance
Process
- Periodic update of configuration standards
- New infrastructure onboarding process to include a PCI configuration standards check
Technology
- Automated/periodic configuration scans
- Reminders to update configuration standards quarterly
- Technology to flag new assets that have not formally undergone the PCI configuration standards check
- 15. Requirement 3: Protect Stored Cardholder Data
People
- PCI project manager to escalate non-compliance to the highest levels within the organization
Process
- Periodic false positive management
- Search for cardholder data during roll-out tests/quality assurance
Technology
- Automated/periodic cardholder data scans
- Alerts in case new cardholder data is found
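The "automated cardholder data scans", "false positive management" and "alerts when new cardholder data is found" items above, as an added example written for this page (not ControlCase code and not SkyCAM): a scan that keeps only Luhn-valid candidates, reports them masked, and alerts only on findings that are not on an allowlist of already-reviewed false positives. The log text, the function names and the allowlist of masked values are all constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: an application log in which two lines leak a PAN (well-known test card numbers).
SAMPLE_LOG = (
    "2019-06-01 order=1234567890123 card=4111 1111 1111 1111 status=ok\n"
    "ticket 9876543210987654 created by agent 42\n"
    "refund to 5555 5555 5555 4444 approved\n"
)


def luhn_valid(digits):
    """Luhn mod-10 check: rejects most order numbers, ticket IDs and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep first six and last four only, so the scan report does not itself become a new PAN store."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text, known_false_positives=frozenset()):
    """Return Luhn-valid candidates as masked findings; the allowlist holds masked values, never full PANs."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            continue  # looks like a PAN but fails the checksum: an order or ticket number
        masked = mask(digits)
        findings.append({"masked": masked, "offset": m.start(), "known_fp": masked in known_false_positives})
    return findings


def new_findings(text, known_false_positives=frozenset()):
    """The alert condition from the slide: cardholder data found that is not an already-reviewed false positive."""
    return [f for f in scan_text(text, known_false_positives) if not f["known_fp"]]
```

Running `new_findings(SAMPLE_LOG, {"411111******1111"})` treats the first card as a reviewed test value and alerts only on the refund line.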
- 16. Requirement 4: Protect Cardholder Data In Transmission
People
- Training to ensure personnel do not email/chat clear-text card data
- Personnel allocated to review outbound data at random
Process
- Periodic review of modes of transmission (e.g. wireless, chat, email)
Technology
- Automated technology to monitor transmission of card data through the perimeter (e.g. email and chat monitoring)
- 17. Requirement 5: Antivirus and Malware
People
- PCI project manager to escalate non-compliance
Process
- Process to ensure all assets are protected by antivirus
- Process to implement antivirus and anti-malware on all new systems being deployed
Technology
- Technology to detect any systems that do not have anti-virus/anti-malware installed
- 18. Requirement 6: Secure Applications
People
- Segregation of development and security duties
- Periodic training of developers on security standards such as OWASP
Process
- Continuous scanning of applications
- Scanning of applications as part of the SDLC
- Code review as part of the SDLC
- Periodic review of QA/test cases to ensure all of them have a security checkpoint and approval
Technology
- Application scanning software
- Code review software
- Identification of instances where changes have occurred to applications
- Application firewalls
- 19. Requirement 7 & 8: Access Control and User IDs
People
- Segregation of personnel provisioning IDs from those reviewing user access
Process
- Periodic review of user access
- Attestation of user access
- Onboarding procedures
- Termination procedures
Technology
- Role-based access control
- Single sign-on
- Use of LDAP/AD/TACACS for password management
- 20. Requirement 9: Physical Security
People
- Designation of a person at every site as a site coordinator
Process
- Periodic walkthroughs and random audits of physical security
- Weekly review of CCTV and badge logs
- Periodic review of scope
Technology
- Alarms to report malfunction of devices such as cameras and badge access readers
- 21. Requirement 10: Logging and Monitoring
People
- Personnel to actively monitor logs 24/7/365
Process
- Periodic review of asset inventory
- Periodic review of scope
- Process to ensure logs from all assets are feeding the SIEM solution
- Test restoration of logs from 12 months back every week/month
Technology
- Security Information and Event Management (SIEM)
- Technology to identify new assets not covered by the SIEM
- 22. Requirement 11: Vulnerability Management
People
- Segregation of personnel responsible for scanning from those responsible for remediation of anomalies
- PCI project manager to escalate non-compliance
Process
- Ongoing review of target assets against the asset inventory for appropriateness/change
- Periodic testing of IDS/IPS effectiveness through random penetration tests/vulnerability scans
Technology
- Automated scanning technology
- Technology to manage false positives and compensating controls
- Asset management repository
- File Integrity Monitoring (FIM) technology
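The Requirement 10 items (logs from all assets feeding the SIEM, new assets not covered by the SIEM) and the Requirement 11 item (scan targets reviewed against the asset inventory) are the same reconciliation problem. As an added example written for this page (not ControlCase's or SkyCAM's code), the check below cross-references a constructed in-scope asset inventory against a SIEM log-source table and a scan target list and produces the exception lists a PCI project manager would escalate; the asset names, timestamps and the 24-hour silence threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: the in-scope (CDE) asset inventory, the SIEM's log-source table with the time of
# the last event received per source, and the target list of the most recent vulnerability scan.
INVENTORY = {"db01", "app01", "app02", "fw01"}
SIEM_LAST_EVENT = {
    "db01": "2019-06-10T08:00:00",
    "app01": "2019-06-10T07:55:00",
    "fw01": "2019-06-02T23:10:00",    # went quiet a week ago: a silent control failure
    "jump01": "2019-06-10T08:01:00",  # sends logs but is missing from the inventory
}
SCAN_TARGETS = {"db01", "app01", "fw01"}
NOW = datetime.fromisoformat("2019-06-10T09:00:00")


def reconcile(inventory, siem_last_event, scan_targets, now, max_silence=timedelta(hours=24)):
    """Cross-check the three lists and return the BAU exceptions to escalate, keyed by exception type."""
    findings = {"no_log_source": [], "stale_logs": [], "not_scanned": [], "unknown_assets": []}
    for asset in sorted(inventory):
        last = siem_last_event.get(asset)
        if last is None:
            findings["no_log_source"].append(asset)  # Requirement 10: no logs feeding the SIEM at all
        elif now - datetime.fromisoformat(last) > max_silence:
            findings["stale_logs"].append(asset)     # source is configured but has fallen silent
        if asset not in scan_targets:
            findings["not_scanned"].append(asset)    # Requirement 11: in scope but missed by the scan
    # Anything logging or scanned but absent from the inventory is an untracked, possibly in-scope, asset.
    findings["unknown_assets"] = sorted((set(siem_last_event) | set(scan_targets)) - set(inventory))
    return findings


def has_exceptions(findings):
    """True when any exception list is non-empty, i.e. the quarterly review needs follow-up."""
    return any(findings.values())


if __name__ == "__main__":
    for kind, assets in reconcile(INVENTORY, SIEM_LAST_EVENT, SCAN_TARGETS, NOW).items():
        print(f"{kind}: {', '.join(assets) or 'none'}")
```

In the sample, app02 is in scope but neither logging nor scanned, fw01 has a log source that stopped reporting, and jump01 is an asset the inventory does not know about.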
- 23. Requirement 12: Policies and Procedures
People
- Coordination between procurement and compliance personnel
Process
- PCI DSS requirements tied to the procurement process
- PCI anomalies tracked within the vendor/third-party management solution
Technology
- Vendor management/third-party management solution
- 25. Key Quarterly Themes
• Segregation of duties
• Technology operating effectively
• Automation
• Dedicated PCI project manager
• Repeatability
• Periodic reviews
- 26. Calendar of Reminders Tracking Back to Controls
- 29. Predictive Continuous Compliance Services
70% of a company’s assets are non-compliant at some point in the year
• Address common non-compliant situations that leave you vulnerable all year long, including:
  • In-scope assets not reporting logs
  • In-scope assets missed from vulnerability scans
  • Critical vulnerabilities overlooked due to volume
  • Risky firewall rule sets going undetected
  • Non-compliant user access scenarios not being flagged
• Go beyond monitoring and alerting to predict, prioritize and remediate compliance risks before they become security threats
“The continuous compliance monitoring is a big value add to their audit and certification services, which is good for organizations that don’t have the team in-house. It’s a big differentiator for them.”
VP of IT, Call Center/BPO Company
- 30. Predictive Continuous Compliance Services
What is Continuous Compliance
• Quarterly review of 20-25 high impact/high risk questions
• Technical review of vulnerability scans, log management, asset list and other available automated systems
Benefits of Continuous Compliance
• Eliminates the potential for major last-minute audit findings
• Reduces effort for the final audit by approximately 25%
• Reduces the risk of technical shortcomings such as:
  • Quarterly scans having missed certain assets
  • Logs from some assets not reporting
Deliverable of Continuous Compliance
- 31. Automation-driven
SkyCAM IT Compliance Portal: automation-driven certification and continuous compliance
Automated Evidence Collection
• Cut evidence collection time by up to 70%
• In the cloud or on-prem
Predictive Continuous Compliance (AI-powered)
• Go beyond monitoring and alerting to predict, prioritize and remediate compliance risks before they become security threats
Real-time Certification Dashboard
• Stay on top of progress with visibility into your certification process, with drill-down capability
GRC Platform Integration
• Integrate with and extend the capability of GRC platforms
- 32. Summary – Why ControlCase
“They provide excellent service, expertise and technology. And, the visibility into my compliance throughout the year and during the audit process provides a lot of value to us.”
Dir. of Compliance, SaaS company
Your IT Compliance Partner – Go beyond the auditor’s checklist
Partnership Approach | SkyCAM IT Compliance Portal | Automation-driven Continuous Compliance Services
- 33. Contact
Email: contact@controlcase.com
Telephone: Americas +1.703-483-6383; India +91.22.50323006
Social Media: www.facebook.com/user; www.linkedin.com/user
Visit our website: www.controlcase.com
THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM