Posts

When Will You See the Benefit of an Audit?

Are you considering going through an information security audit for the first time? Are you contemplating a requirement for all of your vendors to undergo information security audits? Are you looking for an auditing firm who can help your organization utilize the benefits of auditing? Do you need help explaining the value of information security audits to executive management? Are you trying to cultivate a culture of compliance within your organization? We’re here to help.

What are the Advantages to Auditing?

Many people are intimidated by the requirements, price, and efforts of auditing, but we believe the benefits outweigh the cost. Yes, undergoing information security audits is a challenging and time-consuming process for most organizations, but our Information Security Specialists aim to educate clients on the value that attestations and compliance can bring to their business, which range from competitive advantages to reputational improvement. When your organization has completed an information security audit and gained compliance, the challenges you faced will be worth it.

However, getting executives on board with undergoing information security audits can be challenging, because many organizations are fearful of the process. We see many organizations get stuck in the checkbox mentality, where they view auditing as an item to be checked off a list rather than understanding the purpose and benefits. At KirkpatrickPrice, we want to be your audit partner, not just an item to check off on a list. We want to walk through this audit lifecycle with you, enhancing your business by placing security and compliance at the forefront of the current threat landscape.

Are you ready to get started on securing your business? Do you want to ensure your security posture is as strong as possible? Do you want to see how your mindset toward auditing can change over a three-year period?

Get the full report now.

The 12 PCI DSS Requirements

This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organization needs to do to become compliant.

The 12 PCI DSS Requirements

The PCI DSS was jointly developed by the payment card brands to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. Its purpose is to ensure that all of the data that lives within the Cardholder Data Environment (CDE) is protected and secured from theft or unauthorized use. If you are a merchant, service provider, or subservice provider who stores, processes, or transmits cardholder data, you are subject to comply with the PCI DSS. The current version, PCI DSS 3.2, has approximately 394 controls, 6 control objectives, and 12 major subject areas. The 12 requirements are:

PCI Requirement 1

“Install and maintain a firewall configuration to protect cardholder data.” Your organization should focus on securing and hardening your network and securing the inbound and outbound traffic.

Learn More about PCI Requirement 1

PCI Requirement 2

“Do not use vendor-supplied passwords and other security parameters.” Most organizations tend to focus on hardening their operating systems, but this requirement is intended for all assets within the environment.

Learn More about PCI Requirement 2

PCI Requirement 3

“Protect stored cardholder data.” This requirement focuses on securing cardholder data at rest; this is the encryption and the storage of sensitive information.

Learn More about PCI Requirement 3

PCI Requirement 4

“Encrypt transmission of cardholder data across open, public networks.” If you transmit cardholder data over open or public networks, that data must be securely and appropriately protected.

Learn More about PCI Requirement 4

PCI Requirement 5

“Protect all systems against malware and regularly update anti-virus software or programs.” Do not focus on only anti-malware or only anti-virus; this requirement deals with both.

Learn More about PCI Requirement 5

PCI Requirement 6

“Develop and maintain secure systems and applications.” There’s more to this requirement than just securing applications. It’s about identifying vulnerabilities, patching your systems, change management, change controls, and secure software development.

Learn More about PCI Requirement 6

PCI Requirement 7

“Restrict access to cardholder data by business need-to-know.” Requirement 7 goes hand-in-hand with Requirement 8; it focuses on authorization.

Learn More about PCI Requirement 7

PCI Requirement 8

“Identify and authenticate access to system components.” Requirement 8 focuses on authentication.

Learn More about PCI Requirement 8

PCI Requirement 9

“Restrict physical access to cardholder data.” If a hacker as physical access to your assets, they pretty much own that data.

Learn More about PCI Requirement 9

PCI Requirement 10

“Track and monitor all access to network resources and cardholder data.” This requirement is all about logging.

Learn More about PCI Requirement 10

PCI Requirement 11

“Regularly test security systems and processes.” Your organization must ensure that you’re testing for vulnerabilities and managing the security of your environment so that your assets are protected.

Learn More about PCI Requirement 11

PCI Requirement 12

“Maintain a policy that address information security for all personnel.” This is the requirement that addresses the policy and procedure management and vendor management of your organization.

Learn More about PCI Requirement 12

Most organizations tend to focus on the 12 requirements, however, we believe there are 2 appendices that might as well be requirements. The first is for shared hosted services providers and the second is for Designated Entities. We’ll discuss these appendices further in a later video.

Video Transcription

The 12 PCI DSS Requirements

The PCI DSS is comprised of 12 requirements and 2 appendices that we need to have a discussion about. We start out with Requirement 1, which is focused on securing and hardening the network and the inbound and outbound traffic. Requirement 2 is primarily focused with looking to harden the systems and the applications; most organization really just tend to focus on hardening their operating systems, but Requirement 2 is really intended for all assets within the environment. Requirement 3 is focused on securing cardholder data at rest. This is the encryption and the prohibition of storage of sensitive information. Requirement 4 is focused on making sure that when you transmit cardholder data over open or public networks, that the data itself is appropriately protected. Requirement 5 deals with antimalware and deals with antivirus.

Requirement 6 has actually got quite a bit that it deals with. This requirement, when we talk about the PCI DSS, talks about securing applications, but there’s a little bit more than that. It’s identifying vulnerabilities, it’s patching your system, it’s change management, it’s change controls, it’s secure software development and all the requirements that go along with making sure the applications are maintained securely. Requirement 7 and Requirement 8 kind-of go hand-in-hand; Requirement 7 is authorization and Requirement 8 is authentication. We change things up a little bit when we get to Requirement 9. Requirement 9 is focused on the physical security of the environment. If I’m a hacker and I have physical access to your assets, I can pretty much own the data on it. We get to Requirement 10, which is all of your logging. When we get to Requirement 11, it’s focused on making sure that all of things that you’ve put in place to secure your assets are functioning appropriately. This is where we’re testing for vulnerabilities and making sure we’re managing the security of the environment. Requirement 12 is the policy and procedure management and vendor management of the organization. This is really the management aspect of the PCI DSS itself.

Most organizations, most people tend to focus on the 12 requirements themselves, however there are 2 additional appendices that might as well be requirements. The first one we have is for shared hosted services providers. If you have a question of whether you’re a shared hosted service provider, please look at Requirement 2.6 in the PCI DSS. That will clearly explain what a shared hosted service provider is and talk about what the requirements are there. Lastly, we have the last appendix which we need to be concerned with or have conversations about. This is the Designated Entities Appendix. Once again, we’ll talk about what that is when we get to that requirement.

Introduction to PCI DSS: What You Need to Know

This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organizations needs to know and do to become compliant.

Why was PCI DSS developed?

The PCI Security Standards Council is a third-party organization that was developed for the sole purpose of managing the security of cardholder data. Prior to the PCI Security Standards Council, each payment card brand managed their own security standards.

Eventually, the payment card brands realized that it was counterproductive to have five different sets of standards that their clients had to audit against, thus, the PCI Security Standards Council and the PCI Data Security Standards were created. The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The founding payment brands for the PCI Security Standards Council include Visa, Inc., MasterCard, Discover Financial, American Express, or JCB International.

Who are the participants in the PCI environment?

If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. The PCI Security Standards Council and payment card brands are major participants in the PCI environment and are responsible for tracking and enforcing PCI DSS compliance, penalties, fees, compliance deadlines, and the monitoring and facilitating of investigations. The other entities that are impacted by the PCI DSS compliance lifecycle are acquiring banks, issuing banks, merchants, service providers, and sub-service providers.

An acquiring bank is a bank or financial institution that processes card payments on behalf of a merchant. Acquirers are subject to payment brand rules and procedures regarding ensuring merchant compliance on behalf of the PCI Security Standards Council.

Issuing banks are the financial institutions that issue the payment cards on behalf of the payment card brands and who act as the middle man between the cardholder and the payment brand network.

Merchants accept the credit cards for payment and may store, process, or transmit cardholder data.

A service provider is any entity that stores, processes, or transmits cardholder data on behalf of a third-party (merchant), or otherwise have the ability to impact cardholder data security.

A sub-service provider is any entity that is acting on behalf of a merchant or service provider who has active access to their cardholder data environment.

Video Transcription

Introduction to PCI DSS

Hi, my name is Jeff Wilder and I am the Director of PCI Services here at KirkpatrickPrice. We wanted to develop a series of videos to talk about what the PCI DSS Security Standards are, who they apply to, and then later on, talk about the specific requirements about what you actually need to do to in order to become compliant.

We want to start off the series by talking a little bit about the players within the industry. The PCI Security Standards Council is a third-party independent organization that was established about 10 years ago for the sole purpose of managing the standards themselves. Prior to the PCI Security Standards Council, each card brand managed their own standards. They realized that it wasn’t in their best interest to have five different standards and have clients having to audit against so many different standards. So, they established the Council as the sole means of managing a set of security standards that need to be applied if you interact with a Visa, MasterCard, American Express, or JCB. So in this lifecycle, we have the PCI Security Standards Council, we have the card brands themselves, and we also have what we call acquiring banks. Now these acquiring banks – if you are a merchant having merchant relationship with a bank, if you accept a credit card for payment, you have a relationship with an acquiring bank. These acquiring banks are the entities that, really, are responsible for your compliance. They are responsible for you on behalf of the Council to ensure that you are compliant on a day-to-day basis. Next in the ecosystem, we have what we call issuing banks. Now, the issuing banks have a relationship with the individuals that have credit cards. They’re the ones that actually issue the cards. Of course we have the merchants – these are the organizations that accept the credit cards for payment. Then we have service providers. Now, service providers are any entity that would store, process, or transmit cardholder data on behalf of a third-party, or otherwise have the ability to impact the security of it. If you interact with payment card data in any way, if you store, process, or transmit it, or if you have the ability to impact someone else’s cardholder information or the security of that information, you are subject to the PCI DSS standards.

In this series of videos, we’re going to be going over the requirements and talking about, not so much just what does the PCI DSS Security Standards say and the individual requirements, but what it really means. How is that going to apply into your environment? What I’m going to try to do is provide you with some guidance based off my 10 years of experience in the industry as former Council member helping to develop these standards and training for the last 2.5-3 years, prior to becoming the Director here at KirkpatrickPrice. I’m going to bring to the table all of that knowledge and information for you to use at your discretion. So, hope you enjoy the videos. Thank you.

PCI Readiness Series: PCI Requirement 12

PCI Requirement 12: Maintaining an Information Security Policy

When creating an information security policy, an organization must create a policy that addresses information security for all personnel. Let’s emphasize “all” – this policy is not just for the IT department but is for anyone that would/could be involved in some capacity with storing, processing, and transmitting cardholder data. PCI Requirement 12 helps oversee and govern an organization’s PCI DSS compliance program.

In this webinar, our panelist will discuss the 10 sub-requirements of PCI Requirement 12, which include:

Requirement 12.1 – You must keep a current set of policies accessible to all relevant personnel.

Requirement 12.2 – Risk Assessment is performed at least annually, and also performed when business objectives chance.

Requirement 12.3 – Develop usage policies for critical technologies.

Requirement 12.4 – Security policies must define responsibilities for all users.

Requirement 12.5 – Security management and activities must be formally assigned.

Requirement 12.6 – Implement a formal security awareness program.

Requirement 12.7 – Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.

Requirement 12.8 – Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.

Requirement 12.9 – Service providers must acknowledge in writing that they are responsible for the security of cardholder data they possess or store, process, transmit on behalf of the customer, or to the extent that they could impact the security of the cardholder data environment.

Requirement 12.10 – Implement an incident response plan.

The  PCI DSS isn’t just a technical standard; it includes people, processes, and technology. Furthermore, your organization’s policies and procedures are not just pieces of paper. They are an executive-level edict that define how the business will be run. It’s not enough to have policies and procedures. You must make sure that your policies and procedures are effective and actually implemented to ensure they are functioning properly and as you designed them. If your policies aren’t functioning, then you don’t have a policy.

To learn more about PCI compliance, check out our PCI Demystified video resources or contact us today.

Making Sense of the Different Audit Frameworks

SSAE 16, SOC 2, HIPAA, PCI DSS, FISMA, ISO 27001. We’ve all heard of the Alphabet Soup, but what do they all really mean?

Which one is right for me? Which one should I pursue? Why would I get this audit over that audit? As auditors, these are the questions we are most frequently asked.

To help answer these questions and truly familiarize you with the different audit frameworks, we’ve broken down the Who’s, What’s, and Why’s for the most commonly reported on frameworks.

SSAE 16/SOC 1

Who asks for an SSAE 16? If you work with publicly traded companies, financial institutions, or state or local government, you will frequently be required to have an SSAE 16 (or SOC 1) audit performed by a third party. It is the most commonly used form of attestation for service providers in the US. So what is an SSAE 16? It’s an audit and report on internal controls (whether related to information security, financial, operational, or compliance controls) at a service provider that are relevant to their client’s data. The SSAE 16 audit takes a risk-based approach, with specified objectives that are created to address client risk, and controls, or activities, to accomplish each objective. A third-party auditor would be looking at your environment to make sure your objectives are appropriate, your controls are effectively designed, and that you are doing what you say you are doing. An SSAE 16 audit is as good as its scope.

SOC 2

Typically, the same clients who are asking you for an SSAE 16 will be the ones asking you for a SOC 2 audit. Whereas SOC 1 was designed to validate internal controls at a service provider that relate to client financial reporting and validate information security, SOC 2 was a framework specifically designed for companies delivering technology related services. The SOC 2 framework is finally gaining popularity. SOC 2 was specifically designed to report on one of five principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy. The established criteria for each principle address the following questions: How are your policies and procedures relative to the standard documented? How do you communicate those to all interested parties? How do you monitor that those controls are being effectively performed?

HIPAA

If you are working for a healthcare provider or a Business Associate who services a healthcare provider, you are going to be asked for validation of your compliance with HIPAA laws. Any entity who handles Protected Health Information (PHI) will be responsible for compliance with HIPAA. Legislation requires appropriate Physical, Administrative, and Technical Safeguards to protect PHI. Much like the SSAE 16, HIPAA compliance is risk-based. You must begin by performing a Risk Assessment to determine what the appropriate physical, administrative, and technical safeguards are, implement those, and then perform regular monitoring to ensure the safeguards are still appropriate. There is no “hard list” of requirements for HIPAA, and there is no certification. A third-party audit would provide validation of your controls and their appropriateness and effectiveness.

PCI

The PCI Data Security Standard applies primarily to the payment card industry. If you store, transmit, or process cardholder data, you will be required to comply with PCI DSS. Additionally, if you have a client who is required to comply with PCI DSS, they are required to validate your compliance with the standard as well. PCI DSS is a very robust information security standard, and is also sometimes used as a best practice, even without handling credit card data. A PCI audit is an information security audit focused on the protection of credit card data. All PCI audits are performed by a PCI Qualified Security Assessor (QSA). There are over 200 controls and 1,000 audit tests that make up the framework and process. There are six control objectives with 12 subject areas. When a third-party auditor performs a PCI audit, it results in a PCI Report on Compliance (ROC).

FISMA

FISMA Compliance is required of anyone working with the federal government, a federal contractor, or a sub-service provider of a federal contractor. FISMA is the law. NIST Special Publication 800-53 is the actual standard that lists the individual security controls required to comply with FISMA. A FISMA audit is a thorough assessment of your information security practices as it relates to NIST SP 800-53 requirements. It involves a detailed risk assessment, and a selection of comprehensive controls determined by whether you are a low, moderate, or high category. Out of the frameworks we’ve covered so far, FISMA is the most extensive.

ISO 27001-27002

If your customers are doing business globally, chances are you’ll be asked for an ISO 27001 audit. It is a very mature, holistic, information security standard that is widely recognized and highly revered on an international level. 27001 is the entire standard, and 27002 refers to just the controls. An ISO 27001 audit is a complete audit of your Information Security Management System (ISMS). This includes management system, risk management, internal audit, management review, continual improvement, and information security controls.

Determining which audit framework is the best for your organization depends on a number of things; who your clients are, who your clients’ clients are, and what kind of information you process. For more information on a specific framework, or if you are interested in speaking with an Information Security Specialist for a consultation, contact us today.