Hybrid strategies common as organizations strive for cloud GRC

By Christine Parizo, contributing writer, SearchCompliance – TechTarget, May 14, 2014

Businesses large and small have moved significant chunks of their operations into the cloud, enticed by its flexibility and easy access. But the cloud also opens up businesses to data security and compliance vulnerabilities.

Letting governance, risk management and compliance (GRC) fall by the wayside isn’t an option for any company. Protocols must be implemented to safeguard data and ensure compliance, as well as to vet vendors well in advance of engagement.

Unfortunately, no common framework exists for cloud GRC. Data monitoring and data regulatory management professionals are seeing a slew of new requirements coming down the pipeline and need to be prepared, according to Evelyn de Souza, co-chair of the Cloud Controls Matrix Working Group.

One option that may serve as a starting point for organizations is the Cloud Security Alliance’s (CSA) GRC Stack. The GRC Stack is a set of four tools that help identify controls needed for cloud services providers as well as standardize the way organizations stay abreast of regulations, according to de Souza.

In particular, the Cloud Controls Matrix takes multiple frameworks and regulations and cross-matches them to a common framework. The Matrix is designed to address key areas of vulnerability in mobile security, mobile interfaces, application development and supply chain management, she said.

While best practices for managing GRC in the cloud depend on the industry and specific deployment models, most organizations turn to hybrid models to quickly reap cloud benefits. In that case, de Souza advises a brokerage model to track deployment and mitigate risk.

“Quite often, the business moved ahead [into the cloud] without IT,” she said. “It’s much [easier] to deploy a brokerage model with a standard profile that an organization can use … to ensure that cloud instances, whether public or private, can be better tracked.”

Know your cloud provider

Vetting providers is critical to maintaining cloud GRC. The CSA offers a Security, Trust and Assurance Registry (STAR) that lists providers and their security ratings as derived from the Cloud Controls Matrix.

“It’s a really good way for organizations, as they’re looking to move to a new cloud provider, to not have to start from scratch with research but take advantage of public knowledge,” de Souza said.

Assessing providers and their cloud security protocols varies by industry, but one common thread is to know what those requirements are and prepare a third-party risk management program accordingly, according to Jeff VanSickel, security and compliance practice lead at Sudbury, Massachusetts-based consultancy SystemExperts Corp. For example, in the healthcare world, third-party risk management goes by the “business associate oversight” moniker.

“It goes by a number of different names, but you want to put together a set of security requirements based on the services you’re going to get,” he said.

When evaluating cloud providers, asking the right questions can help organizations weed out those that aren’t able to meet their compliance and security requirements. Shriram Natarajan, vice president of technology consulting and cloud computing at Persistent Systems, offered the following questions to ask about products or services during the vetting process:

  • Does it have the ability to encrypt data at rest and in transit?
  • Does it have the ability to pull audit information via logs?
  • Does it include role-based access control?
  • Does it have the ability to map roles according to enterprise hierarchy, or a facsimile of the enterprise organizational structure?
  • Can it authenticate against a central system-of-record based on user roles and assignments?
  • Can it integrate with existing command-and-control systems?
  • Can it back up data off the cloud?
  • Does it have built-in disaster recovery capabilities?

Banks, for example, are required by the Gramm-Leach-Bliley Act to have well-rounded third-party risk management, according to VanSickel. This includes initial due diligence on the third party’s history, then extensive research on the security controls and services provided by the company, he said.

Additionally, the organization procuring cloud services will need audit capabilities. Health Insurance Portability and Accountability Act and Payment Card Industry customers need to recertify yearly to ensure they are still complying with regulations, and the cloud provider should be able to meet these requirements. “As the end customer, shouldn’t you be provided with something to demonstrate that the company still meets all of your requirements?” VanSickel asked. That means defining who will be responsible for audits: the organization, the cloud provider or even a third party.

“It’s important to understand and document the data flow,” said Kunwarjeet Panesar, principal architect and head of the GRC practice at global software development and technology firm Persistent Systems. That includes not only data ownership and auditability, but cloud and storage configuration as well. Anything not documented or not included in the contract doesn’t exist, and organizations that want to maintain GRC can’t use a contract template. A customized contract is a must to ensure their needs are met, he added.

Another approach to GRC is using the Plan, Do, Check, Act (PDCA) cycle, also known as the Deming Cycle, for cloud security and compliance management, according to Panesar. The Plan phase addresses the scope of security and compliance requirements, including regulatory and business requirement evaluations, and designing deployment accordingly.

The Do phase puts security and risk management into place by defining the security controls and risk management framework, Panesar said. This includes choosing encryption, security token, identity and access management and identity management options, as well as controls to detect and prevent intrusion, such as security incident and event management and data leak protection products.

In the Check phase, organizations define auditing objectives, while in the Act phase they mitigate vulnerabilities, Panesar said. This not only includes audits, but also continuous monitoring and security improvements.

Ultimately, mitigating risk is an ongoing process, and ensuring cloud GRC requires constant vigilance. As the threat landscape shifts along with regulatory requirements, choosing the right provider and staying abreast of operations will keep data secure and compliant.

About the author:
Christine Parizo is a freelance writer specializing in business and technology. She focuses on feature articles for a variety of technology- and business-focused publications, as well as case studies and white papers for business-to-business technology companies. Prior to launching her freelance career, Parizo was an assistant news editor for SearchCRM.

Cloud GRC: Maintaining security and compliance in the cloud

I was recently interviewed by Christine Parizo, SearchCompliance (a TechTarget publication) for an article on how to maintain security and compliance during public and private cloud deployment. The article covers cloud data monitoring strategies as well as cloud data regulatory management best practices. I found the questions Christine recommends asking cloud providers when evaluating their services to be right on target:

  • Does it have the ability to encrypt data at rest and in transit?
  • Does it have the ability to pull audit information via logs?
  • Does it include role-based access control?
  • Does it have the ability to map roles according to enterprise hierarchy, or a facsimile of the enterprise organizational structure?
  • Can it authenticate against a central system-of-record based on user roles and assignments?
  • Can it integrate with existing command-and-control systems?
  • Can it back up data off the cloud?
  • Does it have built-in disaster recovery capabilities?

If you are looking to move significant pieces of your operations into the cloud, I recommend that you check out Christine’s article.

The ‘Heartbleed’ bug has e-retailers’ hearts racing with anxiety

By Thad Rueter, Senior Editor, InternetRETAILER, April 9, 2014

The flaw could help hackers steal information, including credit card numbers and personal consumer data, from inside servers that operate e-commerce sites. But patches and other steps could help web merchants reduce any risk of fraud, experts say.

Big, huge, deeply worrying—but certainly not catastrophic if the right steps are taken. That was the early view today about the impact the latest web security flaw will have on e-commerce.

Called the Heartbleed Bug, the flaw could help hackers steal information, including credit card numbers and personal consumer data, from inside servers that operate e-commerce sites. The attack also could enable criminals to create web sites that mimic real ones and which could be used to steal from consumers, experts say. While those experts could point to no such thefts today, they say retailers will have to keep their eyes open to make sure they are not victims of fraud.

“Potentially everything is at risk,” says Paul Hill, senior consultant at web security firm System Experts.

The flaw involves free web encryption tools called OpenSSL. Such encryption enables web site operators to protect such data as payment information, user names and passwords—important at all times, but especially so as more consumers use mobile devices from Internet hotspots. Consumers can typically identify sites that use OpenSSL by a digital representation of a padlock or the HTTPS at the beginning of a web address.

“The error allows an attacker to trick the server into disclosing a substantial chunk of memory, repeatedly,” says Ivan Ristic, director of application security research for web security firm Qualys. “As you can imagine, process memory is likely to contain sensitive information—for example server private keys for encryption. If those are compromised, the security of the server goes down the drain, too.”

Because of the widespread use of OpenSSL—SSL stands for “secure sockets layer”—experts have estimated that up to two-thirds of web sites around the world could be impacted. Jeff Schmidt, CEO of cybersecurity firm JAS Global Advisors, says that OpenSSL is the most common SSL implementation in the Linux and Unix operating systems, but not the Microsoft operating system. The problem impacts only secure web pages—that means someone browsing the news at CNN.com doesn’t have reason to worry about his information being stolen.

E-commerce operators and companies involved in online marketing today acknowledged the seriousness of the Heartbleed bug and reassured consumers that security was under control. “This means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal e-mails, and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit,” wrote microblogging platform provider Tumblr today.

Online marketplace Etsy Inc., No. 38 in the Internet Retailer 2013 Top 500 Guide, says it learned about the bug Monday. “We quickly began to determine the exposure of both our own systems, and those of our partners,” Etsy says in a notice to consumers. “As of right now, we have no indication that an attack has been conducted against Etsy beyond testing the vulnerability, but this type of issue makes it very difficult to detect, so we’re proceeding with a high degree of caution.”

Such e-commerce giants as Amazon.com Inc., Google Inc. and eBay Inc. reportedly were found safe from the bug after testing, but none of the companies provided immediate comment. The bug also hit e-mail providers including Yahoo Inc., says Julie Fergerson, vice president of emerging technologies at payment security service Ethoca Ltd. That means that if a user uses a Yahoo e-mail address for their e-commerce accounts or bank accounts, “a takeover will be relatively easy if the crooks have compromised the user ID and password at the e-mail provider,” she says. Yahoo provided no immediate comment.

So what is the problem and what steps can retailers take to secure their sites and information?

According to web security firm Codenomicon and similar experts:

• The flaw affects OpenSSL 1.0.1 through 1.0.1f.

• The bug was introduced into OpenSSL in December 2011 and, in the words of Codenomicon, “has been out in the wild” since that version of OpenSSL was released in March 2012. What have the attackers been doing since then? No one could say, but Schmidt says that if criminals were stealing encryption key information from SSL certificates, that would enable the attackers to set up phishing sites that seek to attract unsuspecting consumers, usually via e-mail that purports to come from legitimate retailers, banks or other companies.

• OpenSSL 1.0.1g, which was released in April, fixes the bug.

Retailers should take the following immediate steps to make sure they are secure, according to experts:

• Test their web infrastructure for flaws—but make sure to use vetted testing tools from Qualys Inc. and other reputable vendors, lest a tool represent another attempt by criminals to get into the system.

• Contact their web security vendors, which are likely to have software patches ready to go that will fix the problem.

• If a company does its own software maintenance, it should recompile its OpenSSL library.

• Revoke and reissue SSL certificates. That will likely require technical assistance from security vendors. “It’s not hard, just irritating,” Schmidt says. “If you have a lot of web servers, it will take some time.”

• Keep a watch out for an increase in chargebacks and other signs that might point to fraud. “Merchants should stay vigilant for any unusual activity, and look for attributes of an account takeover [such as] shipping to addresses that might not make sense, resetting credentials, coming in from new or unknown IP addresses or unknown device IDs,” Fergerson says. “Unfortunately these are all also attributes of good consumers, which is why account takeovers are so hard to detect.”

The “worst possible thing” that could arise from the OpenSSL attack is that criminals are able to grab the private keys that enable encryption, setting the stage for future attacks and fraud, Schmidt says. But as long as e-commerce operators get the patches and follow the other steps, he anticipates no major impact in the long term.

Five Tips to Avoid the Pitfalls Mobile Developers Commonly Fall Into When Pushing out a Customer-Facing Mobile App

Developers of mobile applications must address all of the security concerns that traditional application developers do, and they must also handle additional concerns. The most popular mobile device platforms use modern operating systems that were designed with security in mind from the initial stages. However, developers still need to understand the unique threats and issues imposed by mobile platforms. Here are five tips to avoid the pitfalls mobile developers commonly fall into when pushing out a customer-facing mobile application:

1. Network bandwidth limitations and power consumption are always a concern. Security measures should not take up excessive bandwidth and must not be excessively chatty. Furthermore, keep-alives and other techniques that create an ongoing network dialog that the user is not aware of may use excessive power.

2. Forcing users to perform tasks that are accepted on a desktop system may be unacceptable to users of mobile devices. The most common example is a repeated prompting for a password. A developer that creates their own storage method for passwords is likely putting the password at risk.

3. Mobile developers also need to take into consideration the possible presence of malware on the device which might be trying to use the same system APIs to access sensitive cached data. The developers need to understand the limitations of the system APIs and what additional controls should be implemented when this situation may exist.

4. Mobile developers also need to be very aware of session fixation issues and session termination. In the case of web browsers, non-persistent cookies are normally destroyed when the browser is closed. However, in many cases the mobile environment is different. When a user switches from the web browser to another app, the web browser doesn’t destroy the non-persistent cookies. The user might never actually terminate the session. One potential side effect of this problem is that changes to a user’s authorizations might not take effect until a session is properly terminated and re-established.

5. Mobile users may transition across multiple networks during a single use of an application. For example, they might start on a Wi-Fi network at home, walk down the street and transition to the cellular network, all while using the application. The developers need to ensure this does not affect session fixation.

The Heartbleed Bug — Commentary by Paul Hill

by Cooper Smith – Business Insider

A major flaw in the popular OpenSSL software library, which many Internet companies use to encrypt sensitive data, could leave online shoppers vulnerable to credit card theft. “Potentially everything is at risk,” said Paul Hill, a senior consultant at SystemExperts, an IT compliance and security consultancy. After learning about the bug, Amazon, eBay, Etsy, and other major online retailers began testing their systems to find out whether they are at risk. (Internet Retailer)

THREE THINGS TO KNOW ABOUT HEARTBLEED: Here are the top three things to know about the bug:

What kind of data can Heartbleed expose?

Essentially, any data stored on or received through a website’s servers, including account passwords, credit card and transaction data, and personal information.

How does it work?

Using the “heartbeat” communication link that keeps a secure connection active, attackers can trick a server into responding with a block of system memory and whatever data it happens to contain. The attack can be repeated until the desired information, including the server’s encryption key, is obtained.
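The mechanism described here, and in Ivan Ristic’s quote in the Internet Retailer piece above, comes down to one missing bounds check. The following Python model is an added illustration, not code from either article or from OpenSSL: it uses a simplified heartbeat record layout (type, declared length, payload, padding) and a constructed byte string standing in for neighbouring process memory, and shows the unchecked handler beside the checked one.

```python
"""Constructed model of the TLS heartbeat handling behind Heartbleed.

Not OpenSSL's code: the record layout is simplified and "process memory" is a
byte string built here so the over-read can be shown offline.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3    # type (1 byte) + declared payload length (2 bytes)
PADDING_LEN = 16  # heartbeat messages carry at least 16 bytes of padding

# Constructed stand-in for whatever happened to follow the record in server
# memory. A correct server never echoes any of this.
NEIGHBOURING_MEMORY = b"Cookie: session=9f3a...; -----BEGIN RSA PRIVATE KEY-----"


def build_heartbeat(declared_len, payload):
    """Build a heartbeat record. declared_len comes from the sender, so it may
    disagree with len(payload); that disagreement is the whole bug."""
    return (struct.pack("!BH", HEARTBEAT_REQUEST, declared_len)
            + payload + b"\x00" * PADDING_LEN)


def _simulated_process_memory(record):
    """The record as it sits in memory, followed by unrelated process data."""
    return record + NEIGHBOURING_MEMORY


def _echo(record, declared_len):
    """Copy declared_len bytes starting at the payload and wrap them in a
    response. Both handlers below share this; only the guard differs."""
    memory = _simulated_process_memory(record)
    echoed = memory[HEADER_LEN:HEADER_LEN + declared_len]
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, declared_len)
            + echoed + b"\x00" * PADDING_LEN)


def process_heartbeat_unchecked(record):
    """Pre-1.0.1g behaviour: trusts the declared length, so a short record with
    a large declared length makes the copy run past the record into
    neighbouring memory. Returns the response bytes."""
    hb_type, declared_len = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    return _echo(record, declared_len)


def process_heartbeat_checked(record):
    """1.0.1g behaviour: header, declared payload and padding must fit inside
    the record actually received, otherwise the message is silently dropped."""
    if len(record) < HEADER_LEN + PADDING_LEN:
        return None
    hb_type, declared_len = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + declared_len + PADDING_LEN > len(record):
        return None  # malformed: the copy would read beyond the record
    return _echo(record, declared_len)


def response_payload(response):
    """Extract the echoed payload from a response, or None if none was sent."""
    if response is None:
        return None
    _, declared_len = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + declared_len]


if __name__ == "__main__":
    honest = build_heartbeat(4, b"ping")
    malformed = build_heartbeat(64, b"ping")  # claims 64 bytes, carries 4
    print("honest    ->", response_payload(process_heartbeat_checked(honest)))
    print("unchecked ->", response_payload(process_heartbeat_unchecked(malformed)))
    print("checked   ->", response_payload(process_heartbeat_checked(malformed)))
```

The unchecked handler returns the padding plus 44 bytes of the constructed neighbouring memory for the malformed record; the checked handler drops it, which is also why patched servers give a scanner no response rather than an error.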

Is my website vulnerable?

You can test your site’s current vulnerability by entering the domain name into this tool. Unfortunately, there is no way to determine if a server has been attacked in the past using Heartbleed, but only websites that use a security protocol called OpenSSL would have been affected.


Privilege creep: Do your employees have more IT access than they need?

By James Ritchie

As employees move up and around in your organization, they likely end up with more responsibility, more influence — and more access to your IT infrastructure.

The phenomenon is known as privilege creep. As people switch roles in a company, they get login or admin privileges for new systems while retaining access to old ones. It leaves your organization vulnerable to data loss and theft.

“This is a huge problem, and a major potential gap as part of an overall security program,” said David Katz, leader of the privacy and information security practice group at Atlanta-based law firm Nelson Mullins Riley & Scarborough.

Experts say there’s a simple, if not necessarily easy, solution: The access audit. It means periodically — perhaps every six months — making sure that staff members can only get to the information and systems they need.

Privilege creep begins innocently enough. In addition to forgetting to take away old privileges, managers also sometimes choose to be liberal with logins and passwords so that employees don’t need to run to IT to get simple tasks done.

“Over time, it’s not uncommon to find that an employee has attained very broad privileges, which may not be in the best interest of the business,” said Dwayne Melancon, chief technology officer for Portland, Ore.-based cybersecurity firm Tripwire.

The consequences can range from mild, such as an employee looking at information from another project, to crushing, such as compliance issues resulting from illegal access to financial or human resources information. Some workers may also seek to take sensitive data with them when they leave the company, and unfettered access compounds the problem.

IT and human resources departments should work together to control privilege creep, Katz said. That means setting policies for what happens to accounts when employees are terminated, reassigned or promoted, and maintaining lists of who has what type of access.

Audits might take place anywhere from once a year to once a quarter, depending on “how dynamic the environment is, as well as the risks and liabilities that will be encountered if an employee gains too much authorized access,” said Paul Hill, a consultant with Boston-based network security consulting firm SystemExperts.

In small firms, decisions about access might rest with a designated security officer, he said. Larger organizations often delegate the review to each managing supervisor.

Companies operating in complicated or regulated environments do best with a centralized system that tracks all privileges along with who made approvals and when, Hill said.

Beyond data breaches, privilege creep can lead to less obvious but deeper problems within an organization, subverting systems of checks and balances.

“A single individual might end up with the authority to request, approve and grant a particular action or transaction,” Hill said.

If no audit has been conducted for a while, one approach is to start from scratch, revoking all privileges and determining who needs what, said Tim Parkin, an Orlando, Fla.-based online business consultant and president of Parkin Web Development.

“Businesses should never be shy about being aggressive in protecting and limiting access,” he said. “It’s always better to revoke access and see if someone notices or complains, rather than assume that a person needs the access they were given.”
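The access audit the article describes (comparing live grants against each person’s current role, keeping a record of who approved what and when, and flagging anyone who can request, approve and grant the same transaction) is small enough to show in code. This is an added example, not any vendor’s product: the role model, the separation-of-duties rule and the grant records are constructed sample data.

```python
"""Constructed access-audit checker for a privilege-creep review.

Not a product's code: the roster, role model and grants are sample data built
here so the audit runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    privilege: str
    granted_on: str   # ISO date; who approved and when is the audit trail
    approved_by: str


# Constructed role model: the entitlements each current job role justifies.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {("erp", "invoice.request")},
    "ap_manager": {("erp", "invoice.approve"), ("hr", "payroll.read")},
    "it_admin": {("erp", "admin"), ("erp", "invoice.grant"), ("hr", "admin")},
}

# Separation-of-duties rule: no one person may hold every step of a workflow.
SOD_WORKFLOWS = {
    "invoice_payment": {
        ("erp", "invoice.request"),
        ("erp", "invoice.approve"),
        ("erp", "invoice.grant"),
    },
}


def audit_access(grants, current_roles):
    """Compare live grants with the current HR roster and role model.

    Finding types:
      creep  - a grant the user's current role does not justify (typically
               kept from a previous role)
      orphan - a grant held by someone no longer on the roster
      sod    - one user holds request, approve and grant for one workflow
    """
    findings = []
    held_by_user = defaultdict(set)
    for g in grants:
        entitlement = (g.system, g.privilege)
        held_by_user[g.user].add(entitlement)
        role = current_roles.get(g.user)
        record = {"user": g.user, "grant": entitlement,
                  "granted_on": g.granted_on, "approved_by": g.approved_by}
        if role is None:
            findings.append(dict(record, type="orphan"))
        elif entitlement not in ROLE_ENTITLEMENTS.get(role, set()):
            findings.append(dict(record, type="creep", current_role=role))
    for user, held in held_by_user.items():
        for workflow, steps in SOD_WORKFLOWS.items():
            if steps <= held:
                findings.append({"type": "sod", "user": user,
                                 "workflow": workflow})
    return findings


def revocation_list(findings):
    """Grants to remove outright: creep and orphan findings. SoD conflicts need
    a human decision about which step to take away, so they are left out."""
    return sorted((f["user"], f["grant"]) for f in findings
                  if f["type"] in ("creep", "orphan"))


# Constructed sample: alice was promoted from AP clerk to AP manager and kept
# her old request right; bob (IT) was given AP rights "to help out"; carol left.
SAMPLE_GRANTS = [
    Grant("alice", "erp", "invoice.request", "2012-03-01", "mgr_ap"),
    Grant("alice", "erp", "invoice.approve", "2013-09-15", "dir_finance"),
    Grant("alice", "hr", "payroll.read", "2013-09-15", "dir_finance"),
    Grant("bob", "erp", "admin", "2011-06-20", "cio"),
    Grant("bob", "erp", "invoice.grant", "2011-06-20", "cio"),
    Grant("bob", "erp", "invoice.request", "2013-12-02", "mgr_ap"),
    Grant("bob", "erp", "invoice.approve", "2013-12-02", "mgr_ap"),
    Grant("carol", "hr", "payroll.read", "2012-08-10", "dir_finance"),
]
SAMPLE_ROSTER = {"alice": "ap_manager", "bob": "it_admin"}


def run_sample_audit():
    """Run the audit over the constructed sample data."""
    return audit_access(SAMPLE_GRANTS, SAMPLE_ROSTER)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
    print("revoke:", revocation_list(run_sample_audit()))
```

Because every finding carries the original approver and date, the output doubles as the evidence trail a reviewer needs when asking a manager to confirm or revoke a grant.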

Getting Your Employees to Buy into Your BYOD Security Policy

Getting your employees to buy into your BYOD security policy can be challenging. I was recently asked by Sue Poremba, Business News Daily, what pieces of advice I could share with employers to get employees to follow the company’s BYOD security policies. In addition to the tips included in Sue’s article, I’d like to share my thoughts on the pros and cons that enterprises should consider when looking to implement a BYOD program:

Pros of a BYOD policy for the enterprise include: 

  • An attempt to foster employee morale by granting employees the ability to adopt new platforms of their own choosing

  • Eliminating a potential tax reporting burden if the IRS decides that company provided smartphones and tablets are taxable benefits

  • Potential time savings by avoiding corporate dialing and data plans with carriers

Cons facing companies when they adopt a BYOD policy include:

  • Higher support costs — support staff may need to be trained to answer questions about a wider variety of platforms;  multiple answers to address a single issue may need to be established, and some support staff specialization may occur

  • Increased security risks — not all mobile platforms support all security features

  • Handling of corporate data — understanding where corporate data may reside, ensuring compliance with data retention policies, eDiscovery, and ensuring that all corporate data is being properly handled

  • Balancing corporate requirements/liabilities — organizations are not yet requiring employees to sign liability waivers to protect companies that may accidentally destroy personal data if a device has to be remotely wiped.

Despite the risks, the desire to achieve cost savings and improve employee morale will continue to drive BYOD for the foreseeable future.

BYOD Security: Getting Employees to Buy In

By Sue Marquette Poremba

Do you have a Bring Your Own Device (BYOD) security policy in place for your company? If you do, your employees may not be too happy about it: A recent report by technology research firm Gartner found that one-fifth of BYOD policies fail because employees find the rules too restrictive and don’t bother to follow them.

BYOD gives the workforce flexibility without the extra cost of supplying employees with gadgets. But workers are generally uninformed about BYOD security policies, or simply don’t care about them. And when company leaders try to enact policies that seem too strict, employees just tune out.

Another study, by security solutions provider Absolute Software, found that nearly a quarter of those surveyed don’t think they should be held to any consequences if their personal device used for work is lost or stolen. Under this line of thought, the security of corporate data isn’t the worker’s responsibility.

The study also found that employees are unaware of the value of business data stored on their devices. This attitude may explain why, if a security incident with an employee’s own phone, tablet or other device does occur, many employees do nothing new to improve their security behavior.

Toronto-based startup Better Dwelling, an on-demand maid-booking service, has its maids use their smartphones to keep in touch with the main office. The company needs to engage the employees in smart BYOD policies because a breach could cripple the entire business, said Better Dwelling employee Paige Ring. The company has policies in place to secure the network, such as encryption and password protection, but those security functions are pointless if no one understands why they are there.

“You can’t force your employees to do anything with their own hardware,” Ring said.

If employees aren’t following BYOD security policies, it puts company information and the company network at risk, Ring said. But first employees need to buy into those policies.

“BYOD is tricky, because once employees know they can use their own devices and applications at work, they don’t see the rationale for any limitations on top of that,” said Cortney Thompson, CTO of cloud hosting and colocation provider Green House Data. “[For example,] if I can use the company cloud storage, why can’t I use Dropbox? Why can’t I play this game over the network?”

The best time to address BYOD issues is at the moment the policies are implemented, Thompson added. Don’t introduce the policies with a generic email outlining the rules. Instead, Thompson recommended introducing BYOD policies at a corporate-wide meeting, stressing the reasons for mobile device management. This also provides an opportunity for an engaged dialogue between employees and leadership about the policies.

After that meeting, continue to hold regular BYOD-related meetings that reinforce the policies or discuss changes. Leadership should approach these policy meetings with an open mind; employees may present concerns that the policies don’t address.

Paul Hill, from IT security consulting firm System Experts, said businesses must take two critical steps in order to engage employees in BYOD security once policies are formally introduced.

“First, companies should require employees participating in BYOD to annually sign a form acknowledging the policies and employee responsibilities, and waiving the company of any liabilities resulting from deleting employee data or applications,” he said.

“Second, companies should require BYOD participants to enroll the authorized devices with the company’s mobile device management system so that security configurations can be automatically configured, including providing the company with the ability to remotely lock and/or wipe the device if it is reported lost or stolen.”

An information-centric approach to managing these risks is essential because devices not issued by the company are too numerous, varied and vulnerable to be effectively managed.

“Keeping the lid on the risks presented by the new BYOD ecosystem will require IT departments to rapidly and effectively deploy business-wide strategies, policies and management technologies,” said Steve Durbin, global vice president of the Information Security Forum. “While safeguarding your organization’s data is of paramount importance, empowering employees to use their own devices safely and flexibly is essential to better workplace productivity, competitiveness, as well as keeping workforce morale and talent retention high.”

BYOD policy options can be crafted to reflect differing factors such as the information type, device ownership and the likelihood of access to more-sensitive information, Durbin added. For example, information and functionality may not be made available through a BYOD device for specific groups/roles, such as commercial systems or a human resources system. Use of certain types of devices and applications can also be restricted to those in specific job duties that require out-of-office network access.

For policy controls to work, organizations must be able to trust their people to do the right thing. This is only realistic if the organization provides communication, training, monitoring and enforcement that make clear what behaviors are expected of employees. Behaviors can be difficult to change, and security awareness is often elusive.

True behavioral change will require not just good company citizenship, but also solutions that provide value for the employee, said Adam Ely, founder and COO of Bluebox Security. If there are too many restrictions, employees will find ways to work around them.

Employers also need to show they respect their employees’ privacy. One way to do that is to enable a privacy dashboard that displays exactly what the company is, and isn’t, tracking. You can also give employees the chance to suspend business use of the device. That option gives employees a greater sense of control over their own devices, Ely said.

Knowing that they have some control and privacy makes it much easier for employees to buy into BYOD security policies.

Accepting Credit Cards? PCI Compliance a Concern for Small Businesses

Recent breaches against major retailers have put payment card industry (PCI) regulations in the spotlight. However, it isn’t only big companies that need to worry about adhering to these regulations. The rules apply to every business that relies on credit and debit cards for transactions. Even if your business employs four people and it conducts one credit-card transaction a month, it must be PCI compliant.

This is easier said than done. The Verizon 2014 PCI Compliance Report found that most companies struggle to meet the PCI Data Security Standard, the set of regulations created to help keep credit and debit card data safe and secure. According to Computerworld, more than 82 percent of companies were compliant with only about 8 in 10 of these requirements at the time of their annual assessments, and needed several months to close the gaps. In addition, only 11.1 percent of businesses maintain their compliance status between assessments.

Being PCI compliant is non-negotiable if you accept credit and debit cards, but preparing for a PCI audit and ensuring that your company does meet compliance standards can be daunting. Jeff VanSickel, senior consultant at IT compliance consulting firm SystemExperts, provided a few tips to prepare for a PCI assessment, and to keep your standards at secure levels at all times.

1. Identify all business and client data, including any cardholder data, its sensitivity and criticality. Correctly defining the PCI Scope of Assessment is probably the most difficult and important part of any PCI compliance program, VanSickel said. An overly narrow scope can jeopardize cardholder data, while an overly broad scope can add immense and unnecessary cost and effort to a PCI compliance program.

2. Understand the boundaries of the cardholder data environment and all of the data that flows into and out of it. Any system that connects to the cardholder data environment is in scope for compliance, and therefore must meet PCI requirements. The cardholder data environment includes all processes and technology as well as the people that store, process or transmit customer cardholder data or authentication data, as well as all connected system components and any virtualization components, like servers.

3. Establish operating controls to protect the confidentiality and integrity of any cardholder data. Cardholder data should be protected wherever it is imported, processed, stored and transmitted. It must then be properly disposed of at the end of its life span.

“Backups must also preserve the confidentiality and integrity of cardholder data,” VanSickel added. “Additionally, all media must be properly disposed of to ensure the continued confidentiality of the data. Be sure to include not only the hard disks used by company-owned computer systems but also leased systems and the storage included in modern copy machines and printers.”

4. Have an incident response plan in place. When an incident occurs, it’s important to have a plan to return to secure operations as quickly as possible. This incident response plan should define roles, responsibilities, communication requirements and contact strategies in the event of a compromise, including notification of the payment brands, legal counsel and public relations. This will ensure timely and effective handling of all compromised situations.

“Ideally, companies should have a certified forensics specialist on retainer who can gather evidence and testify as an expert witness if necessary,” VanSickel said.

5. Explain and enforce security procedures. You can never be sure that employees understand security best practices and other behaviors that can put your business at risk. It is up to you to make sure everyone within the company, from lower-level employees to IT specialists to management, is educated about security procedures and PCI compliance procedures.

The moment your customer hands over a credit or debit card, you become responsible for keeping the data associated with that card secure. While the above steps are primarily meant to prepare you for a PCI audit, they will also provide a safety net in between assessments. For more information, visit PCIComplianceGuide.org.

Originally published on Business News Daily

Accepting Credit Cards? PCI Compliance a Concern For Small Businesses

Preparing for a Payment Card Industry (PCI) audit requires merchants and service providers that store, process or transmit credit card data to have a detailed security assessment. The purpose of the assessment is to confirm that the merchant or service provider is handling card data in compliance with the Payment Card Industry Data Security Standards (PCI DSS).

I was recently quoted in a BusinessNewsDaily article talking about tips to help merchants and service providers prepare for a PCI assessment. In addition to the two tips mentioned in the article, I’d like to share an additional three tips on preparing for a PCI assessment:

1. Establish operating controls to protect the confidentiality and integrity of any cardholder data wherever it is input/imported, processed, stored, output/transmitted and properly disposed of at the end of its lifespan.

Even if an organization is not storing cardholder data on its systems, a QSA must document the procedures used to confirm that cardholder data is not stored on the organization’s systems.

Even if an organization has not deployed wireless networking, the PCI security standards require periodic attempts to detect rogue wireless networks connected to systems.

Backups must also preserve the confidentiality and integrity of all cardholder data. Additionally, all media must be properly disposed of to ensure the continued confidentiality of the data. Be sure to include not only the hard disks used by company-owned computer systems but also leased systems and the storage included in modern copy machines and printers.

The management of cryptographic keys is also in scope. The PCI DSS references the key management procedures published by NIST. NIST has issued Special Publication (SP) 800-57, which discusses encryption key management. It goes into detail not only on encryption itself (volume 1), but also key management (volume 2). For most organizations, volume 2 is the most relevant unless you are using IPSec, PKI or other special cases, in which case volume 3 would also be relevant.
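Both the scoping step (identify all cardholder data and confirm it is not stored where it should not be) and the QSA's need for a documented procedure to check that no cardholder data is stored on a system come down to a repeatable data-discovery check. The following scanner is an added example, not code from the article or from SystemExperts: it finds digit runs that look like a primary account number, applies the Luhn check that card brands use, and reports any hits masked to the first six and last four digits so the report itself does not become stored cardholder data. The log lines are constructed sample input; the two card numbers in them are publicly documented test numbers, not real accounts.

```python
import re
from typing import Dict, List

# Constructed sample input (not real card data): lines as they might appear in an
# application log export that a scoping exercise has to check for stored PANs.
# 4111111111111111 and 5500000000000004 are publicly documented test numbers.
SAMPLE_LINES = [
    "2024-01-02 order=1001 pan=4111111111111111 amount=19.99",
    "2024-01-02 order=1002 card=5500 0000 0000 0004 amount=5.00",
    "2024-01-03 order=1003 ref=1234567890123456 amount=7.50",   # fails Luhn: not a PAN
    "2024-01-03 order=1004 pan=411111******1111 amount=3.25",   # already masked
]

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so timestamps and short ids are skipped).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six and last four digits, the most PCI DSS allows when a PAN is displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines: List[str]) -> List[Dict[str, object]]:
    """Scan text lines and report Luhn-valid PAN candidates, masked, with their line number."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(lines, start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append({"line": line_no, "pan": mask_pan(digits)})
    return findings


if __name__ == "__main__":
    # Run over the constructed sample; on a real system feed it file contents line by line.
    for f in find_pans(SAMPLE_LINES):
        print(f"line {f['line']}: possible stored PAN {f['pan']}")
```

Run against the sample, the scanner reports lines 1 and 2 only: the 16-digit reference on line 3 fails the Luhn check and the already-masked value on line 4 never matches. The Luhn filter removes most false positives from order numbers and timestamps, but a clean scan is evidence for the documented procedure, not proof; the scope decision still has to cover every system that can touch the data.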

2. Establish controls to document and distribute security incident response and escalation procedures to ensure timely and effective handling of all compromised situations.

An incident response plan should define roles, responsibilities, communication requirements, and contact strategies in the event of a compromise, including notification of the payment brands. It should include legal counsel and public relations. Another important aspect is business continuity and returning to secure operations as quickly as possible. Ideally, companies should have a certified forensics specialist on retainer who can gather evidence while preserving the chain of evidence, and testify as an expert witness if necessary.

3. Make sure documented controls are in place for users to follow, IT to configure and management to enforce.

An organization cannot safely assume that its employees just know to “do the right thing.” Each organization has the responsibility to educate its employees, contractors and temporary employees about acceptable behaviors, unacceptable behaviors, and how to identify and report suspected security incidents. IT employees should have documentation that addresses configuration standards, logging requirements, data retention requirements, and access control requirements. All staff must be made aware of the potential penalties for not complying with policies and procedures.

Undergoing a PCI audit does not have to be a daunting task if companies follow these guidelines to help prepare for it.