INFORMATION SECURITY
ESSENTIAL GUIDE TO Compliance
You need to be nimble and proactive
about compliance efforts in order to build
a comprehensive program. That means
learning more about risk assessment
frameworks and global regulations while
maintaining your established privacy and
PCI programs.
INSIDE
8 DATA and You
15 Navigating Data Privacy, Security and
Management Across Borders
22 Sizing Up Risk
31 Culturally Boost Infosec Compliance and
Risk Management
34 PCI DSS 2.0: PCI Assessment Changes Explained
40 Enterprise Protection for Web Add-Ons
INFOSECURITYMAG.COM
contents

FEATURES

DATA PROTECTION
DATA and You (p. 8)
The Data Accountability and Trust Act, if passed into law, would create a national standard for privacy and data protection. BY RICHARD E. MACKEY JR.

INTERNATIONAL REGULATIONS
Navigating Data Privacy, Security and Management Across Borders (p. 15)
Companies should revisit streamlined global data operations with an eye toward revamping compliance. BY CYNTHIA O’DONOGHUE, KATHARINA A. WEIMER AND AMY MUSHAHWAR

RISK METHODOLOGIES
Sizing Up Risk (p. 22)
There are a lot of risk assessment frameworks out there. Here’s what you need to know in order to pick the right one. BY RICHARD E. MACKEY JR.

BUSINESS INTEGRATION
Hurdle Cultural Barriers to Compliance (p. 31)
Engage stakeholders frequently about their role in compliance and reducing risk inside your organization. BY ERIC HOLMQUIST

ALSO

PCI DSS 2.0
PCI Assessment Changes Explained (p. 34)
The latest update to PCI is relatively minor, but that doesn’t mean security and compliance managers can afford to slack. BY ED MOYLE

EDITOR’S DESK
Has Compliance Stifled Security Innovation? (p. 5)
Enterprises, driven by regulations, continue to shoot for a bare minimum set of security controls. That approach is impacting innovation. BY MICHAEL S. MIMOSO

SPONSOR RESOURCES (p. 40)
INFORMATION SECURITY • ESSENTIAL GUIDE • COMPLIANCE
EDITOR’S DESK
Has Compliance Stifled
Security Innovation?
Enterprises, driven by regulations, continue
to shoot for a bare minimum set of security controls.
That approach is impacting innovation. BY MICHAEL S. MIMOSO
IF YOU PITCH your boss for the latest and greatest security technology, is your boss’ first
question whether you’ll incur a fine if you don’t? Does your IT decision maker fear an
auditor more than an attacker?
This is the influence compliance, PCI DSS compliance in particular, has inside enterprises
and bigger picture, on innovation. Companies invest more in protecting custodial data than
corporate secrets, despite the balance of value between the two leaning toward corporate
secrets. Sure it’s costly if you lose PCI data in a breach, but if your trade secrets are in the
clear, does your business have long to live?
Yet it’s the checkmark that gets the pretty girl at the dance, and some think that, at the
same time, PCI is turning innovation into a wallflower.
Security observers and experts don’t put all
the blame on PCI; security is a bloated market
with dozens of products addressing dozens of
threats in dozens of ways. Complexity and a still unsteady economy force people to look for
a crutch to lean on. PCI is a convenient one because it mandates controls more than most
other industry and federal regulations.
“It’s tough to spend on innovative solutions that aren’t required,” says 451 Group analyst
Joshua Corman.
Blame the vendors too. Blame them for still selling based on fear, uncertainty and doubt—
FUD doesn’t hold up when there’s no money to spend on something that might happen.
Sure you might get attacked, but you will get fined. So whatever satisfies the auditor gets
the resources.
“What we’re left with is instead of doing the best we could, now we’re doing what’s
mandatory,” Corman says. “We do that and not a whole lot more.”
Regulations, in theory, are supposed to be the bare minimum set of controls you have to
manage. They’re not the end game, yet most companies shoot for just the bare minimum,
which isn’t good enough. That’s why firewalls, antivirus, encryption, vulnerability management, log management and IDS remain top-of-mind security technologies. Nothing wrong
with that list, but most organizations’ arsenals don’t go much deeper. And if they do, as in
the case of Web application firewalls, it’s only because they’re specifically called out by PCI
6.6, for example.
If you look at this issue of innovation vs. compliance from a business point of view, vendors
will tell you that compliance, by setting that minimum standard, influences spending and
stimulates certain markets. Vendors actually are competitive in those markets, products
improve in a relatively short period of time and prices go down.
Paul Judge, chief research officer and VP at Barracuda Networks, founded Purewire and
was in on the ground floor at Secure Computing and CipherTrust. He’s a VC too. He says
compliance is about enforcing best practices for a class of constituents, be they consumers
or health care patients, for example.
“When you enforce best practices, you do influence spending,” Judge says. “When you
compete on those fronts, it creates better products for the market and you’re creating innovation on one of those fronts. If a problem is real and [a control is] mandated by legislation,
you have a beautiful thing where everyone benefits from the vast improvements in short
amount of time versus a market that is stagnant without motivation.”
Judge’s best example is that of the Web application firewalls. WAF appliances can be had
for relatively cheap today, compared to five years ago when he says the price was as much as
10 times more. WAFs are built into proxy appliances today, or can even be integrated into a
load balancer. Because of the mandates in PCI 6.6, WAF has evolved into a technology that’s
within reach of most of the market—more of a commodity.
“This frees budget for more,” Judge says. “You can stop hitting your head against the wall
for some problems.”
Compliance is a complex monster that governs the direction of most IT security organizations. You’re still a cost center, yet you understand threats and risks better than anyone
else. And you understand the shortcomings of shooting for a bare minimum standard.
Keep making your case to management that innovative solutions have merit beyond a
checkbox. Prove your business case for these defensive technologies, because if you don’t
influence spending, the market won’t innovate and when new threats arrive, your holster
is going to be empty.
Michael S. Mimoso is Editorial Director of the Security Media Group at TechTarget. Send comments on this
column to [email protected].
DATA PROTECTION
DATA and You
The Data Accountability and Trust Act, if passed into law, would create a national standard for privacy and data protection.
BY RICHARD E. MACKEY, JR.
THERE ARE CURRENTLY more than 40 different state and territorial laws that require organizations entrusted with personally identifiable information to notify individuals when
their information has been exposed to unauthorized parties. These laws range from those
only requiring notification to those that mandate full security programs designed to prevent breaches in the first place. They define personally identifiable information differently,
require different notification processes and force organizations to deal not only with the
victims of the breach, but also the attorneys general of all the states where victims reside.
The complexity and cost of notification, let alone the difficulty of ensuring compliance
with security program requirements, is daunting.
Still, breaches that lead to identity theft happen regularly and people expect organizations
to be held accountable for the security of their personal information. Politicians have heard
the public outcry and have recognized that there is a need for more uniform protection of
personal data and more manageable and predictable notification processes. Consequently, every
year there seem to be a handful of new proposed federal laws to address the growing problem of
sloppy handling of personal information and breaches.
At the end of 2009, the U.S. House of Representatives passed the Data Accountability and Trust
Act of 2009 (DATA). If passed by the Senate and signed into law, DATA would supersede existing
state laws and thereby eliminate the complex array of
notification procedures and the myriad protection
mechanisms required by the states. The proposed law
would also provide a universal definition of personally
identifiable information, appoint the Federal Trade
Commission to specify regulations and enforce compliance, and require organizations to implement formal
security programs to prevent unauthorized access to
personally identifiable information. Compared to other
data protection legislative efforts, DATA’s passage in
the House makes it the only bill to gather the necessary
support in either chamber. Its impact is potentially far
reaching, and organizations should understand how it
might affect them.
PERSONAL INFORMATION DEFINED
At the heart of DATA, or any data protection law, is the definition of personally identifiable
information. The definition is critical because it not only spells out what types of information
need to be protected, but also helps organizations strip out elements of data sets to avoid having
to protect them. This practice, known as scrubbing, is commonly used to protect credit card
numbers and Social Security numbers by masking all but the last four digits.
DATA defines personal information as an individual’s first name or initial and last name, or
address, or phone number, in combination with any one or more of the following data elements
for that person:
• Social Security number;
• Driver’s license number, passport number, military identification number, or other similar
number issued on a government document used to verify identity;
• Financial account number, or credit or debit card number, and any required security code,
access code, or password that is necessary to permit access to an individual’s financial
account.
This definition is similar to most state breach laws with some notable differences: It does not
consider a financial account number alone (without a PIN or password) sensitive. In addition,
unlike another proposed federal law—S. 1490, the Personal Data Privacy and Security Act—
DATA makes no mention of mother’s maiden name as sensitive (even though it is often used to
authenticate an individual’s identity).
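As an added example (not part of the article, and not any FTC or statutory tooling), the following Python applies the definition above to records before they are shared or exported: it flags a record as DATA personal information only when an identifying element is combined with a sensitive one, treats a bare account number (no PIN or password) as out of scope as the text notes, and scrubs identifiers to their last four digits in the way the article describes. The field names, the sample records and the rule that a value with more than four visible digits counts as exposed are assumptions for illustration, not terms of the Act.

```python
"""Scope check and scrubbing against DATA's definition of personal information.

Added illustration, not code from the article. Field names are assumptions.
DATA: (name, or address, or phone) combined with at least one of
  - Social Security number
  - government-issued ID number (driver's license, passport, military ID)
  - financial account / card number PLUS the access code needed to use it
"""

IDENTIFYING_FIELDS = ("name", "address", "phone")
GOVERNMENT_ID_FIELDS = ("ssn", "drivers_license", "passport", "military_id")
ACCOUNT_FIELDS = ("account_number", "card_number")
ACCESS_CODE_FIELDS = ("pin", "security_code", "password")


def mask_last_four(value: str) -> str:
    """Replace every digit except the last four with 'X'; keep separators."""
    total = sum(c.isdigit() for c in value)
    seen = 0
    out = []
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - 4 else "X")
        else:
            out.append(c)
    return "".join(out)


def exposed(value) -> bool:
    """Assumption: a value is exposed when more than four of its digits are visible,
    so a value masked to its last four digits no longer counts."""
    return bool(value) and sum(c.isdigit() for c in str(value)) > 4


def sensitive_elements(record: dict) -> list:
    """Fields that make the record sensitive under DATA's definition."""
    found = [f for f in GOVERNMENT_ID_FIELDS if exposed(record.get(f))]
    accounts = [f for f in ACCOUNT_FIELDS if exposed(record.get(f))]
    codes = [f for f in ACCESS_CODE_FIELDS if record.get(f)]
    if accounts and codes:  # an account number alone is not sensitive under DATA
        found += accounts
    return found


def is_personal_information(record: dict) -> bool:
    """True only when an identifying element is combined with a sensitive one."""
    identified = any(record.get(f) for f in IDENTIFYING_FIELDS)
    return identified and bool(sensitive_elements(record))


def scrub(record: dict) -> dict:
    """Return a copy outside the definition: identifiers masked to the last
    four digits, access codes dropped (a masked account number has no use for them)."""
    out = dict(record)
    for f in GOVERNMENT_ID_FIELDS + ACCOUNT_FIELDS:
        if out.get(f):
            out[f] = mask_last_four(str(out[f]))
    for f in ACCESS_CODE_FIELDS:
        out.pop(f, None)
    return out


# Constructed sample records for illustration; not real data.
SAMPLE = [
    {"name": "Ada Example", "ssn": "123-45-6789"},
    {"name": "Bob Example", "account_number": "00112233445566"},           # account alone
    {"name": "Cy Example", "card_number": "4111 1111 1111 1234", "security_code": "123"},
    {"address": "1 Main St", "phone": "555-0100"},                         # no sensitive element
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(is_personal_information(r), is_personal_information(scrub(r)), scrub(r))
```

The digit-count rule is deliberately conservative for Social Security and card numbers; alphanumeric government IDs would need their own exposure test, and because DATA's list omits mother's maiden name the check does not consider it. A scrubbed copy that falls outside this definition may still be regulated by a state law or a contract with a different definition, so the check is a data-minimization aid, not a compliance verdict.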
The law would provide room for the FTC to modify the definition of personal information
as necessary to accomplish the goals of the act as long as these changes do not unreasonably
impede interstate commerce.
APPLICATION AND ENFORCEMENT
As proposed, DATA will be regulated and enforced by
the FTC. Consequently, the legislation applies only to
those entities over which the FTC has jurisdiction. Even
though DATA states that it applies to persons, partnerships, or corporations engaged in interstate commerce,
it does not apply to all organizations. One of the most
significant repercussions of the appointment of the
FTC is the limit of the legislation’s jurisdiction; the
FTC does not regulate banks, savings and loans, or
common carriers such as airlines and railroads.
However, the FTC is not the only enforcer of the
law. DATA also carves out room for state attorneys
general to take action against violators. They are
empowered to enjoin further violation, compel compliance, or obtain civil penalties. In other
words, state attorneys general have about the same power they have under the current state laws.
The FTC or U.S. Attorney General, though, could intervene and limit state prosecution while
federal actions are pending.
PREVENTATIVE CONTROLS
One of the ways DATA distinguishes itself from state laws that simply deal with breach notification
is that it requires organizations to implement a security program designed to prevent compromise
of the information. Organizations need to:
• Appoint a person as a point of contact who is responsible for overseeing the program;
• Document a security policy for the collection, use, sale, dissemination, and maintenance
of personal information;
• Establish contracts with third parties with access to the information to establish controls
meeting the requirements of the act;
• Establish a process to identify risks and vulnerabilities and implement administrative and
technical controls to mitigate the risk of compromise of the information;
• Define and implement a process for securely disposing of both digital and paper records
including personal information.
The security controls required by DATA are similar to those required by state regulations such as Massachusetts 201 CMR 17; they include a risk assessment, a vulnerability assessment, testing, remediation, and secure destruction and disposal of personal information. One notable exception is that DATA only requires organizations to establish contracts with third parties to protect personal information; it does not require definition of the policy and procedure for vetting the security practices of these organizations. Some state and federal regulations, most notably 201 CMR 17 and HIPAA, provide more in-depth requirements for dealing with business associates and service providers. This may be an area that the FTC will spell out more clearly if DATA becomes law.

The legislation also does not provide requirements for where encryption is required. State laws and regulations from Massachusetts and Nevada require encryption of personal information when it is transmitted over public networks or stored on removable devices. This may also be an area eventually addressed by FTC regulations or guidance.

Information Brokers in the Crosshairs
Companies that collect personal data face extra requirements under DATA.

A MAJOR DIFFERENCE between state laws and DATA is the set of special requirements for information brokers. DATA requires information brokers to implement additional controls and program elements beyond those required of data owners. This provision is likely an attempt to avoid another breach like the one involving ChoicePoint in 2005 by making data brokers accountable for the information they collect and sell.

The legislation defines an information broker as a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers. Information brokers collect such data in order to sell it or provide third-party access to it for a fee; they may either collect information themselves or contract others to collect and maintain the information. The definition specifically excludes entities that maintain information about employees, customers, or former customers.

Under DATA, information brokers must establish “reasonable procedures” to assure the accuracy of personal information they collect, assemble, or maintain. In addition to striving to maintain accuracy, they must support a program to respond to individuals’ written requests to provide information assembled about them once per year. These responses must be provided at no cost to the individual and the method for submitting requests must be conspicuously advertised on the organization’s website. Individuals must also be able to use this method for expressing a preference as to how their information might be used for marketing purposes.

If someone finds inaccuracies, the information broker must provide a mechanism for the individual to request changes to correct the inaccuracies. If the broker is not the source of the information (e.g., the data was harvested from public records), the broker must provide the person the source of the information and a method for correcting the inaccuracy at the source organization. The individual may provide proof that the public record has been corrected and require the information broker to correct its version of the information. Someone may also require a broker to mark the information as disputed if it hasn’t been corrected.

As proposed by DATA, when an information broker has a breach, it must follow the same reporting procedures as other businesses. However, these organizations must also submit the policies governing their personal data protection program to the FTC as part of the notification and may be required to undergo an FTC security audit. The FTC has the right to request an information broker’s policy at any time.
—RICHARD E. MACKEY, JR.
BREACH NOTIFICATION RULES
Any organization that has gone through the process of breach notification according to multiple
state laws would likely welcome the single set of rules that would come from a federal law.
DATA defines “breach of security” as the unauthorized access to or acquisition of data in
electronic form containing personal information. However, the legislation allows the data owner
to avoid the process of notification if the data owner determines that there is no reasonable
risk of identity theft, fraud, or unlawful activity. While this is a rather broad statement, it means,
at a minimum, that information that was encrypted and exposed to unauthorized parties would
not be considered breached.
In the event of a breach, DATA requires data owners to notify the FTC and directly notify
each individual throughout the U.S. whose data has been exposed. This notification must take
place within 60 days of discovery of the breach.
The data owner may send notice in writing or electronically. However, electronic notification
is only acceptable if the individual has consented to receiving official communications in that
manner. In cases where the data owner does not have
complete contact information for all individuals, the
data owner may use email to the full extent possible,
publish a notice on its website, and issue notification
in print and broadcast media for areas where the
victims reside.
The notification must include a description of the
information breached and a toll-free number to inquire
about the breach. The letter must also include an offer
to receive free quarterly credit reports for two years or
a credit monitoring service. The individual must also be
given toll-free numbers for credit reporting agencies and
contact information for the FTC to learn about identity
theft.
PENALTIES
DATA sets out steep penalties for violations, which come in two types: failure to comply with
security program requirements, and failure to follow the breach notification rules.
The two types of penalties are calculated differently. The amount for security program
penalties is based on the number of days the organization is found to be non-compliant
multiplied by a maximum of $11,000 per day. Notification penalties are calculated by multiplying the number of violations—individuals they failed to notify—by an $11,000 maximum.
Each failure to send notification is considered a separate violation. The Act sets the maximum
civil penalty for violations of each type to $5 million, making it possible for a single organization to pay up to $10 million for a combination of security program and notification violations.
LOOKING AHEAD
The biggest difference between existing state laws and the proposed federal laws (both DATA and
other similar bills) is the inclusion of special requirements for information brokers (see “Information
Brokers in the Crosshairs”). This special treatment will not be taken well by the large organizations
in the information broker business as it increases cost substantially.
It will be interesting to see how information brokers and businesses in general react to these
bills as they are debated in the Senate. Maplight.org, a nonprofit, nonpartisan research organization that tracks money and influence in the U.S. Congress, shows that the backers of the bill
receive campaign contributions from finance companies and credit agencies. This makes sense
as both these groups would benefit from stronger identity controls. Maplight.org shows no
money associated with opposition to the bill–at least not as yet.
DATA clearly has benefits for the general population and, whether they want to admit it or
not, businesses that will need to notify people when breaches occur. The overall approach of
ensuring that organizations formally protect information, implement sound technical controls
that include risk assessment and treatment, and follow a uniform set of notification and support
procedures promises to reduce the incidence of identity compromise and create incentives to
improve overall security.
Richard E. Mackey, Jr. is vice president of consulting at SystemExperts, an information security-services firm. Send
comments on this article to [email protected].
INTERNATIONAL REGULATIONS
Navigating Data
Privacy, Security
and Management
Across Borders
Companies should revisit streamlined global data operations with an eye toward revamping compliance.
BY CYNTHIA O’DONOGHUE,
KATHARINA A. WEIMER
AND AMY MUSHAHWAR
WITH THE GLOBAL economic downturn, economies of scale are of increasing importance,
and to achieve cost synergies, many companies have shed their geographic silos in favor
of a streamlined centralized data infrastructure. Far more multinational companies
with offices on all continents and production facilities in multiple countries share
centralized databases, processing capabilities and even IT support teams that make
integrated production possible on a 24/7 basis.
While we have seen many industries such as life sciences, real estate and entertainment
streamline their IT operations, all have one item in common—they store personal
employee, customer, supplier and website visitor data. With the myriad data privacy,
security and management laws that exist in the U.S. and abroad, data privacy compliance
can be a difficult area to navigate.
By now, most companies understand that U.S. federal, state and local governments have woven an intricate web of laws protecting many aspects of Americans’ privacy (i.e., banking, telecom services, higher education, health care, financial services). Even with all of its privacy laws, the U.S. leaves some areas of personal data-processing largely unregulated.

Unlike the U.S. sectoral approach, the EU views privacy as a fundamental human right and has an omnibus data protection law that regulates the collection and handling of information related to identifiable individuals: “European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data” (the EU Directive).

Bear in mind that the legislative tool the EU selected for privacy law—a “directive”—requires each EU member state to enact its own local law adopting (or transposing) the directive into national legislation. Therefore, the text of the EU Data Protection Directive offers only a blueprint or framework for data privacy laws across Europe. National legislation implementing the directive has resulted in variations among EU member states.

Over the years, we have witnessed the compliance issues and various legal conflicts of law that spring from this cross-border culture clash. We will identify a few typical scenarios that require some international data privacy, security and management issue-spotting.

U.S. Privacy Framework Lagging
There are efforts underway by the Federal Trade Commission and the Department of Commerce to develop a comprehensive and uniform privacy policy for the U.S. But these uniformity proposals are likely to take years to fully implement and there does not appear to be a consensus as to whether either agency’s efforts alone can assist with closing the sectoral privacy gaps. It is safe to say that the U.S. is several years away from a fully comprehensive privacy framework.
DATA INTEGRATION ISSUES TO WATCH OUT FOR
Before we begin, we would like you to imagine a midsized company, Doggie’s Night Out
(DNO, Inc.), a high-end manufacturer of canine retractable leashes with built-in flash lights,
treats and waste disposal bags headquartered in the U.S. DNO, Inc. already has several offices
across the U.S., a manufacturing site in China, and subsidiaries across South America, and it
intends to acquire a German manufacturer of designer cat collars called Feline Fun AG, with
nearly 100 local employees. This little gem is for sale at a bargain-basement price and DNO,
after some due diligence, proceeds with the acquisition.
Following the purchase, DNO’s general counsel would like to know everything about
Feline Fun, including all information about the employees. DNO wishes to maintain ongoing
data flows about the general business operations and activities of Feline Fun to fully integrate
it and leverage its data capture and analytics tools globally (i.e., such as those for employees,
job applicants, customer data, suppliers, third-party partners, purchased data, conferences,
and market research). Such data integration would necessitate the transfer of personal data
of European citizens to the U.S. headquarters of DNO, Inc. Not surprisingly, the internal
data protection officer of Feline Fun has some objections.
Immediately upon hearing the data integration plans, the internal German data protection
officer reminds the U.S.-based general counsel that the EU Directive regulates the processing
of individuals’ personal data, a much broader concept than what is referred to in the U.S. as
personally identifiable information. He explains that the broad definition covers nearly all
information that DNO, Inc. would like to integrate. DNO, Inc. knew that certain information
fields (or combinations of information fields) were protected under U.S. law; for example,
items such as a name and account number could be protected personal financial information
under the U.S. Gramm-Leach-Bliley Act. Presently, however, there is little U.S. regulation
governing the collection of information. For instance, while the EU Directive regulates the
mere independent collection of an individual’s name, email address, or IP address, the U.S.
does not unless an individual’s name is collected in conjunction with other information,
such as an individual’s Social Security number.
The German data protection officer made DNO, Inc. aware that such limited information
fields are only starting to be considered by U.S. federal regulators as part of the FTC privacy proceeding.
Practically speaking, the broad concept of personal data under the EU Directive requires
Feline Fun to examine two items for nearly all individual information it wishes to transfer
to DNO, Inc.: (1) the legal basis for transferring the data, and (2) whether the transfer was
to a country with data protection laws sufficiently similar to those in the EU, such that those
laws provide adequate protection to the data, or a legal transfer method.
Local Compliance with Data Transfer Requirements: According to EU and German law, before any
processing of personal data may be undertaken (including transfer), there must be a legal
basis to do so. The legal basis for transfer is satisfied if the transfer is necessary for the fulfillment of a contract or a contractual relationship with the data subject, i.e., the person whose
data shall be transferred.
For instance, personnel data can be transferred if and to the extent such transfer is necessary for the fulfillment of the employment contract. We must emphasize “necessary,” which
is more than plain usefulness; that is, the transfer must be required for the employment
relationship. Data transfer of customer data can sometimes be based on the contract with the
customer; for instance, if the contract will be fulfilled out of another site and the other site
requires the customer information for its performance.
While these two examples tend to be the most common, other legal bases exist. As a last
resort, the data controller can always try and obtain the individual’s consent to the processing,
but any such consent must be voluntary (already disputable in an employment relationship),
informed and revocable; it should therefore not be the No. 1 choice for establishing a legally
secure way of transferring personal data.
Transferring Data to a Country with Adequate Protection or an Appropriate Legal Process Alternative: Any
recipient of personal data located outside the European Economic Area (EEA) must generally
provide an adequate level of protection to personal data. Data transfers to companies located
in countries with adequate privacy laws akin to those in the EU/European Economic Area
include Switzerland, Canada, Argentina, the Isle of Man, Guernsey, Jersey, Israel and Andorra.
Transfer is also permissible to U.S. companies that participate in the Department of Commerce
Safe Harbor Program. U.S. companies must self-certify that their data privacy, security and
management practices provide adequate protection (these companies must then re-certify
to the Department of Commerce annually), always provided that this processing
step as such, i.e., the transfer, is permissible as described above. To be eligible to submit a
U.S.-EU Safe Harbor program self-certification, an organization can (1) join a self-regulatory
privacy program that adheres to the U.S.-EU Safe Harbor Framework’s requirements; or (2)
develop its own self-regulatory privacy policy that conforms to the U.S.-EU Safe Harbor
Framework.
The Feline Fun data protection officer learns that all data will be transferred from Germany
to the U.S. and DNO, Inc. has not self-certified under the Safe Harbor Program. But an
adequate level of protection may be achieved by other means: (1) Feline Fun and DNO,
Inc. could enter into a set of contractual clauses approved by the European Commission
as establishing an adequate level of protection (“Model Clauses”), or (2) DNO, Inc. could
establish Binding Corporate Rules (“BCRs”) for its entire group that are approved by a lead
data protection authority in Europe.
Approximately 50 U.S. companies per month file initial self-certifications to the Safe
Harbor program, and approximately 150 companies submit annual re-certifications. More
than 50 percent of the companies in Safe Harbor have joined during the past two years.
Currently, more than 2,100 companies are on the Safe Harbor list. Placed in context, this
means that more companies join Safe Harbor in a single month than the total number of
companies that have obtained approval for BCRs to date. This trend is counter-intuitive,
given the recent statements of the Düsseldorfer Kreis (a body formed by the German data
protection authorities) and other EU member state bodies issuing critical opinions regarding
the Safe Harbor program.
Practitioners point to the following items as a potential reason for Safe Harbor’s
increased popularity at the moment:
• Greater control for the U.S. company. Safe Harbor primarily requires the U.S. company
to undertake relevant compliance steps, and requires little to no significant local affiliate
involvement.
• Enhanced brand reputation for outsourcing providers and satisfaction of EU customer
requirements.
• The Swiss Federal Data Protection and Information Commission (Swiss DPA) has
recently established the U.S.-Swiss Safe Harbor Framework with the United States.
• Streamlining of local filing procedures. In a number of EU member states, cross-border
transfers of EU personal data trigger registration requirements with the data protection
authorities. In some of these countries, the Safe Harbor facilitates the local registration
process by avoiding procedural approvals that apply to the use of Model Contracts and
the “substantive” approvals for BCRs.
• Avoiding administrative burdens of maintaining several versions of Model Contracts.
However, there are as many good reasons to join Safe Harbor, or use Safe Harbor as a
baseline to authorize certain data transfers, as there are good reasons why Safe Harbor may
not be sufficient for all data transfers. Some negative aspects of Safe Harbor include:
• FTC enforcement. The promise to comply with Safe Harbor is ultimately subject to the
enforcement authority of the FTC.
• Some data transfers are not eligible for coverage by Safe Harbor. U.S. companies are
only eligible to join the Safe Harbor to protect certain transfers of EU Personal Data to
the United States. Other transfers within a global enterprise, such as transfers from the
EU to Asia or Latin America, are not covered by Safe Harbor. Likewise, financial institutions and other organizations that fall outside the scope of FTC and DOT authority
are not eligible to join Safe Harbor, even if the organizations are located in the United
States.
Likewise, even in the context of e-discovery, attorneys must address whether cross-border data transfers are permissible under local EU law. This is typically viewed as a prime
area of conflict, and transfers of data for purposes of litigation may expose the EU affiliate
to liability. With this general data transfer background, we also identify a few other issue-spotting items that we have seen recur over the years.
EU EMPLOYEES ENJOY MORE PRIVACY PROTECTIONS
Implementing data integration measures along those proposed by DNO, Inc. may be common sense to any U.S. company, but integrating the data of European affiliates may trigger
a variety of issues, such as whistleblower protections. A person whose behavior is reported
through an employer-provided hotline retains his or her data privacy rights. Yet his/her
personal details have been communicated to a third party in a country without adequate
protection and without his/her knowledge.
Employee monitoring, for example, is a sensitive topic in Europe; every country has
different rules and, generally speaking, employees have a rightful expectation of privacy
even in the work environment. The employee’s (potentially private) use of the telecommunications infrastructure provided by the employer may trigger obligations of secrecy vis-à-vis
the employee—the employer may not be able to access the employee’s communication or
even Internet history.
USING WEBSITE ADVERTISING AND ANALYTICS IN THE EU
If DNO, Inc. were to integrate website advertising and analytics operations, there may also
be issues. Recently, German data protection authorities have been in discussions with
Google about the legitimacy of its analytics programs under German data protection law
and came to the conclusion that analytics currently does not provide adequate safeguards to
the consumer. The authorities objected to the use of IP addresses, considered personal data
by the data protection authorities.
Court decisions differ in this aspect. Some consider an IP address to be personal data, others
do not. While it is ultimately up to a court to decide, the initial assessment will be carried out by
the data protection authorities and their opinion should be carefully considered. It should also
be noted that the U.S. FTC has made recent statements that an IP address may be included in
the definition of protected personally identifiable information.
While Google demonstrated goodwill and allowed an anonymization tool to be built into
the software, and additionally built a plug-in for Internet users with which they can set their
browser to object to the collection of the IP address, this did not satisfy the data protection
authorities’ requirements: The anonymization is in the discretion of the website operator
and the plug-in does not work for all browsers. As the issue has yet to be resolved, there is
a risk that the authorities may proceed against website operators that use analytics without
consumer opt-in.
IT MAY BE RAINING CATS AND DOGS, BUT THERE ARE TOOLS TO WEATHER THE STORM
Decisions by multinationals to centralize data should not be taken lightly. The complexity
of the EU data protection law poses special problems and must be considered fully as part
of any data centralization initiative. Recently, the U.S. has made attempts to move closer to
EU-style data protection, but these efforts will not come to fruition for some time. The
data compliance scramble should not stop U.S. companies from wading out into the storm
to access the wide variety of personal data available from EU entities. Rather, the philosophical
and jurisprudential gap can be bridged by relying on the number of tools available to organizations that allow them to transfer data, while being mindful that the EU takes its obligation
to safeguard its citizens’ privacy very seriously.
Cynthia O’Donoghue is a partner and co-practice leader of Reed Smith LLP’s Data Privacy, Security and Management group and is based in London. Katharina A. Weimer is an associate in the Munich office of Reed Smith LLP
with a focus on Media law and Data Protection. Amy Mushahwar is an associate in the Data Privacy, Security and
Management practice in the Washington D.C. law office of Reed Smith LLP. Send comments on this column to
[email protected].
RISK METHODOLOGIES
There are a lot of risk assessment frameworks out there. Here’s what you need to know in order to pick the right one.
Sizing Up Risk
BY RICHARD E. MACKEY, JR.
MANY REGULATIONS and virtually all security frameworks require some objective
assessment of risks. The reason is simple: Security controls should be selected based
on real risks to an organization’s assets and operations. The alternative—selecting
controls without a methodical analysis of threats and controls—is likely to result in
implementation of security controls in the wrong places, wasting resources while at
the same time leaving an organization vulnerable to unanticipated threats.
A risk assessment framework establishes the rules for what is assessed, who needs
to be involved, the terminology used in discussing risk, the criteria for quantifying,
qualifying, and comparing degrees of risk, and the documentation that must be
collected and produced as a result of assessments and follow-on activities. The
goal of a framework is to establish an objective measurement of risk that will allow an organization to understand business risk to critical information and assets both qualitatively and
quantitatively. In the end, the risk assessment framework provides the tools necessary to make
business decisions regarding investments in people, processes, and technology to bring risk to
an acceptable level.
Two of the most popular risk frameworks in use
today are OCTAVE (Operationally Critical Threat,
Asset, and Vulnerability Evaluation), developed at
Carnegie Mellon University, and the NIST risk
assessment framework documented in NIST Special
Publication 800-30. Other risk frameworks that have
a substantial following are ISACA’s RISK IT (part of
COBIT), and ISO 27005:2008 (part of the ISO 27000
series that includes ISO 27001 and 27002). All the
frameworks have similar approaches but differ in
their high level goals. OCTAVE, NIST, and ISO
27005 focus on security risk assessments, whereas
RISK IT applies to the broader IT risk management space.
How does a company know which framework is the best fit for its needs? We’ll provide
an overview of the general structure and approach to risk assessment, draw a comparison of
the frameworks, and offer some guidance for experimentation and selection of an appropriate
framework.
ASSET-BASED ASSESSMENTS
All risk assessment methods require organizations to select an asset as the object of the
assessment. Generally speaking, assets can be people, information, processes, systems, or applications. However, frameworks differ in how strict they are in requiring organizations
to follow a particular discipline in identifying what constitutes an asset. For example, CMU’s
original OCTAVE framework allowed an organization to select any of the items just listed as
the asset to be assessed, whereas the most recent methodology in the OCTAVE series, Allegro,
requires assets to be information.
There are advantages and disadvantages associated with any definition of asset. For
example, if an asset is a system or application, the assessment team will need to include all
information owners affected by the system. On the other hand, if the asset is information,
the scope of the assessment would need to include all systems and applications that affect
the information. Practically speaking, it is important to define the asset precisely so the
scope of the assessment is clear. It is also useful to be consistent in how assets are defined
from assessment to assessment to facilitate comparisons of results.
A critical component of a risk assessment framework is that it establishes a common set
of terminology so organizations can discuss risk effectively. See the Framework Terminology
sidebar (p. 30 in the print edition) for a list of terms used in most frameworks.
Framework Terminology
Risk assessment frameworks establish the meaning of
terms to get everyone on the same page. Here
are terms used in most frameworks.
Actors, motives, access: These describe who is responsible for the threat, what might motivate the actor or
attacker to carry out an attack, and the access that is necessary to perpetrate an attack or carry out the threat.
Actors may be a disgruntled employee, a hacker from the Internet, or simply a well-meaning administrator who
accidentally damages an asset. The access required to carry out an attack is important in determining how large
a group may be able to realize a threat. The larger the attacking community (e.g., all users on the Internet versus a few trusted administrators), the more likely an attack can be attempted.
Asset owners: Owners have the authority to accept risk. Owners must participate in risk assessment and management as they are ultimately responsible for allocating funding for controls or accepting the risk resulting
from a decision not to implement controls.
Asset custodians: A person or group responsible for implementing and maintaining the systems and security
controls that protect an asset. This is typically an IT entity.
Impact: The business ramifications of an asset being compromised. The risk assessment team needs to understand and document the degree of damage that would result if the confidentiality, integrity, or availability of
an asset is lost. The terms impact, business impact, and inherent risk are usually used to describe, in either
relative or monetary terms, how the business would be affected by the loss. It’s important to note that impact
assumes the threat has been realized; impact is irrespective of the likelihood of compromise.
Information asset: An abstract logical grouping of information that is, as a unit, valuable to an organization.
Assets have owners that are responsible for protecting the value of the asset.
Risk magnitude or risk measurement criteria: The product of likelihood and the impact described above. If
we consider likelihood a probability value (less than 1) and impact a value of high, medium, or low, the risk
magnitude can be “calculated” and compared to risks of various threats on particular assets.
Security requirements: The qualities of an asset that must be protected to retain its value. Depending on the
asset, different degrees of confidentiality, integrity, and availability must be protected. For example, confidentiality and integrity of personal identifying information may be critical for a given environment while availability may be less of a concern.
Threats, threat scenarios or vectors: According to OCTAVE, threats are conditions or situations that may
adversely affect an asset. Threats and threat scenarios involve particular classes of actors (attackers or users)
and methods or vectors by which an attack or threat may be carried out.
RISK ASSESSMENT METHODOLOGY
The heart of a risk assessment framework is an objective, repeatable methodology that gathers
input regarding business risks, threats, vulnerabilities, and controls and produces a risk
magnitude that can be discussed, reasoned about, and treated. The various risk frameworks
follow similar structures, but differ in the description and details of the steps. However, they
all follow the general pattern of identifying assets and stakeholders, understanding security
requirements, enumerating threats, identifying and assessing the effectiveness of controls,
and calculating the risk based on the inherent risk of compromise and the likelihood that
the threat will be realized. The following is a basic methodology, largely derived from the
OCTAVE and NIST frameworks.
1. Identify assets and stakeholders
All risk assessment methods require a risk assessment team to clearly define the scope of the
asset, the business owner of the asset, and those people responsible for the technology and
particularly the security controls for the asset. The asset defines the scope of the assessment
and the owners and custodians define the members of the risk assessment team.
NIST’s approach allows the asset to be a system, application, or information, while
OCTAVE is more biased toward information and OCTAVE Allegro requires the asset to be
information. Regardless of what method you choose, this step must define the boundaries
and contents of the asset to be assessed.
2. Analyze impact
The next step is to understand both the dimensions
and magnitude of the business impact to the organization, assuming the asset was compromised. The
dimensions of compromise are confidentiality,
integrity, and availability while the magnitude is
typically described as low, medium, or high corresponding to the financial impact of the compromise.
It’s important to consider the business impact
of a compromise in absence of controls to avoid the
common mistake of assuming that a compromise could not take place because the controls
are assumed to be effective. The exercise of analyzing the value or impact of asset loss can help
determine which assets should undergo risk assessment. This step is mostly the responsibility
of the business team, but technical representatives can profit by hearing the value judgments
of the business.
The output of this step is a document (typically a form) that describes the business impact in
monetary terms or, more often, a graded scale for compromise of the confidentiality, integrity,
and availability of the asset.
3. Identify threats
Identify the various ways an asset could be compromised that would have an impact on the
business. Threats involve people exploiting weaknesses or vulnerabilities, intentionally or unintentionally, in a way that results in a compromise. This process typically starts at a high level, looking at
general areas of concern (e.g., a competitor gaining access to proprietary plans stored in a database) and progressing to more detailed analysis (e.g., gaining unauthorized access through a
remote access method). The idea is to list the most common combinations of actors or perpetrators and paths that might lead to the compromise of an asset (e.g., application interfaces,
storage systems, remote access, etc.). These combinations are called threat scenarios.
The assessment team uses this list later in the process to determine whether these threats
are effectively defended against by technical and process controls. The output of this step is
the list of threats described in terms of actors, access path or vector, and the associated impact
of the compromise.
4. Investigate vulnerabilities
Use the list of threats and analyze the technical components and business processes for flaws
that might facilitate the success of a threat. The vulnerabilities may have been discovered in
separate design and architecture reviews, penetration testing, or control process reviews. Use
these vulnerabilities to assemble or inform the threat scenarios described above. For example,
a general threat scenario may be defined as a skilled attacker from the Internet motivated by
financial reward gains access to an account withdrawal function; a known vulnerability in a
Web application may make that threat more likely.
This information is used in the later stage of likelihood determination.
This step is designed to allow the assessment team
to determine the likelihood that a vulnerability can
be exploited by the actor identified in the threat scenario. The team considers factors such as the technical skills and access necessary to exploit the vulnerability in rating the vulnerability exploit likelihood
from low to high. This will be used in the likelihood
calculation later to determine the magnitude of risk.
5. Analyze controls
Look at the technical and process controls surrounding an asset and consider their effectiveness in
defending against the threats defined earlier. Technical controls like authentication and authorization, intrusion detection, network filtering and routing, and encryption are considered in this
phase of the assessment. It’s important, however, not to stop there. Business controls like
reconciliation of multiple paths of transactions, manual review and approval of activities,
and audits can often be more effective in preventing or detecting attacks or errors than technical controls. The multi-disciplinary risk assessment team is designed to bring both types
of controls into consideration when determining the effectiveness of controls.
At the conclusion of this step, the assessment team documents the controls associated with
the asset and their effectiveness in defending against the particular threats.
The Value of Formal Assessments
A thorough analysis of risk helps justify security spending
Formal, methodical risk analysis allows
organizations to reason about the magnitude of business risk given the value
of the system or information at risk, a
set of threats, and a set of security
controls like authentication, firewalls,
and monitoring. The magnitude of the
risk is a function of the degree of damage or loss that
would occur if the threat is realized and the likelihood
of the realization of the threat. This kind of thoughtful
and objective approach not only helps to meet regulatory requirements, but also provides a practical way to
manage security expenditures.
The value of assessing risk in this manner is that it
transforms risk discussion from a conversation among
technical people into one relating
technical vulnerabilities and controls to
business impact. The process requires
technical and business representatives
to come to an understanding of what
the business risk is and how it relates
to technical risk. It also facilitates the
economic discussion of whether investments in technology and processes are justified by the damage that
may result from an attack or incident and the likelihood
of the event. In short, it steers organizations away from
being held hostage by the fear mongers or being
starved for security investment by business people who
do not appreciate the dangers posed by insufficient
security controls.
—RICHARD E. MACKEY, JR.
6. Calculate threat likelihood
After identifying a particular threat, developing scenarios describing how the threat may be
realized, and judging the effectiveness of controls in preventing exploitation of a vulnerability,
use a “formula” to determine the likelihood of an actor successfully exploiting a vulnerability
and circumventing known business and technical controls to compromise an asset.
The team needs to consider the motivation of the actor, the likelihood of being caught
(captured in control effectiveness), and the ease with which the asset may be compromised,
then come up with a measure of overall likelihood, from low to high.
7. Calculate risk magnitude
The calculation of risk magnitude or residual risk combines the business impact of compromise
of the asset (considered at the start of the assessment), taking into consideration the diminishing
effect of the particular threat scenario under consideration (e.g., the particular attack may
only affect confidentiality and not integrity) with the likelihood of the threat succeeding. The
result is a measure of the risk to the business of a particular threat. This is typically expressed
as one of three or four values (low, medium, high, and sometimes severe).
This measure of risk is the whole point of the risk assessment. It serves as a guide to the
business as to the importance of addressing the vulnerabilities or control weaknesses that
allow the threat to be realized. Ultimately, the risk assessment forces a business decision to
treat or accept risk.
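The glossary’s definition of risk magnitude (the product of likelihood and impact) and steps 2 through 7 above can be carried through in a few lines of code. The following Python is an added example, not code from the article or from the OCTAVE or NIST frameworks: the asset, the three threat scenarios and the rule for discounting exploit likelihood by control effectiveness are constructed assumptions, chosen only to show how the steps fit together and how the result is ranked for the asset owner.

```python
"""Qualitative risk-magnitude calculator.

Added example, not code from the article or from OCTAVE/NIST. It follows the
article's steps: impact per security requirement (step 2), threat scenarios
(step 3), vulnerability exploit likelihood (step 4), control effectiveness
(step 5), overall threat likelihood (step 6) and risk magnitude (step 7).
The combination rules below are a constructed rubric, not an official one.
"""
from dataclasses import dataclass

# Ordinal scale the article uses for impact and likelihood.
LEVELS = {"low": 1, "medium": 2, "high": 3}
SECURITY_REQUIREMENTS = ("confidentiality", "integrity", "availability")
# Product of impact (1-3) and likelihood (1-3) mapped to the article's
# three-or-four-value scale; the only products possible are 1, 2, 3, 4, 6, 9.
RISK_LABELS = {1: "low", 2: "low", 3: "medium", 4: "medium", 6: "high", 9: "severe"}


def level(name: str) -> int:
    """Convert a low/medium/high rating to its ordinal value, rejecting anything else."""
    try:
        return LEVELS[name.lower()]
    except KeyError:
        raise ValueError(f"unknown rating {name!r}; expected one of {list(LEVELS)}") from None


@dataclass
class Asset:
    name: str
    owner: str      # step 1: the person with authority to accept the risk
    impact: dict    # step 2: {"confidentiality": "high", ...}, judged without controls


@dataclass
class ThreatScenario:
    actor: str
    vector: str
    affects: tuple              # security requirements this scenario compromises
    exploit_likelihood: str     # step 4: how easily the vulnerability can be exploited
    control_effectiveness: str  # step 5: how well existing controls defend against it


def threat_likelihood(scenario: ThreatScenario) -> int:
    """Step 6: exploit likelihood discounted by control effectiveness, clamped to 1..3."""
    raw = level(scenario.exploit_likelihood) - level(scenario.control_effectiveness) + 2
    return max(1, min(3, raw))


def scenario_impact(asset: Asset, scenario: ThreatScenario) -> int:
    """Step 7 (impact part): only the requirements this scenario actually affects count."""
    if not scenario.affects:
        raise ValueError("a threat scenario must affect at least one security requirement")
    unknown = set(scenario.affects) - set(SECURITY_REQUIREMENTS)
    if unknown:
        raise ValueError(f"unknown security requirement(s): {sorted(unknown)}")
    missing = set(scenario.affects) - set(asset.impact)
    if missing:
        raise ValueError(f"asset {asset.name!r} has no impact rating for {sorted(missing)}")
    return max(level(asset.impact[req]) for req in scenario.affects)


def risk_magnitude(asset: Asset, scenario: ThreatScenario) -> dict:
    """Step 7: risk = impact x likelihood, reported as low/medium/high/severe."""
    impact = scenario_impact(asset, scenario)
    likelihood = threat_likelihood(scenario)
    score = impact * likelihood
    return {"actor": scenario.actor, "vector": scenario.vector, "impact": impact,
            "likelihood": likelihood, "score": score, "risk": RISK_LABELS[score]}


def assess(asset: Asset, scenarios: list) -> list:
    """Rank every scenario for an asset, highest risk first, for the treat-or-accept decision."""
    return sorted((risk_magnitude(asset, s) for s in scenarios),
                  key=lambda r: r["score"], reverse=True)


# Constructed sample input, not taken from the article.
CUSTOMER_DB = Asset(
    name="customer account database",
    owner="VP, Retail Banking",
    impact={"confidentiality": "high", "integrity": "high", "availability": "medium"},
)
SCENARIOS = [
    ThreatScenario("skilled Internet attacker", "web application vulnerability",
                   ("confidentiality", "integrity"), "high", "medium"),
    ThreatScenario("well-meaning administrator", "accidental deletion",
                   ("availability",), "medium", "high"),
    ThreatScenario("disgruntled employee", "remote access",
                   ("confidentiality",), "medium", "medium"),
]

if __name__ == "__main__":
    for row in assess(CUSTOMER_DB, SCENARIOS):
        print(f"{row['risk']:>7}  score={row['score']}  {row['actor']} via {row['vector']}")
```

Running it prints the three scenarios ranked severe, high, low; the severe row is the one the asset owner must decide to treat or accept first. The rubric deliberately discounts likelihood by control effectiveness rather than ignoring controls, so a strong control in front of an easily exploited vulnerability lands the likelihood at medium, not low, which matches the article’s warning against assuming a compromise cannot happen because controls are presumed effective.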
Anyone reading a risk assessment method for the first time will probably get the impression
that it describes a clean and orderly process that can be sequentially executed. However, you’ll
find that you need to repeatedly return to earlier steps when information in later steps helps
to clarify the real definition of the asset, which actors may be realistically considered in a
threat scenario, or what the sensitivity of a particular asset is. It often takes an organization
several attempts to get used to the idea that circling back to earlier steps is a necessary and
important part of the process.
WHICH FRAMEWORK IS BEST?
Over the years, many risk frameworks have been developed and each has its own advantages
and disadvantages. In general, they all require organizational discipline to convene a multidisciplinary team, define assets, list threats, evaluate
controls, and conclude with an estimate of the risk
magnitude.
OCTAVE, probably the most well known of the
risk frameworks, comes in three sizes. The original,
full-featured version is a heavyweight process with
substantial documentation meant for large organizations. OCTAVE-S is designed for smaller organizations where the multi-disciplinary group may be
represented by fewer people, sometimes exclusively
technical folks with knowledge of the business. The
documentation burden is lower and the process is
lighter weight.
The latest product in the OCTAVE series is Allegro, which has more of a lightweight feel and takes a
more focused approach than its predecessors. Allegro
requires the assets to be information, requiring additional discipline at the start of the process, and views
systems, applications, and environments as containers.
The scope of the assessment needs to be based on the information abstraction (e.g., protected
health information) and identify and assess risk across the containers in which the information
is stored, processed, or transmitted.
One of the benefits of the OCTAVE series is that each of the frameworks provides templates
for worksheets to document each step in the process. These can either be used directly or
customized for a particular organization.
The NIST framework, described in NIST Special Publication 800-30, is a general one that can
be applied to any asset. It uses slightly different terminology than OCTAVE, but follows a similar
structure. It doesn’t provide the wealth of forms that OCTAVE does, but is relatively straightforward to follow. Its brevity and focus on more concrete components (e.g., systems) makes it a
good candidate for organizations new to risk assessment. Furthermore, because it’s defined by
NIST, it’s approved for use by government agencies and organizations that work with them.
ISACA’s COBIT and the ISO 27001 and 27002 are IT management and security frameworks that require organizations to have a risk management program. Both offer but don’t require their own versions of risk assessment frameworks: COBIT has RISK IT and ISO has ISO 27005:2008. They recommend repeatable methodologies and specify when risk assessments should take place. The ISO 27000 series is designed to deal with security, while COBIT encompasses all of IT; consequently, the risk assessments required by each correspond to those scopes. In other words, risk assessment in COBIT—described in RISK IT—goes beyond security risks and includes development, business continuity and other types of operational risk in IT, whereas ISO 27005 concentrates on security exclusively.
ISO 27005 follows a similar structure to NIST but defines terms differently. The framework includes steps called context establishment, risk identification and estimation, in which threats, vulnerabilities and controls are considered, and a risk analysis step that discusses and documents threat likelihood and business impact. ISO 27005 includes annexes with forms and examples, but like other risk frameworks, it’s up to the organization implementing it to evaluate or quantify risk in ways that are relevant to its particular business.
Organizations that do not have a formal risk assessment methodology would do well to
review the risk assessment requirements in ISO 27001 and 27002 and consider the 27005 or
NIST approach. The ISO standards provide a good justification for formal risk assessments
and outline requirements, while the NIST document provides a good introduction to a risk
assessment framework.
With practice, an organization can establish a methodology based on this approach. However, it is worthwhile to review the OCTAVE family and, in particular, the Allegro framework. Its focus on information, its forms and its relatively lightweight approach (when compared to other OCTAVE methods) provide a good alternative to NIST and will allow an organization to build a customized method that meets its own requirements.
CONSISTENCY IS KEY
In the end, the most important aspect of choosing a framework is ensuring that the organization
will use it. Auditors will seldom inspect the details of your risk assessment method, but will look
at whether you have a systematic method and apply it regularly. It’s an organization’s prerogative
to accept risks that are too difficult or expensive to mitigate. However, one can only accept risks
that one understands. Consistent and repeatable risk assessments provide the mechanism to not
only understand risk, but also to demonstrate to auditors and regulators that the organization
understands risk.
Whether your goal is to simply achieve good security or also meet regulatory requirements, creating a risk assessment method based on a well-known framework is a good place to start.
Richard E. Mackey, Jr. is vice president of consulting at SystemExperts, an information security-services firm. Send
comments on this article to [email protected].
BUSINESS INTEGRATION
Hurdle Cultural Barriers to Compliance
Engage stakeholders frequently about their role in compliance and reducing risk inside your organization. BY ERIC HOLMQUIST
When looking to create or expand information security reporting to senior management, the biggest challenge is often not technical but cultural.
Business managers can be hesitant to have areas of risk highlighted for fear that they will be
perceived as not doing their jobs. Lawyers are often nervous that putting vulnerabilities in writing
could ultimately be used against the organization. And managers are sometimes hesitant to tell
senior management too much, fearing the managers won’t understand the information they are
given, but recognizing that it represents a significant risk, will feel obligated to give arbitrary
directives in a misguided attempt to solve problems they don’t fully understand.
While these are all realities that we as security and compliance managers live with, they are
ones that mature organizations must push past if they are to holistically manage information
security risk and compliance.
Contrary to what many believe, when seeking to address security and compliance weaknesses,
knowledge is power and transparency is good. However, to successfully evolve beyond cultural
barriers to effective information security reporting, a strategy is required. The following are
some time-tested solutions to address these cultural barriers that often stifle effective information
security risk and compliance management.
Tips for fostering a compliance culture
English only please – Unquestionably, the most critical make-or-break factor in information security reporting is language. Simply put, any report, whether in scorecard or narrative form, must be limited to basic business terminology. No IT terms, no obscure acronyms, no exceptions—ever. An IDS or other gateway device may produce a wonderfully detailed 20-page technical report, and while that may be helpful to technical staff, it should never see the light of day in an executive report. Instead, require these data owners to summarize their reports as succinctly as possible using language that someone who has no familiarity with technology would understand.
Make disclosure safe – The second most critical factor is to create an environment where disclosure is safe. This means people must be allowed to express both their observations of potential risk and operational failures without being persecuted, and managers must foster an environment where such disclosures are encouraged. For observed risks, the focus must be on an assessment of the risk and an analysis of response options. For failures, the focus of the reporting needs to be 1) what happened, 2) what is being done about it, and 3) what could be done so that it doesn’t happen again. Blame is the mortal enemy of collaboration, so any disciplinary action must be done privately. Once people begin to realize that risk and failure can be brought up for healthy discussion, more and more risks will suddenly come out of the woodwork, and that is a healthy thing.
Focus on solutions – Simply put, make sure any material risk that is reported to management includes a management-level assessment of that risk and a plan of action (or, at minimum, a series of options). Highlighting a risk in isolation can be paralyzing and is often interpreted to mean that people aren’t doing their jobs. But presenting risks with a variety of solutions is empowering and reinforces the fact that people are on the job.
Let them make decisions – When presenting information on the state of the information security program and compliance, give management the opportunity not only to provide input, but also to make decisions. Even if this means simply submitting a menu of choices for a given area of concern, this engages them in the process and builds ownership. This may seem risky (Who wants “pointy-haired bosses” actually making decisions?), but it really does work to build engagement if risks are explained clearly and options are detailed. Trust me, engagement is very good.
Start small – The fact is that most organizations can’t go from nothing to a detailed scorecard in one pass; it just doesn’t happen. Start small by focusing on more innocuous data points that allow management to take action (training completion, third-party governance, etc.). As management becomes more comfortable with the reporting cycle, move to more sensitive areas, such as open audit issues, control failures, operational incidents, risk heat maps, etc. (The latter have a more direct association with specific business areas.)
In the end, the goal is to create a compliance culture through dialog and engagement. Start small, be exceedingly clear and keep pressing. Eventually people will realize these topics are more approachable than they thought and that creating forums for discussion with a range of constituencies is healthy for the organization, ultimately creating a compliance culture that will serve an organization well.
Eric Holmquist is a principal with consulting firm Holmquist Advisory. He has more than 25 years experience in the
financial services industry and is a frequent industry author and speaker. As the former vice president and director of
operations risk management for Advanta Bank Corp., he was responsible for the development and oversight of the
bank’s operational risk management program and its information security strategy. In addition, Holmquist chaired
the bank’s MIS council, an oversight group that provides governance with regard to standards, methods and production of financial and operational reports and the management of enterprise data.
PCI DSS 2.0
PCI Assessment Changes Explained
The latest update to PCI is relatively minor, but that doesn’t mean security and compliance managers can afford to slack. BY ED MOYLE
Versions 2.0 of the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA DSS) made their debuts last fall. Since then, organizations have been trying to make sense of the updates, the new timetable for compliance and how this impacts established security and compliance programs.
From a PCI assessment standpoint, there are two things to call out about the changes at a
macro level before going into the details of the changes themselves: First, the changes are relatively
minor. This wasn’t entirely expected; a number of industry experts speculated that the standard
would follow a “major release/minor release” paradigm (similar to what you’d see in a software
product). Following a “point” release of PCI DSS 1.2 in October 2008, many thought the PCI DSS
2.0 “major revision” last year could mean sweeping change, but this wasn’t the way it turned out.
The council cites maturity in the standard as the reason for the relatively small number of
changes, which means companies can also expect a lesser volume of change in future revisions.
For those that were hit hard by the (fairly significant) changes in the 1.x iterations during the past
five years, this should be welcome news.
Secondly, the enforcement timing of changes is beneficial: In other words, there is time
to respond before organizations are called to task on how they’ve implemented the changes.
Merchants have a year to comply from the January launch date, meaning there is plenty of
time to get environments in shape before enterprises actually have to go through an assessment
based on the updates.
But these positive developments shouldn’t encourage security and compliance managers to
slack. Although most of the changes represent a reduction of the scope of controls, there could be
a few that might have broader impact depending on your current processes, scope of compliance
efforts, and how your company has interpreted the controls in the past. So starting now, look at
the changes and update your compliance plan accordingly. It will be time well spent.
PCI 2.0: If anything, mostly a slight reduction of assessment impact
As outlined, most of the changes reflect a decrease in the effort associated with the PCI assessment process: they provide additional flexibility for the assessor, or for you, to decrease the scope of assessment effort because they allow interpretive latitude—both for you and your QSA. That interpretive latitude means less time spent trying to force-fit what you’ve deployed into narrow parameters, and in combination with clarifications about control scope it means less time-consuming back-and-forth discussion between merchants/service providers and QSAs about intent and meaning. The chart (see p. 36) outlines areas where the changes have either no impact on PCI assessment effort or decrease the effort associated with the assessment process.
As you can see, with the exception of the two areas called out, the items in this list connote
relatively little impact on an assessment. It’s these other two areas that merchants and service
providers may want to keep an eye out for.
Two areas to watch
One of the most significant changes is the clarification of PCI assessment scope (item No. 2 in the change list in the chart). It’s still unclear specifically how the scope change will be reflected in the final document, but what is there should be enough for anybody who’s been through an assessment to take notice. Specifically, according to the change description, the scope of cardholder data flow diagrams should include all locations and all areas.
That’s an “uh-oh” for many firms; as it turns out, many organizations just aren’t where they need to be on this point. Producing up-to-date diagrams of cardholder data everywhere in the enterprise may seem negligible at first glance, but in a large retail environment with multiple business units, diagrams might cover only one business unit of many, or a subset of payment flows throughout the whole organization. So this change could very well mean a significant effort to share flow information between business units (since one process might intersect multiple business units) and to ensure all payment flows are accounted for in the documentation. Lack of appropriate documentation has always been one of the primary issues within an assessment context, so this change amps up what was already a known issue.
Secondly, the update for virtualization on the surface seems relatively innocuous; after all, many of us have been asking for a long time how virtualization ties into requirements like “one function per server” (Requirement 2.2.1). However, under the surface, expansion of the definition of “system components” to include virtual components might have additional ramifications beyond just 2.2.1; it could affect other requirements as well. For example, some requirements and test procedures specifically refer to “all system components” (for example, Requirement 10.6, “Review logs for all system components at least daily…”, and Requirement 2.2, “Develop configuration standards for all system components…”).
Requirements that address “all system components” now implicitly include the virtual environment as well, as do the test procedures. So a test procedure like 2.2.a (“Examine the organization’s system configuration standards for all types of system components and verify the system configuration standards are consistent with industry accepted hardening standards”) means that not only will an organization need to have a hardening standard for its virtual environment, but its assessor will also need to obtain and review that standard. This might not have been the case in prior assessments.
PCI 2.0 EXPLAINED
Requirement: PCI DSS Intro
Proposed Change: Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to PAN. Align language with PTS Secure Reading and Exchange of Data (SRED) module.
Assessment Impact: In most cases, minimal impact on assessment effort. Potential reduction in assessment scope of effort if you or your QSA interpreted 3.3 or 3.4 as applying to other cardholder data in past assessments.
Requirement: Scope of Assessment
Proposed Change: Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of cardholder data environment.
Assessment Impact: Potential area of impact (described in “Two areas to watch”).
Requirement: PCI DSS Intro and various requirements
Proposed Change: Expanded definition of system components to include virtual components. Updated Requirement 2.2.1 to clarify intent of “one primary function per server” and use of virtualization.
Assessment Impact: Potential area of impact (described in “Two areas to watch”).
Requirement: PCI DSS Requirement 1
Proposed Change: Provide clarification on secure boundaries between Internet and cardholder data environment.
Assessment Impact: It isn’t clear from the description what this clarification will be. However, since the controls around separation of the CDE from the Internet are relatively unambiguous currently, this is likely to be a minimal impact issue.
Requirement: PCI DSS Requirement 3.2
Proposed Change: Recognize that issuers have a legitimate business need to store Sensitive Authentication Data.
Assessment Impact: The scope of an issuer’s business requirements has little bearing on an assessment at a merchant or service provider. Minimal impact to assessment effort.
Requirement: PCI DSS Requirement 3.6
Proposed Change: Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and use of split control and dual knowledge.
Assessment Impact: We don’t have enough information to know from the change description how this will change. The intent of the change is to increase flexibility, which suggests reduction in assessment effort.
Requirement: PCI DSS Requirement 6.2
Proposed Change: Update requirement to allow vulnerabilities to be ranked and prioritized according to risk.
Assessment Impact: This moves the requirement more in line with what firms do; this change allows latitude to reflect that practice during an assessment.
Requirement: PCI DSS Requirement 6.5
Proposed Change: Merge Requirement 6.3.1 into 6.5 to eliminate redundancy for secure coding for internal and Web-facing applications. Include examples of additional secure coding standards, such as CWE and CERT.
Assessment Impact: Consolidation in this area means reduced assessment effort as merchants and QSAs are no longer writing up results twice for the same controls.
Requirement: PCI DSS Requirement 12.3.10
Proposed Change: Update requirement to allow business justification for copy, move and storage of CHD during remote access.
Assessment Impact: This change recognizes that business may need to manipulate cardholder data during a remote access scenario. Therefore, businesses that require doing this will no longer have to write up compensating controls to do so.
So overall for merchants and service providers, this version of the standard represents a streamlining of the assessment process, which should help ease the PCI DSS compliance burden somewhat. But the expansion of system components to include virtualization and the updates to required documentation could make those elements of the assessment process more complex, so be sure to address each with your assessor when the time comes for your company’s first assessment under PCI DSS 2.0; also, it’s a good idea to start the planning now for areas where your current control deployment may not address the entirety of the scope.
Ed Moyle is currently a manager with CTG’s Information Security Solutions practice, providing strategy,
consulting, and solutions to clients worldwide as well as a founding partner of SecurityCurve.
TECHTARGET SECURITY MEDIA GROUP
INFORMATION SECURITY®
EDITORIAL DIRECTOR Michael S. Mimoso
VICE PRESIDENT/GROUP PUBLISHER Doug Olender
SENIOR SITE EDITOR Eric Parizo
PUBLISHER Josh Garland
EDITOR Marcia Savage
DIRECTOR OF PRODUCT MANAGEMENT Susan Shaver
MANAGING EDITOR Kara Gattine
DIRECTOR OF MARKETING Nick Dowd
NEWS DIRECTOR Robert Westervelt
SALES DIRECTOR Tom Click
SITE EDITOR Jane Wright
CIRCULATION MANAGER Kate Sullivan
ASSOCIATE EDITOR Carolyn Gibney
PROJECT MANAGER Elizabeth Lareau
ASSISTANT EDITOR Maggie Sullivan
PRODUCT MANAGEMENT & MARKETING
Kim Dugdale, Andrew McHugh, Karina Rousseau
ASSISTANT EDITOR Greg Smith
UK BUREAU CHIEF Ron Condon
ART & DESIGN
CREATIVE DIRECTOR Maureen Joyce
SALES REPRESENTATIVES
Eric Belcher [email protected]
Patrick Eichmann [email protected]
Sean Flynn [email protected]
Jennifer Gebbie [email protected]
COLUMNISTS
Marcus Ranum, Lee Kushner, Mike Murray
Jaime Glynn [email protected]
Leah Paikin [email protected]
CONTRIBUTING EDITORS
Michael Cobb, Phillip Cox, Scott Crawford, Peter Giannoulis,
Ernest N. “Ernie” Hayden, Robbie Higgins, Jennifer Jabbusch,
David Jacobs, Diana Kelley, Nick Lewis, Richard E. Mackey Jr.,
Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ashley Podhradsky,
Ben Rothke, Anand Sastry, Dave Shackleford, Joel Snyder, Lenny Zeltser
USER ADVISORY BOARD
Phil Agcaoili, Cox Communications
Richard Bejtlich, GE
Seth Bromberger,
Energy Sector Consortium
Chris Ipsen, State of Nevada
Diana Kelley, Security Curve
Nick Lewis, ACM
Rich Mogull, Securosis
Craig Shumard, CIGNA CISO Retired
Marc Sokol, Guardian Life
Gene Spafford, Purdue University
Tony Spinelli, Equifax
INFORMATION SECURITY DECISIONS
GENERAL MANAGER OF EVENTS
Amy Cleary
Jeff Tonello [email protected]
Vanessa Tonello [email protected]
George Whetstone [email protected]
Nikki Wise [email protected]
TECHTARGET INC.
CHIEF EXECUTIVE OFFICER Greg Strakosch
PRESIDENT Don Hawk
EXECUTIVE VICE PRESIDENT Kevin Beam
CHIEF FINANCIAL OFFICER Jeff Wakely
EUROPEAN DISTRIBUTION
Parkway Gordon
Phone 44-1491-875-386
www.parkway.co.uk
LIST RENTAL SERVICES
Julie Brown
Phone 781-657-1336 Fax 781-657-1100
Information Security’s Essential Guide to Compliance is published by TechTarget, 275 Grove Street, Newton, MA 02466 U.S.A.; Toll-Free 888-274-4111;
Phone 617-431-9200; Fax 617-431-9201.
All rights reserved. Entire contents, Copyright © 2011 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any
means without permission in writing from the publisher, TechTarget or INFORMATION SECURITY.