Monday, November 05, 2007

SECURITY Update EXTRA: PCI Tips from Randy Franklin Smith

Security Update Extra
The following is an advertorial sponsored by Randy Franklin Smith.

November 5, 2007
PCI Questions and Answers from Randy Franklin Smith
Randy Franklin Smith is a frequent writer for Windows IT Pro on Windows security topics and has been hard at work helping clients with PCI compliance issues this year. Here are some key points to remember about PCI.

Q: Randy, how does the PCI Data Security Standard compare with other compliance regulations?
A: Compliance is never fun, but if I could pick which regulations I had to comply with, I’d choose PCI over Sarbanes-Oxley and most of the other requirements that so many of us are subject to today.

PCI is a comparatively straightforward standard with well-defined scope and 12 specific requirements.

The standard applies these 12 requirements to all system components connected to the “cardholder data environment.” The cardholder data environment is the network, or portion thereof, that possesses “cardholder data” or “sensitive authentication data”. Some of the PCI requirements apply to whether specific data elements are stored at all and, if so, how they are protected.

PCI is one of the most focused, specific and actionable security standards documents I’ve ever seen. Whereas many regulations are purposefully vague and subject to interpretation, PCI is pretty easy to follow.

Q: What are the most challenging parts of PCI compliance?
A: It’s very interesting to note that while there are 12 requirements, they differ widely in how much effort they require for the average organization. While most of the 12 requirements are presented as process-oriented, several are mostly a one-time investment of effort with little or no ongoing work involved.

Others, such as Requirements 10 and 11, are potentially massive, never-ending processes. I come from a software development background and, as you know, I’m an Infosec guy today. In my blog I posted a chart to convey my take on the relative effort involved in the 12 different requirements of PCI DSS in terms of sustained, ongoing effort.

Q: How can you most efficiently address the most burdensome requirements in PCI?
A: As you can see in the chart above, Requirements 10 (Monitoring) and 11 (Testing) are among the top four biggest requirements in PCI based on my experience with clients. These two requirements are also the best candidates for automation if you invest in the right tools from the ISV market.

Take log management, for instance. The standard mandates requirements for securing and managing audit trails and related logs against unauthorized viewing and modification. In fact, PCI DSS requires a centralized log server and monitoring processes for alerting appropriate staff in the event log data is changed.

Log management is hugely laborious; manually managing and reviewing logs on a sustained basis is absolutely out of the question.  Thankfully there are a host of great log management solutions out there today.

Another opportunity for automation is change management. Throughout the PCI DSS document, companies are required to recognize significant system changes and perform appropriate tests and other security-related procedures to ensure the change has not introduced new vulnerabilities or risk.
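The log-integrity control described in this answer (detecting that forwarded audit data has been changed or truncated) can be illustrated with a keyed hash chain. This is an added example, not code from the newsletter or from any product it mentions; the audit records and the key are constructed for the demonstration, and in practice the key would be held only by the central log server, not by the hosts that emit the events.

```python
import hashlib
import hmac
import json

# Constructed sample audit events (not real data from the article).
SAMPLE_EVENTS = [
    {"ts": "2007-11-05T12:00:01Z", "host": "pos-01", "event": "user_login", "user": "cashier1"},
    {"ts": "2007-11-05T12:03:14Z", "host": "pos-01", "event": "card_read", "pan_last4": "4242"},
    {"ts": "2007-11-05T12:05:40Z", "host": "db-01", "event": "admin_access", "user": "dba"},
]

# Assumption: a secret known only to the central log server, so a host
# that is compromised later cannot recompute valid tags for edited records.
KEY = b"constructed-demo-key"
START = b"\x00" * 32  # chain anchor for the first record


def chain_log(events, key=KEY):
    """Return (records, final_tag_hex). Each record's tag covers its own
    content plus the previous tag, so editing, reordering or deleting any
    record invalidates every tag after it."""
    prev = START
    records = []
    for ev in events:
        body = json.dumps(ev, sort_keys=True).encode()
        tag = hmac.new(key, prev + body, hashlib.sha256).digest()
        records.append({"event": ev, "tag": tag.hex()})
        prev = tag
    return records, prev.hex()


def verify_chain(records, expected_final_hex, key=KEY):
    """Return -1 if the chain is intact, the index of the first altered
    record, or len(records) if records were removed from the end."""
    prev = START
    for i, rec in enumerate(records):
        body = json.dumps(rec["event"], sort_keys=True).encode()
        tag = hmac.new(key, prev + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag.hex(), rec["tag"]):
            return i  # this is where an alert to staff would be raised
        prev = tag
    if not hmac.compare_digest(prev.hex(), expected_final_hex):
        return len(records)  # tags are valid but the tail is missing
    return -1
```

The central server keeps the latest final tag; any later verification run that does not return -1 is the "log data changed" condition the requirement asks you to alert on.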

Q: What other tips do you have for folks under the gun with PCI?
A: Besides automating, make sure you have your scope clearly defined in terms of the systems and networks impacted by PCI. The standard impacts all system components connected to the “cardholder data environment”, so defining the boundaries of that environment is very important. Make sure you identify all logical data flows and physical connections, and catalog everywhere “cardholder data” is stored. You may save a lot of work by eliminating some of those data stores and installing internal firewalls to scale down the “cardholder data environment” to something more manageable.

Get more tips on PCI from Randy by joining him on Thursday, Nov. 8, 2007 at Noon Eastern Time for his Web seminar, Comply with PCI and Still Have a Life. Even if you cannot make the live event, registering gives you access to the recording of the event.


Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department


Copyright 2007, Penton Media, Inc. All Rights Reserved.