
Compliance - It’s Not Over When You Think It’s Over

Compliance - It’s Not Over When You Think It’s Over. Jim McNeill, Vanguard Integrity Professionals, Inc. According to Yahoo Finance, the 10 safest jobs during the recession include Compliance/Risk Officers. Ride the Compliance Wave!!! Regulatory Compliance. International Regulations


Presentation Transcript


  1. Compliance - It’s Not Over When You Think It’s Over
     Jim McNeill, Vanguard Integrity Professionals, Inc.
     ©2009 Vanguard Integrity Professionals, Inc.

  2. According to Yahoo Finance, the 10 safest jobs during the recession include Compliance/Risk Officers.
     Ride the Compliance Wave!!!

  3. Regulatory Compliance
     International Regulations
     • PCI – Payment Card Industry
     • DPA – Data Protection Act
     • PIPEDA – Personal Information Protection and Electronic Documents Act
     • EU Data Privacy Directive
     U.S. Compliance Regulations
     • PCI – Payment Card Industry
     • SOX – Sarbanes-Oxley
     • HIPAA – Health Insurance Portability & Accountability Act
     • GLBA – Gramm-Leach-Bliley Act
     • Minnesota Plastic Card Act
     • California Security Breach (SB) 1386
     • FISMA – Federal Information Security Management Act
     • MMA – Medicare Prescription Drug, Improvement and Modernization Act

  4. Compliance - You Can’t Do It By Yourself!
     Why it’s Never Over:
     • Continuous turn-over across diversified skill sets
     • Continuous Compliance Awareness Training
     • You Don’t Always Get Their Best People

  5. PCI Requirements
     Build and Maintain a Secure Network
     • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
     • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
     Protect Cardholder Data
     • Requirement 3: Protect stored cardholder data
     • Requirement 4: Encrypt transmission of cardholder data across open, public networks
     Maintain a Vulnerability Management Program
     • Requirement 5: Use and regularly update anti-virus software
     • Requirement 6: Develop and maintain secure systems and applications
     Implement Strong Access Control Measures
     • Requirement 7: Restrict access to cardholder data by business need-to-know
     • Requirement 8: Assign a unique ID to each person with computer access
     • Requirement 9: Restrict physical access to cardholder data
     Regularly Monitor and Test Networks
     • Requirement 10: Track and monitor all access to network resources and cardholder data
     • Requirement 11: Regularly test security systems and processes
     Maintain an Information Security Policy
     • Requirement 12: Maintain a policy that addresses information security

  6. Security Checklist
     • What is a Security Checklist?
       • Provides detailed instructions to evaluate compliance
     • Where do you find Security Checklists?
       • PCI Data Security Requirements
       • SANS Information Security Management Audit Checklist
       • DISA Checklists

  7. How Many DISA Checklists are There?

  8. How Many DISA Checklists are There?

  9. DISA RACF Checklist
     The DISA RACF Checklist contains 300+ Requirements

  10. DISA RACF Checklist Categories

  11. STIG ZWMQ0049 for RACF
      a) Ensure the following MQSeries/WebSphere MQ resource classes are active:
         MQADMIN   GMQADMIN
         MQPROC    GMQPROC
         MQCONN
         MQNLIST   GMQNLIST
         MQCMDS
         MQQUEUE   GMQQUEUE
         NOTE: If the MQADMIN resource class is not active, no security checking is performed.
      b) If all the resource classes in (a) are active, there is NO FINDING.
      c) If any resource class in (a) is inactive, this is a FINDING.

  12. STIG ZWMQ0049 for Top Secret
      a) Ensure the following MQSeries/WebSphere MQ security classes are defined to the TSS RDT:
         MQADMIN   MQQUEUE   MQCONN
         MQPROC    MQCMDS    MQNLIST
      b) Review ownership of each ssid. resource in the above resource classes.
         NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).
      c) If all of the security classes in (a) are defined to the RDT and ownership in (b) is defined for each ssid., there is NO FINDING.
      d) If any security class in (b) is not defined to the RDT or ownership in (c) is not defined for each ssid., this is a FINDING.

  13. STIG ZWMQ0049 for ACF2
      a) Ensure the following items are defined to ACF2:
         1) The SYSTEM AUTHORIZATION FACILITY DEFINITIONS include an entry for MQSeries/WebSphere MQ as follows:
            INSERT SAFDEF.MQS ID(MQS) FUNCRET(8) RETCODE(4) MODE(IGNORE) RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN) REP
         2) The INTERNAL CLASMAP DEFINITIONS include the following entries:
            INSERT CLASMAP.MQADMIN RESOURCE(MQADMIN) RSRCTYPE(MQA) ENTITYLN(62)
            INSERT CLASMAP.MQQUEUE RESOURCE(MQQUEUE) RSRCTYPE(MQQ) ENTITYLN(53)
            INSERT CLASMAP.MQNLIST RESOURCE(MQNLIST) RSRCTYPE(MQN) ENTITYLN(53)
            INSERT CLASMAP.MQCMDS RESOURCE(MQCMDS) RSRCTYPE(MQC) ENTITYLN(22)
            INSERT CLASMAP.MQCONN RESOURCE(MQCONN) RSRCTYPE(MQK) ENTITYLN(10)
            INSERT CLASMAP.MQPROC RESOURCE(MQPROC) RSRCTYPE(MQP) ENTITYLN(53)
      b) If all the resource classes in (a) are active, there is NO FINDING.
      c) If any resource class in (a) is inactive, this is a FINDING.
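The three slides above describe the same check (ZWMQ0049) against three external security managers. The script below is an added example, not part of the presentation or of any Vanguard product: it evaluates steps (b) and (c) for the RACF and ACF2 variants from pasted ESM output and flags the slide 11 NOTE (MQADMIN inactive means no MQ security checking at all) as extra context on a FINDING. Assumptions, also marked in the comments: the RACF input is an excerpt of SETROPTS LIST output whose "ACTIVE CLASSES =" section may wrap onto indented continuation lines, and the ACF2 input is the set of CLASMAP INSERT records quoted on slide 13. Both samples are constructed for the demo, not captured from a real system.

```python
"""STIG ZWMQ0049 evaluator for the RACF and ACF2 variants quoted in the slides.

Added example, not part of the presentation or of any Vanguard product.
Assumed input shapes: RACF = pasted SETROPTS LIST excerpt whose
"ACTIVE CLASSES =" section may wrap onto continuation lines;
ACF2 = pasted CLASMAP INSERT records. Both samples below are constructed.
"""
import re
from dataclasses import dataclass, field

# Slide 11: classes that must be ACTIVE under RACF.
RACF_REQUIRED = {
    "MQADMIN", "GMQADMIN", "MQPROC", "GMQPROC", "MQCONN",
    "MQNLIST", "GMQNLIST", "MQCMDS", "MQQUEUE", "GMQQUEUE",
}
# Slide 13: classes that need a CLASMAP definition under ACF2.
ACF2_REQUIRED = {"MQADMIN", "MQQUEUE", "MQNLIST", "MQCMDS", "MQCONN", "MQPROC"}


@dataclass
class Result:
    status: str                          # "NO FINDING" or "FINDING"
    missing: list = field(default_factory=list)
    note: str = ""                       # extra severity context for the reviewer


def racf_active_classes(setropts_output: str) -> set:
    """Return the class names listed under ACTIVE CLASSES in SETROPTS LIST output.

    Assumed layout: the section starts on a line beginning "ACTIVE CLASSES =",
    continues on indented lines holding only class names, and ends at the next
    "KEYWORD = value" line or a blank line.
    """
    active, collecting = set(), False
    for line in setropts_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("ACTIVE CLASSES ="):
            active.update(stripped.split("=", 1)[1].split())
            collecting = True
        elif collecting:
            if not stripped or "=" in stripped:
                collecting = False       # reached the next SETROPTS section
            else:
                active.update(stripped.split())
    return active


def acf2_clasmap_classes(acf2_records: str) -> set:
    """Return the RESOURCE(...) names from CLASMAP INSERT records."""
    return set(re.findall(r"CLASMAP\.\w+\s+RESOURCE\((\w+)\)", acf2_records))


def evaluate(required: set, present: set) -> Result:
    """Steps (b)/(c) of the check: every required class present => NO FINDING."""
    missing = sorted(required - present)
    if not missing:
        return Result("NO FINDING")
    note = ""
    if "MQADMIN" in missing:
        # Slide 11's NOTE: without MQADMIN no MQ security checking happens at all.
        note = "MQADMIN inactive: no MQ security checking is performed"
    return Result("FINDING", missing, note)


# Constructed sample: a RACF system with GMQNLIST left inactive.
SAMPLE_SETROPTS = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM) SAUDIT CMDVIOL
ACTIVE CLASSES = DATASET USER GROUP FACILITY OPERCMDS
                 MQADMIN GMQADMIN MQPROC GMQPROC MQCONN
                 MQNLIST MQCMDS MQQUEUE GMQQUEUE
GENERIC PROFILE CLASSES = DATASET FACILITY MQADMIN
"""

# Constructed sample: an ACF2 system with all six CLASMAP records (slide 13 values).
SAMPLE_ACF2 = """\
INSERT CLASMAP.MQADMIN RESOURCE(MQADMIN) RSRCTYPE(MQA) ENTITYLN(62)
INSERT CLASMAP.MQQUEUE RESOURCE(MQQUEUE) RSRCTYPE(MQQ) ENTITYLN(53)
INSERT CLASMAP.MQNLIST RESOURCE(MQNLIST) RSRCTYPE(MQN) ENTITYLN(53)
INSERT CLASMAP.MQCMDS RESOURCE(MQCMDS) RSRCTYPE(MQC) ENTITYLN(22)
INSERT CLASMAP.MQCONN RESOURCE(MQCONN) RSRCTYPE(MQK) ENTITYLN(10)
INSERT CLASMAP.MQPROC RESOURCE(MQPROC) RSRCTYPE(MQP) ENTITYLN(53)
"""


def check_racf(setropts_output: str = SAMPLE_SETROPTS) -> Result:
    return evaluate(RACF_REQUIRED, racf_active_classes(setropts_output))


def check_acf2(acf2_records: str = SAMPLE_ACF2) -> Result:
    return evaluate(ACF2_REQUIRED, acf2_clasmap_classes(acf2_records))


if __name__ == "__main__":
    for esm, result in (("RACF", check_racf()), ("ACF2", check_acf2())):
        print(f"{esm}: {result.status}", result.missing, result.note)
```

On the constructed RACF sample the script reports a FINDING for the single missing class, GMQNLIST; the ACF2 sample passes. The Top Secret variant needs the same `evaluate` step once the class names are pulled from the RDT, but the per-ssid ownership review in its step (b) is not something a list comparison can answer, so it is left out.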

  14. Who Validates Compliance?
      • A company’s Internal Auditors
      • A company’s External Auditors
      • Office of the Comptroller of the Currency (OCC) Audits
        • Ensures a safe and sound National Banking System
      • For PCI Compliance – Qualified Data Security Assessors (QDSA)
      • For the Government – Government Accountability Office (GAO)

  15. PCI Non-Compliance Penalties
      • PCI non-compliance penalties:
        • Monthly fines from your merchant bank
        • Increased transaction fees
        • Potential barrier to changing merchant banks
        • Potential loss of ability to accept credit cards
      • PCI penalties if compromised due to non-compliance:
        • Potential fines of up to $500,000
        • All fraud losses
        • Cost of re-issuing cards associated with the compromise
        • Any other costs incurred by credit card issuers
        • Cost of any additional fraud prevention/detection activities
        • Forensic audit
      • PCI penalties if compromised while compliant:
        • Minimal; VISA will absorb most of the expenses

  16. Regulations are Still Evolving
      Lifecycle Process for Changes to PCI DSS

  17. Compliance Drivers: System Components
      • Network Components
        • Firewalls, switches, routers, wireless access points, network & security appliances
      • Operating Systems
        • z/OS, Windows, Unix, Linux
      • Servers
        • Web, database, authentication, mail, proxy, NTP, domain name servers (DNS)
      • Applications
        • Includes all purchased and custom applications
      • Databases
        • DB2, Oracle, SQL
      • Conclusion:
        • The more System Components you have, the more work there is to become, and stay, compliant

  18. Compliance Drivers: The Large Volume of Requirements
      • PCI DSS
        • Contains 200+ diversified/generic requirements
        • Requirements “expand” depending on system components
        • System components determine the workload
      • DISA STIG Checklists
        • There are over 60 checklists
        • The RACF Checklist contains 300 Requirements
        • Requirements apply to each system component

  19. Compliance Drivers
      • Legislation (existing and new)
      • “Contractors Must Comply” clauses
      • New “System Components”
        • Acquisitions
          • Purchased a company that processes credit cards
        • New Applications
        • New Technology
          • Virtualization – Linux on z/VM

  20. Regulatory Changes Affect Compliance
      • Regulatory Changes Require:
        • Changes to Information Security policy
        • System configuration changes
        • Changes to testing procedures
        • Changes to documentation
        • “Gap Analysis” projects
        • Remediation projects
        • Introduction of new applications (e.g. PCI Certified)
        • New technology (e.g. encryption)
        • Security awareness training
        • New security products (e.g. mainframe intrusion detection)
        • And the list goes on ...

  21. Recurring Assessments: Ongoing Validations and Certifications
      • Daily, Monthly, Quarterly, Semi-Annual and Annual Compliance requirements
      • PCI Requirement 12.9.2 – “Test the plan at least annually”
      • PCI requires annual Re-certification
        • Your opportunity to review all supporting documentation with a QSA
      • DISA Checklist requires Quarterly Re-certification
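A compliance calendar for the cadences listed on this slide, as an added example that is not part of the presentation or of any Vanguard product. It assumes each recurring item is tracked by its last completion date, with the next occurrence due one cadence later, and that month arithmetic clamps to the end of the target month (a quarterly item completed on 31 January falls due on 30 April, not on a non-existent 31 April). The event list, dates and the "as of" date are constructed for the demo; the PCI requirement numbers in the event names are the ones quoted on the slides.

```python
"""Compliance calendar for daily/monthly/quarterly/semi-annual/annual items.

Added example, not from the presentation. Each event carries the date it was
last completed; the next one is due one cadence later. The EVENTS list and
the as-of dates are constructed samples.
"""
import calendar
from datetime import date, timedelta

CADENCE_MONTHS = {"monthly": 1, "quarterly": 3, "semi-annual": 6, "annual": 12}


def add_months(d: date, months: int) -> date:
    """Advance d by a number of months, clamping the day to the month's length."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_due(last_done: date, cadence: str) -> date:
    """Date the next occurrence is due, given when the last one was completed."""
    if cadence == "daily":
        return last_done + timedelta(days=1)
    return add_months(last_done, CADENCE_MONTHS[cadence])


# Constructed sample events: (name, cadence, date last completed).
EVENTS = [
    ("PCI 12.9.2 incident response plan test", "annual", date(2008, 3, 15)),
    ("DISA checklist re-certification", "quarterly", date(2009, 1, 31)),
    ("Internal vulnerability scan (PCI Req 11)", "quarterly", date(2009, 4, 1)),
    ("Firewall rule-set review (PCI Req 1)", "semi-annual", date(2009, 2, 28)),
    ("Log review (PCI Req 10)", "daily", date(2009, 6, 9)),
]


def status_report(events, as_of: date):
    """Split events into overdue and upcoming as of a given date.

    Returns two lists of (name, due_date, days_from_as_of), each sorted by due
    date; negative days mean the item is past due. An item due on as_of itself
    counts as upcoming.
    """
    overdue, upcoming = [], []
    for name, cadence, last_done in events:
        due = next_due(last_done, cadence)
        entry = (name, due, (due - as_of).days)
        (overdue if due < as_of else upcoming).append(entry)
    overdue.sort(key=lambda e: e[1])
    upcoming.sort(key=lambda e: e[1])
    return overdue, upcoming


def report(as_of_iso: str = "2009-06-10"):
    """Convenience wrapper: ISO date string in, names of overdue and upcoming items out."""
    overdue, upcoming = status_report(EVENTS, date.fromisoformat(as_of_iso))
    return [e[0] for e in overdue], [e[0] for e in upcoming]


if __name__ == "__main__":
    past_due, coming = status_report(EVENTS, date.fromisoformat("2009-06-10"))
    for name, due, days in past_due:
        print(f"OVERDUE  {due}  ({-days} days late)  {name}")
    for name, due, days in coming:
        print(f"due in {days:3d} days  {due}  {name}")
```

Run as of 10 June 2009 the constructed list shows the annual plan test (last done March 2008) and the January quarterly re-certification as overdue, the daily log review as due today, and the other two as upcoming. Feeding it the real completion dates from your evidence records turns the slide's "daily, monthly, quarterly, semi-annual and annual" line into a list that can be reviewed at every team meeting.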

  22. Sample of PCI Recurring Events

  23. Supporting Documentation
      • NIST trademarked the phrase: “It’s not enough to be secure, you have to prove you’re secure™”
      • It’s Impossible to be Compliant without DOCUMENTATION, and Lots of it!!!
      • Even if you are compliant without a Process, if Records Don’t Exist to Prove It, It May Not Count

  24. Supporting Documentation

  25. Supporting Documentation

  26. Supporting Documentation

  27. Recommendations for Reducing the Compliance Workload
      1. Become an “expert” on compliance requirements by reviewing:
         • “New Release” Documentation
         • “Summary of Changes” Documents
         • Supplemental Requirements Documents
         • FAQs
      2. Look for Opportunities to Reduce the “Compliance Scope”
      3. Understand the importance of well defined, written security policies

  28. Recommendations for Reducing the Compliance Workload
      4. Map the Compliance Requirements to your Information Security Policy
      5. Implement a Compliance Awareness Program
      6. Implement Vendor Products that identify and automate processes
      7. Develop and Maintain a Network Diagram and an Architecture / Application Data Flow Diagram

  29. Recommendations for Reducing the Compliance Workload
      8. Use “Subject Matter Experts” for advice and to perform a “Compliance Assessment” against Policy
      9. Identify and Leverage “Regulatory Overlap”
         • Example: Network vulnerability assessments and penetration tests
      10. Retain your Compliance Team
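Recommendation 4 (map requirements to the Information Security Policy) and recommendation 9 (leverage regulatory overlap) are two views of one data structure: a mapping from each regulation's requirements to the policy controls that satisfy them. The script below is an added example, not part of the presentation or of any Vanguard product. It inverts that mapping to find controls whose evidence serves several regulations (assess once, reuse), lists requirements with no control (the input to a "Gap Analysis" project from slide 20), and flags controls nothing maps to. The control ids (ISP-...) and the mapping are constructed; requirement labels reuse numbers quoted on the slides where available and are marked "placeholder" otherwise.

```python
"""Requirement-to-policy mapping with overlap and gap detection.

Added example, not from the presentation or any Vanguard product. Control ids,
the mapping and the "placeholder" requirement labels are constructed for the
demo; the other requirement labels reuse numbers quoted on the slides.
"""
from collections import defaultdict

# Constructed: requirement id -> regulation it belongs to.
REQUIREMENTS = {
    "PCI Req 8 (unique ID per person)": "PCI DSS",
    "PCI Req 11 (regularly test security systems)": "PCI DSS",
    "PCI 12.9.2 (test the plan annually)": "PCI DSS",
    "STIG ZWMQ0049 (MQ resource classes active)": "DISA STIG",
    "STIG placeholder (unique RACF user IDs)": "DISA STIG",
    "SOX placeholder (periodic vulnerability assessment)": "SOX",
    "FISMA placeholder (configuration baseline)": "FISMA",
}

# Constructed: policy control id -> short description.
CONTROLS = {
    "ISP-ACC-01": "Every user has a unique, individually assigned ID",
    "ISP-VULN-01": "Quarterly vulnerability assessment and annual penetration test",
    "ISP-IR-01": "Incident response plan tested at least annually",
    "ISP-ESM-01": "Required ESM resource classes active on every z/OS LPAR",
    "ISP-LOG-01": "Central retention of security logs",
}

# Constructed: which controls satisfy which requirement (empty list = not yet mapped).
MAPPING = {
    "PCI Req 8 (unique ID per person)": ["ISP-ACC-01"],
    "PCI Req 11 (regularly test security systems)": ["ISP-VULN-01"],
    "PCI 12.9.2 (test the plan annually)": ["ISP-IR-01"],
    "STIG ZWMQ0049 (MQ resource classes active)": ["ISP-ESM-01"],
    "STIG placeholder (unique RACF user IDs)": ["ISP-ACC-01"],
    "SOX placeholder (periodic vulnerability assessment)": ["ISP-VULN-01"],
    "FISMA placeholder (configuration baseline)": [],
}


def regulations_per_control(mapping=MAPPING, requirements=REQUIREMENTS):
    """Invert the mapping: control id -> set of regulations it provides evidence for."""
    covered = defaultdict(set)
    for req, controls in mapping.items():
        for control in controls:
            covered[control].add(requirements[req])
    return dict(covered)


def overlaps(mapping=MAPPING, requirements=REQUIREMENTS):
    """Controls that satisfy two or more regulations: assess once, reuse the evidence."""
    per_control = regulations_per_control(mapping, requirements)
    return {c: sorted(regs) for c, regs in per_control.items() if len(regs) >= 2}


def gaps(mapping=MAPPING):
    """Requirements with no mapped control: the work list for a gap-analysis project."""
    return sorted(req for req, controls in mapping.items() if not controls)


def unmapped_controls(mapping=MAPPING, controls=CONTROLS):
    """Policy controls no regulation relies on: candidates for scope review, not deletion."""
    used = {c for cs in mapping.values() for c in cs}
    return sorted(set(controls) - used)


def unknown_references(mapping=MAPPING, controls=CONTROLS, requirements=REQUIREMENTS):
    """Consistency check: mapping rows citing a requirement or control that does not exist."""
    bad = []
    for req, cs in mapping.items():
        if req not in requirements:
            bad.append(req)
        bad.extend(c for c in cs if c not in controls)
    return bad


if __name__ == "__main__":
    print("Overlap:", overlaps())
    print("Gaps:", gaps())
    print("Unmapped controls:", unmapped_controls())
    print("Dangling references:", unknown_references())
```

On the constructed data the unique-ID control covers both a PCI and a DISA STIG requirement and the vulnerability-assessment control covers PCI and SOX, which is exactly the overlap slide 29 cites; the FISMA placeholder comes back as a gap. The `unknown_references` check matters once the mapping lives in a spreadsheet that several people edit: a typo in a control id silently turns a covered requirement into an uncovered one.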

  30. Vanguard Solutions
      Compliance & Audit Suite Includes:
      • Vanguard inCompliance™
      • Vanguard Advisor™
      • Vanguard Analyzer™
      • Vanguard Enforcer™
      • Vanguard Policy Manager™

  31. Conclusion
      When it comes to Compliance: It’s Not Over When You Think It’s Over, It Just Goes On, and On, Forever ...

  32. References
      • Vanguard Integrity Professionals, Using Vanguard Products to Support PCI Requirements – http://www.go2vanguard.com
      • SANS Information Security Management Audit Checklist – http://www.oispp.ca.gov/government/documents/docs/ISO_17799_2005-Checklist.doc
      • PCI Data Security Standards – https://www.pcisecuritystandards.org/
      • National Institute of Standards and Technology (NIST) – http://csrc.nist.gov/
      • DISA Security Checklists – http://iase.disa.mil/stigs/checklist/index.html

  33. Thank You!
      For more information, please visit: http://www.go2vanguard.com
      info@go2vanguard.com
