Compliance Its Not Over When You Think Its Over - PowerPoint PPT Presentation

1 / 33

About This Presentation

Title:

Compliance Its Not Over When You Think Its Over

Description:

Vanguard EnforcerTM. Enforces granular controls over the assignment of user privileges: Vanguard Policy ManagerTM ... Vanguard Enforcer ... – PowerPoint PPT presentation

Number of Views:123

Avg rating:3.0/5.0

Slides: 34

Provided by: creat106

Category:

more less

Transcript and Presenter's Notes

Title: Compliance Its Not Over When You Think Its Over

1
Compliance - Its Not Over When You Think Its
Over

Jim McNeill
Vanguard Integrity Professionals, Inc.

2
Find the Wave
3
According to Yahoo Finance

The 10 safest jobs during the recession include
Compliance/Risk Officers
Ride the Compliance Wave !!!

4
Prior to Regulatory Compliance, Life was Good !
5
Then along came The Grinch (Alias Compliance)
6
Regulatory Compliance

International Regulations
PCI Payment Card Industry
DPA - Data Protection ACT
PIPEDA - Personal Information Protection and
Electronic Documents Act
EU Data Privacy Directive

U.S. Compliance Regulations
PCI Payment Card Industry
SOX - Sarbanes Oxley
HIPAA Health Insurance Portability
Accountability Act
GLBA - Gramm-Leach-Bliley Act
Minnesota Plastic Card Act
California Security Breach (SB) 1386
FISMA - Federal Information Security Management
Act
MMA - Medicare Prescription Drug, Improvement and
Modernization Act

7
Compliance - You Cant Do It By Yourself !

Why its Never Over
Continuous turn-over across diversified skill
sets
Continuous Compliance Awareness Training
You Dont Always Get Their Best People

8
PCI Requirements

Build and Maintain a Secure Network
Requirement 1 Install and maintain a firewall
configuration to protect cardholder data
Requirement 2 Do not use vendor-supplied
defaults for system passwords and other security
parameters
Protect Cardholder Data
Requirement 4 Encrypt transmission of cardholder
data across open, public networks
Requirement 3 Protect stored cardholder data
Maintain a Vulnerability Management Program
Requirement 5 Use and regularly update
anti-virus software
Requirement 6 Develop and maintain secure
systems and applications
Implement Strong Access Control Measures
Requirement 7 Restrict access to cardholder data
by business need-to-know
Requirement 8 Assign a unique ID to each person
with computer access
Requirement 9 Restrict physical access to
cardholder data
Regularly Monitor and Test Networks
Requirement 10 Track and monitor all access to
network resources and cardholder data

9
PCI Requirement 7.1.2
10
PCI Requirement 8.5.9
11
Security Checklist

What is a Security Checklist ?
Provides detailed instructions to evaluate
compliance
Where do you find Security Checklists?
PCI Data Security Requirements
SANS Information Security Management Audit
Checklist
DISA Checklists

12
How Many DISA Checklists are There?

13
How Many DISA Checklists are There?

14
DISA RACF Checklist

The DISA RACF Checklist contains 300
Requirements

15
DISA RACF Checklist Categories
16
STIG ZWMQ0049 for RACF

a) Ensure the following MQSeries/WebSphere MQ
resource classes are active
MQADMIN MQPROC
GMQADMIN GMQPROC
MQCONN MQNLIST
MQCMDS GMQNLIST
MQQUEUE
GMQQUEUE
NOTE If the MQADMIN resource class is not
active, no security checking is performed.
b) If all the resource classes in (a) are
active, there is NO FINDING.
c) If any resource class in (a) is inactive,
this is a FINDING.

17
STIG ZWMQ0049 for Top Secret

a) Ensure the following MQSeries/WebSphere MQ
security classes are defined to the TSS RDT
MQADMIN MQQUEUE
MQCONN MQPROC
MQCMDS MQNLIST
b) Review ownership of each ssid. resource in
the above resource classes.
NOTE ssid is the queue manager name (a.k.a.,
subsystem identifier).
c) If all of the security classes in (a) are
defined to the RDT and ownership in (b) is
defined for each ssid., there is NO FINDING.
d) If any security class in (b) is not defined
to the RDT or ownership in (c) is not defined for
each ssid., this is a FINDING.

18
STIG ZWMQ0049 for ACF2

a) Ensure the following items are defined to
ACF2
1) The SYSTEM AUTHORIZATION FACILITY DEFINITIONS
include an entry for MQSeries/WebSphere MQ as
follows
INSERT SAFDEF.MQS ID(MQS) FUNCRET(8) RETCODE(4)
MODE(IGNORE)
RACROUTE(REQUESTEXTRACT,CLASSMQADMIN) REP
2) The INTERNAL CLASMAP DEFINITIONS include the
following entries
INSERT CLASMAP.MQADMIN RESOURCE(MQADMIN)
RSRCTYPE(MQA) ENTITYLN(62)
INSERT CLASMAP.MQQUEUE RESOURCE(MQQUEUE)
RSRCTYPE(MQQ) ENTITYLN(53)
NSERT CLASMAP.MQNLIST RESOURCE(MQNLIST)
RSRCTYPE(MQN) ENTITYLN(53)
INSERT CLASMAP.MQCMDS RESOURCE(MQCMDS)
RSRCTYPE(MQC) ENTITYLN(22)
INSERT CLASMAP.MQCONN RESOURCE(MQCONN)
RSRCTYPE(MQK) ENTITYLN(10)
INSERT CLASMAP.MQPROC RESOURCE(MQPROC)
RSRCTYPE(MQP) ENTITYLN(53)
b) If all the resource classes in (a) are
active, there is NO FINDING.
c) If any resource class in (a) is inactive,
this is a FINDING.

19
Using Vanguard Security Solutions

20
Using Vanguard Policy Manager TMto Lockdown DISA
STIG Sensitive Datasets

21
Using Tools to Ensure Compliance

22
Who Validates Compliance ?

A companys Internal Auditors
A companys External Auditors
Office of the Comptroller of Currency (OCC)
Audits
Ensures a safe and sound National Banking System
For PCI Compliance - Qualified Data Security
Assessors (QDSA)
For the Government Government Accountability
Office (GAO)

23
PCI Non-Compliant Penalties

PCI-Noncompliance Penalties
Monthly fines from your merchant bank
Increased transaction fees
Potential barrier to changing merchant banks
Potential loss of ability to accept credit cards
PCI penalties if compromised due to
non-compliance
Potential fines of up to 500,000
All fraud losses
Cost of re-issuing cards associated with the
compromise
Any other costs incurred by credit card issuers
Cost of any additional fraud prevention/detection
activities
Forensic audit
PCI penalties if compromised due to compliance
Minimal, VISA will absorb most of the expenses

24
Regulations are Still Evolving

Lifecycle Process for Changes to PCI DSS

25
Compliance Drivers

System Components
Network Components
Firewalls, switches, routers, wireless access
points, network security appliances
Operating Systems
z/OS, Windows, Unix, Linux
Servers
Web, database, authentication, mail, proxy, NTP,
domain name servers (DNS)
Applications
Includes all purchased and custom applications
Databases
DB2, Oracle, SQL
Conclusion
The more System Components you have, the more
work there is to become, and stay compliant

26
Compliance Drivers

The Large Volume of Requirements
PCI DSS
Contains 200 diversified/generic requirements
Requirements expand depending on system
components
System components determine the workload
DISA STIG Checklists
And there are over 60 checklists
The RACF Checklist contains 300 Requirements
Requirements apply to each system component

27
Compliance Drivers

Legislation (existing and new)
Contractors Must Comply clauses
New System Components
Acquisitions
Purchased a company that processes credit cards
New Applications
New Technology
Virtualization Linux on z/VM

28
Regulatory Changes Effect Compliance

Regulatory Changes Require
Changes to Information Security policy
System configuration changes
Changes to testing procedures
Changes to documentation
Gap Analysis projects
Remediation projects
Introduction of new applications (e.g. PCI
Certified)
New technology (e.g. encryption)
Security awareness training
New security products (e.g. mainframe intrusion
detection)
And, the list goes on ......

29
Re-Occurring Assessments

Ongoing Validations and Certifications
Daily, Monthly, Quarterly, Semi-Annual and Annual
Compliance requirements
PCI Requirement 12.9.2 Test the plan at least
annually
PCI requires annual Re-certification
Your opportunity to review all supporting
documentation with a QSA
DISA Checklist requires Quarterly
Re-certification

30
Sample of PCI Re-Occurring Events

31
Supporting Documentation

NIST trademarked the phrase
Its not enough to be secure, you have to prove
youre secure TM
Its Impossible to be Complaint without
DOCUMENTATION, and Lots of it !!!
Even if you are compliant w/o a Process, if
Records Dont Exist to Prove It, It May Not
Count

32
Supporting Documentation
33
Supporting Documentation

34
Supporting Documentation

35
Recommendations for Reducing the Compliance
Workload

Become an expert on compliance requirements by
reviewing
New Release Documentation
Summary of Changes Documents
Supplemental Requirements Documents
FAQs
Look for Opportunities to Reduce the Compliance
Scope
Understand the importance of well defined,
written security polices

36
Recommendations for Reducing the Compliance
Workload

4. Map the Compliance Requirements to your
Information Security Policy
Implement a Compliance Awareness Program
Implement Vendor Products that identify and
automate processes
7. Develop and Maintain a Network Diagram and
an Architecture / Application Data Flow Diagram

37
Recommendations for Reducing theCompliance
Workload

8. Use Subject Matter Experts for advice
and to perform a Compliance Assessment against
Policy
9. Identify and Leverage Regulatory Overlap
Example Network vulnerability assessments and
penetration tests
10. Retain your Compliance Team

38
Vanguard Solutions