PCI is easy, if you've got the basics right.
Gary Hawkins
Views are my own, may be exaggerated for dramatic effect, and subject to change without warning or reason.
Despite having been around for more than a decade, the number of companies that are PCI compliant is still much lower than anyone would like, given that it's often seen as a starting point for information security. Of the companies that have achieved compliance, many fail to maintain that compliance throughout the year. The Verizon report on PCI Compliance provides some interesting background reading on the subject.
The challenge I encounter most often is that the basics of information security are not in place after an organisation has grown without structured guidance, making it far more difficult to get back to these basics than it would have been to instill them from the start. Maintaining a solid foundation might require a little extra setting up and administrative overhead but you'll probably be in the green overall by having to spend less time fighting fires.
What do I mean by basics?
Know what you've got
This applies to data and people as well as devices, and is fundamental to almost all other security controls. If you don't have an accurate list of authorised devices, then how can you identify and remove rogue devices? If you don't know what software you're using, then how can you ensure it's kept up to date? If you don't know what data you have and who is using it, then how can you determine that access controls and protections are appropriate?
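To make the point concrete, here is an added example (not from the original article) that reconciles a constructed authorised asset inventory against a constructed set of observed devices, flagging rogue devices, authorised devices that were not seen, and software running below its approved version. The inventory layout, the MAC addresses and the version strings are all assumptions of the example.

```python
"""Reconcile an authorised asset inventory against what is actually observed.

Added example, not the article's own code. All data below is constructed.
"""

# Constructed authorised inventory: MAC address -> owner and approved software versions
AUTHORISED = {
    "00:11:22:33:44:01": {"owner": "finance-ws-01", "software": {"openssl": "3.0.13"}},
    "00:11:22:33:44:02": {"owner": "hr-ws-07", "software": {"openssl": "3.0.13"}},
    "00:11:22:33:44:03": {"owner": "pos-terminal-3", "software": {"pos-app": "4.2.1"}},
}

# Constructed observation, as an agent report or network scan might produce it
OBSERVED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.1.10", "software": {"openssl": "3.0.13"}},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.1.11", "software": {"openssl": "3.0.9"}},
    {"mac": "aa:bb:cc:dd:ee:ff", "ip": "10.0.1.99", "software": {}},
]


def _vtuple(version):
    """Turn '3.0.13' into (3, 0, 13) so versions order numerically.
    A plain string comparison would wrongly rank '3.0.9' above '3.0.13'.
    Assumes dotted-integer version strings."""
    return tuple(int(part) for part in version.split("."))


def reconcile(authorised, observed):
    """Return (rogue, missing, outdated).

    rogue:    observed devices whose MAC is not in the authorised inventory
    missing:  authorised MACs that were not observed at all (sorted)
    outdated: (mac, software, observed_version, approved_version) where the
              observed version is older than the approved one
    """
    seen = {device["mac"] for device in observed}
    rogue = [device for device in observed if device["mac"] not in authorised]
    missing = sorted(set(authorised) - seen)
    outdated = []
    for device in observed:
        approved = authorised.get(device["mac"], {}).get("software", {})
        for name, version in device["software"].items():
            if name in approved and _vtuple(version) < _vtuple(approved[name]):
                outdated.append((device["mac"], name, version, approved[name]))
    return rogue, missing, outdated


if __name__ == "__main__":
    rogue, missing, outdated = reconcile(AUTHORISED, OBSERVED)
    print("rogue:", [d["mac"] for d in rogue])
    print("missing:", missing)
    print("outdated:", outdated)
```

Each of the three lists maps directly onto a question in the paragraph above: rogue devices to remove, authorised devices to account for, and software to bring up to date.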
Principle of least privilege
It's a quick fix to grant administrative privileges during deployment. You're not sure what ports a new piece of software needs so you'll add a quick Any/Any rule to the firewall to get things going. Don't kid yourself that anyone is going to come back later and clean up so do things properly the first time. Shortcuts make long delays.
Audits and alerts are a benefit not a burden
Keeping records up to date should be part of every process, so record-keeping systems should be made straightforward where they cannot be automated. Trying to retrospectively explain why someone has access to finance or HR files will take much longer than obtaining and recording the proper approval at the time.
Any alerts should be baselined so that thresholds are meaningful and noise is kept to a minimum, otherwise you won't get alerts when they're most needed or they'll be ignored amongst a myriad of false positives.
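As an added example (not from the original article) of what baselining means in practice, the block below derives an alert threshold from a constructed history of hourly failed-login counts instead of guessing a fixed number, and shows how much noise a fixed low threshold would have produced over the same period. The median plus k times the median absolute deviation is the assumed method; the counts are constructed sample data.

```python
"""Baseline an alert threshold from historical counts instead of a fixed guess.

Added example, not the article's own code. The history is constructed data
and the median + k * MAD rule is an assumption of this example.
"""
from statistics import median

# Constructed history: failed logins per hour over the last 24 hours
HISTORY = [3, 5, 4, 6, 2, 4, 5, 3, 7, 4, 5, 6, 3, 4, 5, 4, 6, 5, 3, 4, 5, 4, 6, 5]


def baseline_threshold(history, k=5.0, floor=1.0):
    """Threshold = median + k * MAD.

    MAD (median absolute deviation) is used rather than the standard deviation
    so a single past spike does not inflate the threshold. It is floored so a
    perfectly flat history does not yield a zero-width band that alerts on
    every tiny change.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med + k * max(mad, floor)


def alerts(history, new_counts, k=5.0):
    """Return (index, count) pairs in new_counts that exceed the baselined threshold."""
    threshold = baseline_threshold(history, k)
    return [(i, c) for i, c in enumerate(new_counts) if c > threshold]


def noise_rate(history, threshold):
    """Fraction of historical hours that would have alerted under a given threshold.
    A high value means the threshold would have drowned analysts in false positives."""
    return sum(1 for x in history if x > threshold) / len(history)


if __name__ == "__main__":
    print("baselined threshold:", baseline_threshold(HISTORY))
    print("noise with fixed threshold 3:", noise_rate(HISTORY, 3))
    print("noise with baselined threshold:", noise_rate(HISTORY, baseline_threshold(HISTORY)))
    print("alerts on new hours:", alerts(HISTORY, [5, 12, 4, 40]))
```

With this history a fixed threshold of 3 would have fired in 19 of the 24 hours, which is exactly the noise the paragraph above warns about, while the baselined threshold fires only on the genuinely unusual hours.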
Patch all the things
You know exactly what software is running on every PC and server thanks to your robust asset management and restriction of administrative privileges, right? A well defined patching process will include staged deployment, regression testing, procedures for handling any detrimental exceptions, and procedures for handling emergencies. You've also taken steps to make sure that development and legacy systems don't impede patching by demanding fixed versions, of course. Then why can't patches be applied in a timely fashion?
Defense in depth
If systems are set up appropriately from the beginning, then response procedures make it straightforward to amend the system and its preventative security controls if/when a change is needed or an issue is detected.
If this is the norm from day one then PCI is no longer a mad panic once a year. Many of the 250+ controls will already be ingrained and the solution doesn't need to rely on extensive reduction of scope as any and all areas of the company would already be very close to if not fully compliant.
What are your thoughts? Are these 'basics' achievable, and are they sustainable? Are there other InfoSec tenets or controls that you think should form the foundation of any IT environment?
Senior Security Consultant CISA, CISM, PCI QSA, NIS 2 Directive Lead Implementer, SWIFT CSP Assessor at Verizon Enterprise Solutions
9 years
I'd say that the basics ARE achievable and that they DO give you added value, security, insights. It's hard to protect components that you don't know that you have. No argument there. PCI is easy - AFTER you've done the PCI journey towards compliance. PCI can be HARD before you've completed the journey. If I would have to sum PCI up I'd say that: "PCI is the art of asking the right questions". If you master the art of PCI, then PCI is easy.
Data Protection & Privacy | AI Governance | CIPM | DPO | Speaker | IAPP Advisory Board Member | Change Mgmt | Trainer | Mentor
9 years
Fantastic writeup Gary, you've hit the nail... This is especially true for SMEs I suppose, as midsize organisations do usually have very strict and structured processes in place to avoid being in such situations. I completely agree with David, one of the first things you may want to advocate is bringing in a security culture in the organisation. I would like to add hardening of the PCs/servers as one of the basics to this list, with additional being end-to-end encryption even for internal applications and having stringent change management procedures.
I protect data, don't care what kind.
9 years
Quite right! But it all starts with the CEO, there is no culture shift toward security if they don't care. BTW: "Maintaining a solid foundation might require a little extra setting up and administrative overhead but you'll probably you're in the green overall in having to spend less time fighting fires."?