Protecting My Business? Sorry, I'm not interested!
Jim Seaman
Business Information Security Officer (BISO) | Cyber Security & Risk Consultant | PCI DSS Compliance Specialist | Author | Speaker | MSc, CISM, CRISC, CDPSE | 20+ Years in Security Risk Management
Background
Okay, so for years I have been thinking about writing a book, but I was not sure how I could author a book that was any different from any other book already available on the market.
Then, when attending an industry event, in Toronto, in Sept 2019 (ISMG Cyber Security Summit), the idea hit me like a bolt of lightning:
I could relate the majority of the topics to actual real-life protective security experiences from my time in the RAF Police.
Lessons from a 30+ year career
With this in mind, I started to fan the flames of this idea into a book proposal and began collating notes on how these experiences could be used to provide additional explanations of the objectives and principles of the PCI DSS controls framework.
Now, since leaving the RAF Police (having got tired of spending every other Christmas in hot, dusty and hostile conditions), I successfully transitioned across to the corporate sector through extensive reading and self-study to pass ISACA's Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC).
To this day, I still volunteer with ISACA and seek new insights from my professional peers and try to add a new book to my professional library, and now I felt it was my time to make a further contribution.
What subject should be the focus for the book?
This came to me through a combination of hearing negative reflections on PCI DSS and reading the research on declining PCI DSS compliance trends within Verizon's 2019 Payment Security Report.
I began to ask myself:
- Don't businesses appreciate the value of payment card data to today's criminals?
- Haven't the changes to data privacy, across the globe, changed its importance?
- Don't all businesses have some assets that they value and that if they became compromised could be detrimental to their organisation?
- Are there not lessons that can be learned and applied from the PCI DSS controls framework that can help reduce the risk for businesses?
The concept was born
Why could I not attempt to author a book which uses my career experiences, and the knowledge gleaned from my professional library, to help explain the PCI DSS protective security principles and objectives, and so help defend valuable business assets (in this case, any asset associated with the processing, storage and transmission of cardholder data (CHD))?
That way, the principles and objectives could be applicable to a far wider audience than just organisations that handle CHD.
The Development Process
First of all, it is important to recognise that nearly all businesses have an asset that will be of interest to an opportunist attacker, and that there will be an impact on the organisation should these assets suffer a compromise of Confidentiality, Integrity or Availability (CIA).
Consequently, these assets need to be protected from external and internal threat actors across their full 'life cycles'.
- Before we can start to do this, we need to understand what we mean by an 'asset'.
Fortunately, the military's approach was to treat anything that was valuable in supporting the 'Mission Statement' as an asset, and each asset was categorised in accordance with the value it presented in supporting that 'Mission Statement'.
- Think:
"What is the value of a weapon system?
What is the value of the ammunition for the weapon system?
What is the value of the weapon system operator?
What is the value of the weapon system engineer?
What is the value of the weapon system's storage system?
What is the value of the weapon system cleaning kit?"
As you can imagine, the list goes on and on, but each item contributes to keeping that weapon system operational.
The closest definition I could get to this principle was from NIST's Glossary:
"A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems".
With this thought in mind, I set about aligning the concepts learned from my reading list with my career experiences, and using these to explain what the PCI DSS controls framework helps organisations to achieve and how this fits into modern business and regulatory requirements.
Whether you are a seasoned protective security professional (aka Information Security, Cyber Security, Cyber/Business Resilience, Compliance Officer, etc.) or business stakeholder, I have tried to include something that will be of interest and benefit to you.
That is, of course, unless you believe that your business has nothing of value to a thief!
Please think of this book as an opportunity to look at your business from a different perspective and to help to identify some 'Quick Wins' and some recommendations to help reduce the risks for your business, whilst helping to demystify some of the complexities of protective security.
Unfortunately, NIST does not currently have a formal definition of Protective Security, so here is the UK military definition:
The Definition of Protective Security
Protective security is the protection of assets from compromise. Compromise can be a breach of:
- Confidentiality. The restriction of information and other valuable assets to authorized individuals (e.g. protection from espionage, eavesdropping, leaks and computer hacking).
- Integrity. The maintenance of information systems of all kinds and physical assets in their complete and usable form (e.g. protection from unauthorized alteration to a computer programme).
- Availability. The permitting of continuous or timely access to information systems or physical assets by authorized users (e.g. protection from sabotage, malicious damage, theft, fire and flood).
In assessing integrity and availability, consideration must be given to both the direct and indirect consequences of compromise (aka FAIR Model's Primary & Secondary Losses).
For example, the theft of a personal computer may be of limited direct consequence as such equipment can be relatively cheaply replaced. The loss of the information contained on the computer may have significant indirect consequences, particularly if no arrangements have been made for backup storage of the information it contains.
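To make the direct/indirect distinction concrete, here is an added worked example (my illustration, not code from the book or from the FAIR Institute): a small asset register that scores a compromise of Confidentiality, Integrity or Availability as a primary (direct) loss plus a secondary (indirect) loss, and shows how a backup or encryption control changes the picture for the stolen-laptop case above. All asset names, figures and weightings are constructed for illustration.

```python
from dataclasses import dataclass, replace
from enum import Enum

# Added example, not from the book: a toy register that separates the direct (primary)
# and indirect (secondary) consequences of a compromise. Every figure is constructed.


class Compromise(Enum):
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"


@dataclass(frozen=True)
class Asset:
    name: str
    replacement_cost: float      # direct cost to replace or rebuild the item itself
    information_value: float     # value of the information it holds or processes
    mission_criticality: int     # 1 (low) .. 5 (high): contribution to the 'mission'
    backed_up: bool = False      # is the information recoverable from a backup?
    encrypted_at_rest: bool = False  # is stored information unreadable to a thief?


def direct_loss(asset: Asset, compromise: Compromise) -> float:
    """Primary loss: the immediate, visible cost of the compromise."""
    if compromise is Compromise.CONFIDENTIALITY:
        # A leak does not destroy the item; the direct cost is the response effort,
        # modelled here (assumption) as a tenth of the replacement cost.
        return asset.replacement_cost / 10
    # Integrity or availability compromise means the item is rebuilt or replaced.
    return asset.replacement_cost


def indirect_loss(asset: Asset, compromise: Compromise) -> float:
    """Secondary loss: harm flowing from the information, scaled by mission criticality."""
    scaled_value = asset.information_value * asset.mission_criticality / 5
    if compromise is Compromise.CONFIDENTIALITY:
        # Disclosure harm is avoided only if the data is unreadable to whoever took it.
        return 0.0 if asset.encrypted_at_rest else scaled_value
    # Integrity/availability: the information is recoverable only if a backup exists.
    return 0.0 if asset.backed_up else scaled_value


def total_loss(asset: Asset, compromise: Compromise) -> float:
    return direct_loss(asset, compromise) + indirect_loss(asset, compromise)


def backup_saving(asset: Asset, compromise: Compromise) -> float:
    """How much of the loss a backup of the information would have avoided."""
    return total_loss(asset, compromise) - total_loss(replace(asset, backed_up=True), compromise)


def rank_exposure(assets: list[Asset], compromise: Compromise) -> list[tuple[str, float]]:
    """Assets ordered by total loss for the given kind of compromise, highest first."""
    scored = [(a.name, total_loss(a, compromise)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample register (not real figures).
SAMPLE_ASSETS = [
    Asset("field laptop", replacement_cost=1500.0, information_value=200_000.0, mission_criticality=4),
    Asset("card payment switch", replacement_cost=50_000.0, information_value=2_000_000.0,
          mission_criticality=5, backed_up=True),
    Asset("office printer", replacement_cost=800.0, information_value=500.0, mission_criticality=1),
]

if __name__ == "__main__":
    laptop = SAMPLE_ASSETS[0]
    for kind in Compromise:
        print(f"{kind.value:>15}: direct {direct_loss(laptop, kind):>10,.0f} "
              f"indirect {indirect_loss(laptop, kind):>10,.0f}")
    print("a backup would have saved", f"{backup_saving(laptop, Compromise.AVAILABILITY):,.0f}")
    for name, loss in rank_exposure(SAMPLE_ASSETS, Compromise.CONFIDENTIALITY):
        print(f"{name:<22} {loss:>12,.0f}")
```

Run as a script, the laptop's availability loss is dominated by the unrecoverable information rather than the 1,500 replacement cost, and the same laptop drops to the bottom of the confidentiality ranking once it is encrypted at rest; the ranking also shows that the backed-up payment switch is still the largest confidentiality exposure, because a backup does nothing for a disclosure.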
#pcidss #pcicompliance #informationsecurity #cybersecurity #business #riskmanagement
Comment from the author (4 years ago): I would recommend attendance of an ISMG event hosted by Tom Field.