Compliance - It’s Not Over When You Think It’s Over

Jim McNeill

Vanguard Integrity Professionals, Inc.

©2009 Vanguard Integrity Professionals, Inc.

According to Yahoo Finance

The 10 safest jobs during the recession include:

Compliance/Risk Officers

Ride the Compliance Wave!!!

Regulatory Compliance

International Regulations

  • PCI – Payment Card Industry

  • DPA - Data Protection Act

  • PIPEDA - Personal Information Protection and Electronic Documents Act

  • EU Data Privacy Directive

U.S. Compliance Regulations

  • PCI – Payment Card Industry

  • SOX - Sarbanes Oxley

  • HIPAA – Health Insurance Portability & Accountability Act

  • GLBA - Gramm-Leach-Bliley Act

  • Minnesota Plastic Card Act

  • California Security Breach (SB) 1386

  • FISMA - Federal Information Security Management Act

  • MMA - Medicare Prescription Drug, Improvement and Modernization Act

Compliance - You Can’t Do It By Yourself!

Why it’s Never Over:

  • Continuous turnover across diversified skill sets

  • Continuous Compliance Awareness Training

  • You Don’t Always Get Their Best People

PCI Requirements

Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data

  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data

  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software

  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know

  • Requirement 8: Assign a unique ID to each person with computer access

  • Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data

  • Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security

Security Checklist

  • What is a Security Checklist?

    • Provides detailed instructions to evaluate compliance

  • Where do you find Security Checklists?

    • PCI Data Security Requirements

    • SANS Information Security Management Audit Checklist

    • DISA Checklists

How Many DISA Checklists are There?

DISA RACF Checklist

The DISA RACF Checklist contains 300+ Requirements

DISA RACF Checklist Categories

STIG ZWMQ0049 for RACF

a) Ensure the following MQSeries/WebSphere MQ resource classes are active: MQADMIN, GMQADMIN, MQCONN, MQCMDS, MQQUEUE, GMQQUEUE, MQPROC, GMQPROC, MQNLIST, GMQNLIST

NOTE: If the MQADMIN resource class is not active, no security checking is performed.

b) If all the resource classes in (a) are active, there is NO FINDING.

c) If any resource class in (a) is inactive, this is a FINDING.
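
The RACF check above, automated as an added example (not from the presentation or from any Vanguard product): it reads the ACTIVE CLASSES section of a constructed SETROPTS LIST excerpt and reports a FINDING when any of the ten required MQ classes is missing. The report layout it parses (class names wrapped onto indented continuation lines up to the next "KEYWORD =" line) is an assumption.

```python
import re

# The ten MQ resource classes STIG ZWMQ0049 step (a) requires to be active.
REQUIRED_MQ_CLASSES = [
    "MQADMIN", "GMQADMIN", "MQCONN", "MQCMDS", "MQQUEUE",
    "GMQQUEUE", "MQPROC", "GMQPROC", "MQNLIST", "GMQNLIST",
]

# Constructed excerpt of a SETROPTS LIST report (not real output). Assumed
# layout: "ACTIVE CLASSES =" followed by class names, wrapped onto indented
# continuation lines, ending at the next "KEYWORD =" line in column 1.
SAMPLE_SETROPTS = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM) SAUDIT CMDVIOL OPERAUDIT
STATISTICS = NONE
ACTIVE CLASSES = DATASET USER GROUP FACILITY OPERCMDS SURROGAT
                 MQADMIN GMQADMIN MQCONN MQCMDS MQQUEUE GMQQUEUE
                 MQPROC GMQPROC MQNLIST
GENERIC PROFILE CLASSES = DATASET FACILITY MQADMIN MQQUEUE
"""

def parse_active_classes(report: str) -> set:
    """Collect the class names listed under ACTIVE CLASSES in a SETROPTS LIST report."""
    active = set()
    in_section = False
    for line in report.splitlines():
        if line.startswith("ACTIVE CLASSES ="):
            in_section = True
            active.update(line.split("=", 1)[1].split())
        elif in_section:
            # A new "KEYWORD =" line starting in column 1 ends the wrapped list.
            if re.match(r"\S[^=]*=", line):
                break
            active.update(line.split())
    return active

def evaluate_zwmq0049(report: str) -> dict:
    """Apply steps (b) and (c): FINDING if any required MQ class is inactive."""
    active = parse_active_classes(report)
    inactive = [c for c in REQUIRED_MQ_CLASSES if c not in active]
    result = {"finding": bool(inactive), "inactive": inactive}
    if "MQADMIN" in inactive:
        # Per the slide's NOTE: without MQADMIN no MQ security checking happens at all.
        result["note"] = "MQADMIN inactive: no MQ security checking is performed"
    return result

if __name__ == "__main__":
    print(evaluate_zwmq0049(SAMPLE_SETROPTS))
```

On the constructed sample the class GMQNLIST is missing from the active list, so the check reports a FINDING naming that one class.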

STIG ZWMQ0049 for Top Secret

a) Ensure the following MQSeries/WebSphere MQ security classes are defined to the TSS RDT: MQADMIN, MQCONN, MQCMDS, MQQUEUE, MQPROC, MQNLIST

b) Review ownership of each ssid. resource in the above resource classes.

NOTE: ssid is the queue manager name (a.k.a. subsystem identifier).

c) If all of the security classes in (a) are defined to the RDT and ownership in (b) is defined for each ssid., there is NO FINDING.

d) If any security class in (a) is not defined to the RDT or ownership in (b) is not defined for each ssid., this is a FINDING.

STIG ZWMQ0049 for ACF2

a) Ensure the following items are defined to ACF2:

1) The SYSTEM AUTHORIZATION FACILITY DEFINITIONS include an entry for MQSeries/WebSphere MQ as follows:

INSERT SAFDEF.MQS ID(MQS) FUNCRET(8) RETCODE(4) MODE(IGNORE) RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN) REP

2) The INTERNAL CLASMAP DEFINITIONS include the following entries:

INSERT CLASMAP.MQADMIN RESOURCE(MQADMIN) RSRCTYPE(MQA) ENTITYLN(62)

INSERT CLASMAP.MQQUEUE RESOURCE(MQQUEUE) RSRCTYPE(MQQ) ENTITYLN(53)

INSERT CLASMAP.MQNLIST RESOURCE(MQNLIST) RSRCTYPE(MQN) ENTITYLN(53)

INSERT CLASMAP.MQCMDS RESOURCE(MQCMDS) RSRCTYPE(MQC) ENTITYLN(22)

INSERT CLASMAP.MQCONN RESOURCE(MQCONN) RSRCTYPE(MQK) ENTITYLN(10)

INSERT CLASMAP.MQPROC RESOURCE(MQPROC) RSRCTYPE(MQP) ENTITYLN(53)

b) If all the resource classes in (a) are active, there is NO FINDING.

c) If any resource class in (a) is inactive, this is a FINDING.

Who Validates Compliance ?

  • A company’s Internal Auditors

  • A company’s External Auditors

  • Office of the Comptroller of the Currency (OCC) Audits

    • Ensures a safe and sound National Banking System

  • For PCI Compliance - Qualified Data Security Assessors (QDSA)

  • For the Government – Government Accountability Office (GAO)

PCI Non-Compliance Penalties

  • PCI-Noncompliance Penalties

    • Monthly fines from your merchant bank

    • Increased transaction fees

    • Potential barrier to changing merchant banks

    • Potential loss of ability to accept credit cards

  • PCI penalties if compromised due to non-compliance:

    • Potential fines of up to $500,000

    • All fraud losses

    • Cost of re-issuing cards associated with the compromise

    • Any other costs incurred by credit card issuers

    • Cost of any additional fraud prevention/detection activities

    • Forensic audit

  • PCI penalties if compromised while compliant:

    • Minimal, VISA will absorb most of the expenses

Regulations are Still Evolving

Lifecycle Process for Changes to PCI DSS

Compliance Drivers

System Components

  • Network Components

    • Firewalls, switches, routers, wireless access points, network & security appliances

  • Operating Systems

    • z/OS, Windows, Unix, Linux

  • Servers

    • Web, database, authentication, mail, proxy, NTP, domain name servers (DNS)

  • Applications

    • Includes all purchased and custom applications

  • Databases

    • DB2, Oracle, SQL

  • Conclusion:

    • The more System Components you have, the more work there is to become and stay compliant

Compliance Drivers

The Large Volume of Requirements

  • PCI DSS

    • Contains 200+ diversified/generic requirements

    • Requirements “expand” depending on system components

    • System components determine the workload

  • DISA STIG Checklists

    • There are 60+ checklists

    • The RACF Checklist contains 300 Requirements

    • Requirements apply to each system component

Compliance Drivers

  • Legislation (existing and new)

  • “Contractors Must Comply” clauses

  • New “System Components”

  • Acquisitions

    • Purchased a company that processes credit cards

  • New Applications

  • New Technology

    • Virtualization – Linux on z/VM

Regulatory Changes Affect Compliance

  • Regulatory Changes Require:

    • Changes to Information Security policy

    • System configuration changes

    • Changes to testing procedures

    • Changes to documentation

    • “Gap Analysis” projects

    • Remediation projects

    • Introduction of new applications (e.g. PCI Certified)

    • New technology (e.g. encryption)

    • Security awareness training

    • New security products (e.g. mainframe intrusion detection)

    • And the list goes on...

Recurring Assessments

Ongoing Validations and Certifications

  • Daily, Monthly, Quarterly, Semi-Annual and Annual Compliance requirements

  • PCI Requirement 12.9.2 – “Test the plan at least annually”

  • PCI requires annual Re-certification

    • Your opportunity to review all supporting documentation with a QSA

  • DISA Checklist requires Quarterly Re-certification

Sample of PCI Recurring Events

Supporting Documentation

  • NIST trademarked the phrase:

    “It’s not enough to be secure, you have to prove you’re secure™”

  • It’s Impossible to be Compliant without DOCUMENTATION, and Lots of it!!!

  • Even if you are compliant without a process, if records don’t exist to prove it, it may not count

Recommendations for Reducing the Compliance Workload

1. Become an “expert” on compliance requirements by reviewing:

  • “New Release” Documentation

  • “Summary of Changes” Documents

  • Supplemental Requirements Documents

  • FAQs

2. Look for Opportunities to Reduce the “Compliance Scope”

3. Understand the importance of well-defined, written security policies

Recommendations for Reducing the Compliance Workload

4. Map the Compliance Requirements to your Information Security Policy

5. Implement a Compliance Awareness Program

6. Implement Vendor Products that identify and automate processes

7. Develop and Maintain a Network Diagram and an Architecture / Application Data Flow Diagram

Recommendations for Reducing the Compliance Workload

8. Use “Subject Matter Experts” for advice and to perform a “Compliance Assessment” against Policy

9. Identify and Leverage “Regulatory Overlap”

  • Example: Network vulnerability assessments and penetration tests

10. Retain your Compliance Team

Vanguard Solutions

Compliance & Audit Suite Includes:

  • Vanguard inCompliance™

  • Vanguard Advisor™

  • Vanguard Analyzer™

  • Vanguard Enforcer™

  • Vanguard Policy Manager™

Conclusion

When it comes to Compliance:

It’s Not Over When You Think It’s Over,

It Just Goes On, and On, Forever...

References

  • Vanguard Integrity Professionals

    Using Vanguard Products to Support PCI Requirements

    http://www.go2vanguard.com

  • SANS Information Security Management Audit Checklist

    http://www.oispp.ca.gov/government/documents/docs/ISO_17799_2005-Checklist.doc

  • PCI Data Security Standards

    https://www.pcisecuritystandards.org/

  • National Institute of Standards and Technology (NIST)

    http://csrc.nist.gov/

  • DISA Security Checklists

    http://iase.disa.mil/stigs/checklist/index.html

Thank You!

For more information, please visit:

http://www.go2vanguard.com

[email protected]
