Blog

Cybersecurity Operations: Is Your Business Complying with These PCI-DSS Requirements?


Did you know that the Payment Card Industry Data Security Standard (PCI-DSS) requires that specific cybersecurity operations procedures be conducted on a periodic basis?

Depending on whether you’re a merchant or a service provider — and the nature of how you deal with credit cards — these mandatory procedures may include (but are not limited to):

DAILY

  • Security log reviews

MONTHLY

  • Patching of software and system components

QUARTERLY

  • Internal and external vulnerability scans

SEMI-ANNUAL

  • Firewall rule reviews

ANNUAL

Many of the operations processes required by the PCI-DSS must be executed not only at the specified interval but also whenever a change to the environment calls for it, such as a penetration test of a newly deployed application or a vulnerability scan of a new technology environment.

Take Note! Maintaining Records is a Must

The challenge from a compliance perspective is that executing these procedures is not enough: records must also be maintained, because you will need to demonstrate that the procedures took place if you are audited or become the subject of a breach investigation.

The PCI-DSS requires that these operations processes be executed according to documented procedures, and that the records demonstrate that these procedures were followed. Moreover, if an annual PCI-DSS assessment discovers that the execution of a periodic operations process was missed at some point over the last 12 months, that is potential grounds for your organization being deemed non-compliant.

Prepare to Succeed

“For every minute spent organizing, an hour is earned.” ~ Benjamin Franklin

It is simply not feasible to meet these PCI-DSS requirements without a formal cybersecurity operations program. Your organization needs to develop a plan for this program.

Step 1: List the periodic cybersecurity operations tasks required, with the required frequency.

Step 2: Document the procedures for the execution of each task.

Step 3: Assign personnel to execute the procedures and document the results.

Step 4: Assign one or more different personnel to review the records to make sure the procedures are being done.
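The review in Step 4 is easiest to do mechanically. The following is an added example, not code from the article: a small checker that takes the dated evidence records kept for each periodic task, the assessment window and a list of environment changes, and reports every interval that exceeded the required frequency plus every change that was not followed by its triggered task. The task names, the number of days allowed per period, the 30-day deadline for change-triggered work and all of the dates are assumptions and constructed sample data, not figures taken from the standard.

```python
"""Evidence-gap check for periodic PCI-DSS operations tasks.

Added example, not code from the article. Task names, allowed periods and the
change-triggered deadline are assumptions; the records below are constructed
sample evidence, not real audit data.
"""
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Longest permitted interval between consecutive executions of a task
# (assumed values with slight calendar slack; confirm with your assessor).
PERIOD_DAYS: Dict[str, int] = {
    "daily": 1, "monthly": 31, "quarterly": 92, "semi-annual": 183, "annual": 366,
}

# Required frequency per task, following the article's schedule plus the
# penetration test it mentions (assumed annual here).
TASK_FREQUENCY: Dict[str, str] = {
    "security log review": "daily",
    "patching": "monthly",
    "internal vulnerability scan": "quarterly",
    "external vulnerability scan": "quarterly",
    "firewall rule review": "semi-annual",
    "penetration test": "annual",
}

# Assumed: a task triggered by an environment change must be evidenced
# within this many days of the change.
CHANGE_DEADLINE_DAYS = 30

Gap = Tuple[date, date, int]      # (interval start, interval end, days)
Change = Tuple[date, str, str]    # (change date, description, task it triggers)


def find_gaps(task: str, records: List[date], start: date, end: date) -> List[Gap]:
    """Return every interval inside [start, end] longer than the task's period.

    The window edges act as boundaries, so a task that went stale before the
    window closed is reported too. A task with no record at all in the window
    is always a finding, even when its period is as long as the window.
    """
    allowed = PERIOD_DAYS[TASK_FREQUENCY[task]]
    in_window = sorted(d for d in records if start <= d <= end)
    if not in_window:
        return [(start, end, (end - start).days)]
    points = [start] + in_window + [end]
    return [(a, b, (b - a).days) for a, b in zip(points, points[1:])
            if (b - a).days > allowed]


def find_missed_triggers(changes: List[Change], records: Dict[str, List[date]]) -> List[Change]:
    """Return changes whose required task has no record within the deadline."""
    missed = []
    for when, description, task in changes:
        deadline = when + timedelta(days=CHANGE_DEADLINE_DAYS)
        if not any(when <= d <= deadline for d in records.get(task, [])):
            missed.append((when, description, task))
    return missed


def audit(records: Dict[str, List[date]], changes: List[Change],
          start: date, end: date) -> Dict[str, list]:
    """Combine the periodic and change-triggered checks into one findings map."""
    findings: Dict[str, list] = {}
    for task in TASK_FREQUENCY:
        gaps = find_gaps(task, records.get(task, []), start, end)
        if gaps:
            findings[task] = gaps
    missed = find_missed_triggers(changes, records)
    if missed:
        findings["change-triggered"] = missed
    return findings


# Constructed sample evidence for one assessment window (not real data).
WINDOW_START, WINDOW_END = date(2023, 1, 1), date(2023, 12, 31)
SAMPLE_RECORDS: Dict[str, List[date]] = {
    # Every day except one (day index 200, i.e. 2023-07-20, is missing).
    "security log review": [WINDOW_START + timedelta(days=i) for i in range(365) if i != 200],
    # July's patch cycle was skipped.
    "patching": [date(2023, m, 5) for m in (1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 12)],
    "internal vulnerability scan": [date(2023, 1, 15), date(2023, 4, 10), date(2023, 8, 20), date(2023, 11, 1)],
    "external vulnerability scan": [date(2023, 1, 15), date(2023, 4, 10), date(2023, 7, 5), date(2023, 10, 2)],
    "firewall rule review": [date(2023, 2, 15), date(2023, 8, 10)],
    "penetration test": [date(2023, 6, 1)],
}
SAMPLE_CHANGES: List[Change] = [
    (date(2023, 5, 2), "new customer-facing web application", "penetration test"),
    (date(2023, 9, 12), "new network segment added to the CDE", "internal vulnerability scan"),
]


def run_sample() -> Dict[str, list]:
    return audit(SAMPLE_RECORDS, SAMPLE_CHANGES, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for task, items in run_sample().items():
        print(f"{task}:")
        for item in items:
            print(f"  {item}")
```

On the sample data the checker flags the two-day hole in the daily log review, the 61-day gap in patching across July, the 132-day gap between internal scans, and the new network segment that was never followed by a scan within the deadline; the external scans, firewall reviews and the post-deployment penetration test pass. Feeding it your real ticket or scan-export dates is the reviewer's check, and the windowed-boundary logic is what catches a task that was done on time for most of the year but went stale before the assessment date.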

As you go through this exercise, you’ll likely discover that you aren’t sure how to interpret a particular operations requirement, or that you don’t have sufficient personnel to execute the procedures according to the prescribed frequency.

If that is the case, you may need to contract outside assistance to work with you to develop some of the procedures, or to handle some of the operations tasks. Maybe you’ll need to hire more personnel or reassign existing personnel away from lower priorities.

You won’t know until you develop the plan. And you won’t achieve PCI-DSS compliance without a formal cybersecurity operations program.

Dominic Genzano is the CEO and Founder of STIGroup, an Information Security Consulting firm that provides a full suite of Information Security services. In his role, Dominic leads the continued development of the CyberSecurity services strategy. As an established cybersecurity industry expert, and a principal consultant of STIGroup, he has led significant security initiatives for major private corporations and public sector entities. Dominic can be reached at dom@stig.net.


Your Cyber Incident Response Exercise

The Payment Card Industry Data Security Standard (PCI-DSS) requires organizations that accept credit card payments to:

  • “Create an incident response plan to be implemented in the event of a system breach”
  • “Review and test the plan” (minimally on an annual basis)
  • “Provide appropriate training to staff with security breach responsibilities”
  • “Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments”

Most organizations that accept credit card payments aren’t in the business of cybersecurity. The idea of a data breach is difficult to grasp.

What are the ways that it could happen? How can you guard against it? How would you know if a breach happened? What would you do about it if you knew a breach had occurred? What would be the consequences to your business?

Required Cybersecurity Controls

The PCI-DSS requires that your organization implement a specific set of cybersecurity controls, based on how your organization deals with credit card information. These cybersecurity controls are intended to prevent a security breach that would put credit card information at risk, and allow you to detect a breach should it occur.

But data breaches happen every day, and often go undetected for extended periods of time, even when the required cybersecurity controls are in place.

In many cases, organizations are completely unaware that a data breach may have occurred until their merchant bank or payment processor contacts them to inform them that fraud was reported for a large number of credit cards that were recently used to transact with their business.

Your Organization’s Vital Incident Response Test

The incident response test required by the PCI-DSS, if conducted properly, provides your organization with:

1. Invaluable preparation to respond to a suspected or confirmed breach

2. An effective means of continually improving your organization’s cybersecurity program to prevent a breach from occurring in the first place

In the context of PCI certification, and general cybersecurity best practices, an “incident response test” is essentially a tabletop exercise: a meeting where a few potential breach scenarios are discussed in some detail with the relevant members of your organization, and potentially third-party service providers who would be involved in the case of a breach.

What Would You Do If …

The exercise of discussing potential breach scenarios is vital because you don’t want the first time your organization asks “what should I do if …” to be during an actual breach. These scenarios must be discussed among the team before a breach occurs, at a safe distance from an actual event, so that the members of your team can think clearly.

Questions come up during such exercises that change your perspective and allow your organization to significantly improve your incident response capability with relatively small investments of time and money:

  • Who are you required to notify? Banks, processors, business partners, customers?
  • Are you sure that you have the correct contact information?
  • What would you tell them?
  • Where would you find the information you need from the systems to find out what happened?
  • Would you understand what you were looking at?
  • How would you determine the extent of the breach, or even make certain that there was a breach?
  • Do you have the tools that you would need to even try any of this?
  • If the response to such a breach is outside of your capabilities, who would you call? Do you have an arrangement in place to get the help when you need it?

These can be scary questions of course, but it’s better to ask them now, and to have thought them through to a reasonable degree ahead of time so that you can be prepared to act decisively and responsibly, even if that just means knowing who to call.

This is the intent of the incident response planning and testing requirements of the PCI-DSS: to prepare your organization as best as possible to minimize the damage of a security breach, thereby (hopefully) minimizing the amount of credit card information put at risk.

Taking Proactive Steps

The real value of a cyber incident response exercise is when the questions start to move in a proactive direction:

  • How would you detect such a breach?
  • How can you alter your security monitoring processes to detect such breach activity faster?
  • Now how can you adjust existing security controls, or implement new ones, to better prevent such a breach from occurring in the first place?

These are the types of questions that result in the continued improvement of your cybersecurity program, and take you past just ‘checking the box’ for your PCI-DSS certification, to a place where you are actually protecting your information.

Even if you work with a company like Constellation Payments for payment processing/merchant services that reduces your PCI scope, your organization should conduct an incident response test to ensure that the proper safeguards are in place at the organization/employee level.

I hope this article gives you a good starting point to develop your own incident response test. If you have any questions on performing an incident response test at your organization, or questions around cybersecurity, feel free to reach out to me at dom@stig.net.

Dominic Genzano is the CEO and co-founder of STIGroup, an Information Security Consulting firm that provides a full suite of Information Security services. In his role, Dominic leads the continued development of the CyberSecurity services strategy. As an established cybersecurity industry expert, and a principal consultant of STIGroup, he has led significant security initiatives for major private corporations and public sector entities. Dominic can be reached at dom@stig.net.


Step Up Employee Cybersecurity Training with These 3 Resources

We talk a lot about putting technology security controls in place to keep your payment data safe.

But did you know that the vast majority of cybersecurity incidents involve some form of human error?

That means it’s just as important to ensure your employees are properly educated and trained to protect your business from cyber crime.

Now you might be thinking: “But I’m a small business … I’m not likely a target.” Think again.

Cyber thieves know that small businesses don’t have the resources to invest heavily in cybersecurity, which puts small businesses at even greater risk than large ones … all the more reason to make employee cybersecurity training a top priority.
