
INFORMATION SECURITY ESSENTIAL GUIDE TO COMPLIANCE
You need to be nimble and proactive about compliance efforts in order to build a comprehensive program. That means learning more about risk assessment frameworks and global regulations while maintaining your established privacy and PCI programs.

INSIDE

6 DATA and You
12 Navigating Data Privacy, Security and Management Across Borders
18 Sizing Up Risk
26 Hurdle Cultural Barriers to Compliance
28 PCI DSS 2.0: PCI Assessment Changes Explained

INFOSECURITYMAG.COM


CONTENTS

FEATURES

6 DATA PROTECTION
DATA and You
The Data Accountability and Trust Act, if passed into law, would create a national standard for privacy and data protection. BY RICHARD E. MACKEY, JR.

12 INTERNATIONAL REGULATIONS
Navigating Data Privacy, Security and Management Across Borders
Companies should revisit streamlined global data operations with an eye toward revamping compliance. BY CYNTHIA O'DONOGHUE, KATHARINA A. WEIMER AND AMY MUSHAHWAR

18 RISK METHODOLOGIES
Sizing Up Risk
There are a lot of risk assessment frameworks out there. Here's what you need to know in order to pick the right one. BY RICHARD E. MACKEY, JR.

26 BUSINESS INTEGRATION
Hurdle Cultural Barriers to Compliance
Engage stakeholders frequently about their role in compliance and reducing risk inside your organization. BY ERIC HOLMQUIST

ALSO

28 PCI DSS 2.0
PCI Assessment Changes Explained
The latest update to PCI is relatively minor, but that doesn't mean security and compliance managers can afford to slack. BY ED MOYLE

4 EDITOR'S DESK
Has Compliance Stifled Security Innovation?
Enterprises, driven by regulations, continue to shoot for a bare minimum set of security controls. That approach is impacting innovation. BY MICHAEL S. MIMOSO

33 SPONSOR RESOURCES


EDITOR'S DESK

Has Compliance Stifled Security Innovation?

Enterprises, driven by regulations, continue to shoot for a bare minimum set of security controls. That approach is impacting innovation.
BY MICHAEL S. MIMOSO


IF YOU PITCH your boss for the latest and greatest security technology, is your boss's first question whether you'll incur a fine if you don't? Does your IT decision maker fear an auditor more than an attacker? This is the influence compliance, PCI DSS compliance in particular, has inside enterprises and, bigger picture, on innovation.

Companies invest more in protecting custodial data than corporate secrets, despite the balance of value between the two leaning toward corporate secrets. Sure it's costly if you lose PCI data in a breach, but if your trade secrets are in the clear, does your business have long to live? Yet it's the checkmark that gets the pretty girl at the dance. And some think concurrently that PCI is turning innovation into a wallflower.

Security observers and experts don't put all the blame on PCI; security is a bloated market with dozens of products addressing dozens of threats in dozens of ways. Complexity and a still unsteady economy force people to look for a crutch to lean on. PCI is a convenient one because it mandates controls more than most other industry and federal regulations.

"It's tough to spend on innovative solutions that aren't required," says 451 Group analyst Joshua Corman. Blame the vendors too. Blame them for still selling based on fear, uncertainty and doubt. FUD doesn't hold up when there's no money to spend on something that might happen. Sure you might get attacked, but you will get fined. So whatever satisfies the auditor gets the resources.

"What we're left with is instead of doing the best we could, now we're doing what's mandatory," Corman says. "We do that and not a whole lot more."

Regulations, in theory, are supposed to be the bare minimum set of controls you have to manage. They're not the end game, yet most companies shoot for just the bare minimum, which isn't good enough. That's why firewalls, antivirus, encryption, vulnerability management, log management and IDS remain top-of-mind security technologies. Nothing wrong with that list, but most organizations' arsenals don't go much deeper. And if they do, as in the case of Web application firewalls, it's only because they're specifically called out by PCI 6.6, for example.

If you look at this issue of innovation vs. compliance from a business point of view, vendors will tell you that compliance, by setting that minimum standard, influences spending and stimulates certain markets. Vendors actually are competitive in those markets, products improve in a relatively short period of time and prices go down.

Paul Judge, chief research officer and VP at Barracuda Networks, founded Purewire and was in on the ground floor at Secure Computing and CipherTrust. He's a VC too. He says compliance is about enforcing best practices for a class of constituents, be they consumers or health care patients, for example.

"When you enforce best practices, you do influence spending," Judge says. "When you compete on those fronts, it creates better products for the market and you're creating innovation on one of those fronts. If a problem is real and [a control is] mandated by legislation, you have a beautiful thing where everyone benefits from the vast improvements in a short amount of time versus a market that is stagnant without motivation."

Judge's best example is that of Web application firewalls. WAF appliances can be had for relatively cheap today, compared to five years ago when he says the price was as much as 10 times more. WAFs are built into proxy appliances today, or can even be integrated into a load balancer. Because of the mandates in PCI 6.6, WAF has evolved into a technology that's within reach of most of the market, more of a commodity.

"This frees budget for more," Judge says. "You can stop hitting your head against the wall for some problems."

Compliance is a complex monster that governs the direction of most IT security organizations. You're still a cost center, yet you understand threats and risks better than anyone else. And you understand the shortcomings of shooting for a bare minimum standard. Keep making your case to management that innovative solutions have merit beyond a checkbox. Prove your business case for these defensive technologies, because if you don't influence spending, the market won't innovate and when new threats arrive, your holster is going to be empty.

Michael S. Mimoso is Editorial Director of the Security Media Group at TechTarget. Send comments on this column to feedback@infosecuritymag.com.


DATA PROTECTION

DATA and You

The Data Accountability and Trust Act, if passed into law, would create a national standard for privacy and data protection.
BY RICHARD E. MACKEY, JR.


THERE ARE CURRENTLY more than 40 different state and territorial laws that require organizations entrusted with personally identifiable information to notify individuals when their information has been exposed to unauthorized parties. These laws range from those only requiring notification to those that mandate full security programs designed to prevent breaches in the first place. They define personally identifiable information differently, require different notification processes and force organizations to deal not only with the victims of the breach, but also the attorneys general of all the states where victims reside. The complexity and cost of notification, let alone the difficulty of ensuring compliance with security program requirements, is daunting.

Still, breaches that lead to identity theft happen regularly and people expect organizations to be held accountable for the security of their personal information. Politicians have heard the public outcry and have recognized that there is a need for more uniform protection of personal data and more manageable and predictable notification processes. Consequently, every year there seem to be a handful of new proposed federal laws to address the growing problem of sloppy handling of personal information and breaches.

At the end of 2009, the U.S. House of Representatives passed the Data Accountability and Trust Act of 2009 (DATA). If passed by the Senate and signed into law, DATA would supersede existing state laws and thereby eliminate the complex array of notification procedures and the myriad protection mechanisms required by the states. The proposed law would also provide a universal definition of personally identifiable information, appoint the Federal Trade Commission to specify regulations and enforce compliance, and require organizations to implement formal security programs to prevent unauthorized access to personally identifiable information. Compared to other data protection legislative efforts, DATA's passage in the House makes it the only bill to gather the necessary support in either chamber. Its impact is potentially far reaching, and organizations should understand how it might affect them.


PERSONAL INFORMATION DEFINED


At the heart of DATA, or any data protection law, is the definition of personally identifiable information. The definition is critical because it not only spells out what types of information need to be protected, but also helps organizations strip out elements of data sets to avoid having to protect them. This practice, known as scrubbing, is commonly used to protect credit card numbers and Social Security numbers by masking all but the last four digits.

DATA defines personal information as an individual's first name or initial and last name, or address, or phone number, in combination with any one or more of the following data elements for that person:

• Social Security number;
• Driver's license number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
• Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account.

This definition is similar to most state breach laws, with some notable differences: it does not consider a financial account number alone (without a PIN or password) sensitive. In addition, unlike another proposed federal law (S. 1490, the Personal Data Privacy and Security Act), DATA makes no mention of mother's maiden name as sensitive (even though it is often used to authenticate an individual's identity).


The law would provide room for the FTC to modify the definition of personal information as necessary to accomplish the goals of the act as long as these changes do not unreasonably impede interstate commerce.

APPLICATION AND ENFORCEMENT


As proposed, DATA will be regulated and enforced by the FTC. Consequently, the legislation applies only to those entities over which the FTC has jurisdiction. Even though DATA states that it applies to persons, partnerships, or corporations engaged in interstate commerce, it does not apply to all organizations. One of the most significant repercussions of the appointment of the FTC is the limit of the legislation's jurisdiction; the FTC does not regulate banks, savings and loans, or common carriers such as airlines and railroads.

However, the FTC is not the only enforcer of the law. DATA also carves out room for state attorneys general to take action against violators. They are empowered to enjoin further violation, compel compliance, or obtain civil penalties. In other words, state attorneys general have about the same power they have under the current state laws. The FTC or U.S. Attorney General, though, could intervene and limit state prosecution while federal actions are pending.


PREVENTATIVE CONTROLS
One of the ways DATA distinguishes itself from state laws that simply deal with breach notification is that it requires organizations to implement a security program designed to prevent compromise of the information. Organizations need to:

• Appoint a person as a point of contact who is responsible for overseeing the program;
• Document a security policy for the collection, use, sale, dissemination, and maintenance of personal information;
• Establish contracts with third parties with access to the information to establish controls meeting the requirements of the act;
• Establish a process to identify risks and vulnerabilities and implement administrative and technical controls to mitigate the risk of compromise of the information;
• Define and implement a process for securely disposing of both digital and paper records including personal information.

The security controls required by DATA are similar to those required by state regulations such as Massachusetts 201 CMR 17; they include a risk assessment, a vulnerability assessment, testing, remediation, and secure destruction and disposal of personal information. One notable exception is that DATA only requires organizations to establish contracts with third parties to protect personal information; it does not require definition of the policy and procedure for vetting the security practices of these organizations. Some state and federal regulations, most notably 201 CMR 17 and HIPAA, provide more in-depth requirements for dealing with business associates and service providers. This may be an area that the FTC will spell out more clearly if DATA becomes law.

The legislation also does not provide requirements for where encryption is required. State laws and regulations from Massachusetts and Nevada require encryption of personal information when it is transmitted over public networks or stored on removable devices. This may also be an area eventually addressed by FTC regulations or guidance.

Information Brokers in the Crosshairs

Companies that collect personal data face extra requirements under DATA.

A MAJOR DIFFERENCE between state laws and DATA is the set of special requirements for information brokers. DATA requires information brokers to implement additional controls and program elements to those required by data owners. This provision is likely an attempt to avoid another breach like the one involving ChoicePoint in 2005 by making data brokers accountable for the information they collect and sell.

The legislation defines information brokers as a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers. Information brokers collect such data in order to sell it or provide third party access to it for a fee; they may either collect information themselves or contract others to collect and maintain the information. The definition specifically excludes entities that maintain information about employees, customers, or former customers.

Under DATA, information brokers must establish reasonable procedures to assure the accuracy of personal information they collect, assemble, or maintain. In addition to striving to maintain accuracy, they must support a program to respond to individuals' written requests to provide information assembled about them once per year. These responses must be provided at no cost to the individual and the method for submitting requests must be conspicuously advertised on the organization's website. Individuals must also be able to use this method for expressing a preference as to how their information might be used for marketing purposes.

If someone finds inaccuracies, the information broker must provide a mechanism for the individual to request changes to correct the inaccuracies. If the broker is not the source of the information (e.g., the data was harvested from public records), the broker must provide the person the source of the information and a method for correcting the inaccuracy at the source organization. The individual may provide proof that the public record has been corrected and require the information broker to correct its version of the information. Someone may also require a broker to mark the information as disputed if it hasn't been corrected.

As proposed by DATA, when an information broker has a breach, it must follow the same reporting procedures as other businesses. However, these organizations must also submit the policies governing their personal data protection program to the FTC as part of the notification and may be required to undergo an FTC security audit. The FTC has the right to request an information broker's policy at any time.

RICHARD E. MACKEY, JR.

BREACH NOTIFICATION RULES


Any organization that has gone through the process of breach notification according to multiple state laws would likely welcome the single set of rules that would come from a federal law. DATA defines breach of security as the unauthorized access to or acquisition of data in electronic form containing personal information. However, the legislation allows the data owner to avoid the process of notification if the data owner determines that there is no reasonable risk of identity theft, fraud, or unlawful activity. While this is a rather broad statement, it means, at a minimum, that information that was encrypted and exposed to unauthorized parties would not be considered breached.

In the event of a breach, DATA requires data owners to notify the FTC and directly notify each individual throughout the U.S. whose data has been exposed. This notification must take place within 60 days of discovery of the breach. The data owner may send notice in writing or electronically. However, electronic notification is only acceptable if the individual has consented to receiving official communications in that manner. In cases where the data owner does not have complete contact information for all individuals, the data owner may use email to the full extent possible, publish a notice on its website, and issue notification in print and broadcast media for areas where the victims reside.

The notification must include a description of the information breached and a toll-free number to inquire about the breach. The letter must also include an offer to receive free quarterly credit reports for two years or a credit monitoring service. The individual must also be given toll-free numbers for credit reporting agencies and contact information for the FTC to learn about identity theft.


PENALTIES
DATA sets out steep penalties for violations, which come in two types: failure to comply with security program requirements, and failure to follow the breach notification rules. The two types of penalties are calculated differently. The amount for security program penalties is based on the number of days the organization is found to be non-compliant multiplied by a maximum of $11,000 per day. Notification penalties are calculated by multiplying the number of violations (individuals they failed to notify) by an $11,000 maximum. Each failure to send notification is considered a separate violation. The Act sets the maximum civil penalty for violations of each type to $5 million, making it possible for a single organization to pay up to $10 million for a combination of security program and notification violations.


LOOKING AHEAD
The biggest difference between existing state laws and the proposed federal laws (both DATA and other similar bills) is the inclusion of special requirements for information brokers (see p. 25). This special treatment will not be taken well by the large organizations in the information broker business as it increases cost substantially. It will be interesting to see how information brokers and businesses in general react to these bills as they are debated in the Senate. Maplight.org, a nonprofit, nonpartisan research organization that tracks money and influence in the U.S. Congress, shows that the backers of the bill receive campaign contributions from finance companies and credit agencies. This makes sense as both these groups would benefit from stronger identity controls. Maplight.org shows no money associated with opposition to the bill, at least not as yet.

DATA clearly has benefits for the general population and, whether they want to admit it or not, businesses that will need to notify people when breaches occur. The overall approach of ensuring that organizations formally protect information, implement sound technical controls that include risk assessment and treatment, and follow a uniform set of notification and support procedures promises to reduce the incidence of identity compromise and create incentives to improve overall security.
Richard E. Mackey, Jr. is vice president of consulting at SystemExperts, an information security-services firm. Send comments on this article to feedback@infosecuritymag.com.


INTERNATIONAL REGULATIONS

Navigating Data Privacy, Security and Management Across Borders

Companies should revisit streamlined global data operations with an eye toward revamping compliance.
BY CYNTHIA O'DONOGHUE, KATHARINA A. WEIMER AND AMY MUSHAHWAR


WITH THE GLOBAL economic downturn, economies of scale are of increasing importance, and to achieve cost synergies, many companies have shed their geographic silos in favor of a streamlined centralized data infrastructure. Far more multinational companies with offices on all continents and production facilities in multiple countries share centralized databases, processing capabilities and even IT support teams that make integrated production possible on a 24/7 basis. While we have seen many industries such as life sciences, real estate and entertainment streamline their IT operations, all have one item in common: they store personal employee, customer, supplier and website visitor data. With the myriad data privacy, security and management laws that exist in the U.S. and abroad, data privacy compliance can be a difficult area to navigate.


By now, most companies understand that U.S. federal, state and local governments have woven an intricate web of laws protecting many aspects of Americans' privacy (i.e., banking, telecom services, higher education, health care, financial services). Even with all of its privacy laws, the U.S. leaves some areas of personal data-processing largely unregulated.

Unlike the U.S. sectoral approach, the EU views privacy as a fundamental human right and has an omnibus data protection law that regulates the collection and handling of information related to identifiable individuals: European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (the EU Directive). Bear in mind that the legislative tool the EU selected for privacy law, a directive, requires each EU member state to enact its own local law adopting (or transposing) the directive into national legislation. Therefore, the text of the EU Data Protection Directive offers only a blueprint or framework for data privacy laws across Europe. National legislation implementing the directive has resulted in variations among EU member states.

Over the years, we have witnessed the compliance issues and various legal conflicts of law that spring from this cross-border culture clash. We will identify a few typical scenarios that require some international data privacy, security and management issue-spotting.

U.S. Privacy Framework Lagging

There are efforts underway by the Federal Trade Commission and the Department of Commerce to develop a comprehensive and uniform privacy policy for the U.S. But these uniformity proposals are likely to take years to fully implement and there does not appear to be a consensus as to whether either agency's efforts alone can assist with closing the sectoral privacy gaps. It is safe to say that the U.S. is several years away from a fully comprehensive privacy framework.

DATA INTEGRATION ISSUES TO WATCH OUT FOR


BUSINESS INTEGRATION

PCI DSS 2.0

SPONSOR RESOURCES

Before we begin, we would like you to imagine a midsized company, Doggies Night Out (DNO, Inc.), a high-end manufacturer of canine retractable leashes with built-in flash lights, treats and waste disposal bags headquartered in the U.S. DNO, Inc. already has several offices across the U.S., a manufacturing site in China, and subsidiaries across South America, and it intends to acquire a German manufacturer of designer cat collars called Feline Fun AG, with nearly 100 local employees. This little gem is for sale at a bargain-basement price and DNO, after some due diligence, proceeds with the acquisition.

Following the purchase, DNO's general counsel would like to know everything about Feline Fun, including all information about the employees. DNO wishes to maintain ongoing data flows about the general business operations and activities of Feline Fun to fully integrate it and leverage its data capture and analytics tools globally (such as those for employees, job applicants, customer data, suppliers, third-party partners, purchased data, conferences, and market research). Such data integration would necessitate the transfer of personal data of European citizens to the U.S. headquarters of DNO, Inc. Not surprisingly, the internal data protection officer of Feline Fun has some objections.

Immediately upon hearing the data integration plans, the internal German data protection officer reminds the U.S.-based general counsel that the EU Directive regulates the processing of individuals' personal data, a much broader concept than what is referred to in the U.S. as personally identifiable information. He explains that the broad definition covers nearly all information that DNO, Inc. would like to integrate. DNO, Inc. knew that certain information fields (or combinations of information fields) were protected under U.S. law; for example, items such as a name and account number could be protected personal financial information under the U.S. Gramm-Leach-Bliley Act. Presently, however, there is little U.S. regulation governing the collection of information. For instance, while the EU Directive regulates the mere independent collection of an individual's name, email address, or IP address, the U.S. does not unless an individual's name is collected in conjunction with other information, such as an individual's Social Security number. The German data protection officer made DNO, Inc. aware that such limited information fields are only starting to be considered by U.S. federal regulators as part of the FTC privacy proceeding.

Practically speaking, the broad concept of personal data under the EU Directive requires Feline Fun to examine two items for nearly all individual information it wishes to transfer to DNO, Inc.: (1) the legal basis for transferring the data, and (2) whether the transfer is to a country with data protection laws sufficiently similar to those in the EU, such that those laws provide adequate protection to the data, or a legal transfer method.
Local Compliance with Data Transfer Requirements: According to EU and German law, before any processing of personal data may be undertaken (including transfer), there must be a legal basis to do so. The legal basis for transfer is satisfied if the transfer is necessary for the fulfillment of a contract or a contractual relationship with the data subject, i.e., the person whose data is to be transferred. For instance, personnel data can be transferred if and to the extent such transfer is necessary for the fulfillment of the employment contract. We must emphasize "necessary," which means more than plain usefulness: the transfer must be required for the employment relationship. Transfer of customer data can sometimes be based on the contract with the customer; for instance, if the contract will be fulfilled out of another site and the other site requires the customer information for its performance. While these two examples tend to be the most common, other legal bases exist. As a last resort, the data controller can always try to obtain the individual's consent to the processing, but any such consent must be voluntary (already disputable in an employment relationship), informed and revocable; it should therefore not be the first choice for establishing a legally secure way of transferring personal data.

Transferring Data to a Country with Adequate Protection or an Appropriate Legal Process Alternative: Any recipient of personal data located outside the European Economic Area (EEA) must generally provide an adequate level of protection to personal data. Countries whose privacy laws have been recognized as adequate, akin to those in the EU/EEA, include Switzerland, Canada, Argentina, the Isle of Man, Guernsey, Jersey, Israel and Andorra, and data may be transferred to companies located there. Transfer is also permissible to U.S. companies that participate in the Department of Commerce Safe Harbor Program. Such companies must self-certify that their data privacy, security and management practices provide adequate protection, and must re-certify to the Department of Commerce annually thereafter; this is always provided that the processing step as such, i.e., the transfer, is permissible on one of the legal bases described above. To be eligible to submit a U.S.-EU Safe Harbor self-certification, an organization can (1) join a self-regulatory privacy program that adheres to the U.S.-EU Safe Harbor Framework's requirements, or (2) develop its own self-regulatory privacy policy that conforms to the U.S.-EU Safe Harbor Framework.

The Feline Fun data protection officer learns that all data will be transferred from Germany to the U.S. and that DNO, Inc. has not self-certified under the Safe Harbor Program. But an adequate level of protection may be achieved by other means: (1) Feline Fun and DNO, Inc. could enter into a set of contractual clauses approved by the European Commission as establishing an adequate level of protection (Model Clauses), or (2) DNO, Inc. could establish Binding Corporate Rules (BCRs) for its entire group that are approved by a lead data protection authority in Europe.

Approximately 50 U.S. companies per month file initial self-certifications to the Safe Harbor program, and approximately 150 companies submit annual re-certifications. More than 50 percent of the companies in Safe Harbor have joined during the past two years. Currently, more than 2,100 companies are on the Safe Harbor list.
Placed in context, this means that more companies join Safe Harbor in a single month than the total number of companies that have obtained approval for BCRs to date. This trend is counter-intuitive, given the recent statements of the Düsseldorfer Kreis (a body formed by the German data protection authorities) and other EU member state bodies issuing critical opinions regarding the Safe Harbor program. Practitioners point to the following items as potential reasons for Safe Harbor's increased popularity at the moment:

Greater control for the U.S. company. Safe Harbor primarily requires the U.S. company to undertake the relevant compliance steps, and requires little to no significant local affiliate involvement.

Enhanced brand reputation for outsourcing providers and satisfaction of EU customer requirements. The Swiss Federal Data Protection and Information Commissioner (Swiss DPA) has recently established the U.S.-Swiss Safe Harbor Framework with the United States.

Streamlining of local filing procedures. In a number of EU member states, cross-border transfers of EU personal data trigger registration requirements with the data protection authorities. In some of these countries, Safe Harbor facilitates the local registration process by avoiding the procedural approvals that apply to the use of Model Contracts and the substantive approvals for BCRs.

Avoiding the administrative burden of maintaining several versions of Model Contracts.

However, there are as many good reasons to join Safe Harbor, or to use Safe Harbor as a baseline to authorize certain data transfers, as there are good reasons why Safe Harbor may not be sufficient for all data transfers. Some negative aspects of Safe Harbor include:

FTC enforcement. The promise to comply with Safe Harbor is ultimately subject to the enforcement authority of the FTC.

Some data transfers are not eligible for coverage by Safe Harbor. U.S. companies are only eligible to join Safe Harbor to protect certain transfers of EU personal data to the United States. Other transfers within a global enterprise, such as transfers from the EU to Asia or Latin America, are not covered by Safe Harbor. Likewise, financial institutions and other organizations that fall outside the scope of FTC and DOT authority are not eligible to join Safe Harbor, even if they are located in the United States.
Likewise, even in the context of e-discovery, attorneys must address whether cross-border data transfers are permissible under local EU law. This is typically viewed as a prime area of conflict, and transfers of data for purposes of litigation may expose the EU affiliate to liability.

With this general data transfer background, we also identify a few other issue-spotting items that we have seen recur over the years.

EU EMPLOYEES ENJOY MORE PRIVACY PROTECTIONS


Implementing data integration measures along the lines of those proposed by DNO, Inc. may be common sense to any U.S. company, but integrating the data of European affiliates may trigger a variety of issues, such as whistleblower protections. A person whose behavior is reported through an employer-provided hotline retains his or her data privacy rights, yet his or her personal details have been communicated to a third party in a country without adequate protection and without his or her knowledge. Employee monitoring, likewise, is a sensitive topic in Europe; every country has different rules and, generally speaking, employees have a rightful expectation of privacy even in the work environment. The employee's (potentially private) use of the telecommunications infrastructure provided by the employer may trigger obligations of secrecy vis-à-vis the employee: the employer may not be able to access the employee's communications or even Internet history.

USING WEBSITE ADVERTISING AND ANALYTICS IN THE EU


If DNO, Inc. were to integrate website advertising and analytics operations, there may also be issues. Recently, German data protection authorities have been in discussions with Google about the legitimacy of its analytics programs under German data protection law and came to the conclusion that analytics currently does not provide adequate safeguards to the consumer. The authorities objected to the use of IP addresses, which they consider personal data. Court decisions differ on this point: some consider an IP address to be personal data, others do not. While it is ultimately up to a court to decide, the initial assessment will be carried out by the data protection authorities and their opinion should be carefully considered. It should also be noted that the U.S. FTC has made recent statements that an IP address may be included in the definition of protected personally identifiable information. Google demonstrated goodwill by building an anonymization option into the software and additionally providing a browser plug-in with which Internet users can object to the collection of their IP address, but this did not satisfy the data protection authorities' requirements: the anonymization is at the discretion of the website operator, and the plug-in does not work for all browsers. As the issue has yet to be resolved, there is a risk that the authorities may proceed against website operators that use analytics without consumer opt-in.

IT MAY BE RAINING CATS AND DOGS BUT THERE ARE TOOLS TO WEATHER THE STORM
Decisions by multinationals to centralize data should not be taken lightly. The complexity of EU data protection law poses special problems and must be considered fully as part of any data centralization initiative. Recently, the U.S. has made attempts to move closer to EU-style data protection, but these efforts will not come to fruition for some time. The data compliance scramble should not stop U.S. companies from wading out into the storm to access the wide variety of personal data available from EU entities. Rather, the philosophical and jurisprudential gap can be bridged by relying on the tools available to organizations that allow them to transfer data, while being mindful that the EU takes its obligation to safeguard its citizens' privacy very seriously.
Cynthia O'Donoghue is a partner and co-practice leader of Reed Smith LLP's Data Privacy, Security and Management group and is based in London. Katharina A. Weimer is an associate in the Munich office of Reed Smith LLP with a focus on media law and data protection. Amy Mushahwar is an associate in the Data Privacy, Security and Management practice in the Washington, D.C. office of Reed Smith LLP. Send comments on this column to feedback@infosecuritymag.com.

RISK METHODOLOGIES

There are a lot of risk assessment frameworks out there. Here's what you need to know in order to pick the right one.

Sizing Up Risk

BY RICHARD E. MACKEY, JR.

MANY REGULATIONS and virtually all security frameworks require some objective assessment of risks. The reason is simple: Security controls should be selected based on real risks to an organization's assets and operations. The alternative, selecting controls without a methodical analysis of threats and controls, is likely to result in implementation of security controls in the wrong places, wasting resources while at the same time leaving the organization vulnerable to unanticipated threats.

A risk assessment framework establishes the rules for what is assessed, who needs to be involved, the terminology used in discussing risk, the criteria for quantifying, qualifying and comparing degrees of risk, and the documentation that must be collected and produced as a result of assessments and follow-on activities. The goal of a framework is to establish an objective measurement of risk that will allow an organization to understand business risk to critical information and assets both qualitatively and quantitatively. In the end, the risk assessment framework provides the tools necessary to make business decisions regarding investments in people, processes and technology to bring risk to an acceptable level.

Two of the most popular risk frameworks in use today are OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed at Carnegie Mellon University, and the NIST risk assessment framework documented in NIST Special Publication 800-30. Other risk frameworks that have a substantial following are ISACA's RISK IT (part of COBIT) and ISO 27005:2008 (part of the ISO 27000 series that includes ISO 27001 and 27002). All the frameworks have similar approaches but differ in their high-level goals: OCTAVE, NIST and ISO 27005 focus on security risk assessments, whereas RISK IT applies to the broader IT risk management space.

How does a company know which framework is the best fit for its needs? We'll provide an overview of the general structure and approach to risk assessment, draw a comparison of the frameworks, and offer some guidance for experimentation and selection of an appropriate framework.

ASSET-BASED ASSESSMENTS
All risk assessment methods require organizations to select an asset as the object of the assessment. Generally speaking, assets can be people, information, processes, systems or applications. However, frameworks differ in how strict they are in requiring organizations to follow a particular discipline in identifying what constitutes an asset. For example, CMU's original OCTAVE framework allowed an organization to select any of the items just listed as the asset to be assessed, whereas the most recent methodology in the OCTAVE series, Allegro, requires assets to be information.

There are advantages and disadvantages associated with any definition of asset. For example, if an asset is a system or application, the assessment team will need to include all information owners affected by the system. On the other hand, if the asset is information, the scope of the assessment would need to include all systems and applications that affect the information. Practically speaking, it is important to define the asset precisely so the scope of the assessment is clear. It is also useful to be consistent in how assets are defined from assessment to assessment to facilitate comparisons of results.

A critical component of a risk assessment framework is that it establishes a common set of terminology so organizations can discuss risk effectively. See the "Framework Terminology" sidebar for a list of terms used in most frameworks.

Framework Terminology
Risk assessment frameworks establish the meaning of terms to get everyone on the same page. Here are terms used in most frameworks.
Actors, motives, access: These describe who is responsible for the threat, what might motivate the actor or attacker to carry out an attack, and the access that is necessary to perpetrate an attack or carry out the threat. Actors may be a disgruntled employee, a hacker from the Internet, or simply a well-meaning administrator who accidentally damages an asset. The access required to carry out an attack is important in determining how large a group may be able to realize a threat. The larger the attacking community (e.g., all users on the Internet versus a few trusted administrators), the more likely an attack will be attempted.

Asset owners: Owners have the authority to accept risk. Owners must participate in risk assessment and management as they are ultimately responsible for allocating funding for controls or accepting the risk resulting from a decision not to implement controls.

Asset custodians: A person or group responsible for implementing and maintaining the systems and security controls that protect an asset. This is typically an IT entity.

Impact: The business ramifications of an asset being compromised. The risk assessment team needs to understand and document the degree of damage that would result if the confidentiality, integrity or availability of an asset is lost. The terms impact, business impact and inherent risk are usually used to describe, in either relative or monetary terms, how the business would be affected by the loss. It's important to note that impact assumes the threat has been realized; impact is irrespective of the likelihood of compromise.

Information asset: An abstract logical grouping of information that is, as a unit, valuable to an organization. Assets have owners who are responsible for protecting the value of the asset.

Risk magnitude or risk measurement criteria: The product of likelihood and the impact described above. If likelihood is expressed as a probability (a value between 0 and 1) and impact on a graded scale (low, medium or high, each mapped to a number), the risk magnitude can be calculated and compared across the various threats to particular assets.

Security requirements: The qualities of an asset that must be protected to retain its value. Depending on the asset, different degrees of confidentiality, integrity and availability must be protected. For example, confidentiality and integrity of personal identifying information may be critical for a given environment while availability may be less of a concern.

Threats, threat scenarios or vectors: According to OCTAVE, threats are conditions or situations that may adversely affect an asset. Threats and threat scenarios involve particular classes of actors (attackers or users) and methods or vectors by which an attack or threat may be carried out.

RISK ASSESSMENT METHODOLOGY


The heart of a risk assessment framework is an objective, repeatable methodology that gathers input regarding business risks, threats, vulnerabilities, and controls and produces a risk magnitude that can be discussed, reasoned about, and treated. The various risk frameworks follow similar structures, but differ in the description and details of the steps. However, they all follow the general pattern of identifying assets and stakeholders, understanding security requirements, enumerating threats, identifying and assessing the effectiveness of controls, and calculating the risk based on the inherent risk of compromise and the likelihood that the threat will be realized. The following is a basic methodology, largely derived from the OCTAVE and NIST frameworks.
1. Identify assets and stakeholders

All risk assessment methods require a risk assessment team to clearly define the scope of the asset, the business owner of the asset, and those people responsible for the technology and particularly the security controls for the asset. The asset defines the scope of the assessment, and the owners and custodians define the members of the risk assessment team. NIST's approach allows the asset to be a system, application or information, while OCTAVE is more biased toward information and OCTAVE Allegro requires the asset to be information. Regardless of what method you choose, this step must define the boundaries and contents of the asset to be assessed.
2. Analyze impact

The next step is to understand both the dimensions and magnitude of the business impact to the organization, assuming the asset were compromised. The dimensions of compromise are confidentiality, integrity and availability, while the magnitude is typically described as low, medium or high, corresponding to the financial impact of the compromise. It's important to consider the business impact of a compromise in the absence of controls, to avoid the common mistake of assuming that a compromise could not take place because the controls are assumed to be effective. The exercise of analyzing the value or impact of asset loss can help determine which assets should undergo risk assessment. This step is mostly the responsibility of the business team, but technical representatives can profit by hearing the value judgments of the business. The output of this step is a document (typically a form) that describes the business impact, in monetary terms or, more often, on a graded scale, for compromise of the confidentiality, integrity and availability of the asset.
3. Identify threats

Identify the various ways an asset could be compromised that would have an impact on the business. Threats involve people exploiting weaknesses or vulnerabilities, intentionally or unintentionally, in a way that results in a compromise. This process typically starts at a high level, looking at general areas of concern (e.g., a competitor gaining access to proprietary plans stored in a database), and progresses to more detailed analysis (e.g., gaining unauthorized access through a remote access method). The idea is to list the most common combinations of actors or perpetrators and paths that might lead to the compromise of an asset (e.g., application interfaces, storage systems, remote access, etc.). These combinations are called threat scenarios. The assessment team uses this list later in the process to determine whether these threats are effectively defended against by technical and process controls. The output of this step is the list of threats described in terms of actors, access path or vector, and the associated impact of the compromise.
4. Investigate vulnerabilities

Use the list of threats and analyze the technical components and business processes for flaws that might facilitate the success of a threat. The vulnerabilities may have been discovered in separate design and architecture reviews, penetration testing, or control process reviews. Use these vulnerabilities to assemble or inform the threat scenarios described above. For example, a general threat scenario may be defined as a skilled attacker from the Internet motivated by financial reward gains access to an account withdrawal function; a known vulnerability in a Web application may make that threat more likely. This information is used in the later stage of likelihood determination. This step is designed to allow the assessment team to determine the likelihood that a vulnerability can be exploited by the actor identified in the threat scenario. The team considers factors such as the technical skills and access necessary to exploit the vulnerability in rating the vulnerability exploit likelihood from low to high. This will be used in the likelihood calculation later to determine the magnitude of risk.

5. Analyze controls

Look at the technical and process controls surrounding an asset and consider their effectiveness in defending against the threats defined earlier. Technical controls like authentication and authorization, intrusion detection, network filtering and routing, and encryption are considered in this phase of the assessment. It's important, however, not to stop there. Business controls like reconciliation of multiple paths of transactions, manual review and approval of activities, and audits can often be more effective in preventing or detecting attacks or errors than technical controls. The multi-disciplinary risk assessment team is designed to bring both types of controls into consideration when determining the effectiveness of controls. At the conclusion of this step, the assessment team documents the controls associated with the asset and their effectiveness in defending against the particular threats.
The Value of Formal Assessments


A thorough analysis of risk helps justify security spending
Formal, methodical risk analysis allows organizations to reason about the magnitude of business risk given the value of the system or information at risk, a set of threats, and a set of security controls like authentication, firewalls and monitoring. The magnitude of the risk is a function of the degree of damage or loss that would occur if the threat is realized and the likelihood of the realization of the threat. This kind of thoughtful and objective approach not only helps to meet regulatory requirements, but also provides a practical way to manage security expenditures.

The value of assessing risk in this manner is that it transforms the risk discussion from a conversation among technical people into one relating technical vulnerabilities and controls to business impact. The process requires technical and business representatives to come to an understanding of what the business risk is and how it relates to technical risk. It also facilitates the economic discussion of whether investments in technology and processes are justified by the damage that may result from an attack or incident and the likelihood of the event. In short, it steers organizations away from being held hostage by the fear mongers or being starved for security investment by business people who do not appreciate the dangers posed by insufficient security controls.

RICHARD E. MACKEY, JR.

6. Calculate threat likelihood

After identifying a particular threat, developing scenarios describing how the threat may be realized, and judging the effectiveness of controls in preventing exploitation of a vulnerability, use a formula to determine the likelihood of an actor successfully exploiting a vulnerability and circumventing known business and technical controls to compromise an asset. The team needs to consider the motivation of the actor, the likelihood of being caught (captured in control effectiveness), and the ease with which the asset may be compromised, then come up with a measure of overall likelihood, from low to high.
7. Calculate risk magnitude

The calculation of risk magnitude, or residual risk, combines the business impact of compromise of the asset (considered at the start of the assessment) with the likelihood of the threat succeeding. The impact is reduced to reflect the particular threat scenario under consideration (e.g., the particular attack may only affect confidentiality and not integrity). The result is a measure of the risk to the business of a particular threat. This is typically expressed as one of three or four values (low, medium, high and sometimes severe). This measure of risk is the whole point of the risk assessment. It serves as a guide to the business as to the importance of addressing the vulnerabilities or control weaknesses that allow the threat to be realized. Ultimately, the risk assessment forces a business decision to treat or accept risk.

Anyone reading a risk assessment method for the first time will probably get the impression that it describes a clean and orderly process that can be executed sequentially. However, you'll find that you need to repeatedly return to earlier steps when information in later steps helps to clarify the real definition of the asset, which actors may realistically be considered in a threat scenario, or what the sensitivity of a particular asset is. It often takes an organization several attempts to get used to the idea that circling back to earlier steps is a necessary and important part of the process.
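Once the scales are fixed, the seven steps above (and the glossary's definition of risk magnitude as the product of likelihood and impact) reduce to a small, repeatable calculation. The following Python is an added example written for this guide; it is not code from the article, nor from OCTAVE, NIST SP 800-30 or ISO 27005. It encodes one way of doing the arithmetic: impact is graded per confidentiality/integrity/availability dimension with no controls assumed (step 2), each threat scenario names the dimensions it can compromise and a raw likelihood (steps 3 and 4), control effectiveness discounts that likelihood rather than the impact (steps 5 and 6), and the product is bucketed into low/medium/high/severe (step 7). The numeric values behind the grades, the control-effectiveness scale and the bucket thresholds are assumptions chosen for illustration, as is the sample asset and its scenarios; a real program would fix them in its framework documentation and keep them constant from assessment to assessment so results stay comparable.

```python
from dataclasses import dataclass

# Graded scales mapped to numbers so impact and likelihood can be multiplied
# and the results compared. The numeric values are illustrative assumptions,
# not taken from OCTAVE, NIST or ISO 27005.
IMPACT_GRADE = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD_GRADE = {"low": 0.2, "medium": 0.5, "high": 0.9}
DIMENSIONS = ("confidentiality", "integrity", "availability")


@dataclass
class Asset:
    """Steps 1 and 2: the asset under assessment and its business impact per
    dimension, rated as if no controls existed."""
    name: str
    impact: dict  # e.g. {"confidentiality": "high", "integrity": "high", ...}


@dataclass
class Scenario:
    """Steps 3 to 5: one actor/vector combination, the dimensions it can
    compromise, its raw likelihood, and how well controls defend against it."""
    actor: str
    vector: str
    affects: tuple                # subset of DIMENSIONS
    likelihood: str               # raw likelihood: "low", "medium" or "high"
    control_effectiveness: float  # 0.0 = no defence, 1.0 = fully effective


def residual_likelihood(s: Scenario) -> float:
    """Step 6: discount the raw likelihood by control effectiveness.
    Controls never change the impact grade, only how likely success is."""
    if not 0.0 <= s.control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must lie between 0 and 1")
    return LIKELIHOOD_GRADE[s.likelihood] * (1.0 - s.control_effectiveness)


def scenario_impact(asset: Asset, s: Scenario) -> int:
    """Step 7, first half: narrow the asset's impact to the dimensions this
    scenario actually touches and take the worst of them."""
    unknown = set(s.affects) - set(DIMENSIONS)
    if unknown:
        raise ValueError(f"unknown dimension(s): {sorted(unknown)}")
    return max(IMPACT_GRADE[asset.impact[d]] for d in s.affects)


def risk_magnitude(asset: Asset, s: Scenario) -> float:
    """Step 7, second half: scenario impact times residual likelihood."""
    return scenario_impact(asset, s) * residual_likelihood(s)


def risk_rating(magnitude: float) -> str:
    """Bucket the magnitude into the four-value scale the article mentions.
    Thresholds are assumptions; the largest possible magnitude is 3 * 0.9."""
    if magnitude >= 2.0:
        return "severe"
    if magnitude >= 1.2:
        return "high"
    if magnitude >= 0.5:
        return "medium"
    return "low"


def assess(asset: Asset, scenarios: list) -> list:
    """Build the risk register rows for one asset, worst scenario first."""
    rows = []
    for s in scenarios:
        m = risk_magnitude(asset, s)
        rows.append({
            "scenario": f"{s.actor} via {s.vector}",
            "magnitude": round(m, 2),
            "rating": risk_rating(m),
        })
    return sorted(rows, key=lambda r: r["magnitude"], reverse=True)


def example_register() -> list:
    """Constructed sample input: a hypothetical asset and three scenarios."""
    records = Asset("customer account records", {
        "confidentiality": "high", "integrity": "high", "availability": "medium",
    })
    scenarios = [
        Scenario("Internet attacker", "web application authentication flaw",
                 ("confidentiality", "integrity"), "high", 0.3),
        Scenario("disgruntled employee", "direct database access",
                 ("confidentiality",), "medium", 0.5),
        Scenario("well-meaning administrator", "accidental deletion",
                 ("availability",), "medium", 0.8),  # tested backups exist
    ]
    return assess(records, scenarios)


if __name__ == "__main__":
    for row in example_register():
        print(f"{row['rating']:>7}  {row['magnitude']:.2f}  {row['scenario']}")
```

Two design points carry the article's warnings into the code: impact is graded on the asset before any scenario or control is considered, so strong controls can never make a compromise look harmless, only less likely; and the register is sorted by magnitude rather than by rating, so two scenarios in the same bucket still have an order for the treat-or-accept decision. Re-running the script after a control change (say, raising the administrator scenario's effectiveness once backups are tested) is the iteration the article describes.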

WHICH FRAMEWORK IS BEST?


Over the years, many risk frameworks have been developed and each has its own advantages and disadvantages. In general, they all require organizational discipline to convene a multidisciplinary team, define assets, list threats, evaluate controls, and conclude with an estimate of the risk magnitude.

OCTAVE, probably the best known of the risk frameworks, comes in three sizes. The original, full-featured version is a heavyweight process with substantial documentation meant for large organizations. OCTAVE-S is designed for smaller organizations where the multi-disciplinary group may be represented by fewer people, sometimes exclusively technical staff with knowledge of the business; the documentation burden is lower and the process is lighter weight. The latest product in the OCTAVE series is Allegro, which has more of a lightweight feel and takes a more focused approach than its predecessors. Allegro requires the assets to be information, requiring additional discipline at the start of the process, and views systems, applications and environments as containers. The scope of the assessment needs to be based on the information abstraction (e.g., protected health information) and identify and assess risk across the containers in which the information is stored, processed or transmitted. One of the benefits of the OCTAVE series is that each of the frameworks provides templates for worksheets to document each step in the process. These can either be used directly or customized for a particular organization.

The NIST framework, described in NIST Special Publication 800-30, is a general one that can be applied to any asset. It uses slightly different terminology than OCTAVE, but follows a similar structure. It doesn't provide the wealth of forms that OCTAVE does, but is relatively straightforward to follow. Its brevity and focus on more concrete components (e.g., systems) make it a good candidate for organizations new to risk assessment.
Furthermore, because it's defined by NIST, it's approved for use by government agencies and organizations that work with them.

ISACA's COBIT and ISO 27001 and 27002 are IT management and security frameworks that require organizations to have a risk management program. Both offer, but don't require, their own versions of risk assessment frameworks: COBIT has RISK IT and ISO has ISO 27005:2008. They recommend repeatable methodologies and specify when risk assessments should take place. The ISO 27000 series is designed to deal with security, while COBIT encompasses all of IT; consequently, the risk assessments required by each correspond to those scopes. In other words, risk assessment in COBIT, described in RISK IT, goes beyond security risks and includes development, business continuity and other types of operational risk in IT, whereas ISO 27005 concentrates on security exclusively.

ISO 27005 follows a similar structure to NIST but defines terms differently. The framework includes steps called context establishment, risk identification and estimation, in which threats, vulnerabilities and controls are considered, and a risk analysis step that discusses and documents threat likelihood and business impact. ISO 27005 includes annexes with forms and examples, but like other risk frameworks, it's up to the organization implementing it to evaluate or quantify risk in ways that are relevant to its particular business.

Organizations that do not have a formal risk assessment methodology would do well to review the risk assessment requirements in ISO 27001 and 27002 and consider the 27005 or NIST approach. The ISO standards provide a good justification for formal risk assessments and outline requirements, while the NIST document provides a good introduction to a risk assessment framework. With practice, an organization can establish a methodology based on this approach. However, it is worthwhile to review the OCTAVE family and, in particular, the Allegro framework. Its focus on information, its forms and its relatively lightweight approach (when compared to other OCTAVE methods) provide a good alternative to NIST and will allow an organization to build a customized method that meets its own requirements.

One of the benefits of the OCTAVE series is that each of the frameworks provides templates for worksheets to document each step in the process.


CONSISTENCY IS KEY
In the end, the most important aspect of choosing a framework is ensuring that the organization will use it. Auditors will seldom inspect the details of your risk assessment method, but they will look at whether you have a systematic method and apply it regularly. It's an organization's prerogative to accept risks that are too difficult or expensive to mitigate. However, one can only accept risks that one understands. Consistent and repeatable risk assessments provide the mechanism not only to understand risk, but also to demonstrate to auditors and regulators that the organization understands risk. Whether your goal is simply to achieve good security or also to meet regulatory requirements, creating a risk assessment method based on a well-known framework is a good place to start.
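As an added example (not from the article, and not code from ISO, NIST or OCTAVE), the following Python sketch shows what a repeatable method of the kind the article recommends looks like when written down: fixed ordinal scales for likelihood and impact, one identification record per asset (threat, vulnerability, existing control), an acceptance criterion set once by management, and a check that every risk above that criterion carries a documented treatment decision and that any acceptance names a justification and an approver. The scales, thresholds, treatment vocabulary and sample register are all assumptions chosen for illustration.

```python
"""Repeatable qualitative risk register (added example; scales and thresholds are assumed)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    """Fixed ordinal scale. Reusing the same scale in every assessment is what
    makes results comparable from one cycle to the next."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Risk:
    """One row of the register: the identification step records threat,
    vulnerability and existing control per asset; the estimation step adds
    likelihood and impact; the treatment fields record the decision taken."""
    asset: str
    threat: str
    vulnerability: str
    existing_control: str
    likelihood: Level
    impact: Level
    treatment: Optional[str] = None   # "mitigate", "transfer" or "accept" (assumed vocabulary)
    justification: str = ""           # required when treatment == "accept"
    approver: str = ""                # business owner who signed the acceptance

    @property
    def score(self) -> int:
        # Likelihood x impact on the 1..3 scales gives a score from 1 to 9.
        return int(self.likelihood) * int(self.impact)


def risk_level(score: int) -> str:
    """Map the numeric score onto three reporting bands (assumed thresholds)."""
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


# Acceptance criterion set once by management (assumed value): scores at or
# below this need no explicit decision; anything above must be treated.
ACCEPTANCE_THRESHOLD = 2


def rank(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by asset name so two runs give the same order."""
    return sorted(register, key=lambda r: (-r.score, r.asset))


def check_decisions(register: List[Risk]) -> List[str]:
    """Return the gaps an auditor would flag: risks above the threshold with no
    treatment decision, and acceptances lacking a justification or an approver."""
    issues = []
    for r in register:
        if r.score <= ACCEPTANCE_THRESHOLD:
            continue
        if r.treatment is None:
            issues.append(f"{r.asset}/{r.threat}: score {r.score} "
                          f"({risk_level(r.score)}) has no treatment decision")
        elif r.treatment == "accept" and not (r.justification and r.approver):
            issues.append(f"{r.asset}/{r.threat}: accepted without justification and named approver")
    return issues


# Constructed sample register (illustrative, not taken from any real assessment).
SAMPLE_REGISTER = [
    Risk("customer database", "external attacker", "SQL injection in legacy web form",
         "WAF in monitoring mode", Level.MEDIUM, Level.HIGH, treatment="mitigate"),
    Risk("backup tapes", "theft in transit", "tapes not encrypted",
         "courier contract", Level.LOW, Level.HIGH, treatment="accept",
         justification="tapes retired in Q3", approver="CFO"),
    Risk("HR file share", "insider", "world-readable share",
         "none", Level.MEDIUM, Level.MEDIUM),
    Risk("public web site", "defacement", "stale CMS plugin",
         "monthly patching", Level.LOW, Level.LOW),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        print(f"{r.score} {risk_level(r.score):6} {r.asset}: {r.threat} via "
              f"{r.vulnerability} [{r.treatment or 'UNDECIDED'}]")
    for issue in check_decisions(SAMPLE_REGISTER):
        print("GAP:", issue)
```

The point of `check_decisions` is the article's "one can only accept risks that one understands": the register will not let an above-threshold risk sit silently, and an acceptance without a written justification and a named owner is reported as a gap rather than treated as a decision.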
Richard E. Mackey, Jr. is vice president of consulting at SystemExperts, an information security-services firm. Send comments on this article to feedback@infosecuritymag.com.


I N F O R M AT I O N S E C U R I T Y ESSENTIAL GUIDE COMPLIANCE

BUSINESS INTEGRATION

Hurdle Cultural Barriers to Compliance



Engage stakeholders frequently about their role in compliance and reducing risk inside your organization. BY ERIC HOLMQUIST
When looking to create or expand information security reporting to senior management, the biggest challenge is often not technical but cultural. Business managers can be hesitant to have areas of risk highlighted for fear that they will be perceived as not doing their jobs. Lawyers are often nervous that putting vulnerabilities in writing could ultimately be used against the organization. And managers are sometimes hesitant to tell senior management too much, fearing that senior managers won't understand the information they are given but, recognizing that it represents a significant risk, will feel obligated to give arbitrary directives in a misguided attempt to solve problems they don't fully understand. While these are all realities that we as security and compliance managers live with, they are ones that mature organizations must push past if they are to holistically manage information security risk and compliance. Contrary to what many believe, when seeking to address security and compliance weaknesses, knowledge is power and transparency is good. However, to successfully evolve beyond cultural barriers to effective information security reporting, a strategy is required. The following are some time-tested solutions to the cultural barriers that often stifle effective information security risk and compliance management.


Tips for fostering a compliance culture



English only, please. Unquestionably, the most critical make-or-break factor in information security reporting is language. Simply put, any report, whether in scorecard or narrative form, must be limited to basic business terminology: no IT terms, no obscure acronyms, no exceptions, ever. An IDS or other gateway device may produce a wonderfully detailed 20-page technical report, and while that may be helpful to technical staff, it should never see the light of day in an executive report. Instead, require these data owners to summarize their reports as succinctly as possible, using language that someone who has no familiarity with technology would understand.

Make disclosure safe. The second most critical factor is to create an environment where disclosure is safe, meaning people must be allowed to express both their observations of potential risk and operational failures without being persecuted, and managers must foster an environment where such disclosures are encouraged. For observed risks, the focus must be on an assessment of the risk and an analysis of response options. For failures, the focus of the reporting needs to be 1) what happened, 2) what is being done about it, and 3) what could be done so that it doesn't happen again. Blame is the mortal enemy of collaboration, so any disciplinary action must be handled privately. Once people begin to realize that risk and failure can be brought up for healthy discussion, more and more risks will come out of the woodwork, and that is a healthy thing.

Focus on solutions. Simply put, make sure any material risk reported to management includes a management-level assessment of that risk and a plan of action (or, at minimum, a series of options). Highlighting a risk in isolation can be paralyzing and is often interpreted as a sign that people aren't doing their jobs. Presenting risks together with a variety of solutions, however, is empowering and reinforces the fact that people are on the job.


Let them make decisions. When presenting information on the state of the information security program and compliance, give management the opportunity not only to provide input but also to make decisions. Even if this means simply submitting a menu of choices for a given area of concern, it engages them in the process and builds ownership. This may seem risky (who wants pointy-haired bosses actually making decisions?), but it really does work to build engagement if risks are explained clearly and options are detailed. Trust me, engagement is very good.

Start small. The fact is that most organizations can't go from nothing to a detailed scorecard in one pass; it just doesn't happen. Start small by focusing on more innocuous data points that allow management to take action (training completion, third-party governance, etc.). As management becomes more comfortable with the reporting cycle, move to more sensitive areas, such as open audit issues, control failures, operational incidents and risk heat maps (the latter having a more direct association with specific business areas).

In the end, the goal is to create a compliance culture through dialog and engagement. Start small, be exceedingly clear and keep pressing. Eventually people will realize these topics are more approachable than they thought and that creating forums for discussion with a range of constituencies is healthy for the organization, ultimately creating a compliance culture that will serve it well.


Eric Holmquist is a principal with consulting firm Holmquist Advisory. He has more than 25 years' experience in the financial services industry and is a frequent industry author and speaker. As the former vice president and director of operations risk management for Advanta Bank Corp., he was responsible for the development and oversight of the bank's operational risk management program and its information security strategy. In addition, Holmquist chaired the bank's MIS council, an oversight group that provides governance with regard to standards, methods and production of financial and operational reports and the management of enterprise data.


PCI DSS 2.0

PCI Assessment Changes Explained



The latest update to PCI is relatively minor, but that doesn't mean security and compliance managers can afford to slack. BY ED MOYLE


Versions 2.0 of the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA DSS) made their debuts last fall. Since then, organizations have been trying to make sense of the updates, the new timetable for compliance and how this impacts established security and compliance programs. From a PCI assessment standpoint, there are two things to call out about the changes at a macro level before going into the details of the changes themselves.

First, the changes are relatively minor. This wasn't entirely expected; a number of industry experts speculated that the standard would follow a major release/minor release paradigm (similar to what you'd see in a software product). Following a point release of PCI DSS 1.2 in October 2008, many thought the PCI DSS 2.0 major revision last year could mean sweeping change, but this wasn't the way it turned out. The council cites maturity in the standard as the reason for the relatively small number of changes, which means companies can also expect a lesser volume of change in future revisions. For those that were hit hard by the (fairly significant) changes in the 1.x iterations during the past five years, this should be welcome news.

Secondly, the enforcement timing of the changes is beneficial: there is time to respond before organizations are called to task on how they've implemented the changes. Merchants have a year to comply from the January launch date, meaning there is plenty of time to get environments in shape before enterprises actually have to go through an assessment based on the updates.


But these positive developments shouldn't encourage security and compliance managers to slack. Although most of the changes represent a reduction in the scope of controls, a few could have broader impact depending on your current processes, the scope of your compliance efforts, and how your company has interpreted the controls in the past. So starting now, look at the changes and update your compliance plan accordingly. It will be time well spent.

PCI 2.0: If anything, mostly a slight reduction of assessment impact


As outlined, most of the changes reflect a decrease in the effort associated with the PCI assessment process. They give the assessor, or you, additional flexibility to decrease the scope of assessment effort because they allow interpretive latitude, both for you and your QSA. That interpretive latitude means less time spent trying to force-fit what you've deployed into narrow parameters; in combination with clarifications about control scope, it means less time-consuming back-and-forth discussion between merchants/service providers and QSAs about intent and meaning. The chart (see p. XX) outlines areas where the changes either have no impact on PCI assessment effort or decrease the effort associated with the assessment process. As you can see, with the exception of the two areas called out, the items in this list connote relatively little impact on an assessment. It's these other two areas that merchants and service providers may want to keep an eye out for.


Two areas to watch



One of the most significant changes is the clarification of PCI assessment scope (item No. 2 in the change list in the chart). It's still unclear specifically how the scope change will be reflected in the final document, but what is there should be enough for anybody who's been through an assessment to take notice. Specifically, according to this, the scope of cardholder data flow diagrams should include all locations and all areas. That's an uh-oh for many firms; as it turns out, many organizations just aren't where they need to be on this point. Producing up-to-date diagrams of cardholder data everywhere in the enterprise may seem a negligible task at first glance, but in a large retail environment with multiple business units, diagrams might cover only one business unit of many, or a subset of payment flows throughout the whole organization. So this change could very well mean a significant effort to share flow information between business units (since one process might intersect multiple business units) and to ensure all payment flows are accounted for in the documentation. Lack of appropriate documentation has always been one of the primary issues within an assessment context, so this change amps up what was already a known issue.

Secondly, the update for virtualization on the surface seems relatively innocuous; after all, many of us have been asking for a long time how virtualization ties into requirements like "one function per server" (Requirement 2.2.1). However, under the surface, expansion of the definition of system components to include virtual components might have additional ramifications beyond just 2.2.1; it could affect other requirements as well. For example, some requirements and test procedures specifically refer to "all system components" (for example, Requirement 10.6, "Review logs for all system components at least daily," and Requirement 2.2, "Develop configuration standards for all system components").
Requirements that address "all system components" now implicitly include the virtual environment as well, as do the test procedures. So a test procedure like 2.2.a ("Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards") means that not only will an organization need to have a hardening standard for its virtual environment, but its assessor will also need to obtain and review that standard. This might not have been the case in prior assessments.

So overall, for merchants and service providers, this version of the standard represents a streamlining of the assessment process, which should help ease the PCI DSS compliance burden somewhat. But the expansion of system components to include virtualization and the updates to required documentation could make those elements of the assessment process more complex, so be sure to address each with your assessor when the time comes for your company's first assessment under PCI DSS 2.0. It's also a good idea to start planning now for areas where your current control deployment may not address the entirety of the scope.

PCI 2.0 EXPLAINED

Requirement: PCI DSS Intro
Proposed change: Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to PAN. Align language with PTS Secure Reading and Exchange of Data (SRED) module.
Assessment impact: In most cases, minimal impact on assessment effort. Potential reduction in assessment scope of effort if you or your QSA interpreted 3.3 or 3.4 as applying to other cardholder data in past assessments.

Requirement: Scope of Assessment
Proposed change: Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of the cardholder data environment.
Assessment impact: Potential area of impact (described above).

Requirement: PCI DSS Intro and various requirements
Proposed change: Expanded definition of system components to include virtual components. Updated Requirement 2.2.1 to clarify intent of one primary function per server and use of virtualization.
Assessment impact: Potential area of impact (described above).

Requirement: PCI DSS Requirement 1
Proposed change: Provide clarification on secure boundaries between the Internet and the cardholder data environment.
Assessment impact: It isn't clear from the description what this clarification will be. However, since the controls around separation of the CDE from the Internet are relatively unambiguous currently, this is likely to be a minimal-impact issue.

Requirement: PCI DSS Requirement 3.2
Proposed change: Recognize that issuers have a legitimate business need to store Sensitive Authentication Data.
Assessment impact: The scope of an issuer's business requirements has little bearing on an assessment at a merchant or service provider. Minimal impact to assessment effort.

Requirement: PCI DSS Requirement 3.6
Proposed change: Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and use of split control and dual knowledge.
Assessment impact: We don't have enough information from the change description to know how this will change. The intent of the change is to increase flexibility, which suggests a reduction in assessment effort.

Requirement: PCI DSS Requirement 6.2
Proposed change: Update requirement to allow vulnerabilities to be ranked and prioritized according to risk.
Assessment impact: This moves the requirement more in line with what firms do; the change allows latitude to reflect that practice during an assessment.

Requirement: PCI DSS Requirement 6.5
Proposed change: Merge Requirement 6.3.1 into 6.5 to eliminate redundancy for secure coding for internal and Web-facing applications. Include examples of additional secure coding standards, such as CWE and CERT.
Assessment impact: Consolidation in this area means reduced assessment effort, as merchants and QSAs are no longer writing up results twice for the same controls.

Requirement: PCI DSS Requirement 12.3.10
Proposed change: Update requirement to allow business justification for copy, move and storage of CHD during remote access.
Assessment impact: This change recognizes that a business may need to manipulate cardholder data during a remote access scenario. Therefore, businesses that require this will no longer have to write up compensating controls to do so.
Ed Moyle is currently a manager with CTG's Information Security Solutions practice, providing strategy, consulting, and solutions to clients worldwide, as well as a founding partner of SecurityCurve.

TECHTARGET SECURITY MEDIA GROUP

INFORMATION SECURITY
EDITORIAL DIRECTOR Michael S. Mimoso
SENIOR SITE EDITOR Eric Parizo
EDITOR Marcia Savage
MANAGING EDITOR Kara Gattine
NEWS DIRECTOR Robert Westervelt
SITE EDITOR Jane Wright
ASSOCIATE EDITOR Carolyn Gibney
ASSISTANT EDITOR Maggie Sullivan
ASSISTANT EDITOR Greg Smith
UK BUREAU CHIEF Ron Condon
ART & DESIGN CREATIVE DIRECTOR Maureen Joyce
COLUMNISTS Marcus Ranum, Lee Kushner, Mike Murray
CONTRIBUTING EDITORS Michael Cobb, Phillip Cox, Scott Crawford, Peter Giannoulis, Ernest N. "Ernie" Hayden, Robbie Higgins, Jennifer Jabbusch, David Jacobs, Diana Kelley, Nick Lewis, Richard E. Mackey Jr., Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ashley Podhradsky, Ben Rothke, Anand Sastry, Dave Shackleford, Joel Snyder, Lenny Zeltser
USER ADVISORY BOARD Phil Agcaoili, Cox Communications; Richard Bejtlich, GE; Seth Bromberger, Energy Sector Consortium; Chris Ipsen, State of Nevada; Diana Kelley, Security Curve; Nick Lewis, ACM; Rich Mogull, Securosis; Craig Shumard, CIGNA CISO Retired; Marc Sokol, Guardian Life; Gene Spafford, Purdue University; Tony Spinelli, Equifax

INFORMATION SECURITY DECISIONS
GENERAL MANAGER OF EVENTS Amy Cleary

VICE PRESIDENT/GROUP PUBLISHER Doug Olender
PUBLISHER Josh Garland
DIRECTOR OF PRODUCT MANAGEMENT Susan Shaver
DIRECTOR OF MARKETING Nick Dowd
SALES DIRECTOR Tom Click
CIRCULATION MANAGER Kate Sullivan
PROJECT MANAGER Elizabeth Lareau
PRODUCT MANAGEMENT & MARKETING Kim Dugdale, Andrew McHugh, Karina Rousseau
SALES REPRESENTATIVES Eric Belcher ebelcher@techtarget.com; Patrick Eichmann peichmann@techtarget.com; Sean Flynn seflynn@techtarget.com; Jennifer Gebbie jgebbie@techtarget.com; Jaime Glynn jglynn@techtarget.com; Leah Paikin lpaikin@techtarget.com; Jeff Tonello jtonello@techtarget.com; Vanessa Tonello vtonello@techtarget.com; George Whetstone gwhetstone@techtarget.com; Nikki Wise nwise@techtarget.com
EUROPEAN DISTRIBUTION Parkway Gordon, Phone 44-1491-875-386, www.parkway.co.uk
LIST RENTAL SERVICES Julie Brown, Phone 781-657-1336, Fax 781-657-1100

TECHTARGET INC.
CHIEF EXECUTIVE OFFICER Greg Strakosch
PRESIDENT Don Hawk
EXECUTIVE VICE PRESIDENT Kevin Beam
CHIEF FINANCIAL OFFICER Jeff Wakely

Information Security's Essential Guide to Compliance is published by TechTarget, 275 Grove Street, Newton, MA 02466 U.S.A.; Toll-Free 888-274-4111; Phone 617-431-9200; Fax 617-431-9201.
All rights reserved. Entire contents, Copyright 2011 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or INFORMATION SECURITY.


RESOURCES FROM OUR SPONSOR

See ad page 2

Dell SecureWorks Webcast: An Expert Approach to PCI compliance

About Dell SecureWorks: Dell Inc. (NASDAQ: DELL) listens to customers and delivers worldwide innovative technology and business solutions they trust and value. Recognised as an industry leader by top analysts, Dell SecureWorks provides world-class information security services to help organisations of all sizes protect their IT assets, comply with regulations and reduce security costs. Dell SecureWorks is positioned in the Leaders Quadrant of Gartner's Magic Quadrant for MSSPs and has been recognised by SC Magazine's readers with the Best Managed Security Service award for 2006, 2007, 2008, 2009 & 2011. Additionally, our experts frequently provide authoritative information security commentary in major media outlets including the New York Times, The Wall Street Journal, The Financial Times, USA Today, The Guardian and many others.
