Assessment Phase
The duration of the assessment phase can differ based on the size of the client infrastructure and the number of devices in the cardholder data environment. Figure 1 shows an example of how an assessment-phase plan is constructed. Typical activities during this phase include:
- Data gathering (typically three weeks).
- Current state assessment (typically two weeks).
- Gap assessment (typically three weeks).
- Future state roadmap (typically two weeks).
PCI DSS is based on technical and operational requirements related to 12 different areas; data gathering is performed across six conceptual areas, covering the following:
- Network infrastructure.
- Encryption and data protection.
- Vulnerability management.
- Access control.
- Network monitoring.
- Security policies management.
The data gathered is then assessed for gaps across each of these six areas. The gaps in the current ("as is") state are categorized as high, medium or low in each area, relative to the goal of achieving PCI DSS 2.0 compliance. The final deliverable includes a roadmap for remediating the discovered gaps in order to achieve future state PCI DSS 2.0 compliance for the cardholder data environment. The deliverables at this phase include, but are not limited to:
- Inventory of tools and utilities identified.
- Current state policies.
- Gap assessment matrix of PCI controls.
- Best practices followed (if applicable).
- Future state roadmap.
Figure 1: example assessment-phase plan (figure not reproduced in the extracted text).
Remediation Phase
During the remediation phase, our team evaluates the effort based on the gaps and the roadmap delivered during the assessment phase. Implementation duration depends on the gaps found during the assessment phase. Typical activities during this phase include:
- Planning (typically four to six weeks).
- Designing (eight to 10 weeks).
- Building (12 to 15 weeks).
- Verifying (14 to 16 weeks).
- Deploying (varies).
- Reassessing for the report on compliance (ROC) (eight to 10 weeks).
The reassessment (which includes any final remediation as needed) is conducted in conjunction with a QSA-approved third-party assessor to obtain a report on compliance. Figure 2 illustrates a remediation-phase plan. During the planning phase, multiple workshops are held with a core group of personnel that includes both company resources and our consultants.
Figure 2: example remediation-phase plan (figure not reproduced in the extracted text).
Typical shortcomings we encounter include:
- Incomplete awareness of the environment, and not understanding what is, and what is not, part of the credit card data environment (i.e., the target environment for compliance).
- Lack of both awareness of industry best practices and experience with the relevant tools available that fit the requirements for the company's environment.
In our experience, companies end up investing in the wrong tools and the wrong areas, and have no strategic direction when architecting solutions, due to a lack of awareness of the target environment or a lack of skilled personnel to make key strategic security decisions. These shortcomings leave the target environment vulnerable, which has a direct impact on the business and on the company's liabilities.
Delivery
The entire engagement was delivered in 11 months using a team of 21 professionals working with the client's 75-plus resources and another 35 vendors. We implemented more than 25 tools and services. Several hurdles were overcome during the remediation program. One key challenge was a late scope change from PCI DSS 1.2 compliance to PCI DSS 2.0 compliance. The program not only addressed gaps by implementing 290 PCI controls, but also incorporated the scope change, working closely with the client. The program was delivered on time, and with significant cost savings to the client. Figure 3 (next page) shows the extent of work accomplished. Post-remediation, a QSA vendor assessed project performance to create an ROC. Figure 4 (on page 5) illustrates a progress card created each week in pursuit of ROC readiness. Figure 5 (on page 5) shows how a tracker is used to reveal readiness to attain an ROC.
- … data environment, and can apply our recommendations and best practices to achieve and keep the environment secure and up-to-date.
- … tional implementation of tools and inter-workings can be applied across multi-organizational design dimensions in ways that are scalable and extensible.
- Whether it's a first-time implementation or a project to maintain PCI compliance, the process is painless, as a result of our precision planning and program management expertise throughout the engagement.
Figure 3: extent of work accomplished, tabulated by category (the figure's numbers are not recoverable from the extracted text). Programs: templates created and used, projects modified, projects phased out. Processes: counts of processes created, modified and phased out. Systems: operating systems and databases touched, WCSs touched, desktops touched, laptops touched. Network devices: wireless access points, WLCs, firewalls, content switches, modems and VPN concentrators touched; policies created and modified. Others: stores touched, business justification documents created, stores converted from MPLS to broadband, runbooks created, people given security awareness training, new vendor contracts created, service implementation modifications, anti-virus upgrades, critical security patches applied, scope-reduction work streams, scope-increase activities, VA and pen-test remediations performed, stores with hardware encryption.
Figure 6 (on page 6) highlights program tracking across the key conceptual areas within our framework, covering each of the 12 requirements defined by PCI DSS. The client was pleased with the results, noting that the engagement used realistic and achievable timelines in which milestones, deliverables and resources were continuously fine-tuned to keep key activities on track. In fact, the CIO later told us: "We were on schedule and under budget by $500K. It was an amazing achievement for the entire team."
Appendix
PCI Background (see footnote 3)
PCI DSS 2.0 Requirements
PCI DSS version 2.0 is the global data security standard that any business of any size must follow to accept payment cards, and to store, process and/or transmit cardholder data. It presents common-sense steps that mirror best security practices. Assess is to take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data. Remediate is the process of fixing those vulnerabilities. Report entails compiling the records required by PCI DSS to validate remediation and submitting compliance reports to the acquiring bank and global payment brands. Carrying out these three steps is an ongoing process for continuous compliance with the PCI DSS requirements. These steps also enable vigilant assurance of payment card data safety.
Step 1: Assess
Assess all technology and process vulnerabilities that pose risks to the security of cardholder data that is transmitted, processed or stored. Study the PCI DSS for detailed requirements. It describes the IT infrastructure and processes that access the payment account infrastructure. Determine how cardholder data flows from the beginning to the end of the transaction process, including PCs and laptops that access critical systems, and storage mechanisms for paper receipts, etc. Check the versions of personal identification number (PIN) entry terminals and software applications used for payment card transactions and processing to ensure they have passed PCI compliance validation. Note: Your liability for PCI compliance also extends to third parties involved with your process flow; therefore, your organization must also confirm that partner processes are compliant. A comprehensive assessment is a vital part of understanding which elements may be vulnerable to security exploitation and where to direct remediation.
Figure 4: weekly ROC-readiness progress card, showing counts of open items falling to zero across dated checkpoints between late April and late May (figure not reproduced in the extracted text).
Self-assessment questionnaire (SAQ): The SAQ is a validation tool for merchants and service providers that are not required to do on-site assessments for PCI DSS compliance. Four SAQs are specified for various situations.
Qualified assessors: The PCI Security Standards Council (PCI SSC) provides programs for two kinds of independent experts to help with your PCI assessment: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs have trained personnel and processes to assess and prove compliance with the PCI DSS. ASVs provide commercial software tools to perform vulnerability scans of your systems. Visit https://www.pcisecuritystandards.org/approved_companies_providers/index.php for details and links to qualified assessors.
Figure 5: PCI remediation tracker. Each row is a project with project number, owner, scope, start date and end date, weekly checkpoint columns (2/20, 2/27, 3/5, 3/12, 3/19, 3/26), % of tasks complete and % variance from plan (for example, 98% complete with a -2% variance; fully complete projects show 100% and no variance).
Figure 6: program tracking across the six conceptual areas, with sub-items numbered 1.1 through 1.6.7. Network Infrastructure (1.1): firewall configuration / routers, vendor defaults, system configurations, password encryption. Encryption and Data Protection (1.2): data storage and retention, data transmission, encryption of keys (PIN, PAN), data protection. Vulnerability Management (1.3): anti-virus, patch management, vulnerability management, software life cycle management, web application firewalls. Access Control (1.4): access control, two-factor authentication, RADIUS, password management, facility management, physical user access, storage media. Network Monitoring (1.5): audit logging, time synchronization (NTP), wireless access monitoring, internal / external vulnerability scanning, internal / external penetration testing, intrusion detection, file integrity monitoring. Security Policies Management (1.6): security policy, use policy, information security policy, security awareness, HR policy, vendor policies, incident response planning. Each item carries % complete, % variance and a status. Status legend: In Progress (variance <10%); At Risk (variance 10-19%); Not Started; Late (variance >19%); Completed; On-hold.
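The trackers in Figures 5 and 6 rate every work item by its percentage of tasks complete and its variance from plan, and the Figure 6 legend buckets open items into In Progress (variance below 10%), At Risk (10-19%) and Late (above 19%). The Python below is an added example of that tracking logic; it is not code from the white paper or from Cognizant. It assumes that variance means actual % complete minus planned % complete (the paper shows values such as -2% but does not state the formula), that "Not Started" applies only to items with nothing yet due, and it uses constructed sample rows that borrow the Figure 6 numbering scheme. It also ranks open items most-behind first, mirroring the appendix's "most serious to least serious" remediation ordering.

```python
from collections import Counter
from dataclasses import dataclass

# Figure 6 legend bands, in percentage points behind plan. The shortfall is
# assumed to be planned % minus actual %; the white paper gives no formula.
IN_PROGRESS_MAX = 10   # shortfall below this: In Progress
AT_RISK_MAX = 19       # shortfall 10..19: At Risk; above 19: Late


@dataclass
class WorkItem:
    item_id: str       # Figure 6 numbering style, e.g. "1.4.2"
    area: str          # one of the six conceptual areas
    name: str
    planned_pct: int   # % of tasks scheduled to be done at this checkpoint
    actual_pct: int    # % of tasks reported done
    on_hold: bool = False


def variance(item: WorkItem) -> int:
    """Percentage points relative to plan; negative means behind (cf. Figure 5's -2%)."""
    return item.actual_pct - item.planned_pct


def status(item: WorkItem) -> str:
    """Map one tracker row onto the Figure 6 status legend."""
    if item.on_hold:
        return "On-hold"
    if item.actual_pct >= 100:
        return "Completed"
    if item.actual_pct == 0 and item.planned_pct == 0:
        return "Not Started"          # nothing due yet (assumed reading of the legend)
    shortfall = -variance(item)       # positive when behind plan
    if shortfall < IN_PROGRESS_MAX:
        return "In Progress"
    if shortfall <= AT_RISK_MAX:
        return "At Risk"
    return "Late"


def area_rollup(items):
    """Per conceptual area: mean % complete and a head-count of statuses."""
    rollup = {}
    for item in items:
        entry = rollup.setdefault(item.area, {"pct_total": 0, "count": 0, "statuses": Counter()})
        entry["pct_total"] += item.actual_pct
        entry["count"] += 1
        entry["statuses"][status(item)] += 1
    return {
        area: {"pct_complete": round(e["pct_total"] / e["count"]), "statuses": dict(e["statuses"])}
        for area, e in rollup.items()
    }


def remediation_order(items):
    """Open items ranked most-behind-plan first (ties keep tracker order)."""
    open_items = [i for i in items if status(i) != "Completed"]
    return [i.item_id for i in sorted(open_items, key=lambda i: -variance(i), reverse=True)]


def roc_ready(items) -> bool:
    """Readiness to pursue a ROC: every tracked item is Completed."""
    return all(status(i) == "Completed" for i in items)


# Constructed sample tracker rows (hypothetical, not the client's data).
SAMPLE_ITEMS = [
    WorkItem("1.1.1", "Network Infrastructure", "Firewall configuration / routers", 100, 100),
    WorkItem("1.1.2", "Network Infrastructure", "Vendor defaults", 100, 90),
    WorkItem("1.2.3", "Encryption and Data Protection", "Encryption of keys (PIN, PAN)", 100, 99),
    WorkItem("1.3.2", "Vulnerability Management", "Patch management", 100, 85),
    WorkItem("1.4.3", "Access Control", "RADIUS", 60, 50, on_hold=True),
    WorkItem("1.5.5", "Network Monitoring", "Internal / external penetration testing", 100, 71),
    WorkItem("1.6.7", "Security Policies Management", "Incident response planning", 0, 0),
]

if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(f"{item.item_id:6} {item.name:40} {item.actual_pct:3}%  var {variance(item):+d}%  {status(item)}")
    print(area_rollup(SAMPLE_ITEMS))
    print("remediate first:", remediation_order(SAMPLE_ITEMS))
    print("ROC ready:", roc_ready(SAMPLE_ITEMS))
```

The band edges follow the legend literally: a shortfall of exactly 10 points is At Risk, not In Progress, and 20 points or more is Late. Changing `planned_pct` per checkpoint is what turns this into the weekly progress card of Figure 4.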
Step 2: Remediate
Remediation is the process of fixing vulnerabilities, including technical flaws in software code or unsafe practices in how an organization processes or stores cardholder data. Steps include:
- Analyzing the infrastructure to spot known vulnerabilities.
- Remediating vulnerabilities found in the on-site assessment (if applicable) or through the self-assessment questionnaire process.
- Classifying and ranking the vulnerabilities to help prioritize the order of remediation, from most serious to least serious.
- Applying patches, fixes, work-arounds and changes to unsafe processes and workflows.
Footnotes
1 PCI DSS is a standard developed by the PCI Security Standards Council, which is an open global forum; to read related documents, see: https://www.pcisecuritystandards.org/security_standards/documents.php?association=PCI-DSS.
2 The time for each of the phases varies, based on the client's infrastructure footprint and current state of IT processes.
3 This material was extracted from the PCI Security Standards Council; for more information on the council, visit its Web site: https://www.pcisecuritystandards.org/index.php.
About Cognizant
Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world's leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50 delivery centers worldwide and approximately 156,700 employees as of December 31, 2012, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.
World Headquarters
500 Frank W. Burr Blvd. Teaneck, NJ 07666 USA Phone: +1 201 801 0233 Fax: +1 201 801 0243 Toll Free: +1 888 937 3277 Email: inquiry@cognizant.com
European Headquarters
1 Kingdom Street Paddington Central London W2 6BD Phone: +44 (0) 20 7297 7600 Fax: +44 (0) 20 7121 0102 Email: infouk@cognizant.com
Copyright 2013, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.