On the blog, we cover basic questions with Christopher D. Roberti, Senior Vice President for Cyber, Intelligence, and Security Policy at the U.S. Chamber of Commerce and PCI SSC SVP, Engagement Officer for Market Intelligence and Stakeholder Engagement Troy Leach, about this growing threat to businesses across the U.S. and how to better protect yourself from this dangerous threat.
Technology can only do so much to protect an organisation from data breaches. That’s why Requirement 12 of the PCI DSS (Payment Card Industry Data Security Standard) instructs organisations to implement policies and procedures to help staff manage risks.
Employees introduce many risks into businesses that technology simply can’t prevent. Misconfigured databases, email attachments sent to the wrong person and records that are improperly disposed of are common examples of the ways staff compromise information.
These are the kinds of risks that a PCI DSS policy can help prevent.
What you should include in a PCI DSS policy
A PCI policy is a collection of written procedures and guides that state how an organisation manages its CDE (cardholder data environment). It should address:
- Information security: This details the organisation’s security strategy in relation to the storage, processing and transmission of credit card data. It provides a detailed outline of information security responsibilities for all staff, contractors, partners and third parties that access the CDE.
- Formal security awareness: This identifies the organisation’s responsibilities when implementing a PCI security awareness training programme intended for anyone who has access to the CDE. Staff should take this programme during their induction and repeat it at least once a year or whenever there is a security incident.
- Incident response: This is a set of instructions for detecting, responding to and limiting the effects of an information security event. Without a plan in place, organisations might not detect an attack or fail to follow proper protocol to contain it and recover.
Fast-track your documentation process
Policies and procedures only work if they are regularly reviewed and updated to ensure they work as intended. This can be time-consuming and challenging, so we’ve created our PCI DSS Documentation Toolkit to simplify the job.
This toolkit includes all the template documents you need to ensure complete coverage of your PCI DSS requirements.
It contains all the information you need to ensure PCI DSS compliance; all you need to do is fill in the sections that are relevant to your organisation.
The toolkit also contains a document checker to help you select and edit the appropriate policy, so that you can create and amend documents as needs arise.
The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario. It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant with the Standard.
A version of this blog was originally published on 13 November 2017.
The post How to document PCI DSS-compliant policies and procedures – with template example appeared first on IT Governance UK Blog.
WAFs are among the most common security controls used by organizations in both the public and private sectors to protect their web applications against common web exploits.
Driven by the extensive growth in attack volume against web applications, the global WAF market size is expected to reach $6.89 billion by 2024. What else is driving this growth across industries?
Driver of WAF adoption
In a research study by Computing, 62% of IT decision makers surveyed across various industries stated regulatory compliance as their primary reason for purchasing a WAF.
With regulations introduced to protect consumer data, businesses and organizations are keen to adopt industry standards like PCI-DSS (Payment Card Industry Data Security Standard), given that the standard is a prerequisite for businesses that need to accept and process online credit card payments.
The study also found other notable drivers of WAF adoption:
- 46% of respondents find that inherent vulnerabilities to application layer attacks had enabled them to present a compelling business case for a WAF.
- 23% were driven by penetration testing that alerted them to some serious vulnerabilities in their web applications.
- 18% stated that there was simply no other cost-effective way of securing legacy applications.
Role of WAF in data protection laws
In the 1990s, there were only 20 data privacy laws worldwide. Now, there are over 100. In many cases, government regulations require the deployment of a WAF, either explicitly or implicitly.
WAFs by their very nature are designed to protect an organization’s core assets (i.e. web applications) and maintain data integrity. That’s why countries with mature cybersecurity markets tend to have data protection or data privacy laws in place to address data security.
One of the most well-known government laws contributing to WAF adoption is the GDPR (General Data Protection Regulation), the EU’s framework for data protection and privacy for all its citizens.
However, not all countries have highly developed laws like the GDPR. Many countries have data protection laws that are too general and may not provide enough guidance to assign any real accountability to companies that hold user data. In these cases, there is also no mention of deploying a WAF.
Saudi Arabia, for example, has privacy laws similar to those found in other countries, but they address only privacy and data collection, with no mention of data security and no clause requiring users to be notified of data breaches.
Why compliance and protecting customer data matter
Besides a desire to avoid penalties or the suspension of their services, adhering to data protection laws and industry compliance standards also establishes trust among data owners.
By demonstrating a commitment to data protection through compliance, more users will be willing to engage with their services. If an organization does not uphold these standards, users will be less willing to just give up their personal information, and a company’s reputation may be on the line.
Therefore, it makes sense that any company that processes, manages, and stores personal data must engage in the proper security protocols to protect user data and notify users of any data breaches.
Though not all data privacy laws explicitly require WAF adoption, data protection can be achieved with its implementation.
Take a look below at some of the laws around the world aimed at protecting user data.
| Europe | North America | Latin America |
|---|---|---|
| EU: GDPR (General Data Protection Regulation) | Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) | Brazil: Lei Geral de Proteção de Dados (LGPD) |
| UK: Data Protection Act 2018 | US: Privacy Act of 1974; Family Educational Rights and Privacy Act (FERPA) | Mexico: Federal Law on Protection of Personal Data Held by Individuals (LFPDPPP) |
| Sweden: Data Protection Act (DPA) | | Argentina: Personal Data Protection Act 2000 (Law No. 25,326) |
| France: French Data Protection Act 2 (FDPA) | | |
| Germany: Federal Data Protection Act 2017 (Bundesdatenschutzgesetz – BDSG) | | |

Laws in other regions:
- Israel: Privacy Protection Law (5741-1981)
- South Africa: Protection of Personal Information Act 2013 (POPIA)
- Singapore: The Personal Data Protection Act 2012
- Hong Kong: Personal Data Privacy Ordinance Cap 486 (PDPO)
- Australia: Privacy Act of 1988 and Telecommunications Act 1997
- Malaysia: Personal Data Protection Act (PDPA)
Is there a famous data privacy law we missed? Drop us a line!
The post Data Protection Laws & Compliance As Drivers of WAF Adoption appeared first on Cloudbric.
In an age where hosting infrastructure in a cloud environment becomes more and more attractive – whether for maintenance, price, availability, or scalability – several service providers offer different PCI-DSS (Payment Card Industry – Data Security Standard) compliant solutions for their customers’ need to deal with payment cards.
Many companies believe that when choosing a business partner already certified in PCI-DSS, no further action is required since this environment has already been evaluated. However, while a PCI-DSS compliant provider brings more security and reliability, only its certification is not enough for the contractor’s environment to be certified as well.
All certified service providers must offer their customers an array of services and responsibilities, where they clearly define what each party needs to do to achieve PCI compliance in the environment.
With this in mind, there are some important tips to take into account, mainly focusing on the first six PCI-DSS requirements, and also some important information for cloud service providers to take into account.
Requirement 1: Install and maintain a firewall configuration to protect the cardholder data
To protect cardholder data, you must implement and configure network segmentation of the environment in accordance with the PCI network requirements, using the tools the service provider offers so that the contractor can achieve compliance. Some important services to consider:
- Network Groups: The tool used to perform logical segmentation of the cloud-hosted environment. By default, traffic between instances is blocked, and rules must be created to allow access between them.
- Private Cloud: Should be used to isolate the provider’s networks as private networks, preventing connection and access from any other network except those explicitly authorised by the segmentation tool created in the same private cloud. This configuration simplifies segmentation and the logical management of access, reducing the exposure of the environment and of card data.
- Elastic Computing: Allows the creation of a scalable instance: once processing load reaches a threshold pre-defined by the user, another instance identical to the first is created. This repeats as more processing power is needed; when load falls, the extra instances are deactivated.
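An added example (not from the original post) of checking exported network-group rules against the default-deny, explicit-allow model described above. The rule tuple format, the sample rules and the list of authorised source networks per group are constructed assumptions for this example.

```python
import ipaddress

# Constructed sample: a network-group export flattened to
# (group, direction, protocol, port, remote CIDR).
SAMPLE_RULES = [
    ("cde-app", "ingress", "tcp", 443, "10.20.0.0/24"),     # from the web tier
    ("cde-app", "ingress", "tcp", 22, "0.0.0.0/0"),         # SSH open to the world
    ("cde-db", "ingress", "tcp", 5432, "10.10.1.0/24"),     # from the app tier
    ("cde-db", "ingress", "tcp", 5432, "192.168.50.0/24"),  # from an office LAN
    ("cde-db", "egress", "tcp", 443, "0.0.0.0/0"),          # unrestricted egress
]

# Assumption: the only networks allowed to reach each CDE group.
AUTHORIZED_SOURCES = {
    "cde-app": [ipaddress.ip_network("10.20.0.0/24")],
    "cde-db": [ipaddress.ip_network("10.10.1.0/24")],
}


def audit_rules(rules, authorized=AUTHORIZED_SOURCES):
    """Return (group, finding) tuples for rules that break segmentation:
    ingress from anywhere, ingress from a non-authorised network, or
    egress to anywhere (which defeats containment of a compromised host)."""
    findings = []
    for group, direction, proto, port, cidr in rules:
        net = ipaddress.ip_network(cidr)
        if direction == "ingress":
            if net.prefixlen == 0:
                findings.append((group, f"ingress {proto}/{port} open to any source"))
                continue
            allowed = authorized.get(group, [])
            # subnet_of() is inclusive, so an exact match is accepted
            if not any(net.subnet_of(a) for a in allowed):
                findings.append((group, f"ingress {proto}/{port} from unapproved {cidr}"))
        elif direction == "egress" and net.prefixlen == 0:
            findings.append((group, f"egress {proto}/{port} unrestricted"))
    return findings


if __name__ == "__main__":
    for group, finding in audit_rules(SAMPLE_RULES):
        print(f"{group}: {finding}")
```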
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
In the case of SaaS (Software as a Service) cloud services, the need to apply secure configuration controls rests with the provider, assuming that the service provider identifies the service as part of its environment accordingly.
Using PaaS (Platform as a Service) or IaaS (Infrastructure as a Service), when the configuration of the instance is made by the contracted company, it is very important to create the procedure of hardening to be used and to ensure that it is properly applied in the instance before creating the rules that grant access to the other environments.
Requirement 3: Protect stored cardholder data
Secure storage of card data is one of the priorities of the standard. Natively, cloud environments do not protect data, so the company acquiring the service must identify how it can make the data secure during the process, as well as assess whether the provider provides the necessary tools.
For card data encryption, key management is another crucial point, as important as the encryption of the data itself. The documentation and secure management of the data encryption keys (DEK) and key-encryption keys (KEK) must be done by the contractor, who can use the resources offered by the providers.
Requirement 4: Encrypt the cardholder data transmission on open public networks
The implementation of secure communication channels must be planned by the contractor, either through the acquisition of a secure communication service or even through the implementation of communication certificates. Always use robust PCI-DSS-based encryption protocols, such as TLS 1.2, IPSec, SFTP, etc.
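An added example (not from the original post) using Python's standard `ssl` module: one function builds the client-side TLS settings a contractor's own service should use for Requirement 4, and a second audits an existing context for the weak settings to avoid. Function names are assumptions.

```python
import ssl


def pci_tls_client_context(ca_file=None):
    """Client context: TLS 1.2 minimum, certificate and hostname checks on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 and SSL
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression leaks plaintext length
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # private CA, if one is used
    else:
        ctx.load_default_certs()
    return ctx


def audit_tls_context(ctx):
    """Return human-readable findings; an empty list means the context is acceptable."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT:
        if not ctx.check_hostname:
            findings.append("hostname verification disabled")
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            findings.append("server certificate not required")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    return findings


if __name__ == "__main__":
    print("hardened context findings:", audit_tls_context(pci_tls_client_context()))
```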
Requirement 5: Use and regularly update anti-virus software or programs
Another common mistake is to assume that implementing antivirus is the responsibility of the service provider, or even to believe that their systems are not susceptible to malicious software.
Cloud services do not include the provision of this type of software by default in all scenarios. This means that those seeking PCI-DSS certification need to identify how to implement and define the use of an antivirus solution, ensuring its installation, management, logging, and monitoring.
Requirement 6: Develop and maintain secure systems and applications
In the case of a certified service offered by the cloud provider (SaaS), once the contracting company has confirmed this in the responsibility matrix, it does not need to take any additional action related to the management of the infrastructure that maintains that environment.
However, when acquiring IaaS or PaaS services, it is important to enable vulnerability identification procedures, security updates, change management, and secure development.
Speaking specifically of public-facing web applications, PCI-DSS requires the manual or automated validation of all code developed for the application. A recommended alternative is the implementation of a Web Application Firewall, which can also be used as a service acquired from the marketplace of these companies or as an application to be contracted (e.g. AWS WAF, Azure WAF, Google Virtual Web Application Firewall).