© atsec information security, 2010
Are You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment?
Fiona Pattinson, SHARE: Seattle 2010
About This Presentation
– About PCI assessment and FISMA accreditation
– Structure and requirements of the programs
– How to prepare
– Avoiding common pitfalls
Terminology
FISMA = Federal Information Security Management Act
PCI = Payment Card Industry
Accreditation and Certification
– PCI SSC: accredits companies and individuals as competent to perform assessments
– FISMA: certifies a system, then it is accredited to operate
Assessment vs. Audit
– Audit: a term somewhat jealously guarded by the financial audit profession.
– Some potential for confusion between auditors assessing compliance with the standards and system audit (logging).
PCI SSC = PCI Security Standards Council
PCI Assessment
What: Compliance with the PCI DSS
Why: Mandated by the major credit card brands
Who:
– Any organization storing, processing or transmitting credit card data
When: Annually
How: Depending on the level determined by the card brand, compliance is assessed using
– an SAQ, or
– a QSA accredited through the PCI SSC
Goal: Report of Compliance (passing!)
DSS = Data Security Standard
PCI SSC = PCI Security Standards Council
QSA = Qualified Security Assessor
SAQ = Self Assessment Questionnaire
FISMA Certification Assessment
What: Compliance with standards and guidelines developed by NIST
Why: Mandated through FISMA
Who:
– U.S. Federal government executive agencies
– Their contractors and third parties processing their data
– Excluding the DoD, CIA, and National Security Systems
When: Annually
How: Certification
Goal: System Accreditation (to operate)
CIA = Central Intelligence Agency
DoD = Department of Defense
NIST = National Institute of Standards and Technology
What? Both PCI and FISMA!
If your operations include storing, transmitting or processing credit card data for, or on behalf of, a US government agency, then you will need to comply with both schemes.
PCI DSS Structure and Requirements
The PCI SSC was founded by five international payment card brands in 2004:
– American Express
– Discover Financial Services
– JCB International
– MasterCard Worldwide
– Visa, Inc.
The PCI SSC mission includes developing and maintaining common security standards across the brands.
Compliance is mandated via each brand's contractual agreements and card brand security programs.
Card Brands Security Programs
Security Program: URL
– The MasterCard Site Data Protection Program (SDP): http://www.mastercard.com/us/sdp/index.html
– Visa Cardholder Information Security Program (CISP): http://usa.visa.com/merchants/risk_management/cisp_overview.html
– American Express Data Security Operating Policy Compliance Program (DSOP): https://www209.americanexpress.com/merchant/singlevoice/dsw/FrontServlet?request_type=dsw&pg_nm=spinfo&ln=en&frm=US&tabbed=complienceRequirement
– Discover Information Security & Compliance (DISC): http://www.discovernetwork.com/fraudsecurity/disc.html
– JCB: http://www.jcb-global.com/english/pci/
All use the current version of the PCI DSS (currently 1.2.1), which is available from https://www.pcisecuritystandards.org/index.shtml
PCI DSS Structure and Requirements
The Twelve Key Requirements of PCI DSS
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
PCI DSS Structure and Requirements
The Twelve Key Requirements of PCI DSS
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security.
PCI DSS Structure and Requirements
Card brand program requirements
– Annual assessment of compliance with the PCI DSS
– Quarterly requirement for external network vulnerability scanning by an ASV
– COTS payment applications must be from the approved list
ASV = Approved Scanning Vendor
COTS = Commercial Off The Shelf
PCI DSS Structure and Requirements
PCI DSS detailed requirements summary
– Penetration testing and internal network vulnerability scanning on major network changes
– Full mapping from high level security policy through configuration standards to implementation
– Secure programming standards
– Organizational, process and HR policies
HR = Human Resource
FISMA Structure and Requirements
FISMA: The Federal Information Security Management Act of 2002 (Public Law (P.L.) 107-347)
– Provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.
– Gives NIST authority to produce standards (FIPS) and guidance (SP) to support the FISMA objectives
  – FIPS are compulsory and binding for federal agencies
  – SPs are recommendations and guidance documents. Federal agencies must follow SPs mandated in a FIPS.
FIPS = Federal Information Processing Standard
SP = Special Publication
FISMA Structure and Requirements
– National Security Systems are excluded
– Uses a Risk Management Framework
– Classifies systems as Low, Medium and High
– Applies a baseline set of controls according to the system classification
– May augment and improve the baseline control set
FISMA Structure and Requirements
From http://csrc.nist.gov/
RMF = Risk Management Framework
C&A phases
1. Initiation
   (i) preparation
   (ii) notification and resource identification
   (iii) system security plan analysis, update, and acceptance
2. Security Certification
   (i) security control assessment
   (ii) security certification documentation
3. Security Accreditation
   (i) security accreditation decision
   (ii) security accreditation documentation
4. Continuous Monitoring
   (i) configuration management and control
   (ii) security control monitoring
   (iii) status reporting and documentation
An Approach for Compliance
The first time is always the hardest.
Build security measurement and assess-ability into the business processes.
Always be ready for an assessment
– A properly prepared organization shouldn't need to do much preparation. They should be ready at ANY time.
– Be aware of changes in the standards. Keep up to date with them. Reviewing for changes once a year, a month before the assessment, leads to problems.
An Approach for Compliance
Understand the assessment requirements and how z/Series supports you in meeting them.
There may be differences in how controls can be met, or interpretations needed for your environment. E.g.:
– Malware requirements in PCI DSS
– File Integrity Checking for PCI
Have a GOOD and effective risk management process
– That matches YOUR organization
Specify compensating controls wisely
– Too many are a red flag: but they are probably necessary!
An Approach for Compliance
Reuse other assessment results
– PCI DSS, FISMA, ISO/IEC 27001, SAS 70, SOX, EuroSOX etc. all provide (independent) controls assessments. Do not reinvent the wheel!
Check for assurance given by product certifications, including Common Criteria, FIPS 140-2 etc.
– Vendors spend a lot of resource and money giving you this assurance. Use it!
Integrate security management systems
– Each assessor needs to make his or her own determination, but you can be smart!
– Awareness training, HR processes, internal audit of organizational processes and others can, with a little organizational agility, be shared.
Doing both. What is in Common?
Risk Management
– Both PCI and FISMA take a baseline approach to cover the industry-level risks
– Both require that you perform your own risk process too, to include organization specific risks
Many of the controls are the same or very similar
– Too much detail for THIS presentation
– Several commercial tools provide mapping
Training and Awareness
Internal audit
– Especially process and management controls
Document and Record control
An Approach for Compliance
This approach can be used for combining almost any set of management system compliance schemes.
Pitfalls: Passion
Those who want to do security because it's the right thing to do are invariably more successful and suffer fewer incidents than those who just want to pass the assessment to allow them to continue to operate.
Management commitment to the intentions of the scheme helps a lot.
Pitfalls: Time!
"I need a RoC in three weeks or I can't do business"
– Know your deadlines
– Know the critical path
If it is the first time through, invest in a gap analysis by someone who knows the standards and your technology well.
– Allow plenty of time for remediation
Pitfalls: Scoping
Scoping: not too big nor too small
It is worth spending a lot of effort on getting this right.
– Keep sensitive data to a minimum and reduce scope creep.
– Use what you can to reduce scope: know the rules and know your technology!
Benefits of Large Computer Systems
– Better physical protection
– Better logical separation (via PR/SM and z/VM)
– Higher reliability
– Better isolation of development and production
– Better separation of operation and configuration / maintenance
– Better separation of duties
– More automated processing
– Extensive monitoring and auditing capabilities
Pitfalls of Large Computing Systems
– Large, complex environment
– Tons of security critical configuration options
– Requires careful use and assignment of access rights and privileges
– High reliability implies high redundancy, also of critical data
– Customer developed system exits, SVCs and authorized programs often introduce critical vulnerabilities
  – Developers are often not aware of the precautions they need to take
  – This is often also true for third-party software
Pitfalls: Choosing Your Assessor
Choosing your assessor (skills and competency)
– Do they have experience with mainframes?
– Do they understand the additional security built in to such systems, or do they try to map it to more common paradigms?
Conflict of Interest
– Don't choose an assessor that tries to sell you their product, a partner's product, or consultancy
Transfer of Risk!
– Your assessor assumes risk when they make statements about your systems. Are they mature enough to realise this?
Pitfalls: Snake Oil & Silver Bullets
Unfortunately there are no
– Silver bullets
– Magic tools
– Wondrous applications
Summary
Bibliography
PCI Security Standards Council
– https://www.pcisecuritystandards.org/index.shtml
NIST FISMA Program
– http://csrc.nist.gov/groups/SMA/fisma/index.html
PCI compliance for Large Computer Systems
– http://www.atsec.com/us/pci-lcs.html
Comparison of Common Criteria Functionality and FISMA 800-53 controls
– http://www.atsec.com/downloads/pdf/FISMA%20Control-Comparision-with-atsec-evaluated-Linux-OS.pdf
Karapetrovic, S. 2002, 'Strategies for the Integration of Management Systems and Standards', The TQM Magazine, vol. 14, no. 1, pp. 61-67.