June 2008

Assessing PCI Compliance — World’s Biggest Standard

Posted on June 27, 2008 9:11 pm by Caroline Ramsey-Hamilton Comment

Everyone has a credit card these days. Ever take it out and take a good look at that little magnetic strip on the back of a credit card? It’s only about 2 1/2 inches long and quite thin. That little strip contains all the personal information about you — your name, address, password, mother’s maiden name, perhaps your social security number and your financial account number and even more information about your account.

Who wrote the program that ended up on that magnetic strip? Are there copies of that magnetic strip information stored somewhere? And this is only ONE card; you probably have a wallet full of them.

These payment cards (PC= Payment Card Industry) are the biggest deal in information security these days because of a new standard call the PCI-DSS standard (Payment Card Industry- Data Security Standard). The PCI Security Standards Council, which created the standard, was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

Credit card companies want you to charge it and they know that concerns about identity theft might possibly slow down your card use — so it is in their best interests to make sure that a solid security standard is in place to protect you. The standard has turned into a requirement for everyone who takes a credit card and that turns out to be literally millions of grocers, retailers, online retail outlets, government agencies, convenience stores, utilities — almost everyone. So the PCI-DSS standard may be the most widely applied information (data) security standard in the world.

With such a widespread and critical standard, there is confusion about how to meet the standard because just doing a self-assessment isn’t enough — you are also required to do penetration tests on your systems that handle and transmit this electronic customer information and ATTEST that you use the standard in your information systems.

This includes having strong firewalls that protect cardholder data and making sure to remove
the generic vendor-supplied passwords; using good storage devices for sensitive customer information and encrypting data that flows over your network. In addition, the card manager has to use anti-virus software, and also build secure systems. Once proper controls are in place, these controls need to be monitored and tested.

Doing a full compliance and vulnerability assessment annually is the best way to make sure that you can prove you have done all the specific activities required in the PCI-DSS standard. The assessment actually breaks the entire standard down into smaller, manageable chunks and then each one is monitored, or validated, with an audit trail, so that is easy to prove that you have evaluated your organization’s compliance with the PCI-DSS standard.

The PCI-DSS standard is actually mild, as information security standards go, and not as far-reaching or intrusive as, for example, the HIPAA standard (Healthcare Insurance Portability and Accountability Act) which has completely revised the way healthcare organizations do business. Nor is it as complicated as the BSA (Bank Secrecy Act) or the International Standards Organization’s 27001 standard (ISO 27001 and 27002).

After the infamous TJMAXX identify theft incident — consumers should welcome the PCI standard and retailers and others affected by it should be grateful that is just another way of encouraging good information security practices.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

Categories:
Identity Theft
PCI
Red Flag FACT
Risk
Risk Assessment & Compliance

Tags:
Identity Theft
PCI compliance
PCI-DSS
Red Flag FACT

Fear of Risk Assessment!

Posted on June 17, 2008 2:45 am by Caroline Ramsey-Hamilton Comment

Why are people INTIMIDATED by risk assessments? Is it because they seem overwhelming with their arrays of lists and categories? (At last count – I categorized over 1.572 million combinations of the 44 asset categories, 58 threat categories, 55 vulnerability categories, 7 loss categories and 160 control categories)!

Part of the trepidation of manager tasked with a risk assessment seems to be that they are anxious about making key assumptions and assigning importance to different areas of the business or agency. Of course, part of this is political – the risk analyst has the power to build up the importance of one part of an organization and reduce the stature of another – or EVEN AFFECT THEIR BUDGETS!!

In practice however, it seems like the exercise of doing a risk assessment affords a level of protection which is related to how many other people actually contribute to the risk assessment results. Using the compliance survey as a participatory measure takes the onus of absolute responsibility away from the manager and distributes it throughout the organization where it belongs.

Besides – how can one person know enough to do the entire risk assessment by their self? They would have to be everywhere at once – in the morning, late at night, on the weekends, and also be able to channel the work of everyone from the newest tech support person to the director of the data center. And the inclusion of a variety of individuals adds weight and power to the risk assessment.

While the analysts may be accountable for the report of potential risk, the responsibility for any action that needs to be taken is up at the C level, or with the Board. In fact, in the FFIEC IT Handbook, they spell out, “The Board is responsible for holding senior management accountable”. Often we have found that the actual President of a bank or credit union doesn’t always KNOW that he is going to be held responsible – this information is down another level in the organization.

The analyst should not be afraid of making assumptions in the risk assessment; auditors make assumptions all the time. One could say that the world runs on assumptions. So making an assumption about how long it would take to replace the personnel or web applications of a specific part of the organization is not too difficult. Always remember that each component of the risk assessment can be vetted before with relevant management so that senior management does take the responsibility for validating the choices the analyst makes.

Personally, I advocate getting management to sign off, in writing, on the assumptions they accept, in the course of completing the risk assessment – and of course, on the final reports. There’s nothing like a signature on piece of paper to foster a climate of accountability.

Caroline R. Hamilton is the Founder of RiskWatch, Inc., the original top-rated risk assessment software. Hamilton served on the NIST Model-Builder’s Workshop on Risk Management from 1988-1995 and on the National Security Agency’s Network Rating Workshop. In addition, she was a member of the U.S. Department of Defense’s Defensive Information Warfare Risk Management Model and has worked on a variety of risk assessment and risk management groups, including the ASIS Information Technology Security Council and the IBM Data Governance Council, created by Steven Adler. Hamilton also received the Maritime Security Council’s Distinguished Service Award and has written for a variety of books and magazines including the CSI Alert, the Computer Security Journal, the ISSA Newsletter, The HIPAA Compliance Handbook, Defense News, Security & Design, Cargo Security and many other publications. Based in Annapolis, Maryland, Hamilton is a graduate of the University of California.

Categories:
Managing the Risk Assessment
risk assessment
Risk Assessment & Compliance
Risk Assumptions

Threat Assessments & the Maryland Storms

Posted on June 5, 2008 5:18 pm by Caroline Ramsey-Hamilton Comment

June 4, 2008, Annapolis, Maryland

Threat Assessments are one of the key areas of a security risk assessment. Whether it’s information technology or physical security — having good threat information is a major component of any risk assessment.

Threat data is also very difficult to get and to keep updated. Part of the problem is that if you look at ‘current’ threat data — you will find that this year, for example, we have had an unusual amount of rain and an unusually high number of storms and ‘conditions that are favorable for tornado (tornadic sp?) activity in Maryland.

Take yesterday for example. I had to take one of my beagles to the vet. As I got into my car, my son called to say there was a very severe storm with a possible tornado heading toward us. (He is in Virginia so he gets the storms first). I actually saw the storm in my rear view mirror as I headed across the 4 mile Bay Bridge and rode out the storm in the vet’s office. All my power was out when I finally got home and hundreds of trees were down. There was so much flooding that I had to take off my shoes and pull up my dress to get to my car in the parking lot of the vet’s office.

So with these storms, tornados, rain and flooding, should I increase my threat of storms, flooding and water damage? NO. In this case, as in others (like hurricanes), as a risk analyst, you are looking at long term trends. Remember 2005? It was the busiest hurricane season on record, with 27 named storms and 11 federal disaster declarations and the unforgettable trio – Katrina, Wilma and Rita? Everyone thought this was the signal of a new problem with hurricanes, but 2006 was quiet. In fact, no hurricanes made landfall in the U.S. in 2006; and in 2007 there was only 15 named storms.

What insurance companies have known for years is that these things occur in cycles, and if you change your disaster plans to focus on hurricanes, next year you may instead get wind, or wildfires. So the smart risk assessor will look at 20 or even 50 year cycles, and will normalize those cycles into an annual number and that annual number will be a better predictor of what actually happens year by year.

For a risk assessment, I always look at what is called an “All-Hazards” threat approach. Even for an IT risk assessment, you need to look at the statistics for natural disasters, and related crime stats, as well as IT threats such as disclosure, viruses, malware, phishing, etc. The impact of a hurricane or flood on a data center is just as damaging, if not more damaging, than a virus brought in by an employee.

There are several threat sources you can refer to, if you are attempting to create your own threat matrix for a risk assessment. In the U.S., the National Weather Service (www.noaa.gov), has good threat data for natural phenomena, and the FBI publishes good crime data — the uniform crime reports (http://www.fbi.gov/ucr/ucr.htm). For looking at IT threat data, there is a wide variety of sources including the CERT at Carnegie Mellon (www.cert.org).

Of course, the best, and most localized is either from your internal data, or from industry data. This includes incident response tracking, incident reports, penetration and scanning test results which can be combined to give a good overall threat profile for your organization to in the risk assessment. The threat assessment probabilities are going to contribute to the risk calculation by seeing what level of protection different assets need according the threats that can impact them.

Categories:
risk assessment
Risk Assessment & Compliance
Threat Assessment
Threat Sources

Return On Investment (ROI) Risk Assessment Relationship

Posted on June 3, 2008 7:02 pm by Caroline Ramsey-Hamilton Comment

The relationship between the Risk Assessment and the Return On Investment for good security is very important to management because it creates a business case for further investment and “appropriate investment” in the IT security program. Return On Investment is that ratio that tells you if you invest so much, you’ll get so much back in return.

IT security directors should also be interested in Return On Investment because it has the side benefit of cost justifying the security budget and making sure you get the controls you need to support your infrastructure.

Cost justification based on the results of the risk assessment is a requirement for financial institutions and the healthcare industry — especially with the FFIEC and the DHS’ HIPAA requirement. For example, for banks, the FFIEC Examiner’s Handbook for IT Security says, “A risk assessment provides a foundation for the remainder of the security process by guiding the selection and implementation of security controls and the timing and nature of testing those controls.”

The selection of the appropriate security controls for an organization is based on several factors:

1. The percent of the control that is currently in place.

2. The cost of increasing the implementation of the control to 100%.

3. The cost of maintaining and auditing the control over time.

Again, the idea of the Return on Investment is that the most needed controls are funded by the organization first, so that money is not applied to less critical areas, leaving the very sensitive areas, like protection of customer information, exposed. The main components of calculating a Return On Investment are the value of the assets, and that includes not only the replacement value, but also the sensitivity and confidentiality of the information — especially the potential loss to the asset of an incident. For example, the reputation cost of a high profile identity theft could be devastating to a bank or credit union.

To estimate asset value, the confidentiality, integrity and availability (CIA) are values that have to be included in the risk assessment because these can all cause a devastating loss to a organization. Adding identify theft to the already long list of other threats (which also have to be factored into the ROI equation), has been addressed by the FDIC and NCUA with the new Red Flag (FACT) CFR (Federal Registry).

Take a look at the controls your organization is planning to add to your IT infrastructure and see if they pass the ROI test.

Categories:
return on investment