Maintaining your vehicle
Modern information security can be likened to vehicle maintenance, with the business being the vehicle and the various lubricants and fluids being the different forms of data and the regulations that govern them. The Payment Card Industry Data Security Standard (PCI DSS), which governs cardholder data, is just one example of these regulations.
What happens if these different types of data are not maintained?
Picture a simple ball exercise, in which the different coloured balls represent the different types of data and the people represent the different processes required to move that data around a business. No rules = ANARCHY!
Okay, so PCI DSS v3.2 is much like your annual MOT (roadworthiness) test, with its own terminology for its testing criteria, for example:
1.1.1.a Examine documented procedures to verify there is a formal process for testing and approval of all:
• Network connections
• Changes to firewall and router configurations
Identify the document(s) reviewed to verify procedures define the formal processes for:
• Testing and approval of all network connections
• Testing and approval of all changes to firewall and router configurations
This is all somewhat confusing...
It is a given that most QSAs would expect every organisation that stores, processes or transmits cardholder data (or that could affect the security of that data) to fully understand the intent of each of these controls.
However, the Information Security Consultancy (ISC) team at Nettitude takes a slightly different viewpoint. Not every company can afford to employ a master mechanic; many have more inexperienced apprentices running their information security departments. Whatever their level of expertise, the thing these information security professionals have in common is the 'want' to do their jobs to the best of their abilities and to ensure that the environments they support are as secure as possible.
Hence, Nettitude’s ISC team has been forged from members with wide-ranging skills and experience but that also have a commonality:
“To meet and maintain a minimum standard of skills, experience and expertise, and to pursue excellence as standard”
In order to achieve these goals, the team is constantly scouring the web, white papers, industry standards and more to ensure that all of our knowledge is current and accurate.
As a result, we are able to impart this knowledge and provide a myriad of supporting references, enabling our clients to safely service and maintain their own vehicles.
More importantly, clients are empowered with the knowledge and can deal with regulators, auditors and their banks with confidence.
Creating your own service manual
Much like the motor industry today, there are resources available to assist you in creating your own ‘Haynes Manual’. For example, if you needed to write a chapter in support of 1.1.1.a, where might you look?
How about section 5.3 (pages 5-6) of NIST SP 800-41 Rev. 1, ‘Guidelines on Firewalls and Firewall Policy’?
“New firewalls should be tested and evaluated before deployment to ensure that they are working properly. Testing should be completed on a test network without connectivity to the production network. This test network should attempt to replicate the production network as faithfully as possible, including the network topology and network traffic that would travel through the firewall. Aspects of the solution to evaluate include the following:”
How easy might it be to turn that paragraph into a policy statement, just through the use of the words MUST or SHALL?
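As an added illustration (not part of the original post, and not code from Nettitude or NIST), one way to make “tested and approved before deployment” a mechanical check rather than a paperwork step is to keep a regression suite of flows that encode the cardholder data environment's segmentation requirements and run every proposed ruleset against it before it is approved. The Python below is a toy first-match ruleset evaluator: the addresses, rules and test flows are constructed for the example, and `proposed_change` is a hypothetical change that should fail review.

```python
"""Pre-deployment check for a proposed firewall rule change.

Added example, not from the original post or from Nettitude/NIST. It models
the NIST SP 800-41 advice (test a change against representative traffic
before it touches production) as a regression test: every proposed ruleset
must give the expected verdict for a fixed list of flows that encode the
security requirements of the cardholder data environment (CDE).
All addresses, rules and flows below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    dst_ip: str
    dport: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if the rule's pattern covers the flow."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if ip_address(flow.src_ip) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst_ip) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == flow.dport


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First-match semantics with an implicit final deny, as most firewalls apply."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


# Constructed layout: internet -> DMZ web tier -> CDE database tier.
DMZ = "10.1.0.0/24"
CDE = "10.2.0.0/24"
ANY = "0.0.0.0/0"

CURRENT_RULES = [
    Rule("allow", "tcp", ANY, "10.1.0.10/32", 443),   # public HTTPS to the web tier
    Rule("allow", "tcp", DMZ, "10.2.0.20/32", 3306),  # web tier to the CDE database
    Rule("deny", "any", ANY, CDE),                    # nothing else reaches the CDE
]

# Constructed test flows: each encodes a requirement that must hold after any change.
TEST_CASES = [
    (Flow("tcp", "203.0.113.5", "10.1.0.10", 443), "allow"),  # customers reach the web tier
    (Flow("tcp", "10.1.0.10", "10.2.0.20", 3306), "allow"),   # web tier reaches the database
    (Flow("tcp", "203.0.113.5", "10.2.0.20", 3306), "deny"),  # internet must never reach the CDE
    (Flow("tcp", "203.0.113.5", "10.2.0.20", 22), "deny"),    # no remote admin into the CDE
    (Flow("udp", "10.1.0.10", "10.2.0.20", 161), "deny"),     # SNMP from the DMZ not permitted
]


def check_ruleset(rules: List[Rule], cases=TEST_CASES) -> List[str]:
    """Return a line for every requirement the ruleset violates (empty list = pass)."""
    failures = []
    for flow, expected in cases:
        got = evaluate(rules, flow)
        if got != expected:
            failures.append(
                f"{flow.proto} {flow.src_ip}->{flow.dst_ip}:{flow.dport} "
                f"expected {expected}, got {got}"
            )
    return failures


def proposed_change(rules: List[Rule]) -> List[Rule]:
    """Hypothetical 'temporary vendor access' rule inserted at the top of the ruleset."""
    return [Rule("allow", "tcp", ANY, CDE, 3306)] + list(rules)


if __name__ == "__main__":
    print("current ruleset:", check_ruleset(CURRENT_RULES) or "PASS")
    print("proposed ruleset:", check_ruleset(proposed_change(CURRENT_RULES)) or "PASS")
```

Running the module reports PASS for the current ruleset and one violated requirement for the proposed change (the internet would reach the CDE database on 3306, because the new rule sits above the deny). The list of failures, or its absence, is the kind of test evidence a change ticket can attach to satisfy the “formal process for testing and approval” that 1.1.1.a asks an assessor to verify.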
Remember, PCI DSS is designed to provide a minimum baseline (defence in depth) for the protection of your card payment (or supporting) operations, and it draws on industry guidance such as NIST publications.
If you are struggling to understand the specifics of PCI DSS v3.2 (the brake fluid) and how to effectively and efficiently maintain it within your company (the VW Beetle, Porsche 911, etc.), why not have seasoned professionals come in and give your vehicle a well-earned service?
Imagine the scene:
“You’re driving down the highway at 70 mph and you see that the traffic in front has stopped. You apply the brake and NOTHING HAPPENS! At the very moment you need the brake fluid to work as intended, it has been contaminated (integrity) or the brake reservoir is empty (availability).”
It may turn out to be one of your best information security investments of 2017.
Authored by Jim Seaman, CISM, CRISC, QSA - Security Consultants Team Lead, Nettitude.