Ben Oguntala LLB Hons
Director, Riesgo Risk Management (Corporate Governance)
Corporate Governance and Intellectual Property are the two areas of specialisation. Corporate Governance covers DPA, SOX, PCI and information security (ISO 27001).

PCI compliance tool center doc


PCI (Payment Card Industry) compliance tool: an end-to-end monitoring and compliance tool for PCI DSS, useful for QSAs.

Payment Card Industry Compliance Tool
Reporting | Compliance assessment | Auditor's view | Monitoring
PCI | DPA | SOX | ISO 27001
Riesgo Risk Management : PCI compliance tool
www.riesgoriskmanagement.com | info@riesgoriskmanagement.com

Our solution is designed to assist QSAs and PCI-related companies to achieve their goals by deploying a solution that captures the 12 PCI DSS requirements and embeds itself within your organisation. The Riesgo Risk Management solution covers:
1. Maintaining an information security policy
2. Building and maintaining a secure network
3. Regularly monitoring and testing networks
4. Implementing strong access control
5. Maintaining a vulnerability management program
6. Protecting cardholder data

Our services to QSAs
(Diagram: secure network of DMZ, firewall, middle tier, firewall and DB layer, with the QSA given a view of access control and encryption on the cardholder DB.)
• Vulnerability management program: our solution implements a VMP for all assets and reports non-compliance in real time.
• Regularly test and monitor the secure network: we give the QSA access to review PCI compliance from a projects and assets point of view.
• Creating and maintaining an information security policy: we have ready-built, adaptable templates.
• Building a secure network: we have the expertise to help your organisation or client build a 3-tier network.
• Implement strong access control: based on the IS policy, we provide the facility to create a strong access control policy that is evidenced in your organisation's day-to-day practices.
• The Riesgo Risk Management PCI compliance tool allows QSAs to easily extract the information required for their audit, helping them provide an improved service to their clients plus add-on value services.

PCI Solution – Solution overview 1
(Diagram: the QSA view over "Maintain an information security policy", "Build & maintain a secure network" and "Protect cardholder data", with a PCI alerts chart per tier.)
Secure network:
• DMZ – DMZ hardening; security policies and project baselines; DMZ monitoring
• Middle tier – policies for the middle tier and baselines; middle tier monitoring
• DB layer – DB security policies and baselines; DB monitoring; DPA; encryption policy
• Project and asset assessment results
Policy workflow:
1. The IS manager is set up.
2. The IS manager creates the IS management forum and the business units.
3. The IS manager uploads the draft IS policy for the forum to review.
4. Once the draft policy is approved by the forum, it is disseminated to the business units.

PCI Solution – Solution overview 2
(Diagram: the QSA view over "Implement strong access control measures", "Monitor & test networks" and "Maintain information security policy", again with a PCI alerts chart per tier. Elements: assets and projects; DMZ – DMZ hardening, security policies and project baselines, DMZ monitoring; middle tier – policies and baselines, middle tier monitoring; DB layer – DB security policies and baselines, DB monitoring; IS manager; IS management forum; anti-virus software and security baseline; business impact assessment; access control policies and procedures; business units.)
• QSA: opportunity for a managed service.

PCI requirements mapping
Build and maintain a secure network
• Requirement 1 – install and maintain a firewall configuration
• Requirement 2 – do not use vendor-supplied defaults
Protect cardholder data
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open and public networks
Maintain a vulnerability management program
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications
Implement strong access control
• Restrict access to cardholder data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
Regularly monitor and test networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
Maintain an information security policy
• Maintain a policy that addresses information security
Tool evidence mapped to these requirements: access control to cardholder assets; unique ID policy; asset vs. AV status; system and application security; project and asset compliance; encryption policy; access control policy; logs from firewalls; project and asset BIA; IS policies and procedures; IS manager / PCI coordinator; access control breaches to cardholder assets; security systems and processes assessment; ISMS forum; maintenance of the information security policy.

Monitoring facilities
Secure network: DMZ (policies, procedures, baselines; FW logs) | FW | Middle tier (policies, procedures, baselines; FW logs) | FW | DB layer (policies, procedures, baselines)
Risk management and assessment; projects and assets.
The solution provides QSAs with the ability to review how projects and assets interact with the network tiers and their compliance.

Monitoring points
Controls tracked under the six objectives (build and maintain a secure network; implement strong access control measures; protect cardholder data; maintain a vulnerability management program; regularly monitor and test networks; maintain an information security policy):
3-tier architecture; segregation of data; segregation of duties; restricted access; data storage policy; automated anti-virus process; IDS; BS 7799; deny all unless required; user name policy; password policy; physical access policy; IPS; encryption policy; SLA with all vendors for maintenance and support; ISO 27000; unauthorised access alert; unauthorised configuration change alert; policies; network security baseline; access control guidelines; confidential data retention policy; monitoring of the successes and failures of the AV update procedures; software management policy; DPA; monitoring activation; authentication control; security policy applies to every stream.

Build and maintain a secure network – 3-tier architecture
Maintaining a secure network:
• Restricted and controlled access to and from each tier, limited by ports and services
• Security-hardened servers
• Firewall security configuration
• Services with encryption (OWASP/VPN/SSL/IPSEC)
• Segregated domain
• Secure room with restricted access
• Access only from the BLG and from services generated from the BLG – segregated domain
(Diagram: clients on the INTERNET → FIREWALL → DMZ (VPN, Internet-facing servers) → FIREWALL → Business Logic Layer (BLG) → FIREWALL → Database layer (DL).)
The firewall will only allow services initiated from the BLG to access the DL; all transactions are monitored, audit-trailed and logged with a timestamp.

Risk management and audit
Risk assessment and mitigation:
• Threats, vulnerabilities and countermeasures
• Risks vs. countermeasures
• Minimum security policy
• Risk ratings (low, medium, high)
• Solution implementation with mitigation; non-compliance is listed as high, medium or low
Process:
1. New project or merchant
2. Business impact assessment – confidentiality, integrity, availability; regulations: PCI | DPA | RIPA | BS 7799
3. Risk register (H / M / L)
4. Merchant review or internal assessment – feeds into the audit report
5. Audit report on compliance
6. Minimum security requirements – servers | workstations | routers | firewalls | security policy – feeds into the solution implementation

Cost and implementation
• Pilot – £1,500 – five licenses
• Solution development and customisation – £140,000
• Intellectual property rights transfer – £250,000 + license
• License – £12,000 per year
• Implementation and integration – 5-month implementation contract at £3,500 per day

Contact details
• Ben Oguntala
• Email – info@riesgoriskmanagement.com
• www.riesgoriskmanagement.com
• Tel – 07812 039 867
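The 3-tier section above states the one rule a QSA will actually test at the firewalls: only sessions initiated from the BLG may reach the DL, everything not explicitly required is denied, and every transaction is logged with a timestamp. The Python below is an added example, not code from the Riesgo deck or its tool; it checks session-initiation records against that rule and rates each violation on the deck's High/Medium/Low scale. The tier address ranges, port numbers, log line layout and the severity assignment are all assumptions made for the illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed tier addressing (hypothetical ranges; load from inventory in practice).
TIERS = {
    "DMZ": ipaddress.ip_network("10.1.0.0/24"),  # Internet-facing servers
    "BLG": ipaddress.ip_network("10.2.0.0/24"),  # Business Logic Layer
    "DL": ipaddress.ip_network("10.3.0.0/24"),   # Database layer
}

# Permitted session initiations ("deny all unless required"). Only the BLG may
# open sessions to the DL; no entry lists the DL as an initiator. Ports assumed.
ALLOWED = {
    ("INTERNET", "DMZ"): {443},
    ("DMZ", "BLG"): {8443},
    ("BLG", "DL"): {5432},
}

# A denied flow is rated by the most sensitive tier it touches (assumed mapping
# of the deck's risk ratings onto the tiers).
RANK = {"INTERNET": 0, "DMZ": 1, "BLG": 2, "DL": 3}
SEVERITY = {0: "Low", 1: "Low", 2: "Medium", 3: "High"}

# Assumed record layout: one session initiation per line, key=value fields.
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def tier_of(ip: str) -> str:
    """Map an address to its tier; anything outside the tiers is INTERNET."""
    addr = ipaddress.ip_address(ip)
    for name, net in TIERS.items():
        if addr in net:
            return name
    return "INTERNET"


def parse_flow(line: str) -> Flow:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable flow record: %r" % line)
    return Flow(m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"])


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason) for one session initiation."""
    src_tier, dst_tier = tier_of(flow.src), tier_of(flow.dst)
    if src_tier == "DL":
        return "DENY", "DL must not initiate sessions"
    ports = ALLOWED.get((src_tier, dst_tier))
    if ports is None:
        return "DENY", "%s->%s path not permitted" % (src_tier, dst_tier)
    if flow.dport not in ports:
        return "DENY", "port %d not permitted on %s->%s" % (flow.dport, src_tier, dst_tier)
    return "ALLOW", "%s->%s:%d" % (src_tier, dst_tier, flow.dport)


def audit(lines: Iterable[str]) -> List[dict]:
    """Return one unauthorised-access alert per denied record, in log order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict, reason = evaluate(flow)
        if verdict == "DENY":
            worst = max(RANK[tier_of(flow.src)], RANK[tier_of(flow.dst)])
            alerts.append({
                "ts": flow.ts, "src": flow.src, "dst": flow.dst,
                "dport": flow.dport, "severity": SEVERITY[worst], "reason": reason,
            })
    return alerts


# Constructed sample records (TEST-NET addresses stand in for the Internet).
SAMPLE_LOG = """\
2008-06-30T10:15:02Z src=10.2.0.10 dst=10.3.0.5 dport=5432 proto=tcp
2008-06-30T10:15:07Z src=198.51.100.23 dst=10.1.0.4 dport=443 proto=tcp
2008-06-30T10:15:09Z src=10.1.0.4 dst=10.3.0.5 dport=5432 proto=tcp
2008-06-30T10:15:11Z src=198.51.100.23 dst=10.2.0.10 dport=8443 proto=tcp
2008-06-30T10:15:15Z src=10.3.0.5 dst=203.0.113.9 dport=443 proto=tcp
2008-06-30T10:15:20Z src=10.2.0.10 dst=10.3.0.5 dport=22 proto=tcp
"""

if __name__ == "__main__":
    for a in audit(SAMPLE_LOG.splitlines()):
        print("%s [%s] %s -> %s:%d  %s" % (a["ts"], a["severity"], a["src"],
                                          a["dst"], a["dport"], a["reason"]))
```

Run against the constructed records, the first two flows pass (BLG to the DL database port, Internet to the DMZ on 443) and four are raised as unauthorised access alerts: a DMZ host reaching the DL directly, the Internet reaching the BLG, the DL initiating an outbound session, and the BLG using a non-approved port on the DL. The same allow-list is what the tier firewalls should enforce; the check is useful because a QSA can run it over exported firewall logs to confirm the configured rules and the observed traffic agree.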
Uploaded 6/30/2008 | English