QSA compliance tool center doc
Corporate Governance: QSA PCI compliance tool
Ben Oguntala, LLB Hons (London), PCI DSS compliance Architect
6/21/2008

Contents
- Introduction
- Enabling QSAs to do more
- Potential opportunities for QSAs
  - Outsourcing opportunities from the client
  - In-sourcing PCI compliance projects
  - Policies and procedures
  - Zero day detection of PCI attacks
  - Due diligence checks
  - Data security audits and checks
  - Awareness training
  - Services to the insurance industry
- QSA's view
- The implementation plan
- The PCI compliance module
- The compliance module (2)
- Maintaining an information security policy
- Audit compliance dashboard
- The monitoring facilities
- The monitoring points
- Reference: www.aqa.org.uk
- Getting started
- Contact us

Introduction

This document provides a walkthrough of the Riesgo Risk Management PCI compliance tool for QSAs. Undoubtedly, you are often challenged with juxtaposing the audit tasks and creating added value. The essence of this tool is to allow you, as an auditor, to detect early signs of non-compliance and to inform your clients of areas of non-compliance before the issue becomes a culpable act.

Many firms inadvertently breach PCI and will therefore welcome efforts to reduce their financial losses by providing an early warning system for the solution and other reporting mechanisms that simultaneously notify the affected data owner and at the same time store the various streams of work and communication that contributed to the results. The solution architecture is based on an intranet solution that communicates with business units and stakeholders using SMTP; login credentials are based on email addresses and allow the unique identification of users. We also have an optional module for enabling single sign-on that integrates with your client's Windows environment, allowing for seamless integration.

Enabling QSAs to do more

There are several opportunities available for QSAs depending on the stage your clients are at; this solution enables QSAs to generate more revenue streams from the client while generating value for money for the end client. The Riesgo Risk Management PCI compliance solution provides you with an end-to-end electronic view of the organisation; it also has facilities for other stakeholders to participate in and benefit from the knowledge that can be acquired. The Information security manager, Compliance manager and Internal Auditors will all have an account to log on, and they are also alerted on their areas of concern. As a QSA your main concern is to ensure that the 12 PCI requirements are upheld, and that end-to-end picture is what the Riesgo Risk Management PCI compliance tool gives you. The business units and their points of contact are linked with the Information security or management forum, of which the Data protection officer, IS Manager, IT manager and Auditors will be members.

Potential opportunities for QSAs

There are several opportunities that the Riesgo Risk Management PCI compliance tool can enable you to offer your clients; some of them include the following.

Outsourcing opportunities from the client

More and more clients are beginning to manage the risks associated with PCI by outsourcing to professional outfits that manage PCI compliance. The Riesgo Risk Management PCI compliance tool allows QSAs to bid for such outsourcing contracts worldwide and to demonstrate the capability to handle such a project adequately and efficiently. As PCI requirements are universally applicable, by purchasing the enterprise edition of the Riesgo Risk Management PCI compliance tool you will be able to capture the return on investment in a very short period of time and capitalise on the other benefits.

In-sourcing PCI compliance projects

Once you are set up to cater for outsourcing projects, you will be equally positioned to in-source PCI compliance projects. This allows you to generate more revenue by being able to provide add-on services for your clients in a piecemeal fashion or holistically as a framework. The flexibility will allow you to fit various purposes, leaving you poised for a recurring revenue generation scheme.

Policies and procedures

One of the biggest challenges in complying with PCI is the introduction, adaptation and integration of policies and procedures for the organisation. This task often involves gap analysis, implementation strategies and integration projects. The Riesgo Risk Management PCI compliance tool allows you to detect these potential improvement areas as well as provide documented evidence of the impact from the reports.

Zero day detection of PCI attacks

There are several threats to the assets involved in PCI compliance, both internal and external; many organisations are unable to identify these potential threats until they materialise, and quite often that will be too late. The Riesgo Risk Management PCI compliance solution will allow you to provide services to your clients covering the detection of:
- Internal and external attacks on any of the end-to-end entities involved in PCI
- Unauthorised database access
- Unauthorised attempts to download data
- Attempts to store CVV numbers
- Process interference
- Deviation from policies
- Breaches of integrity
- Breaches of confidentiality
- Breaches of availability
- Attempts to access unauthorised sections of the PCI entity

Due diligence checks

Where a PCI client engages the services of a third party, due diligence checks are supposed to be carried out. This is often outsourced by clients, and the QSA can be poised to provide the service seamlessly. You can use the due diligence check to build a robust relationship with your client by providing an objective opinion on the relationship they are looking to engage in, while simultaneously ensuring that adequate SLAs are in place to ensure compliance with the PCI requirements. Furthermore, you will be able to monitor how compliant the third party supplier is. The Riesgo Risk Management PCI compliance tool allows you to carry out this function and build upon the services you currently provide to your clients.

Data security audits and checks

Third party engagement requires data security audits and checks against ISO 27001 and for insurance purposes. Riesgo Risk Management not only allows you to carry out the audits and checks but also to report the findings back to the client simultaneously: mitigations can be raised on site and the feedback sent to the client on a different continent.

Awareness training

PCI compliance requires certain changes to both technical and business practices, both of which require awareness and training on how their areas are affected, and the dissemination of PCI compliance best practice guides. Riesgo Risk Management will be able to provide detailed information about the business units that would require the awareness training.

Services to the insurance industry

Insurance companies that handle payment card liability insurance stipulate the exercise of due diligence in handling PCI activities; being able to provide this level of solution will provide assurance to the insurers that pragmatic measures are in place for the protection of cardholder data. Riesgo Risk Management provides you with the capability to serve this industry.

QSA's view

The Riesgo Risk Management PCI solution provides QSAs with a unique view of the entire PCI compliance stream within the organisation. It allows QSAs to take a light touch approach or a fully engaged approach to the PCI compliance stream.

The implementation plan

The implementation plan gives you an idea of how we embed the solution into your client's intranet network whilst allowing the flexibility to engage third parties such as QSAs via their extranet. The solution comes with all the elements you desire for PCI compliance and is the first solution that issues a real time certificate-based solution and auto-updates itself should there be a breach of the conditions of the certificate, for example a retention policy. We can assist you to develop your policies and guidelines based on our templates and also provide an automated engine which the solution utilises in its operation.

The PCI compliance module

The module is designed to give the QSA all the knowledge that ordinarily he or she would have taken ages to achieve, allowing you to get on with the possibility of generating more revenue.

The compliance module (2)

The module covers the 12 requirements of PCI and allows for the capture and analysis of the information acquired. The system setup starts with the development of the organisational chart and management framework, enrolling the key players within your organisation. Secondly, we create the database of policies, procedures, guidelines and the algorithm for the principles. It then continues to set up the 12 requirements with the appropriate measures. As new projects or assessments take place they are automatically assessed based on the algorithm, and the results are presented to the appropriate stakeholders.

Maintaining an information security policy

The architecture of Riesgo Risk Management is structured to ensure collaboration and segregation of duties as well as consolidation of resources via the intranet portal. The diagram above (not reproduced in this text) shows the integration of the business departments into the tool; it also shows how we integrate procedures and processes into management visibility, thereby ensuring that the policies manifest themselves in the form of accepted procedures.

Audit compliance dashboard

The audit compliance dashboard is a novel concept that creates a visual representation of problems or compliance for internal auditors and generates a report that allows you to focus on the core areas of concern. As the revenue streams for the Riesgo Risk Management PCI compliance tool may require your organisation to monitor for clients, this dashboard gives you the visibility to see priority problems. The dashboard is organised into the following expandable sections:
- Security policy
- Organisation of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- IS acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance

The monitoring facilities

One of the unique advantages of the Riesgo Risk Management PCI compliance tool is its ability to monitor and interpret from several sources.

The monitoring points

The wide range of monitoring points provides the Riesgo Risk Management PCI compliance tool with the ability to detect across the PCI lifecycle, from project inception to live implementation. Internal audit has the tool to communicate with the ISMS forum as well as with the divisions in the organisation, and has access to asset lists, asset registers and risk registers.

Reference: www.aqa.org.uk

Riesgo Risk Management is currently being used by www.aqa.org.uk, and it has provided the internal audit and information security department with a wealth of information to use in the risk management lifecycle process.

Getting started

To get started we invite you to participate in our pilot, which will allow you to see how the process works for the first two modules. The licence fee is £150 and lasts for 2 months. The pilot will allow you to perform the following activities:
- Create an organisation
- Create an IS manager
- Create an ISMS forum
- Send invitations and log on credentials to your ISMS forum members
- Create a Departmental Point of contact
- Create an IS policy in review (draft policy)
- Send the draft policy for review
- Your ISMS forum members will be able to log on and review, give feedback and approve
- The IS manager will be able to promote the IS policy in review to live
- The document will have a review frequency set and the date for the next review automatically set
- Notification emails will be sent to all your ISMS members and the Departmental point of contact
- The ISMS manager will be able to disseminate the policy to the organisation
- The Auditor will be able to log on and see all the transcripts that support the controls
- The Auditor will be able to provide feedback to the ISMS forum directly

In following these steps with our approved templates, your organisation would have demonstrated compliance with the IS security policy document and Information security organisation. You will also be able to print out a number of the reports that can be used to demonstrate the activities carried out, or export them to other tools as part of compliance.

Contact us

Ben Oguntala
Riesgo Risk Management | No. 14, 100 Westminster Bridge Road, London SE1 7XA, England, United Kingdom
Email - info@riesgoriskmanagement.com
Telephone - 07812 039 867
Website - www.riesgoriskmanagement.com