Breaches in network security—particularly those that threaten customer credit card data—have impacted organizations of all sizes and types, from some of the world’s most recognized brands to small, regional businesses, and these security breaches have made national, and international, headlines. An escalation in the number of security breaches did not come about because the companies affected didn’t have solid network security controls in place; most of them did. The fact is that security, and what needs to be secured, is more complex than ever before. It is no longer effective to secure just the enterprise perimeter. Today’s organizations must secure the entire infrastructure, and they must control the people and processes that interact with the infrastructure as well. Neglecting security efforts in any one of these areas can leave an organization vulnerable to a security breach. In fact, in today’s business environment, focusing on IT security alone isn’t enough. Organizations must broaden their thinking to encompass overall information risk. Information risk management is a business function and encompasses regulatory compliance as well as issues of intellectual property protection, insider abuse, and privacy. With a focus on information risk management, an organization will ensure a successful security program and a successful compliance program.
Security and Compliance through PCI-DSS
The Payment Card Industry Data Security Standard or PCI-DSS ensures that cardholder data is protected in the event of a security breach by requiring merchants and service providers that store, process, or transmit cardholder data to meet specific security requirements. When organizations work toward and achieve PCI compliance, they will have also implemented a number of key initiatives that improve overall information security.
According to Forrester Research, an audit for compliance with the PCI standard focuses on three primary areas reflecting the “processes,” “technology infrastructure,” and “people” that are critical to both compliance and security.
1. Identification of sensitive data within your environment such as electronic protected health information, social security numbers, cardholder data, and other confidential data.
2. Identification of areas where data may be transmitted or stored, including routers, switches, firewalls, IDS/IPS, and wireless; servers, PCs, mainframes, and PDAs; hard disks, printouts, backup tapes, audio recordings, vendors and third parties and their sub-servicers; load balancer(s), click trackers, middleware, SSL accelerators, TOE cards, web servers, application servers, and database servers; IVRs and call center “OB” capture systems; and temp files, C:\drives, flash drives, and file servers with “everyone” access.
3. Identification of all consumers of sensitive data, including local staff, remote staff, consultants, business partners, and regulators.
Developing an Automated PCI Compliance Process
The most common challenges to PCI compliance center on protecting and managing data, controlling change, and auditing and enforcing policies. These challenges also link directly to the most commonly cited PCI violations. According to Forrester, the five most common PCI DSS violations include:
- Storage of prohibited data (e.g., full track, CVV2, PIN)
- Systems on which patches are not kept up to date
- Use of vendor default settings and passwords, such as with unsecured wireless
- SQL injection from poorly coded web-facing applications
- Unnecessary and vulnerable services on servers
The most effective way to address these challenges and to avoid any type of violation is through automation. In fact, the effective use of automation, combined with ongoing employee education and the adoption of effective policies, can help ensure compliance and security.
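As an added example (not from this paper or from Forrester), the following Python check automates detection of the first violation on the list, prohibited cardholder data stored in files or logs: it flags ISO/IEC 7813 track 1 and track 2 records, labelled CVV2 fields, and Luhn-valid PANs, and masks everything it reports to the first six and last four digits. The sample log lines and field names are constructed; the card numbers are public test numbers.

```python
import re

# Track layouts per ISO/IEC 7813; the loose PAN pattern relies on Luhn to drop non-card digit strings.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})[^?]*\?")
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A labelled verification value ("cvv2=123"); a bare 3-digit number is too noisy.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*(\d{3,4})\b", re.IGNORECASE)

# Constructed sample log lines using public test card numbers, not real data.
SAMPLE_LOG = """\
2008-03-01 10:12:03 order=1001 card=4111 1111 1111 1111 cvv2=123 amount=59.95
2008-03-01 10:12:09 swipe=;4012888888881881=25121011234567890?
2008-03-01 10:13:44 order=1002 ref=4111111111111112 amount=12.00
"""

def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every payment card PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_for_prohibited_data(text: str) -> list:
    """Return (finding_type, masked_value) pairs for track, CVV2 and PAN hits."""
    findings = []
    for m in TRACK1_RE.finditer(text):
        findings.append(("track1", mask_pan(m.group(1))))
    for m in TRACK2_RE.finditer(text):
        findings.append(("track2", mask_pan(m.group(1))))
    for m in CVV_RE.finditer(text):
        findings.append(("cvv2", "*" * len(m.group(1))))
    # Blank out track matches first so a swipe is not also reported as a PAN.
    remainder = TRACK2_RE.sub(" ", TRACK1_RE.sub(" ", text))
    for m in PAN_RE.finditer(remainder):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(("pan", mask_pan(digits)))
    return findings

if __name__ == "__main__":
    for kind, value in scan_for_prohibited_data(SAMPLE_LOG):
        print(f"{kind}: {value}")
```

The third sample line carries a 16-digit reference that fails the Luhn check and is therefore not reported, which is what keeps a scan like this usable on real log volumes.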
Founded in 1973, Johnny’s Selected Seeds is a mail-order seed producer and merchant headquartered in Albion and Winslow, Maine. The company sells more than 1,500 varieties of vegetable, flower, and herb seeds to specialty commercial growers and home gardeners worldwide. The company also designs and manufactures garden hand tools and has an active plant breeding program. Like many companies of this type, Johnny’s Selected Seeds operated multiple servers dedicated to specific applications and housed behind a firewall.
To further ensure security, the company looked to anti-virus and anti-spyware software to protect its infrastructure. According to Bill Gallagher, the company’s director of operations, chief financial officer, and now chief security officer, the company felt confident that security access settings on its firewall were tight, allowing only minimal traffic, and that their general security was good overall.