
ESSENTIAL GUIDE TO Compliance (Information Security magazine; source PDF: docs.media.bitpipe.com/.../0511_ISM_EG_Compliance.pdf)


INFORMATION SECURITY (INFOSECURITYMAG.COM)

ESSENTIAL GUIDE TO Compliance

INSIDE

8 DATA and You
15 Navigating Data Privacy, Security and Management Across Borders
22 Sizing Up Risk
31 Culturally Boost Infosec Compliance and Risk Management
34 PCI DSS 2.0: PCI Assessment Changes Explained
40 Enterprise Protection for Web Add-Ons

You need to be nimble and proactive about compliance efforts in order to build a comprehensive program. That means learning more about risk assessment frameworks and global regulations while maintaining your established privacy and PCI programs.


INFORMATION SECURITY • ESSENTIAL GUIDE • COMPLIANCE

CONTENTS

FEATURES

8 DATA and You
DATA PROTECTION The Data Accountability and Trust Act, if passed into law, would create a national standard for privacy and data protection. BY RICHARD E. MACKEY JR.

15 Navigating Data Privacy, Security and Management Across Borders
INTERNATIONAL REGULATIONS Companies should revisit streamlined global data operations with an eye toward revamping compliance. BY CYNTHIA O’DONOGHUE, KATHARINA A. WEIMER AND AMY MUSHAHWAR

22 Sizing Up Risk
RISK METHODOLOGIES There are a lot of risk assessment frameworks out there. Here’s what you need to know in order to pick the right one. BY RICHARD E. MACKEY JR.

31 Hurdle Cultural Barriers to Compliance
BUSINESS INTEGRATION Engage stakeholders frequently about their role in compliance and reducing risk inside your organization. BY ERIC HOLMQUIST

34 PCI Assessment Changes Explained
PCI DSS 2.0 The latest update to PCI is relatively minor, but that doesn’t mean security and compliance managers can afford to slack. BY ED MOYLE

ALSO

5 Has Compliance Stifled Security Innovation?
EDITOR’S DESK Enterprises, driven by regulations, continue to shoot for a bare minimum set of security controls. That approach is impacting innovation. BY MICHAEL S. MIMOSO

40 SPONSOR RESOURCES


EDITOR’S DESK

Has Compliance Stifled Security Innovation?

Enterprises, driven by regulations, continue to shoot for a bare minimum set of security controls. That approach is impacting innovation. BY MICHAEL S. MIMOSO

IF YOU PITCH your boss for the latest and greatest security technology, is your boss’ first question whether you’ll incur a fine if you don’t? Does your IT decision maker fear an auditor more than an attacker?

This is the influence compliance, PCI DSS compliance in particular, has inside enterprises and, bigger picture, on innovation. Companies invest more in protecting custodial data than corporate secrets, despite the balance of value between the two leaning toward corporate secrets. Sure it’s costly if you lose PCI data in a breach, but if your trade secrets are in the clear, does your business have long to live?

Yet it’s the checkmark that gets the pretty girl at the dance. And some think concurrently that PCI is turning innovation into a wallflower.

Security observers and experts don’t put all the blame on PCI; security is a bloated market with dozens of products addressing dozens of threats in dozens of ways. Complexity and a still unsteady economy force people to look for a crutch to lean on. PCI is a convenient one because it mandates controls more than most other industry and federal regulations.

“It’s tough to spend on innovative solutions that aren’t required,” says 451 Group analyst Joshua Corman.

Blame the vendors too. Blame them for still selling based on fear, uncertainty and doubt—FUD doesn’t hold up when there’s no money to spend on something that might happen. Sure you might get attacked, but you will get fined. So whatever satisfies the auditor gets the resources.

“What we’re left with is instead of doing the best we could, now we’re doing what’s mandatory,” Corman says. “We do that and not a whole lot more.”

Regulations, in theory, are supposed to be the bare minimum set of controls you have to manage. They’re not the end game, yet most companies shoot for just the bare minimum, which isn’t good enough. That’s why firewalls, antivirus, encryption, vulnerability management, log management and IDS remain top-of-mind security technologies. Nothing wrong with that list, but most organizations’ arsenals don’t go much deeper. And if they do, as in the case of Web application firewalls, it’s only because they’re specifically called out by PCI 6.6, for example.

If you look at this issue of innovation vs. compliance from a business point of view, vendors will tell you that compliance, by setting that minimum standard, influences spending and stimulates certain markets. Vendors actually are competitive in those markets, products improve in a relatively short period of time and prices go down.

Paul Judge, chief research officer and VP at Barracuda Networks, founded Purewire and was in on the ground floor at Secure Computing and CipherTrust. He’s a VC too. He says compliance is about enforcing best practices for a class of constituents, be they consumers or health care patients, for example.

“When you enforce best practices, you do influence spending,” Judge says. “When you compete on those fronts, it creates better products for the market and you’re creating innovation on one of those fronts. If a problem is real and [a control is] mandated by legislation, you have a beautiful thing where everyone benefits from the vast improvements in short amount of time versus a market that is stagnant without motivation.”

Judge’s best example is that of the Web application firewall. WAF appliances can be had for relatively cheap today, compared to five years ago when he says the price was as much as 10 times more. WAFs are built into proxy appliances today, or can even be integrated into a load balancer. Because of the mandates in PCI 6.6, WAF has evolved into a technology that’s within reach of most of the market—more of a commodity.

“This frees budget for more,” Judge says. “You can stop hitting your head against the wall for some problems.”

Compliance is a complex monster that governs the direction of most IT security organizations. You’re still a cost center, yet you understand threats and risks better than anyone else. And you understand the shortcomings of shooting for a bare minimum standard. Keep making your case to management that innovative solutions have merit beyond a checkbox. Prove your business case for these defensive technologies, because if you don’t influence spending, the market won’t innovate and when new threats arrive, your holster is going to be empty.

Michael S. Mimoso is Editorial Director of the Security Media Group at TechTarget. Send comments on this column to [email protected].


DATA PROTECTION

DATA and You

The Data Accountability and Trust Act, if passed into law, would create a national standard for privacy and data protection.

BY RICHARD E. MACKEY, JR.

THERE ARE CURRENTLY more than 40 different state and territorial laws that require organizations entrusted with personally identifiable information to notify individuals when their information has been exposed to unauthorized parties. These laws range from those only requiring notification to those that mandate full security programs designed to prevent breaches in the first place. They define personally identifiable information differently, require different notification processes and force organizations to deal not only with the victims of the breach, but also the attorneys general of all the states where victims reside. The complexity and cost of notification, let alone the difficulty of ensuring compliance with security program requirements, is daunting.

Still, breaches that lead to identity theft happen regularly and people expect organizations to be held accountable for the security of their personal information. Politicians have heard the public outcry and have recognized that there is a need for more uniform protection of personal data and more manageable and predictable notification processes. Consequently, every year there seem to be a handful of new proposed federal laws to address the growing problem of sloppy handling of personal information and breaches.

At the end of 2009, the U.S. House of Representatives passed the Data Accountability and Trust Act of 2009 (DATA). If passed by the Senate and signed into law, DATA would supersede existing state laws and thereby eliminate the complex array of notification procedures and the myriad protection mechanisms required by the states. The proposed law would also provide a universal definition of personally identifiable information, appoint the Federal Trade Commission to specify regulations and enforce compliance, and require organizations to implement formal security programs to prevent unauthorized access to personally identifiable information. Compared to other data protection legislative efforts, DATA’s passage in the House makes it the only bill to gather the necessary support in either chamber. Its impact is potentially far reaching, and organizations should understand how it might affect them.

PERSONAL INFORMATION DEFINED

At the heart of DATA, or any data protection law, is the definition of personally identifiable information. The definition is critical because it not only spells out what types of information need to be protected, but also helps organizations strip out elements of data sets to avoid having to protect them. This practice, known as scrubbing, is commonly used to protect credit card numbers and Social Security numbers by masking all but the last four digits.

DATA defines personal information as an individual’s first name or initial and last name, or address, or phone number, in combination with any one or more of the following data elements for that person:

• Social Security number;
• Driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
• Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

This definition is similar to most state breach laws with some notable differences: It does not consider a financial account number alone (without a PIN or password) sensitive. In addition, unlike another proposed federal law—S. 1490, the Personal Data Privacy and Security Act—DATA makes no mention of mother’s maiden name as sensitive (even though it is often used to authenticate an individual’s identity).
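As an added illustration (not from the article), the DATA definition above and the scrubbing practice it describes can be encoded as a small classifier, which makes the edge cases the article calls out (an account number without its access code, a mother’s maiden name, a name with no qualifying element) testable; the record field names and mask character are assumptions of this example.

```python
"""Classify a record against DATA's definition of "personal information"
and apply scrubbing (mask all but the last four digits).

Added example; field names and the mask character are assumptions,
not anything the bill or the article specifies.
"""
import re
from dataclasses import dataclass, replace
from typing import List, Optional

MASK = "*"  # assumed mask character; never appears in a real identifier
_DIGIT = re.compile(r"\d")


@dataclass
class Record:
    # Identifier half of the definition: name, address or phone number.
    first_name: Optional[str] = None   # full first name or initial
    last_name: Optional[str] = None
    address: Optional[str] = None
    phone: Optional[str] = None
    # Qualifying data elements listed by DATA.
    ssn: Optional[str] = None
    government_id: Optional[str] = None        # driver's licence, passport, military ID, ...
    account_number: Optional[str] = None       # financial, credit or debit card number
    account_access_code: Optional[str] = None  # PIN, security code or password for it
    # Listed by S. 1490 but NOT by DATA; kept to show it does not qualify here.
    mothers_maiden_name: Optional[str] = None


def _present(value: Optional[str]) -> bool:
    """True for a non-empty value that has not been masked by scrub()."""
    return bool(value) and MASK not in value


def has_identifier(r: Record) -> bool:
    """First name or initial AND last name, OR an address, OR a phone number."""
    name = _present(r.first_name) and _present(r.last_name)
    return name or _present(r.address) or _present(r.phone)


def qualifying_elements(r: Record) -> List[str]:
    """Elements that, combined with an identifier, make the record personal information."""
    found = []
    if _present(r.ssn):
        found.append("ssn")
    if _present(r.government_id):
        found.append("government_id")
    # Under DATA a financial account number counts only together with the
    # code/password needed to use it; the number alone is not sensitive.
    if _present(r.account_number) and _present(r.account_access_code):
        found.append("financial_account")
    # mothers_maiden_name is deliberately ignored: DATA does not list it.
    return found


def is_personal_information(r: Record) -> bool:
    return has_identifier(r) and bool(qualifying_elements(r))


def scrub(value: str, keep: int = 4) -> str:
    """Mask every digit except the last `keep`, preserving separators."""
    positions = [m.start() for m in _DIGIT.finditer(value)]
    masked = set(positions[:-keep]) if keep > 0 else set(positions)
    return "".join(MASK if i in masked else ch for i, ch in enumerate(value))


def scrub_record(r: Record) -> Record:
    """Copy of the record with qualifying elements masked, so it falls outside
    the definition and no longer needs to be protected as personal information."""
    def s(v: Optional[str]) -> Optional[str]:
        return scrub(v) if v else None
    return replace(r, ssn=s(r.ssn), government_id=s(r.government_id),
                   account_number=s(r.account_number),
                   account_access_code=None)  # never retain the access code


if __name__ == "__main__":
    # Constructed sample records, not real data.
    rec = Record(first_name="J", last_name="Doe", ssn="123-45-6789")
    print(is_personal_information(rec), qualifying_elements(rec))
    clean = scrub_record(rec)
    print(clean.ssn, is_personal_information(clean))
```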


The law would provide room for the FTC to modify the definition of personal information as necessary to accomplish the goals of the act as long as these changes do not unreasonably impede interstate commerce.

APPLICATION AND ENFORCEMENT

As proposed, DATA will be regulated and enforced by the FTC. Consequently, the legislation applies only to those entities over which the FTC has jurisdiction. Even though DATA states that it applies to persons, partnerships, or corporations engaged in interstate commerce, it does not apply to all organizations. One of the most significant repercussions of the appointment of the FTC is the limit of the legislation’s jurisdiction; the FTC does not regulate banks, savings and loans, or common carriers such as airlines and railroads.

However, the FTC is not the only enforcer of the law. DATA also carves out room for state attorneys general to take action against violators. They are empowered to enjoin further violation, compel compliance, or obtain civil penalties. In other words, state attorneys general have about the same power they have under the current state laws. The FTC or U.S. Attorney General, though, could intervene and limit state prosecution while federal actions are pending.

PREVENTATIVE CONTROLS

One of the ways DATA distinguishes itself from state laws that simply deal with breach notification is that it requires organizations to implement a security program designed to prevent compromise of the information. Organizations need to:

• Appoint a person as a point of contact who is responsible for overseeing the program;
• Document a security policy for the collection, use, sale, dissemination, and maintenance of personal information;
• Establish contracts with third parties with access to the information to establish controls meeting the requirements of the act;
• Establish a process to identify risks and vulnerabilities and implement administrative and technical controls to mitigate the risk of compromise of the information;
• Define and implement a process for securely disposing of both digital and paper records including personal information.

The security controls required by DATA are similar to those required by state regulations such as Massachusetts 201 CMR 17; they include a risk assessment, a vulnerability assessment, testing, remediation, and secure destruction and disposal of personal information. One notable exception is that DATA only requires organizations to establish contracts with third parties to protect personal information; it does not require definition of the policy and procedure for vetting the security practices of these organizations. Some state and federal regulations, most notably 201 CMR 17 and HIPAA, provide more in-depth requirements for dealing with business associates and service providers. This may be an area that the FTC will spell out more clearly if DATA becomes law.

The legislation also does not provide requirements for where encryption is required. State laws and regulations from Massachusetts and Nevada require encryption of personal information when it is transmitted over public networks or stored on removable devices. This may also be an area eventually addressed by FTC regulations or guidance.

Information Brokers in the Crosshairs

Companies that collect personal data face extra requirements under DATA.

A MAJOR DIFFERENCE between state laws and DATA is the set of special requirements for information brokers. DATA requires information brokers to implement additional controls and program elements to those required by data owners. This provision is likely an attempt to avoid another breach like the one involving ChoicePoint in 2005 by making data brokers accountable for the information they collect and sell.

The legislation defines information brokers as a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers. Information brokers collect such data in order to sell it or provide third party access to it for a fee; they may either collect information themselves or contract others to collect and maintain the information. The definition specifically excludes entities that maintain information about employees, customers, or former customers.

Under DATA, information brokers must establish “reasonable procedures” to assure the accuracy of personal information they collect, assemble, or maintain. In addition to striving to maintain accuracy, they must support a program to respond to individuals’ written requests to provide information assembled about them once per year. These responses must be provided at no cost to the individual and the method for submitting requests must be conspicuously advertised on the organization’s website. Individuals must also be able to use this method for expressing a preference as to how their information might be used for marketing purposes.

If someone finds inaccuracies, the information broker must provide a mechanism for the individual to request changes to correct the inaccuracies. If the broker is not the source of the information (e.g., the data was harvested from public records), the broker must provide the person the source of the information and a method for correcting the inaccuracy at the source organization. The individual may provide proof that the public record has been corrected and require the information broker to correct its version of the information. Someone may also require a broker to mark the information as disputed if it hasn’t been corrected.

As proposed by DATA, when an information broker has a breach, it must follow the same reporting procedures as other businesses. However, these organizations must also submit the policies governing their personal data protection program to the FTC as part of the notification and may be required to undergo an FTC security audit. The FTC has the right to request an information broker’s policy at any time.

—RICHARD E. MACKEY, JR.


BREACH NOTIFICATION RULES

Any organization that has gone through the process of breach notification according to multiple state laws would likely welcome the single set of rules that would come from a federal law.

DATA defines “breach of security” as the unauthorized access to or acquisition of data in electronic form containing personal information. However, the legislation allows the data owner to avoid the process of notification if the data owner determines that there is no reasonable risk of identity theft, fraud, or unlawful activity. While this is a rather broad statement, it means, at a minimum, that information that was encrypted and exposed to unauthorized parties would not be considered breached.

In the event of a breach, DATA requires data owners to notify the FTC and directly notify each individual throughout the U.S. whose data has been exposed. This notification must take place within 60 days of discovery of the breach.

The data owner may send notice in writing or electronically. However, electronic notification is only acceptable if the individual has consented to receiving official communications in that manner. In cases where the data owner does not have complete contact information for all individuals, the data owner may use email to the full extent possible, publish a notice on its website, and issue notification in print and broadcast media for areas where the victims reside.

The notification must include a description of the information breached and a toll-free number to inquire about the breach. The letter must also include an offer to receive free quarterly credit reports for two years or a credit monitoring service. The individual must also be given toll-free numbers for credit reporting agencies and contact information for the FTC to learn about identity theft.

PENALTIES

DATA sets out steep penalties for violations, which come in two types: failure to comply with security program requirements, and failure to follow the breach notification rules.

The two types of penalties are calculated differently. The amount for security program penalties is based on the number of days the organization is found to be non-compliant multiplied by a maximum of $11,000 per day. Notification penalties are calculated by multiplying the number of violations—individuals they failed to notify—by an $11,000 maximum. Each failure to send notification is considered a separate violation. The Act sets the maximum civil penalty for violations of each type to $5 million, making it possible for a single organization to pay up to $10 million for a combination of security program and notification violations.


LOOKING AHEAD

The biggest difference between existing state laws and the proposed federal laws (both DATA and other similar bills) is the inclusion of special requirements for information brokers (see the sidebar “Information Brokers in the Crosshairs”). This special treatment will not be taken well by the large organizations in the information broker business as it increases cost substantially.

It will be interesting to see how information brokers and businesses in general react to these bills as they are debated in the Senate. Maplight.org, a nonprofit, nonpartisan research organization that tracks money and influence in the U.S. Congress, shows that the backers of the bill receive campaign contributions from finance companies and credit agencies. This makes sense as both these groups would benefit from stronger identity controls. Maplight.org shows no money associated with opposition to the bill, at least not as yet.

DATA clearly has benefits for the general population and, whether they want to admit it or not, businesses that will need to notify people when breaches occur. The overall approach of ensuring that organizations formally protect information, implement sound technical controls that include risk assessment and treatment, and follow a uniform set of notification and support procedures promises to reduce the incidence of identity compromise and create incentives to improve overall security.

Richard E. Mackey, Jr. is vice president of consulting at SystemExperts, an information security-services firm. Send comments on this article to [email protected].


INTERNATIONAL REGULATIONS

Navigating Data Privacy, Security and Management Across Borders

Companies should revisit streamlined global data operations with an eye toward revamping compliance.

BY CYNTHIA O’DONOGHUE, KATHARINA A. WEIMER AND AMY MUSHAHWAR

WITH THE GLOBAL economic downturn, economies of scale are of increasing importance, and to achieve cost synergies, many companies have shed their geographic silos in favor of a streamlined centralized data infrastructure. Far more multinational companies with offices on all continents and production facilities in multiple countries share centralized databases, processing capabilities and even IT support teams that make integrated production possible on a 24/7 basis.

While we have seen many industries such as life sciences, real estate and entertainment streamline their IT operations, all have one item in common—they store personal employee, customer, supplier and website visitor data. With the myriad data privacy, security and management laws that exist in the U.S. and abroad, data privacy compliance can be a difficult area to navigate.


By now, most companies understand that U.S.federal, state and local governments have weaved an intricate web of laws protecting many aspects ofAmericans’ privacy (i.e., banking, telecom services,higher education, health care, financial services).Even with all of its privacy laws, the U.S. leaves someareas of personal data-processing largely unregulated.Unlike the U.S. sectoral approach, the EU views privacy as a fundamental human right and has anomnibus data protection law that regulates the collection and handling of information related toidentifiable individuals: “European Union Directiveon the Protection of Individuals with Regard to theProcessing of Personal Data and on the Free Move-ment of Such Data” (the EU Directive).

Bear in mind that the legislative tool the EUselected for privacy law—a “directive”—requireseach EU member state to enact its own local lawadopting (or transposing) the directive into nation-al legislation. Therefore, the text of the EU DataProtection Directive offers only a blueprint orframework for data privacy laws across Europe.National legislation implementing the directive hasresulted in variations among EU member states.

Over the years, we have witnessed the compliance issues and various legal conflicts of law that spring from this cross-border culture clash. We will identify a few typical scenarios that require some international data privacy, security and management issue-spotting.

DATA INTEGRATION ISSUES TO WATCH OUT FOR

Before we begin, we would like you to imagine a midsized company, Doggie’s Night Out (DNO, Inc.), a high-end manufacturer of canine retractable leashes with built-in flashlights, treats and waste disposal bags, headquartered in the U.S. DNO, Inc. already has several offices across the U.S., a manufacturing site in China, and subsidiaries across South America, and it intends to acquire a German manufacturer of designer cat collars called Feline Fun AG, with nearly 100 local employees. This little gem is for sale at a bargain-basement price and DNO, after some due diligence, proceeds with the acquisition.

Following the purchase, DNO’s general counsel would like to know everything about Feline Fun, including all information about the employees. DNO wishes to maintain ongoing data flows about the general business operations and activities of Feline Fun to fully integrate it and leverage its data capture and analytics tools globally (such as those for employees, job applicants, customer data, suppliers, third-party partners, purchased data, conferences, and market research). Such data integration would necessitate the transfer of personal data of European citizens to the U.S. headquarters of DNO, Inc. Not surprisingly, the internal data protection officer of Feline Fun has some objections.

U.S. Privacy Framework Lagging

There are efforts underway by the Federal Trade Commission and the Department of Commerce to develop a comprehensive and uniform privacy policy for the U.S.

But these uniformity proposals are likely to take years to fully implement and there does not appear to be a consensus as to whether either agency’s efforts alone can assist with closing the sectoral privacy gaps. It is safe to say that the U.S. is several years away from a fully comprehensive privacy framework.

Immediately upon hearing the data integration plans, the internal German data protection officer reminds the U.S.-based general counsel that the EU Directive regulates the processing of individuals’ personal data, a much broader concept than what is referred to in the U.S. as personally identifiable information. He explains that the broad definition covers nearly all information that DNO, Inc. would like to integrate. By contrast, DNO, Inc. knew that certain information fields (or combinations of information fields) were protected under U.S. law; for example, items such as a name and account number could be protected personal financial information under the U.S. Gramm-Leach-Bliley Act. Presently, however, there is little U.S. regulation governing the collection of information. For instance, while the EU Directive regulates the mere independent collection of an individual’s name, email address, or IP address, the U.S. does not unless an individual’s name is collected in conjunction with other information, such as an individual’s social security number.

The German data protection officer made DNO, Inc. aware that such limited information fields are only starting to be considered by U.S. federal regulators as part of the FTC privacy proceeding. Practically speaking, the broad concept of personal data under the EU Directive requires Feline Fun to examine two items for nearly all individual information it wishes to transfer to DNO, Inc.: (1) the legal basis for transferring the data, and (2) whether the transfer is to a country with data protection laws sufficiently similar to those in the EU that they provide adequate protection to the data, or, if not, whether a legal transfer method is available.

Local Compliance with Data Transfer Requirements: According to EU and German law, before any processing of personal data may be undertaken (including transfer), there must be a legal basis to do so. The legal basis for transfer is satisfied if the transfer is necessary for the fulfillment of a contract or a contractual relationship with the data subject, i.e., the person whose data shall be transferred.

For instance, personnel data can be transferred if and to the extent such transfer is necessary for the fulfillment of the employment contract. We must emphasize “necessary,” which means more than plain usefulness: the transfer must be required for the employment relationship. Transfer of customer data can sometimes be based on the contract with the customer; for instance, if the contract will be fulfilled out of another site and the other site requires the customer information for its performance.

While these two examples tend to be the most common, other legal bases exist. As a last resort, the data controller can always try to obtain the individual’s consent to the processing, but any such consent must be voluntary (already disputable in an employment relationship), informed and revocable; it should therefore not be the No. 1 choice for establishing a legally secure way of transferring personal data.

Transferring Data to a Country with Adequate Protection or an Appropriate Legal Process Alternative: Any recipient of personal data located outside the European Economic Area (EEA) must generally provide an adequate level of protection to personal data. Countries recognized as having adequate privacy laws akin to those in the EU/European Economic Area include Switzerland, Canada, Argentina, the Isle of Man, Guernsey, Jersey, Israel and Andorra. Transfer is also permissible to U.S. companies that participate in the Department of Commerce Safe Harbor Program. U.S. companies must self-certify that their data privacy, security and management practices provide adequate protection (then, these companies must re-certify to the Department of Commerce annually thereafter), always provided that this processing step as such, i.e., the transfer, is permissible as described above. To be eligible to submit a U.S.-EU Safe Harbor program self-certification, an organization can (1) join a self-regulatory privacy program that adheres to the U.S.-EU Safe Harbor Framework’s requirements; or (2) develop its own self-regulatory privacy policy that conforms to the U.S.-EU Safe Harbor Framework.

The Feline Fun data protection officer learns that all data will be transferred from Germany to the U.S. and DNO, Inc. has not self-certified under the Safe Harbor Program. But an adequate level of protection may be achieved by other means: (1) Feline Fun and DNO, Inc. could enter into a set of contractual clauses approved by the European Commission as establishing an adequate level of protection (“Model Clauses”), or (2) DNO, Inc. could establish Binding Corporate Rules (“BCRs”) for its entire group that are approved by a lead data protection authority in Europe.

Approximately 50 U.S. companies per month file initial self-certifications to the Safe Harbor program, and approximately 150 companies submit annual re-certifications. More than 50 percent of the companies in Safe Harbor have joined during the past two years. Currently, more than 2,100 companies are on the Safe Harbor list. Placed in context, this means that more companies join Safe Harbor in a single month than the total number of companies that have obtained approval for BCRs to date. This trend is counter-intuitive, given the recent statements of the Düsseldorfer Kreis (a body formed by the German data protection authorities) and other EU member state bodies issuing critical opinions regarding the Safe Harbor program.

Practitioners point to the following items as potential reasons for Safe Harbor’s increased popularity at the moment:

• Greater control for the U.S. company. Safe Harbor primarily requires the U.S. company to undertake relevant compliance steps, and requires little to no significant local affiliate involvement.

• Enhanced brand reputation for outsourcing providers and satisfaction of EU customer requirements.

• The Swiss Federal Data Protection and Information Commission (Swiss DPA) has recently established the U.S.-Swiss Safe Harbor Framework with the United States.

• Streamlining of local filing procedures. In a number of EU member states, cross-border transfers of EU personal data trigger registration requirements with the data protection authorities. In some of these countries, the Safe Harbor facilitates the local registration process by avoiding procedural approvals that apply to the use of Model Contracts and the “substantive” approvals for BCRs.

• Avoiding administrative burdens of maintaining several versions of Model Contracts.

However, there are as many good reasons to join Safe Harbor, or use Safe Harbor as a baseline to authorize certain data transfers, as there are good reasons why Safe Harbor may not be sufficient for all data transfers. Some negative aspects of Safe Harbor include:

• FTC enforcement. The promise to comply with Safe Harbor is ultimately subject to the enforcement authority of the FTC.

• Some data transfers are not eligible for coverage by Safe Harbor. U.S. companies are only eligible to join the Safe Harbor to protect certain transfers of EU Personal Data to the United States. Other transfers within a global enterprise, such as transfers from the EU to Asia or Latin America, are not covered by Safe Harbor. Likewise, financial institutions and other organizations that fall outside the scope of FTC and DOT authority are not eligible to join Safe Harbor, even if the organizations are located in the United States.

Likewise, even in the context of e-discovery, attorneys must address whether cross-border data transfers are permissible under local EU law; this is typically viewed as a prime area of conflict, and transfers of data for purposes of litigation may expose the EU affiliate to liability. With this general data transfer background, we also identify a few other issue-spotting items that we have seen recur over the years.

EU EMPLOYEES ENJOY MORE PRIVACY PROTECTIONS

Implementing data integration measures along the lines of those proposed by DNO, Inc. may be common sense to any U.S. company, but integrating the data of European affiliates may trigger a variety of issues, such as whistleblower protections. A person whose behavior is reported through an employer-provided hotline retains his or her data privacy rights. Yet his/her personal details have been communicated to a third party in a country without adequate protection and without his/her knowledge.

Employee monitoring, for example, is a sensitive topic in Europe; every country has different rules and, generally speaking, employees have a rightful expectation of privacy even in the work environment. The employee’s (potentially private) use of the telecommunications infrastructure provided by the employer may trigger obligations of secrecy vis-à-vis the employee—the employer may not be able to access the employee’s communication or even Internet history.

USING WEBSITE ADVERTISING AND ANALYTICS IN THE EU

If DNO, Inc. were to integrate website advertising and analytics operations, there may also be issues. Recently, German data protection authorities have been in discussions with Google about the legitimacy of its analytics programs under German data protection law and came to the conclusion that analytics currently does not provide adequate safeguards to the consumer. The authorities objected to the use of IP addresses, considered personal data by the data protection authorities.

Court decisions differ on this point. Some consider an IP address to be personal data, others do not. While it is ultimately up to a court to decide, the initial assessment will be carried out by the data protection authorities and their opinion should be carefully considered. It should also be noted that the U.S. FTC has made recent statements that an IP address may be included in the definition of protected personally identifiable information.

While Google demonstrated goodwill and allowed an anonymization tool to be built into the software, and additionally built a plug-in for Internet users with which they can set their browser to object to the collection of the IP address, this did not satisfy the data protection authorities’ requirements: the anonymization is at the discretion of the website operator and the plug-in does not work for all browsers. As the issue has yet to be resolved, there is a risk that the authorities may proceed against website operators that use analytics without consumer opt-in.

IT MAY BE RAINING CATS AND DOGS BUT THERE ARE TOOLS TO WEATHER THE STORM

Decisions by multinationals to centralize data should not be taken lightly. The complexity of EU data protection law poses special problems and must be considered fully as part of any data centralization initiative. Recently, the U.S. has made attempts to move closer to EU-style data protection, but these efforts will not come to fruition for some time. The data compliance scramble should not stop U.S. companies from wading out into the storm to access the wide variety of personal data available from EU entities. Rather, the philosophical and jurisprudential gap can be bridged by relying on the number of tools available to organizations that allow them to transfer data, while being mindful that the EU takes its obligation to safeguard its citizens’ privacy very seriously.

Cynthia O’Donoghue is a partner and co-practice leader of Reed Smith LLP’s Data Privacy, Security and Management group and is based in London. Katharina A. Weimer is an associate in the Munich office of Reed Smith LLP with a focus on Media law and Data Protection. Amy Mushahwar is an associate in the Data Privacy, Security and Management practice in the Washington D.C. law office of Reed Smith LLP. Send comments on this column to [email protected].

RISK METHODOLOGIES

Sizing Up Risk

BY RICHARD E. MACKEY, JR.

There are a lot of risk assessment frameworks out there. Here’s what you need to know in order to pick the right one.

MANY REGULATIONS and virtually all security frameworks require some objective assessment of risks. The reason is simple: Security controls should be selected based on real risks to an organization’s assets and operations. The alternative—selecting controls without a methodical analysis of threats and controls—is likely to result in implementation of security controls in the wrong places, wasting resources while at the same time leaving an organization vulnerable to unanticipated threats.

A risk assessment framework establishes the rules for what is assessed, who needs to be involved, the terminology used in discussing risk, the criteria for quantifying, qualifying, and comparing degrees of risk, and the documentation that must be collected and produced as a result of assessments and follow-on activities. The goal of a framework is to establish an objective measurement of risk that will allow an organization to understand business risk to critical information and assets both qualitatively and quantitatively. In the end, the risk assessment framework provides the tools necessary to make business decisions regarding investments in people, processes, and technology to bring risk to an acceptable level.

Two of the most popular risk frameworks in use today are OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed at Carnegie Mellon University, and the NIST risk assessment framework documented in NIST Special Publication 800-30. Other risk frameworks that have a substantial following are ISACA’s RISK IT (part of COBIT), and ISO 27005:2008 (part of the ISO 27000 series that includes ISO 27001 and 27002). All the frameworks have similar approaches but differ in their high level goals. OCTAVE, NIST, and ISO 27005 focus on security risk assessments, whereas RISK IT applies to the broader IT risk management space.

How does a company know which framework is the best fit for its needs? We’ll provide an overview of the general structure and approach to risk assessment, draw a comparison of the frameworks, and offer some guidance for experimentation and selection of an appropriate framework.

ASSET-BASED ASSESSMENTS

All risk assessment methods require organizations to select an asset as the object of the assessment. Generally speaking, assets can be people, information, processes, systems, or applications. However, frameworks differ in how strict they are in requiring organizations to follow a particular discipline in identifying what constitutes an asset. For example, CMU’s original OCTAVE framework allowed an organization to select any item previously described as the asset to be assessed, whereas the most recent methodology in the OCTAVE series, Allegro, requires assets to be information.

There are advantages and disadvantages associated with any definition of asset. For example, if an asset is a system or application, the assessment team will need to include all information owners affected by the system. On the other hand, if the asset is information, the scope of the assessment would need to include all systems and applications that affect the information. Practically speaking, it is important to define the asset precisely so the scope of the assessment is clear. It is also useful to be consistent in how assets are defined from assessment to assessment to facilitate comparisons of results.

A critical component of a risk assessment framework is that it establishes a common set of terminology so organizations can discuss risk effectively. See p. 30 for a list of terms used in most frameworks.

glossary

Framework Terminology

Risk assessment frameworks establish the meaning of terms to get everyone on the same page. Here are terms used in most frameworks.

Actors, motives, access: These describe who is responsible for the threat, what might motivate the actor or attacker to carry out an attack, and the access that is necessary to perpetrate an attack or carry out the threat. Actors may be a disgruntled employee, a hacker from the Internet, or simply a well-meaning administrator who accidentally damages an asset. The access required to carry out an attack is important in determining how large a group may be able to realize a threat. The larger the attacking community (e.g., all users on the Internet versus a few trusted administrators), the more likely an attack can be attempted.

Asset owners: Owners have the authority to accept risk. Owners must participate in risk assessment and management as they are ultimately responsible for allocating funding for controls or accepting the risk resulting from a decision not to implement controls.

Asset custodians: A person or group responsible for implementing and maintaining the systems and security controls that protect an asset. This is typically an IT entity.

Impact: The business ramifications of an asset being compromised. The risk assessment team needs to understand and document the degree of damage that would result if the confidentiality, integrity, or availability of an asset is lost. The terms impact, business impact, and inherent risk are usually used to describe, in either relative or monetary terms, how the business would be affected by the loss. It’s important to note that impact assumes the threat has been realized; impact is irrespective of the likelihood of compromise.

Information asset: An abstract logical grouping of information that is, as a unit, valuable to an organization. Assets have owners that are responsible for protecting the value of the asset.

Risk magnitude or risk measurement criteria: The product of likelihood and the impact described above. If we consider likelihood a probability value (less than 1) and impact a value of high, medium, or low, the risk magnitude can be “calculated” and compared to risks of various threats on particular assets.

Security requirements: The qualities of an asset that must be protected to retain its value. Depending on the asset, different degrees of confidentiality, integrity, and availability must be protected. For example, confidentiality and integrity of personal identifying information may be critical for a given environment while availability may be less of a concern.

Threats, threat scenarios or vectors: According to OCTAVE, threats are conditions or situations that may adversely affect an asset. Threats and threat scenarios involve particular classes of actors (attackers or users) and methods or vectors by which an attack or threat may be carried out.

RISK ASSESSMENT METHODOLOGY

The heart of a risk assessment framework is an objective, repeatable methodology that gathers input regarding business risks, threats, vulnerabilities, and controls and produces a risk magnitude that can be discussed, reasoned about, and treated. The various risk frameworks follow similar structures, but differ in the description and details of the steps. However, they all follow the general pattern of identifying assets and stakeholders, understanding security requirements, enumerating threats, identifying and assessing the effectiveness of controls, and calculating the risk based on the inherent risk of compromise and the likelihood that the threat will be realized. The following is a basic methodology, largely derived from the OCTAVE and NIST frameworks.

1. Identify assets and stakeholders

All risk assessment methods require a risk assessment team to clearly define the scope of the asset, the business owner of the asset, and those people responsible for the technology and particularly the security controls for the asset. The asset defines the scope of the assessment and the owners and custodians define the members of the risk assessment team.

NIST’s approach allows the asset to be a system, application, or information, while OCTAVE is more biased toward information and OCTAVE Allegro requires the asset to be information. Regardless of what method you choose, this step must define the boundaries and contents of the asset to be assessed.

2. Analyze impact

The next step is to understand both the dimensions and magnitude of the business impact to the organization, assuming the asset was compromised. The dimensions of compromise are confidentiality, integrity, and availability while the magnitude is typically described as low, medium, or high corresponding to the financial impact of the compromise.

It’s important to consider the business impact of a compromise in absence of controls to avoid the common mistake of assuming that a compromise could not take place because the controls are assumed to be effective. The exercise of analyzing the value or impact of asset loss can help determine which assets should undergo risk assessment. This step is mostly the responsibility of the business team, but technical representatives can profit by hearing the value judgments of the business.

The output of this step is a document (typically a form) that describes the business impact in monetary terms or, more often, a graded scale for compromise of the confidentiality, integrity, and availability of the asset.

3. Identify threats

Identify the various ways an asset could be compromised that would have an impact on the business. Threats involve people exploiting weaknesses or vulnerabilities intentionally or unintentionally that result in a compromise. This process typically starts at a high level, looking at general areas of concern (e.g., a competitor gaining access to proprietary plans stored in a database) and progressing to more detailed analysis (e.g., gaining unauthorized access through a remote access method). The idea is to list the most common combinations of actors or perpetrators and paths that might lead to the compromise of an asset (e.g., application interfaces, storage systems, remote access, etc.). These combinations are called threat scenarios.

The assessment team uses this list later in the process to determine whether these threats are effectively defended against by technical and process controls. The output of this step is the list of threats described in terms of actors, access path or vector, and the associated impact of the compromise.

4. Investigate vulnerabilities

Use the list of threats and analyze the technical components and business processes for flaws that might facilitate the success of a threat. The vulnerabilities may have been discovered in separate design and architecture reviews, penetration testing, or control process reviews. Use these vulnerabilities to assemble or inform the threat scenarios described above. For example, a general threat scenario may be defined as a skilled attacker from the Internet motivated by financial reward gaining access to an account withdrawal function; a known vulnerability in a Web application may make that threat more likely. This information is used in the later stage of likelihood determination.

This step is designed to allow the assessment team to determine the likelihood that a vulnerability can be exploited by the actor identified in the threat scenario. The team considers factors such as the technical skills and access necessary to exploit the vulnerability in rating the vulnerability exploit likelihood from low to high. This will be used in the likelihood calculation later to determine the magnitude of risk.

5. Analyze controls

Look at the technical and process controls surrounding an asset and consider their effectiveness in defending against the threats defined earlier. Technical controls like authentication and authorization, intrusion detection, network filtering and routing, and encryption are considered in this phase of the assessment. It’s important, however, not to stop there. Business controls like reconciliation of multiple paths of transactions, manual review and approval of activities, and audits can often be more effective in preventing or detecting attacks or errors than technical controls. The multi-disciplinary risk assessment team is designed to bring both types of controls into consideration when determining the effectiveness of controls.

At the conclusion of this step, the assessment team documents the controls associated with the asset and their effectiveness in defending against the particular threats.

6. Calculate threat likelihood

After identifying a particular threat, developing scenarios describing how the threat may be realized, and judging the effectiveness of controls in preventing exploitation of a vulnerability, use a “formula” to determine the likelihood of an actor successfully exploiting a vulnerability and circumventing known business and technical controls to compromise an asset.

The team needs to consider the motivation of the actor, the likelihood of being caught (captured in control effectiveness), and the ease with which the asset may be compromised, then come up with a measure of overall likelihood, from low to high.

7. Calculate risk magnitude

The calculation of risk magnitude or residual risk combines the business impact of compromise of the asset (considered at the start of the assessment), taking into consideration the diminishing effect of the particular threat scenario under consideration (e.g., the particular attack may only affect confidentiality and not integrity) with the likelihood of the threat succeeding. The result is a measure of the risk to the business of a particular threat. This is typically expressed as one of three or four values (low, medium, high, and sometimes severe).

This measure of risk is the whole point of the risk assessment. It serves as a guide to the business as to the importance of addressing the vulnerabilities or control weaknesses that allow the threat to be realized. Ultimately, the risk assessment forces a business decision to treat or accept risk.
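As an added worked example (not from the article), the following Python sketch turns steps 5 through 7 into a repeatable calculation; the three-point scales, the scoring rules and the sample ledger scenarios are assumptions chosen to illustrate the method, not a scale the article prescribes.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List


class Level(IntEnum):
    """Three-point scale assumed for every input (low/medium/high)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Asset:
    name: str
    # Business impact of losing each property, as judged at the start of the
    # assessment; keys "C", "I", "A" for confidentiality, integrity, availability.
    impact: Dict[str, Level]


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    actor_motivation: Level       # how badly the actor wants this outcome
    exploit_ease: Level           # step 4: HIGH = little skill/access needed
    control_effectiveness: Level  # step 5: HIGH = likely blocked or caught
    affects: FrozenSet[str]       # which of C/I/A this scenario compromises


def likelihood(s: ThreatScenario) -> Level:
    """Step 6: motivation and ease raise likelihood, effective controls lower it.
    The raw score ranges from -1 (LOW + LOW - HIGH) to 5 (HIGH + HIGH - LOW)."""
    score = int(s.actor_motivation) + int(s.exploit_ease) - int(s.control_effectiveness)
    if score <= 1:
        return Level.LOW
    if score <= 3:
        return Level.MEDIUM
    return Level.HIGH


def scenario_impact(asset: Asset, s: ThreatScenario) -> Level:
    """Step 7, first half: diminish the asset's overall impact to the
    properties this particular scenario can actually harm."""
    hit = [asset.impact[p] for p in s.affects if p in asset.impact]
    return max(hit) if hit else Level.LOW


def risk_magnitude(asset: Asset, s: ThreatScenario) -> str:
    """Step 7, second half: impact x likelihood mapped to low/medium/high/severe."""
    product = int(scenario_impact(asset, s)) * int(likelihood(s))  # 1..9
    if product >= 9:
        return "severe"
    if product >= 6:
        return "high"
    if product >= 3:
        return "medium"
    return "low"


def assess(asset: Asset, scenarios: List[ThreatScenario]) -> Dict[str, str]:
    """Residual risk per scenario, the output the business decides on."""
    return {s.name: risk_magnitude(asset, s) for s in scenarios}


# Constructed sample: a payment ledger whose confidentiality and integrity
# matter more to the business than its uptime.
LEDGER = Asset("payment ledger", {"C": Level.HIGH, "I": Level.HIGH, "A": Level.MEDIUM})

SCENARIOS = [
    ThreatScenario("web app data theft", Level.HIGH, Level.MEDIUM, Level.MEDIUM, frozenset({"C"})),
    ThreatScenario("volumetric DoS", Level.MEDIUM, Level.HIGH, Level.HIGH, frozenset({"A"})),
    # The same insider scenario twice: without and with a business control
    # (daily reconciliation), to show how a non-technical control moves the result.
    ThreatScenario("insider ledger edit, no reconciliation", Level.LOW, Level.HIGH, Level.LOW, frozenset({"I"})),
    ThreatScenario("insider ledger edit, daily reconciliation", Level.LOW, Level.HIGH, Level.HIGH, frozenset({"I"})),
]

if __name__ == "__main__":
    for name, magnitude in assess(LEDGER, SCENARIOS).items():
        print(f"{name}: {magnitude}")
```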

Anyone reading a risk assessment method for the first time will probably get the impression that it describes a clean and orderly process that can be sequentially executed. However, you’ll find that you need to repeatedly return to earlier steps when information in later steps helps to clarify the real definition of the asset, which actors may be realistically considered in a threat scenario, or what the sensitivity of a particular asset is. It often takes an organization several attempts to get used to the idea that circling back to earlier steps is a necessary and important part of the process.

The Value of Formal Assessments
A thorough analysis of risk helps justify security spending

Formal, methodical risk analysis allows organizations to reason about the magnitude of business risk given the value of the system or information at risk, a set of threats, and a set of security controls like authentication, firewalls, and monitoring. The magnitude of the risk is a function of the degree of damage or loss that would occur if the threat is realized and the likelihood of the realization of the threat. This kind of thoughtful and objective approach not only helps to meet regulatory requirements, but also provides a practical way to manage security expenditures.

The value of assessing risk in this manner is that it transforms risk discussion from a conversation among technical people into one relating technical vulnerabilities and controls to business impact. The process requires technical and business representatives to come to an understanding of what the business risk is and how it relates to technical risk. It also facilitates the economic discussion of whether investments in technology and processes are justified by the damage that may result from an attack or incident and the likelihood of the event. In short, it steers organizations away from being held hostage by the fear mongers or being starved for security investment by business people who do not appreciate the dangers posed by insufficient security controls. —RICHARD E. MACKEY, JR.

WHICH FRAMEWORK IS BEST?

Over the years, many risk frameworks have been developed and each has its own advantages and disadvantages. In general, they all require organizational discipline to convene a multi-disciplinary team, define assets, list threats, evaluate controls, and conclude with an estimate of the risk magnitude.

OCTAVE, probably the most well known of the risk frameworks, comes in three sizes. The original, full-featured version is a heavyweight process with substantial documentation meant for large organizations. OCTAVE-S is designed for smaller organizations where the multi-disciplinary group may be represented by fewer people, sometimes exclusively technical folks with knowledge of the business. The documentation burden is lower and the process is lighter weight.

The latest product in the OCTAVE series is Allegro, which has more of a lightweight feel and takes a more focused approach than its predecessors. Allegro requires the assets to be information, requiring additional discipline at the start of the process, and views systems, applications, and environments as containers. The scope of the assessment needs to be based on the information abstraction (e.g., protected health information) and identify and assess risk across the containers in which the information is stored, processed, or transmitted.

One of the benefits of the OCTAVE series is that each of the frameworks provides templates for worksheets to document each step in the process. These can either be used directly or customized for a particular organization.

The NIST framework, described in NIST Special Publication 800-30, is a general one that can be applied to any asset. It uses slightly different terminology than OCTAVE, but follows a similar structure. It doesn’t provide the wealth of forms that OCTAVE does, but is relatively straightforward to follow. Its brevity and focus on more concrete components (e.g., systems) makes it a good candidate for organizations new to risk assessment. Furthermore, because it’s defined by NIST, it’s approved for use by government agencies and organizations that work with them.

ISACA’s COBIT and the ISO 27001 and 27002 are IT management and security frameworks that require organizations to have a risk management program. Both offer but don’t require their own versions of risk assessment frameworks: COBIT has RISK IT and ISO has ISO 27005:2008. They recommend repeatable methodologies and specify when risk assessments should take place. The ISO 27000 series is designed to deal with security, while COBIT encompasses all of IT; consequently, the risk assessments required by each correspond to those scopes. In other words, risk assessment in COBIT—described in RISK IT—goes beyond security risks and includes development, business continuity and other types of operational risk in IT, whereas ISO 27005 concentrates on security exclusively.

ISO 27005 follows a similar structure to NIST but defines terms differently. The framework includes steps called context establishment, risk identification and estimation, in which threats, vulnerabilities and controls are considered, and a risk analysis step that discusses and documents threat likelihood and business impact. ISO 27005 includes annexes with forms and examples, but like other risk frameworks, it’s up to the organization implementing it to evaluate or quantify risk in ways that are relevant to its particular business.

Organizations that do not have a formal risk assessment methodology would do well to review the risk assessment requirements in ISO 27001 and 27002 and consider the 27005 or NIST approach. The ISO standards provide a good justification for formal risk assessments and outline requirements, while the NIST document provides a good introduction to a risk assessment framework.

With practice, an organization can establish a methodology based on this approach. However, it is worthwhile to review the OCTAVE family and, in particular, the Allegro framework. Its focus on information, its forms and relatively lightweight approach (when compared to other OCTAVE methods) provides a good alternative to NIST and will allow an organization to build a customized method that meets its own requirements.

CONSISTENCY IS KEY

In the end, the most important aspect of choosing a framework is ensuring that the organization will use it. Auditors will seldom inspect the details of your risk assessment method, but will look at whether you have a systematic method and apply it regularly. It’s an organization’s prerogative to accept risks that are too difficult or expensive to mitigate. However, one can only accept risks that one understands. Consistent and repeatable risk assessments provide the mechanism to not only understand risk, but also to demonstrate to auditors and regulators that the organization understands risk.

Whether your goal is to simply achieve good security or also meet regulatory requirements, creating a risk assessment method based on a well-known framework is a good place to start.

Richard E. Mackey, Jr. is vice president of consulting at SystemExperts, an information security-services firm. Send comments on this article to [email protected].


BUSINESS INTEGRATION

Hurdle Cultural Barriers to Compliance

Engage stakeholders frequently about their role in compliance and reducing risk inside your organization. BY ERIC HOLMQUIST

WHEN LOOKING TO create or expand information security reporting to senior management, the biggest challenge is often not technical but cultural.

Business managers can be hesitant to have areas of risk highlighted for fear that they will be perceived as not doing their jobs. Lawyers are often nervous that putting vulnerabilities in writing could ultimately be used against the organization. And managers are sometimes hesitant to tell senior management too much, fearing the managers won’t understand the information they are given, but recognizing that it represents a significant risk, will feel obligated to give arbitrary directives in a misguided attempt to solve problems they don’t fully understand.

While these are all realities that we as security and compliance managers live with, they are ones that mature organizations must push past if they are to holistically manage information security risk and compliance.

Contrary to what many believe, when seeking to address security and compliance weaknesses, knowledge is power and transparency is good. However, to successfully evolve beyond cultural barriers to effective information security reporting, a strategy is required. The following are some time-tested solutions to address these cultural barriers that often stifle effective information security risk and compliance management.

Tips for fostering a compliance culture

English only please – Unquestionably, the most critical make-or-break factor in information security reporting is language. Simply put, any report, whether in scorecard or narrative, must be limited to basic business terminology. No IT terms, no obscure acronyms, no exceptions—ever. An IDS system or other gateway device may produce a wonderfully detailed 20-page technical report, and while that may be helpful to technical staff, it should never see the light of day in an executive report. Instead, require these data owners to summarize their reports as succinctly as possible using language that someone who has no familiarity with technology would understand.

Make disclosure safe – The second most critical factor is to create an environment where disclosure is safe, meaning people must be allowed to express both their observations of potential risk and operational failures without being persecuted, and managers must foster an environment where such disclosures are encouraged. For observed risks, the focus must be on an assessment of the risk and an analysis of response options. For failures, the focus of the reporting needs to be 1) what happened, 2) what is being done about it, and 3) what could be done so that it doesn’t happen again. Blame is the mortal enemy of collaboration, so any disciplinary action must be done privately. Once people begin to realize that risk and failure can be brought up for healthy discussion, more and more risks will suddenly come out of the woodwork, and that is a healthy thing.

Focus on solutions – Simply put, make sure any material risk that is reported to management includes a management-level assessment of that risk and a plan of action (or, at minimum, a series of options). Highlighting a risk in isolation can be paralyzing and is often interpreted to mean that people aren’t doing their jobs. But presenting risks with a variety of solutions is empowering and reinforces the fact that people are on the job.

Let them make decisions – When presenting information on the state of the information security program and compliance, give management the opportunity not only to provide input, but also to make decisions. Even if this means simply submitting a menu of choices for a given area of concern, this engages them in the process and builds ownership. This may seem risky (Who wants “pointy-haired bosses” actually making decisions?), but it really does work to build engagement if risks are explained clearly and options are detailed out. Trust me, engagement is very good.

Start small – The fact is that most organizations can’t go from nothing to a detailed scorecard in one pass; it just doesn’t happen. Start small by focusing on more innocuous data points that allow management to take action (training completion, third-party governance, etc.). As management becomes more comfortable with the reporting cycle, move to more sensitive areas, such as open audit issues, control failures, operational incidents, risk heat maps, etc. (The latter have a more direct association with specific business areas.)

In the end, the goal is to create a compliance culture through dialog and engagement. Start small, be exceedingly clear and keep pressing. Eventually people will realize these topics are more approachable than they thought and that creating forums for discussion with a range of constituencies is healthy for the organization, ultimately creating a compliance culture that will serve an organization well.

Eric Holmquist is a principal with consulting firm Holmquist Advisory. He has more than 25 years experience in the financial services industry and is a frequent industry author and speaker. As the former vice president and director of operations risk management for Advanta Bank Corp., he was responsible for the development and oversight of the bank’s operational risk management program and its information security strategy. In addition, Holmquist chaired the bank’s MIS council, an oversight group that provides governance with regard to standards, methods and production of financial and operational reports and the management of enterprise data.


PCI DSS 2.0

PCI Assessment Changes Explained

The latest update to PCI is relatively minor, but that doesn’t mean security and compliance managers can afford to slack. BY ED MOYLE

VERSIONS 2.0 OF the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA DSS) made their debuts last fall. Since then, organizations have been trying to make sense of the updates, the new timetable for compliance and how this impacts established security and compliance programs.

From a PCI assessment standpoint, there are two things to call out about the changes at a macro level before going into the details of the changes themselves: First, the changes are relatively minor. This wasn’t entirely expected; a number of industry experts speculated that the standard would follow a “major release/minor release” paradigm (similar to what you’d see in a software product). Following a “point” release of PCI DSS 1.2 in October 2008, many thought the PCI DSS 2.0 “major revision” last year could mean sweeping change, but this wasn’t the way it turned out. The council cites maturity in the standard as the reason for the relatively small number of changes, which means companies can also expect a lesser volume of change in future revisions. For those that were hit hard by the (fairly significant) changes in the 1.x iterations during the past five years, this should be welcome news.

Secondly, the enforcement timing of changes is beneficial: In other words, there is time to respond before organizations are called to task on how they’ve implemented the changes. Merchants have a year to comply from the January launch date, meaning there is plenty of time to get environments in shape before enterprises actually have to go through an assessment based on the updates.


But these positive developments shouldn’t encourage security and compliance managers to slack. Although most of the changes represent a reduction of the scope of controls, there could be a few that might have broader impact depending on your current processes, scope of compliance efforts, and how your company has interpreted the controls in the past. So starting now, look at the changes and update your compliance plan accordingly. It will be time well spent.

PCI 2.0: If anything, mostly a slight reduction of assessment impact

As outlined, most of the changes reflect a decrease in the effort associated with the PCI assessment process, changes that provide additional flexibility for the assessor or for you to generally decrease the scope of assessment effort because they allow interpretive latitude—both for you and your QSA. That interpretive latitude means less time spent trying to force-fit what you’ve deployed into narrow parameters; in combination with clarifications about control scope, it means less time-consuming back-and-forth discussion between merchants/service providers and QSAs about intent and meaning. The chart below outlines areas where the changes have either no impact on PCI assessment effort or that decrease the effort associated with the assessment process:

PCI 2.0 EXPLAINED

Requirement: PCI DSS Intro
Proposed change: Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to PAN. Align language with PTS Secure Reading and Exchange of Data (SRED) module.
Assessment impact: In most cases, minimal impact on assessment effort. Potential reduction in assessment scope of effort if you or your QSA interpreted 3.3 or 3.4 as applying to other cardholder data in past assessments.

Requirement: Scope of Assessment
Proposed change: Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of cardholder data environment.
Assessment impact: Potential area of impact (described below).

Requirement: PCI DSS Intro and various requirements
Proposed change: Expanded definition of system components to include virtual components. Updated requirement 2.2.1 to clarify intent of “one primary function per server” and use of virtualization.
Assessment impact: Potential area of impact (described below).

Requirement: PCI DSS Requirement 1
Proposed change: Provide clarification on secure boundaries between Internet and card holder data environment.
Assessment impact: It isn’t clear from the description what this clarification will be. However, since the controls around separation of the CDE from the Internet are relatively unambiguous currently, this is likely to be a minimal impact issue.

Requirement: PCI DSS Requirement 3.2
Proposed change: Recognize that issuers have a legitimate business need to store Sensitive Authentication Data.
Assessment impact: The scope of an issuer’s business requirements has little bearing on an assessment at a merchant or service provider. Minimal impact to assessment effort.

Requirement: PCI DSS Requirement 3.6
Proposed change: Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and use of split control and dual knowledge.
Assessment impact: We don’t have enough information to know from the change description how this will change. The intent of the change is to increase flexibility, which suggests reduction in assessment effort.

Requirement: PCI DSS Requirement 6.2
Proposed change: Update requirement to allow vulnerabilities to be ranked and prioritized according to risk.
Assessment impact: This moves the requirement more in-line with what firms do; this change allows latitude to reflect that practice during an assessment.

Requirement: PCI DSS Requirement 6.5
Proposed change: Merge requirement 6.3.1 into 6.5 to eliminate redundancy for secure coding for internal and Web-facing applications. Include examples of additional secure coding standards, such as CWE and CERT.
Assessment impact: Consolidation in this area means reduced assessment effort as merchants and QSAs are no longer writing up results twice for the same controls.

Requirement: PCI DSS Requirement 12.3.10
Proposed change: Update requirement to allow business justification for copy, move and storage of CHD during remote access.
Assessment impact: This change recognizes that business may need to manipulate cardholder data during a remote access scenario. Therefore, businesses that required doing this will no longer have to write up compensating controls to do so.

As you can see, with the exception of the two areas called out, the items in this list connote relatively little impact on an assessment. It’s these other two areas that merchants and service providers may want to keep an eye out for.

Two areas to watch

One of the most significant changes is the clarification of PCI assessment scope (item No. 2 in the change list in the chart). It’s still unclear specifically how the scope change will be reflected in the final document, but what is there should be enough for anybody who’s been through an assessment to take notice. Specifically, according to this, scope of cardholder data flow diagrams should include all locations and all areas.

That’s an “uh-oh” for many firms; as it turns out, many organizations just aren’t where they need to be on this point. Producing up-to-date diagrams of cardholder data everywhere in the enterprise may seem negligible at first glance, but in a large retail environment with multiple business units, diagrams might cover only one business unit of many, or a subset of payment flows throughout the whole organization. So this change could very well mean a significant effort to share flow information between business units (since one process might intersect multiple business units) and to ensure all payment flows are accounted for in the documentation. Lack of appropriate documentation has always been one of the primary issues within an assessment context, so this change amps up what was already a known issue.

Secondly, the update for virtualization on the surface seems relatively innocuous; after all, many of us have been asking for a long time how virtualization ties into requirements like “one function per server” (Requirement 2.2.1). However, under the surface, expansion of the definition of “system components” to include virtual components might have additional ramifications beyond just 2.2.1; it could affect other requirements as well. For example, some requirements and test procedures specifically refer to “all system components” (for example, Requirement 10.6, “Review logs for all system components at least daily…”, and Requirement 2.2, “Develop configuration standards for all system components…”).

Requirements that address “all system components” now implicitly include the virtual environment as well, as do the test procedures. So a test procedure like 2.2.a (“Examine the organization’s system configuration standards for all types of system components and verify the system configuration standards are consistent with industry accepted hardening standards”) means that not only will an organization need to have a hardening standard for its virtual environment, but its assessor will also need to obtain and review that standard. This might not have been the case in prior assessments.
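To make that scope shift concrete, here is an added Python check (example code, not from the article or the PCI SSC) that compares a component inventory under the old reading, physical hosts only, with the 2.0 reading that counts virtual components as system components; the inventory format, the `hardening_standard` and `log_review_daily` evidence fields and the sample records are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Component:
    """Hypothetical inventory record; the field names are this example's, not PCI DSS terms."""
    name: str
    kind: str                          # "physical", "vm", "hypervisor" or "vswitch"
    in_cde: bool                       # sits in or connects to the cardholder data environment
    hardening_standard: Optional[str]  # Req. 2.2 / test 2.2.a: standard the configuration follows
    log_review_daily: bool             # Req. 10.6: logs reviewed at least daily


# Kinds that the 2.0 expansion of "system components" pulls into scope.
VIRTUAL_KINDS = {"vm", "hypervisor", "vswitch"}

REQ_HARDENING = "2.2.a configuration/hardening standard"
REQ_LOG_REVIEW = "10.6 daily log review"


def in_scope(inventory: List[Component], include_virtual: bool) -> List[Component]:
    """CDE components counted as 'system components' under the chosen reading."""
    return [c for c in inventory
            if c.in_cde and (include_virtual or c.kind not in VIRTUAL_KINDS)]


def gaps(inventory: List[Component], include_virtual: bool) -> Dict[str, List[str]]:
    """Names of in-scope components lacking evidence for each requirement."""
    missing: Dict[str, List[str]] = {REQ_HARDENING: [], REQ_LOG_REVIEW: []}
    for c in in_scope(inventory, include_virtual):
        if not c.hardening_standard:
            missing[REQ_HARDENING].append(c.name)
        if not c.log_review_daily:
            missing[REQ_LOG_REVIEW].append(c.name)
    return missing


def newly_exposed(inventory: List[Component]) -> Dict[str, List[str]]:
    """Gaps that appear only once virtual components are read as system components,
    i.e. what a 2.0 assessor may ask for that a 1.x assessment never did."""
    before = gaps(inventory, include_virtual=False)
    after = gaps(inventory, include_virtual=True)
    return {req: sorted(set(after[req]) - set(before[req])) for req in after}


# Constructed sample inventory (names and states are made up for illustration).
INVENTORY = [
    Component("web-pos-01", "physical", True, "CIS-Linux-baseline", True),
    Component("esx-cde-01", "hypervisor", True, None, False),
    Component("vm-payment-app", "vm", True, "CIS-Linux-baseline", True),
    Component("vswitch-cde", "vswitch", True, None, True),
    Component("vm-intranet-wiki", "vm", False, None, False),  # outside the CDE, never in scope
]

if __name__ == "__main__":
    for req, names in newly_exposed(INVENTORY).items():
        print(f"{req}: {names or 'no new gaps'}")
```

Under the physical-only reading the sample passes cleanly; under the 2.0 reading the hypervisor and virtual switch surface as components with no hardening standard, and the hypervisor also lacks daily log review.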

So overall for merchants and service providers, this version of the standard represents a streamlining of the assessment process, which should help ease the PCI DSS compliance burden somewhat. But the expansion of system components to include virtualization and the updates to required documentation could make those elements of the assessment process more complex, so be sure to address each with your assessor when the time comes for your company’s first assessment under PCI DSS 2.0; also, it’s a good idea to start the planning now for areas where your current control deployment may not address the entirety of the scope.

Ed Moyle is currently a manager with CTG’s Information Security Solutions practice, providing strategy, consulting, and solutions to clients worldwide as well as a founding partner of SecurityCurve.


EDITORIAL DIRECTOR Michael S. Mimoso

SENIOR SITE EDITOR Eric Parizo

EDITOR Marcia Savage

MANAGING EDITOR Kara Gattine

NEWS DIRECTOR Robert Westervelt

SITE EDITOR Jane Wright

ASSOCIATE EDITOR Carolyn Gibney

ASSISTANT EDITOR Maggie Sullivan

ASSISTANT EDITOR Greg Smith

UK BUREAU CHIEF Ron Condon

ART & DESIGN
CREATIVE DIRECTOR Maureen Joyce

COLUMNISTS
Marcus Ranum, Lee Kushner, Mike Murray

CONTRIBUTING EDITORS
Michael Cobb, Phillip Cox, Scott Crawford, Peter Giannoulis, Ernest N. “Ernie” Hayden, Robbie Higgins, Jennifer Jabbusch, David Jacobs, Diana Kelley, Nick Lewis, Richard E. Mackey Jr., Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ashley Podhradsky, Ben Rothke, Anand Sastry, Dave Shackleford, Joel Snyder, Lenny Zeltser

USER ADVISORY BOARD
Phil Agcaoili, Cox Communications
Richard Bejtlich, GE
Seth Bromberger, Energy Sector Consortium
Chris Ipsen, State of Nevada
Diana Kelley, Security Curve
Nick Lewis, ACM
Rich Mogull, Securosis
Craig Shumard, CIGNA CISO Retired
Marc Sokol, Guardian Life
Gene Spafford, Purdue University
Tony Spinelli, Equifax

INFORMATION SECURITY DECISIONS
GENERAL MANAGER OF EVENTS Amy Cleary

VICE PRESIDENT/GROUP PUBLISHER Doug Olender

PUBLISHER Josh Garland

DIRECTOR OF PRODUCT MANAGEMENT Susan Shaver

DIRECTOR OF MARKETING Nick Dowd

SALES DIRECTOR Tom Click

CIRCULATION MANAGER Kate Sullivan

PROJECT MANAGER Elizabeth Lareau

PRODUCT MANAGEMENT & MARKETINGKim Dugdale, Andrew McHugh, Karina Rousseau

SALES REPRESENTATIVES

Eric Belcher

Patrick Eichmann

Sean Flynn

Jennifer Gebbie

Jaime Glynn

Leah Paikin

Jeff Tonello

Vanessa Tonello

George Whetstone

Nikki Wise

TECHTARGET INC.

CHIEF EXECUTIVE OFFICER Greg Strakosch

PRESIDENT Don Hawk

EXECUTIVE VICE PRESIDENT Kevin Beam

CHIEF FINANCIAL OFFICER Jeff Wakely

EUROPEAN DISTRIBUTION Parkway Gordon

Phone 44-1491-875-386 www.parkway.co.uk

LIST RENTAL SERVICES Julie Brown

Phone 781-657-1336 Fax 781-657-1100

Information Security’s Essential Guide to Compliance is published by TechTarget, 275 Grove Street, Newton, MA 02466 U.S.A.; Toll-Free 888-274-4111; Phone 617-431-9200; Fax 617-431-9201.

All rights reserved. Entire contents, Copyright © 2011 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or INFORMATION SECURITY.

TECHTARGET SECURITY MEDIA GROUP


SPONSOR RESOURCES

See ad page 2

• ArcSight Customer Success

• First Annual Cost of Cyber Crime Study - Benchmark Study of U.S. Companies

• Using Advanced Event Correlation to Improve Enterprise Security, Compliance and Business Posture

See ad page 4

• FoxT Demonstration on Privileged Access Management

• FoxT Compliance Report Packs for SOX, PCI, HIPAA, NERC-CIPs

• Solving Key Compliance Audit Issues with Enterprise Access Management

• Choosing a Cloud Provider with Confidence

• Stop Phishing: A Guide to Protecting Your Web Site Against Phishing Scams

• GeoTrust SSL Solutions


SPONSOR RESOURCES

See ad page 14

• Dell SecureWorks Webcast: An Expert Approach to PCI compliance

See ad page 7

• Compliance for Dummies Book from Sophos

• 8 Steps to Protecting PII (Personally Identifiable Information)

• Learn how to implement a data loss prevention strategy

• Webinar: Managed DNS - Using Hybrid Routing to Optimize DNS Performance

• Webinar: DDoS Defense - Augmenting your Business Continuity Practices in the Face of the Growing Threat

• Benchmark your Company's Infrastructure Protection: Take the Executive Threat Assessment