PCI Update: Do You Know Where Your Data is?
Current Protection Practices May Put Information at Risk
While financial institutions are doing a "better job" than other businesses grappling with the Payment Card Industry's Data Security Standards, there are still compliance questions that need closer examination, according to David Taylor, president and CEO of the Payment Card Industry Security Vendor Alliance (PCI SVA).
"[Don't] be smug or complacent when it comes to PCI," Taylor warns.
The difference between large and small institutions is not in internal information security. "The majority of institutions we've seen have good perimeter security, and run anti-virus with a strong firewall protecting networks," Taylor says. The deployment and use of data encryption, by contrast, varies widely from one institution to the next, he says.
The real question is: "Where is the data at your institution?"
"If you ask 100 people where the data is in your institution, you'll find at least a few places that data resides where you didn't think it did," he says.
Data exists in log files, transaction files, backup emails, and at the remote location where an institution would resume business in case of an emergency.
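Answering "where is the data?" usually means scanning the places listed above for card numbers that should not be there. The following Python script is an added illustration, not part of the article: it scans constructed log and backup lines for Luhn-valid card-number patterns and reports only masked values, so the inventory itself does not become yet another copy of the data.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits in any report output."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pan_candidates(source: str, lines):
    """Return (source, line number, masked PAN) for every Luhn-valid candidate."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((source, n, mask_pan(digits)))
    return hits

# Constructed sample input: an application log and a backed-up transaction export.
# 4111111111111111 and 5500000000000004 are published test numbers, not real cards.
APP_LOG = [
    "2024-03-01 10:02:11 INFO checkout ok order=8831 amount=42.10",
    "2024-03-01 10:02:12 DEBUG gateway request pan=4111111111111111 exp=12/26",
    "2024-03-01 10:05:40 INFO session id 1234567890123456 opened",
]
BACKUP_EXPORT = [
    "8832,5500 0000 0000 0004,42.10,approved",
    "8833,tok_9f3a2c,13.00,approved",
]

if __name__ == "__main__":
    for src, lines in (("app.log", APP_LOG), ("backup.csv", BACKUP_EXPORT)):
        for hit in find_pan_candidates(src, lines):
            print("cardholder data found: %s line %d -> %s" % hit)
```

The session id on the third log line is sixteen digits but fails the Luhn check, so it is not reported; the tokenised value in the export is the pattern you want to see in stored data.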
At one organization (which will remain unnamed) that Taylor visited, he saw a data disaster in the making. A major piece of the business's information was stored at the remote business continuity site. "Part of it had to do with the business's continuity plan, and there were a lot of backups of information," he says. "The business would be able to restore critical information in a flexible way, in case of a disaster." The business planners were proud of their accomplishment: "They told me: 'We have copies of critical information in a variety of locations to do a restore.' You'd be very impressed with that -- except if you were an information security professional."
Financial institutions need to ask: What is the level of control we have over our far-flung network of information? "It may be more or less than you'd like," Taylor says. "There are always copies of data in a lot of places, and many times no centralized knowledge of where the data resides."
Financial institutions need to ask hard questions and take a critical view of their overall strategies, he notes. While most hacks occur outside of financial institutions, and they are harder to crack than, say, educational institutions, "... the far-flung network of information means it's easier for a hack to occur."
There are still plenty of people out there who can get around access controls, he points out, and enforcement of access controls leaves something to be desired.
Taylor and other security pros look at this challenge and point to the need to know where your data is -- and protect it.
When it comes to being compliant with PCI's Data Security Standards, Taylor asks "What does compliance mean? Credit card companies want to see the rate of compliance going up, but there is absoluteness to PCI -- if you're 90% completed toward PCI's 12 requirements, you fail."
Taylor believes that anyone who is trying to be in compliance -- and is, say, 90% compliant -- should be judged as "nearing compliance."
"Are you better than the one that has only 20% done?" he asks. "Absolutely. The percentage level doesn't jibe with risk mitigation, and risk compliance."
Businesses that must be compliant with PCI cannot treat PCI's "digital dozen" as equal, Taylor says. Each of the 12 requirements represents a different level of risk. "It is hard to achieve compliance. Statistically, you don't do it tomorrow, or the day after," he notes.
Taylor recommends that institutions rate the requirements based on risk and on the nature of the business, and point compliance projects toward those and other key regulations (GLBA, HIPAA, and SOX).
For more information: https://www.pcisecuritystandards.org/tech/