
Information Security Management ResourceKit

A Public Service of SecureTheVillage


noah

PCI DSS High Level Overview

Your boss comes to you and says, “We need to be PCI compliant by tomorrow, and I’m assigning you as the compliance manager.”

Your first thought might be, “what is PCI compliance?” or “why has god forsaken me?” Both are reasonable responses. But neither will get you compliant.

Well, fear not. Below is a very high-level idea of what you can expect, along with links to further resources:

  1. Get familiar with what PCI is all about. High level: PCI-DSS is a security framework the major credit card brands created to ensure businesses that store, process and/or transmit credit card data are meeting a baseline of security controls.
  2. Check out the PCI website https://www.pcisecuritystandards.org/. Here you will find all the resources you might need in your compliance journey. Specifically, the document library will be your best friend: https://www.pcisecuritystandards.org/document_library
  3. Once you’ve gotten an idea about PCI and the requirements, the next step is to determine what level you are. There are 4 levels, with level 1 being a company that stores, processes and/or transmits large numbers of credit cards. If you are a merchant, you should contact your acquiring bank to determine your level. If you are a service provider you need to determine how many credit cards you store, process and/or transmit annually. If it’s more than 300,000, you are considered a level 1 service provider.
  4. If you determine that your company/organization is a level 1 merchant and/or service provider, you must have a PCI Qualified Security Assessor (QSA) come on-site and perform a PCI-DSS assessment. Depending on your environment setup, though, you may be eligible for a Self-Assessment Questionnaire (SAQ). These forms can be filled out by an authorized individual at your company and submitted as proof of compliance. The “Understanding SAQs for PCI DSS” document within https://www.pcisecuritystandards.org/document_library?category=saqs#results outlines the PCI SAQs.
  5. If you have any other questions, it is advisable to reach out to a QSA firm or other information security management company to discuss what your options are and to clarify any questions you might have about how PCI-DSS applies to your specific environment.

If you do decide to contact a QSA firm, here are some tips to save you time and money:

  • Take inventory of every system in your network. This is critical, as it will be used by you and the QSA to determine what is “in-scope” vs. “out-of-scope”.
  • Create a credit card data-flow diagram. This diagram is not only required for PCI-DSS compliance, but will assist you and the QSA in determining where credit card data is being stored, processed and/or transmitted.
  • Stay patient. Undergoing a PCI-DSS assessment can be very stressful, especially if it is your first time. Your QSA will ask a lot of questions that you may or may not know the answer to. Keep in mind that this is not an attack or criticism; it only means that the QSA has no idea how your network is set up and needs you to show them.

Contributed by Silent Storm Security, LLC © Copyright 2018. Silent Storm Security, LLC. All Rights Reserved.

Filed Under: PCI DSS

Team Mission, Goals, and Objectives

Team Mission

The Information Security Management & Leadership Team is responsible for managing the organization’s risk-based Information Security Management Program, designed to protect the confidentiality, integrity, and availability of the organization’s information.

The Information Security Management & Leadership Team is also responsible for organizational leadership in creating a cybersecurity culture.

Team Goals

The Information Security Management & Leadership Team has seven goals.

  1. Ethical Responsibility: Manage the security of Information with the recognition that it is the lives and fortunes of our clients and customers, our people, and our community.
  2. Proportionate Risk: Manage the security of Information proportionate to the harm that its loss of confidentiality, integrity, or availability could cause the organization, its clients and customers, its people, and the community.
  3. Commercial Reasonableness: Manage the security of information in a manner that is commercially reasonable for the organization’s particular circumstances: industry, size, nature of information at risk, etc.
  4. Organizational Completeness: Manage information risk across the entire organization, to also include 3rd-parties and vendors.
  5. Minimize Operational Impact: Manage the security of Information in ways that minimize the impact on operations and staff productivity.
  6. Cost-Effectiveness: Manage the security of information to minimize the organization’s Total Cost of Information Security (SM).
  7. Continuous Improvement: Continuously improve the organization’s ability to identify and respond to (i) changes in the organization’s risk profile resulting from changes in the threat environment, laws and regulations, and contracts; (ii) the availability of new and improved countermeasures; and (iii) discovered weaknesses in existing countermeasures.

Team Objectives

The Information Security Management & Leadership Team is to:

  1. Establish and maintain Information Security Policies and Standards to guide the organization in securing information.
  2. Ensure staff are provided awareness training, education and organizational leadership in creating a cybersecurity culture.
  3. Ensure IT security management conforms to organizational standards and commercially-reasonable practices.
  4. Maintain commercially reasonable assurance that vendors and 3rd-parties with whom information is shared properly protect that information.
  5. Ensure information resilience: the organization’s ability to detect and recover from security incidents and interruptions, and its ability to restore normal operations.
  6. Provide staff with information security tools (e.g., password management tools).
  7. Work with the Finance Department to manage the risk of online bank fraud.
  8. Ensure the organization is in compliance with laws, regulations and contractual agreements.
  9. Coordinate the organization’s use of cyber-insurance as a risk management vehicle.
  10. Support business development, primarily in response to inquiries from prospects and clients about our information security management program.


Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.


Filed Under: Information Security Management & Governance, The Information Security Management & Leadership Team

The Objective of Information Security Management

The Objective of Information Security Management is to Manage Information Risk, including:

  • Cyber Fraud
  • Business Email Compromise
  • Information Theft
  • Ransomware
  • Denial of Service Attack
  • Regulatory compliance
  • Disaster

Information Risk Impacts Business Risk

  • Loss of Money
  • Loss of Brand Value
  • Loss of Competitive Advantage

Information Risk Measures

  • Thirty percent (30%) of cybercrime victims are smaller organizations
  • Sixty percent (60%) of these victims are out of business within 6 months
  • Eighty percent (80%) of these breaches are preventable with basic security management

Managing information risk means ensuring four things:

  1. The confidentiality and privacy of sensitive information
  2. The integrity of information and data
  3. The availability of critical information
  4. The authenticity of communications

The Context of Information Security Management

Information security management augments insurance and other forms of risk transfer. It also takes place in the legal context of commercial reasonableness.


Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.

Filed Under: Information Security Management & Governance

Information Security Management — Seven Critical Success Strategies


Information Security Success Strategies — The Critical Seven

The following seven critical success strategies are vital in implementing a successful formal risk-driven Information Security Management Program.

  1. Put someone in charge. Establish leadership: an Information Security Manager / Chief Information Security Officer.
    1. C-Suite and Board Governance
    2. Independent Perspective from CIO or Technology Director
    3. Supported by Cross-Functional Leadership Team
    4. Supported with Subject-Matter Expertise
  2. Implement formal risk-driven information security policies and standards.
  3. Identify, document and control sensitive information.
  4. Train and educate personnel. Change culture.
  5. Manage 3rd-party security.
  6. Manage IT Infrastructure from an “information security point of view” in accordance with standards at least as strong as SecureTheVillage’s Code of Basic Information Security Management Practices.
  7. Be prepared. Incident response. Business continuity planning.

Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.

Filed Under: Information Security Management & Governance

The Vital Role Played by Information Security Management Policies and Standards

Information Security Management Policies and Standards are the key strategic management framework supporting commercially-reasonable information security management practices for organizations of all kinds.

An organization’s Information Security Management Policies and Standards serve to:

  1. Establish management’s commitment to securing critical information assets
  2. Establish uniform organizational standards for securing critical information assets
  3. Provide guidance to managers and other employees as to their information security responsibilities, obligations and duties
  4. Provide standards for use by IT personnel in securely configuring and maintaining the IT Infrastructure
  5. Provide an information security baseline for establishing adequate protection of an organization’s intellectual property, trade secrets and other proprietary firm information
  6. Be aspirational, providing actionable guidance to an organization as it evolves its own unique information security management program
  7. Support the all-important objective of creating an information security-aware culture

Information Security Policies also satisfy emerging information security laws, regulations and contractual requirements that mandate such policies. Information security policies are required, for example, by the following:

  1. Federal laws, such as HIPAA and Gramm-Leach-Bliley which require the protection of personal health and financial information
  2. Payment Card Industry Data Security Standard requiring the protection of card information
  3. California Civil Code 1798.81.5, requiring California businesses to implement reasonable information security measures to protect personal information belonging to California citizens
  4. The Federal Trade Commission (FTC) security and privacy regulations
  5. Breach disclosure laws in several states

Citadel’s Information Security Management Policies and Standards are based upon industry-standard frameworks such as ISO 27001 and ISO 27002, the National Institute of Standards Information Security Management Framework, the Payment Card Industry’s Data Security Standard, as well as HIPAA/HITECH, GLB and other applicable Federal and State laws and regulations.

Information Security Management Standards

Information Security Management Standards, in contrast to Policies, are designed to be specific, actionable requirements to be implemented by management, users and IT. And, unlike policies, which are obligatory, standards are aspirational.


Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.

Filed Under: Information Security Policies and Standards


Copyright © 2023 · SecureTheVillage