Archive for March, 2010


PCI Compliance – Basic Security Hygiene
Wednesday, March 3rd, 2010

Your company was certified as PCI compliant by a bona-fide PCI Compliance Company, and security was breached anyway. You paid the big bucks to go with a highly recommended company with a price tag to prove it. How could this happen? It’s simple really.

There’s no such thing as total security. I don’t care what you pay for it or who you hire to assess the security of your infrastructure; security is not a sure thing.

As a security professional and practitioner, I can tell you that all it takes is one mistake by one person to open a gaping hole in your defense structure. However, there are things you can do to be proactive and aid your existing staff in becoming compliant and maintaining compliance.

Automate the security assessment and compliance process with sophisticated tools. If you don’t, you will have to beef up your security staff to keep a watchful eye on every part of your infrastructure. While you can’t replace the human brain and security experience, you can help yourself by employing the right toolset.

Consider the issues:

· Email and messaging encryption

· Encryption for data at rest

· Knowledge of where all the data resides

· Segregation of duties

· Access controls

· Network segregation (isolation of PCI networks)

· Myriad firewall rules with no business justification

· Undocumented policies and procedures

· Unpatched systems

· Storing sensitive data on tape

These issues are not just an IT problem. They are a people and process problem to boot. Where to begin?

The Payment Card Industry Data Security Standard (PCI DSS) requirements, “the digital dozen”, must be met annually to maintain PCI compliance.

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data sent across open, public networks

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security

You understand the issues and you understand the requirements. You have capable staff, or maybe you are under-staffed. But, in every case, the security environment is complex and essentially you can’t hire enough people to cover all the bases. You must automate what you can.

You may be thinking, “That’s going to cost the big bucks!” Yes, it is. But consider that for every tool you employ, you will hire fewer people to ensure the security and safety of your network and data. That is, if you want to have the absolute best security possible. What’s it worth to your business?

There’s no going back. We live in a highly mobile, networked world. It is what it is.

So, you must do something to get things under control, and that something is about finding the right technologies and processes to put in place. Too bad there’s not a one-stop shop to go to. There hasn’t been until now. IBM is now the leader in security. And trust me, they don’t pay me to say that. Let me explain.

IBM has a five-phased approach to achieving PCI compliance:

1. Assessment

2. Design

3. Deployment

4. Management and Support

5. Education

IBM offers software, hardware, managed services and professional services to meet the requirements of the PCI DSS “digital dozen”. PROVISTA, as an IBM Premier Business Partner, can offer all that IBM has to offer at a reduced cost combined with the personal and dedicated attention you need.

What we have to offer to meet the “digital dozen” requirements:

1. Firewall

  • IBM Proventia Server Intrusion Prevention System (IPS)
  • IBM Proventia Network IPS

2. No default passwords or security parameters

  • Tivoli Access Manager
  • IBM Proventia Network Multi-Function Security (MFS)

3. Protect stored cardholder data

  • Tivoli Storage Manager
  • Proventia Server IPS
  • IBM PKI services
  • Guardium database activity monitoring

4. Encrypt transmission

  • IBM data encryption for IMS and DB2

5. Anti-virus software

  • IBM Proventia desktop endpoint security
  • IBM Proventia network enterprise scanner

6. Secure systems and applications

  • IBM software development platform
  • Tivoli CCMDB
  • IBM Rational AppScan

7. Restrict Access

  • IBM Tivoli Access Manager
  • Tivoli zSecure Admin
  • Tivoli Compliance Insight Manager

8. Unique IDs

  • Tivoli Identity Manager
  • Tivoli Federated Identity Manager

9. Restrict physical access

  • IBM digital video surveillance
  • IBM biometric access control

10. Monitor access

  • Tivoli Compliance Insight Manager
  • Tivoli Security Operations Manager
  • IBM Proventia Server IPS

11. Test security systems and processes

  • IBM ISS products and services
  • Tivoli Security Compliance Manager
  • IBM Proventia Network Anomaly Detection System (ADS)

12. Security policy

  • PROVISTA/IBM services
  • IBM software automated compliance reporting

Even if you deployed all of the above, how can you be assured that there will actually be a return on investment? Stay tuned and email me at cjkelly@provista.com.