ISO&Agent

Guest Column

You hear it almost every week throughout the airwaves and read it on the Internet: Another security breach that seems to unnerve yet more people.

From stolen credit card numbers to hacked databases holding private consumer medical information, it seems businesses can do almost nothing to protect confidential and sensitive information. More challenging is that society is growing ever more dependent on the information age in facilitating our daily lives.

In short, technology is everywhere. We're dependent on it. Thieves and criminals are preying on it, and businesses must take action to protect information, especially credit card data.

Whether you agree or not with the overall intent and rigor of the provisions outlined in the Payment Card Industry Data Security Standard, one aspect is certain: They are here to stay. Furthermore, PCI is without question one of the most far-reaching and comprehensive regulatory-compliance requirements ever unveiled.

From small, street-corner merchants to large multinational corporations, PCI compliance is alive and well and affecting everyone. Want to secure your data and keep thieves from causing a catastrophic financial, legal and public relations nightmare, while also being able to comply with the ever-growing list of compliance mandates? Then implement your Security 101 action plan today by following these essential guidelines and best practices.



From PCI compliance to a number of other far-reaching regulatory assessments, your organization's network-security infrastructure is a critical platform that must be secure at all times. Securing the firewalls that permit traffic to the routers, switches and other network devices that form your local and wide area networks is essential.

Configure, provision and effectively "harden" all your network systems with best-of-breed practices. Many devices are shipped with vendor default settings, and that poses a significant security threat unless they are changed. Thus removing various functionalities, services and protocols is essential.

Use industry-leading security "hardening" standards for all your network devices. Look to Carnegie Mellon University's CERT, a computer-security organization; the Open Web Application Security Project; the National Institute of Standards and Technology; the SANS Institute; and the Cloud Security Alliance, among others, for their hardening and provisioning guidelines, checklists, technical white papers and online forums.

The Open Web Application Security Project is a not-for-profit worldwide charitable organization formed to improve the security of application software. CERT studies Internet security vulnerabilities and develops research and training for improving security. And SANS provides free policies and research on security issues.

Use free, open-source tools if financial constraints limit your ability to protect your network. Look for a Web application firewall, a two-factor authentication system for remote access or a proven intrusion-detection system.

A growing number of cost-effective, open-source tools are available for your organization to use. They include:

* Firewalls: Iptables, which is a network firewall, and, a Web application firewall that protects a company's Web server from attack, can establish a secure border around a company's network.

* Two-factor authentication: Secure remote access is steadily growing in demand, so try This software calls a person's cell phone and requests a passcode, constituting two-factor authentication for access to a network. The passcode is something the user knows, and the phone is something the user has. At last check, it is free for up to 20 users.

* Intrusion-detection systems: Snort, which is open source software designed to help prevent unauthorized network access, still provides an entry-level system that essentially is free.

* Systems logging: The ability to log network activity has become a must-have. Try Kiwisyslog, an open-source tool that tracks network activity, with a very inexpensive one-time user fee of $249.

* Ticketing systems: From documenting changes made to a network and the devices connected to it to providing essential help-desk support, your organization needs a ticketing system to track software development. I suggest trying, Jira or even Redmine.



Have you been through PCI compliance lately or looked to conquer the PCI DSS mandate for your company? You'll need to develop literally dozens of documented policies and procedures for ensuring compliance with all 12 requirements in PCI version 1.2.1. That can be easier said than done, as most organizations simply lack the time, skill sets, or patience to write effective policies and procedures.

The goal is to find free or cost-effective templates, such as those found at SANS, which provides research documents, or by utilizing National Institute of Standards and Technology standards. And remember, aside from the PCI DSS requirement itself, a large and growing number of other regulatory-compliance initiatives also mandate them.



Just as vital as securing the data itself is securing who has access to it. Rein in database-access rights and apply effective, role-based access controls while also putting in place measures for protecting data.

These role-based access controls, which should be effectively applied throughout all of your information-technology systems, essentially permit access to resources based on groups or profiles that have well-established permissions. Databases, notorious for having a few select personnel who share generic passwords, should strive to segregate duties and grant access to the minimum data needed for performing one's function. Additionally, data need to be adequately protected, and the most viable method should be encryption.

Lastly, remember those antiquated hard drives and library tapes full of data that are stacked in your server room or in some remote storage room? It is time to effectively destroy that confidential information, either by secure wipe methods, physical destruction or some other type of approved data-disposal technique. You don't need it, so get rid of it.



Many notable data-security breaches make front-page news, but internal theft, misappropriation and misuse of assets are regularly buried and swept under the rug. The sad fact is that businesses essentially want to hide their failure of internal controls and other supposed safeguards. The number of security breaches that occur because of careless or malicious internal employees is simply staggering. What's needed to mitigate this growing problem is for businesses to embrace awareness and accountability.

Awareness will properly educate employees on best practices for data security and other operational guidelines, and accountability ensures that they are fully aware of the penalties, such as suspension or being fired, for violating company policies. Thus it behooves a company to implement a comprehensive security awareness-training program. After all, this is a requirement for PCI. Properly vet new hires with background checks, and maintain a culture that embraces awareness and accountability.



A large and growing number of industry publications and online forums are available to help you stay abreast of technology and security issues. The key is not to overwhelm yourself by subscribing to dozens of these resources. Choose a few that interest you, follow them diligently, and practice what they preach.

Has your organization installed the latest security patches for your computer's operating system? Are your databases secure against growing malicious software threats? How about news on the latest hacking techniques? You can find this and much, much more by subscribing to any number of resources.


Charles Denyer is a PCI-qualified security assessor and a member of NDB LLP, an Atlanta-based accounting and consulting firm. He can be reached at

