Corporate Solutions & Services Inc.




How do you achieve security for your enterprise and in turn achieve effective compliance?

Saskatchewan Summit 3.0
Payment Card Industry

"Compliance does not equal security"

Bashir Fancy, MD, Corporate Solutions & Services Inc.
Special Advisor, Grant Thornton LLP
April 25, 2012
© 2010 Grant Thornton International. All rights reserved.
Objectives

This session will focus on:

1. A quick review of what the problem was and is
2. How organizations have approached the PCI compliance standard in the last few years, and the reasons for limited success
3. How to approach PCI compliance effectively as part of your overall security compliance effort, and achieve sustainability
Challenges that Organizations face

Without an effective data protection policy and process in place, your organization runs the risk of sensitive data loss, which can impact:
         – Brand reputation
         – Fraud losses and financial impact
         – Breach notification costs
         – Costs to manage fraud
         – Possible fines from the credit card companies
         – Loss of customer confidence
         – Undesired regulatory attention

Your organization may also be missing the opportunity to improve efficiency, reduce costs and improve the bottom line.
PCI compliance would not have been required in the first place if organizations had been doing the right thing to protect sensitive information.
Background to the development of PCI

Significant fraud losses have been occurring in Canada and globally, in both card-present (swiped) and card-not-present (online) environments:
      • Stored data was not protected by acquirers, merchants or third-party processors
      • Sensitive data was easily accessible and was not protected by processors
      • Credit card data was transmitted in clear text, making it easy to compromise
      • Organized crime infiltrated major organizations, and continues to do so today
      • A high proportion of compromises had a major internal component
      • Far more information continues to be stored than is needed to conduct business
Brand impact can be significant, with consumers affected by a compromise losing confidence.
There are significant costs to handle customer service issues, including card replacement, credit monitoring and fraud losses, eventually resulting in loss of business.
Visa was concerned that fraud losses were becoming accepted as a "cost of doing business".

Grant Thornton LLP - Achieving compliance and security
Data: asset and liability

Data is both an asset and a liability. As organizations grow, the volume and complexity of data increases to support the business. Sensitive data within the enterprise must be protected against theft, loss, and misuse, assuming there are legitimate reasons to store it in the first place.

This data includes:
•   customer information
•   patents or trade secrets
•   corporate information
•   personally identifiable information
•   credit card data

Without an effective method to:
•   Discover data, it is difficult to apply the appropriate security controls to protect it
•   Classify data, it is difficult to understand the importance and sensitivity of the data and what should be protected
•   Control data, it is difficult to restrict access to data, prevent misuse of it, and secure it at rest and in transit
•   Audit data and its usage, it is difficult to enforce the security controls

As a result, it is difficult to adequately protect data throughout its life cycle across the organization.
Challenges that Organizations face

• Initially there was a lack of support from the executive suite, as not all organizations truly understood the value of the PCI standards
• Today many organizations treat it as a compliance issue, primarily to obtain the certification paper
• Organizational silos prevent a holistic view of the magnitude of the problem, which creates subsequent losses and costs
• Worse, these costs and inefficiencies have become part of our infrastructure
• Fraud is seen by many organizations as a "cost of doing business", and these losses have been normalized
• Organizations track only the dollars they write off on the books and NOT the costs to manage fraud that are distributed across the organization
Lessons Learnt (Observations)

• Organizations are doing the bare minimum to comply, putting their brand at risk
• PCI is NOT part of the broader regulatory/audit/compliance program; there is no ongoing oversight, program or strategy in place to sustain compliance
• Remediation efforts have been undertaken to the letter of the law. There is no "enterprise-wide owner" and a lack of stakeholder involvement
• Widespread access to critical data ("grandfather rights") and reluctance to change
• PCI is still seen as a "credit card" mandate only
• Lack of effective access controls, including at the point of sale
• Communication and awareness has been lacking or has been selective
• There are a lot of make-work projects that neither produce security nor enhance operations!
• We still see misunderstanding of the requirements and/or collusion
Lessons Learnt (Observations)

•   Organizations continue to store data that is not required to conduct the business.
•   Some organizations have opted for tokenization, but the benefits of this approach have been minimized because the whole project was not thought through.
     • For example, the ability to translate tokens back into card numbers (de-tokenize) exists in many parts of the organization, so those systems can still reach the card data and remain in scope.
•   Some credit card processing has been outsourced without due diligence as to whether the outsourced organization is in fact PCI compliant or secure. Outsourcers often subcontract some of the work further downstream, compounding the problem.
•   Lack of an enterprise-wide owner, and done as a one-time effort: NOT SUSTAINABLE
•   Organizations have not mapped their requirements across frameworks and as such duplicate the work instead of "do it once and satisfy many"
•   Some organizations have embarked upon remediation without first doing data classification/discovery: lack of strategy
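The tokenization observation above is a least-privilege problem: tokenization only takes systems out of scope if they cannot get the card number back. The following is an added example written for this page, not code from the original deck or from Grant Thornton / Corporate Solutions & Services. It shows a token vault in which any caller may tokenize, but de-tokenization is restricted to a configured set of roles and every attempt is audited. The in-memory store, the keyed-hash lookup index, the `tok_` token format and the role names are assumptions made for the example; the card number is a published test number.

```python
"""
Token vault in which tokenization is broadly available but de-tokenization
is a separate, narrowly authorized and audited operation. Systems that hold
only tokens never regain the PAN; if every system can translate tokens
back, tokenization buys little.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    op: str
    caller: str
    token: str
    purpose: str
    allowed: bool


class TokenVault:
    def __init__(self, lookup_key: bytes, detokenize_roles: set[str]):
        # Assumptions for this example: an in-memory store, and a keyed hash
        # (HMAC) of the PAN as the lookup index so the same card always gets
        # the same token without storing the PAN twice. A production vault
        # would encrypt the PAN at rest and keep its keys in an HSM.
        self._lookup_key = lookup_key
        self._detokenize_roles = set(detokenize_roles)
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}
        self.audit: list[AuditEvent] = []

    def _index(self, pan: str) -> str:
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str, caller: str) -> str:
        """Any caller may exchange a PAN for a token."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("not a PAN")
        idx = self._index(pan)
        token = self._token_by_index.get(idx)
        if token is None:
            # Random, non-numeric token that keeps only the last four digits:
            # obviously not a PAN, yet still useful for customer service.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        self.audit.append(AuditEvent("tokenize", caller, token, "", True))
        return token

    @staticmethod
    def last_four(token: str) -> str:
        """What most systems actually need; no vault access required."""
        return token.rsplit("_", 1)[-1]

    def detokenize(self, token: str, caller: str, purpose: str) -> str:
        """Only the configured roles may recover the PAN; every attempt is logged."""
        allowed = caller in self._detokenize_roles and bool(purpose)
        self.audit.append(AuditEvent("detokenize", caller, token, purpose, allowed))
        if not allowed:
            raise PermissionError(f"{caller} is not authorized to de-tokenize")
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault(lookup_key=secrets.token_bytes(32),
                       detokenize_roles={"settlement-service"})
    tok = vault.tokenize("4111111111111111", caller="web-checkout")  # published test number
    print("order record stores", tok, "last four", TokenVault.last_four(tok))
    try:
        vault.detokenize(tok, caller="call-centre", purpose="customer query")
    except PermissionError as exc:
        print("denied:", exc)
    print("settlement gets", vault.detokenize(tok, caller="settlement-service",
                                              purpose="daily settlement"))
```

The audit list is what an assessor will ask for: it records denied attempts as well as successful ones, so a call centre application that has quietly been wired to de-tokenize shows up in the log rather than in the next breach.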
Going Forward

•   Contracts managing third parties have not kept pace with changing business needs and in some instances have not stipulated the right to audit the third parties. Review the contracts.
•   Many of the processes have been derived from the paper-based business and do not necessarily reflect the current environment or need
•   Utilize "compensating controls". This has significant impact where legacy systems are involved or where organizations may have invested in a different approach/technology to secure themselves
•   The road to PCI compliance crosses many departments. There must be buy-in from the top; otherwise organizations risk failure and/or continued exposure
•   Take into account the original problem (fraud, data loss, data breaches, brand impact) that the PCI DSS standard was developed to address, thereby taking a broader perspective, so that organizations can get a return on their investment
Going Forward

•   A carefully thought through, holistic and risk-based approach is required to take advantage of the synergies that exist between PCI DSS, SOX, AML, etc.: "Do Once and Satisfy Many"
•   Take a risk-based approach: not all risks have to be addressed, but they must be understood
•   First and foremost, understand the data flows fully. Review, justify and rationalize what you really need to conduct your business. There will be resistance, but organizations must enforce the discipline of streamlining and managing who has access to what, and why, with proper oversight.
•   This approach will help reduce the overall effort, optimize operations and produce a "return on investment"
•   Review access controls and limit access
•   Build a value proposition beyond just compliance
•   Technology, process and people must be aligned
COSO - Overview

[Slide figure: COSO overview; image not reproduced in this text.]

COSO Objectives and Components

[Slide figure: COSO objectives and components; image not reproduced in this text.]

COSO Principles

[Slide figure: COSO principles; image not reproduced in this text.]
Frameworks for IT 'GRC'
Various IT internal control/process models exist:

ITIL (IT Infrastructure Library): collection of best practices in IT service management

ISO 27001 / ISO 27002: code of practice for information security management; guidelines for the management of IT security

NIST 800 series: generally accepted principles and practices for securing IT systems

CobiT (Control Objectives for Information and related Technology): IT processes defined; a controls framework; stresses linking IT to business requirements; layered in orientation and detail; can be mapped to the other standards and practices
IT Governance in COBIT

• IT delivery must enable the organization to achieve its objectives.
• Promotes process focus and process ownership.
• Looks at fiduciary, quality and security needs of enterprises.
• 7 information criteria to define business requirements.
• Supported by 300+ control objectives.

Four domains:
1. Planning
2. Acquisition & Implementation
3. Delivery & Support
4. Monitoring

Seven information criteria:
1. Effectiveness
2. Efficiency
3. Availability
4. Integrity
5. Confidentiality
6. Reliability
7. Compliance
Going Forward

• Make PCI an integral part of the compliance building blocks throughout the organization; PCI should be a subset of your overall security strategy
• Make education and awareness the cornerstone of this strategy, not as a one-time effort but ongoing and part of performance review
• Adopt best practices
• Hold accountable employees that violate/breach the process
• Ensure that a dynamic security policy exists, or is developed, to complement your technology and operational efforts
    – Ensure that staff understand the policies and that the communication is very clear
• Technology, process and people must be aligned
Addressing Compliance
The Sustainable Approach

  Step 1:
  Identify, review and assess all of your security requirements (including PCI, of course). Rationalize your requirements into a single enterprise security "framework" and manage it as part of your overall security program.

  Key Factors:
    • The framework should be built on industry standards (e.g. ISO 17799 (since renumbered ISO 27002), ISO 27001, NIST, OWASP, etc.) and incorporate relevant requirements (PCI, etc.).
    • Track the source of the requirement! A control that satisfies several requirements should carry all of their references, so that when one requirement changes you know which controls to revisit.
    • Use the framework as the basis for measuring and monitoring security for your enterprise.
Addressing Compliance
The Sustainable Approach



  Step 2:
  Embed your security framework (requirements) into relevant business processes.


  Key Factors:
    • Not all of these processes will be owned by IT or Information Security.
    • Your framework must be practical in order to succeed.
    • Use the framework as the basis for measuring and monitoring security for your
      enterprise.




Addressing Compliance
The Sustainable Approach

  Step 3:
  Conduct a data flow analysis and system "inventory" effort to understand the complete lifecycle of the (cardholder) data you wish to protect. That includes:
    • Acquisition
    • Processing
    • Storage
    • Usage
    • Destruction

  Key Factors:
    • Do not assume you know where the data is. Many of the issues we have seen involve data that was not supposed to "be there": logs, exports, backups and non-production copies. Be systematic; don't accept the easy answer.
    • Data is an asset and a liability. If you don't need it, get rid of it!
    • Do not store sensitive authentication data (full track data, CVV2, PIN) post-authorization. Challenge the teams that tell you it is necessary.
Addressing Compliance
The Sustainable Approach


  Step 4:
  Conduct a security risk assessment. Prioritize (risk rank) systems, applications and
  infrastructure components.


  Key Factors:
    • Work with relevant stakeholders to define the risk factors/criteria.
    • This is a risk based approach – it does not need to be an exercise in
      mathematics.
    • Not all systems present significant risk.
    • For most companies, protecting everything perfectly is not a realistic goal. Make
      risk based, strategic choices about where to apply your investment.




Addressing Compliance
The Sustainable Approach


 Step 5:
 Systematically assess the critical systems, applications and components in your environment using your security framework. Identify gaps, develop solutions appropriate to the risk and remediate.

 Key Factors:
   • Look beyond the individual requirements and across the environment. Address issues from an enterprise security perspective where appropriate.
   • Leverage other functions where possible (e.g. Internal Audit)
   • Automate assessment tasks where possible. Sample where appropriate.
   • Use the framework as the basis for measuring and monitoring security for your enterprise.
Addressing Compliance
The Sustainable Approach


  Step 6:
  Make this an ongoing process. Repeat.


  Key Factors:
    • This should be an ongoing process. The initial effort will be the most significant
      but it should greatly reduce the effort going forward.
    • The data flow analysis and system inventory should return value across multiple
      initiatives. It should be incrementally updated on a regular basis.
    • As new requirements are devised, add them to your framework and continue
      moving forward.
    • Use the framework as the basis for measuring and monitoring security for your
      enterprise.




Addressing Compliance
Benefits of The Sustainable Approach


  • Reduced Effort
     - One program as opposed to multiple programs
     - Streamline compliance validation going forward
     - Leverage technology and process improvements to meet multiple requirements


  • Improved Security
     - Risk based approach allows for investment in the most critical areas
     - Systematic, consistent assessment against the enterprise security framework
       allows for a holistic approach to security




Addressing Compliance
Level 3 and 4 Merchants (the smaller merchants by annual transaction volume)

The same process should work for you:
   • Simplified framework
   • Fewer systems to inventory, risk rank, assess, etc.

Other Factors to consider:
   • Focus on security when dealing with key service providers: web design and hosting companies, payment processors, POS systems integrators, etc.
        - Ask about their security strategy and design as it relates to the product/service they offer.
        - Are they PCI compliant? Do they store track data? What safeguards do they have in place to protect your customers?
   • To the extent possible, understand your entire payment chain.
   • Ensure your legal contracts reflect your needs and protect you.
   • You don't have to be big to be a target. Criminals are opportunistic.
Remediation

    Approach
    Compensating Controls
    Common Compliance Issues
    Scope Reduction
    Other Items to Consider
    Tactical Fraud Prevention
    Be Prepared - Incident Response
    What To Do If Compromised
Remediation
Approach

As a general framework to approaching remediation of compliance issues, an organization
should consider the following:
  • What constitutes compliance (i.e., mandatory versus addressable requirements)?
  • Is the issue isolated or pervasive?
  • What is the priority of the issue?
  • Is the issue already being addressed? If not, can it be incorporated into an existing effort?
  • Can you do it now, how much will it cost and what is the impact?
       - Solve it now, or
       - Interim solution plus long-term strategy
  • What is the complexity of remediation?
  • What retroactive remediation needs to be done?
  • What are the on-going operational costs and resource requirements required to sustain the
    solution in the long-term?
  • What governance and controls are needed?
       - How do you manage compliance?
       - It is not just a PCI problem
       - Managing compliance across the organization
Remediation
Compensating Controls


  • The PCI DSS allows for compensating controls “…when an entity cannot meet a
    technical specification of a requirement, but has significantly mitigated the
    associated risk.”
  • Compensating controls must:
       1. Meet the intent and rigor of the original stated PCI DSS requirement
       2. Repel a compromise attempt with similar force
       3. Be "above and beyond" other PCI DSS requirements (not simply in
          compliance with other PCI DSS requirements) and
       4. Be commensurate with the additional risk imposed by not adhering to the PCI
          DSS requirement
  • Compensating controls may be considered for all requirements EXCEPT storage of
    prohibited data (i.e., full track data, CVV2, PIN) post-authorization (Requirement
    3.2).




How data leaves production (Data discovery)
Data leaves the organization's production environments through many channels. Outlined below are some of the ways data does leave production:

1. Production data directly produced ("pulled")
2. Production data "pushed" using a technology intermediary
3. Production data "pushed" without using a technology intermediary
4. Production data restored to the non-production technology environment
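Step 3 of the sustainable approach ("do not assume you know where the data is") and the data discovery slide above both come down to searching the places data leaks to (logs, exports, copies restored into non-production) for card numbers. The following is an added example written for this page, not code from the original deck or from Grant Thornton / Corporate Solutions & Services: a small cardholder-data discovery scanner that locates digit runs, filters them with the Luhn check and issuer prefix/length rules, and reports findings masked so the report itself does not become another copy of the data. The sample log, the `Finding` record and the brand prefix table are constructed for the example (the table is illustrative, not a complete industry BIN list); the card numbers in the sample are published test numbers.

```python
"""
Cardholder data discovery: scan text (logs, exports, database dumps, files
restored into non-production) for payment card numbers that should not be
there. Candidates are located by a digit-run regex, then filtered by the
Luhn check and by issuer prefix/length rules, and reported masked.
"""
import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (a 20+ digit string is not reported).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Prefix/length rules used to cut false positives. Assumption for this
# example: a small illustrative table, not a complete industry BIN list.
_BRANDS = (
    ("Visa", re.compile(r"^4(\d{12}|\d{15}|\d{18})$")),
    ("Mastercard", re.compile(r"^(5[1-5]\d{14}|2(22[1-9]|2[3-9]\d|[3-6]\d{2}|7[01]\d|720)\d{12})$")),
    ("Amex", re.compile(r"^3[47]\d{13}$")),
    ("Discover", re.compile(r"^6(011|5\d{2})\d{12}$")),
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits (PCI DSS masking rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str      # file name or other label for where the data was found
    line_no: int
    brand: str
    masked: str


def scan_text(source: str, text: str) -> list[Finding]:
    """Return one Finding per Luhn-valid, brand-matching PAN in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_ok(digits):
                continue                            # order ids, timestamps, etc.
            brand = next((name for name, rx in _BRANDS if rx.match(digits)), None)
            if brand is None:
                continue                            # Luhn-valid but not a card prefix
            findings.append(Finding(source, line_no, brand, mask_pan(digits)))
    return findings


def scan_file(path: str) -> list[Finding]:
    """Scan a file; undecodable bytes are skipped rather than aborting the scan."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return scan_text(path, fh.read())


# Constructed sample: an application log that a gateway integration left in
# DEBUG mode, plus a batch export row and a free-text support note. The card
# numbers are well-known published test numbers, not real cards.
SAMPLE_LOG = """\
2012-04-25 09:30:11 INFO  order=1234567890123456 amount=49.99 status=approved
2012-04-25 09:30:12 DEBUG gateway request pan=4111111111111111 exp=0414
2012-04-25 09:31:02 DEBUG retry pan=4111 1111 1111 1112 exp=0414
2012-04-25 09:35:44 INFO  batch export row: 378282246310005,Doe,J,CA
2012-04-25 09:40:00 WARN  support note: card ending 4444 declined (5555-5555-5555-4444)
"""

if __name__ == "__main__":
    for f in scan_text("app.log", SAMPLE_LOG):
        print(f"{f.source}:{f.line_no}: {f.brand} {f.masked}")
```

On the sample the scanner reports the Visa number on line 2, the Amex number on line 4 and the Mastercard number on line 5, and ignores the 16-digit order id on line 1 and the mistyped number on line 3 because they fail Luhn. The false-positive filters are the practical part: run a bare 16-digit regex over a production log and the order ids and timestamps will drown the real findings, and the team will stop reading the report.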
PCI remediation & compliance methodology

Data Discovery & Analysis -> Risk Assessment & Prioritization -> Development of Remediation Strategy & Solutions -> Remediation & Testing -> Certification
Leverage Example 1: Establishing common controls/ processes

[Slide figure: the PCI Data Security Standard, ISO 17799 / ISO 27001 and CobIT 4.1 mapped onto a common set of General Computer Controls.]
Corporate Solutions & Services Inc.

Achieving compliance does not necessarily mean becoming secure.

However, achieving security does translate into compliance.

Questions

Thank You

Bashir Fancy,
Special Advisor
Grant Thornton LLP
E bashir.fancy@ca.gt.com
bsfancy@rogers.com
T: 905 232 9191
C (416) 716-3418
Evolution of Records Management in Law Firms
 
Data protection: Steps Organisations can take to ensure compliance
Data protection: Steps Organisations can take to ensure complianceData protection: Steps Organisations can take to ensure compliance
Data protection: Steps Organisations can take to ensure compliance
 
Intro To Secure Identity Management
Intro To Secure Identity ManagementIntro To Secure Identity Management
Intro To Secure Identity Management
 
Building & Running A Successful Identity Program
Building & Running A Successful Identity ProgramBuilding & Running A Successful Identity Program
Building & Running A Successful Identity Program
 
Information Strategy: Updating the IT Strategy for Information, Insights and ...
Information Strategy: Updating the IT Strategy for Information, Insights and ...Information Strategy: Updating the IT Strategy for Information, Insights and ...
Information Strategy: Updating the IT Strategy for Information, Insights and ...
 
Internet security and privacy issues
Internet security and privacy issuesInternet security and privacy issues
Internet security and privacy issues
 
GDPR | Cyber security process resilience
GDPR | Cyber security process resilienceGDPR | Cyber security process resilience
GDPR | Cyber security process resilience
 
It asset management_wp
It asset management_wpIt asset management_wp
It asset management_wp
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing business
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management Workshop
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threat
 
How to Centre your PCI Programme Around your Business Objective - SureCloud
How to Centre your PCI Programme Around your Business Objective - SureCloud How to Centre your PCI Programme Around your Business Objective - SureCloud
How to Centre your PCI Programme Around your Business Objective - SureCloud
 
Identifying Your Agency's Vulnerabilities
Identifying Your Agency's Vulnerabilities Identifying Your Agency's Vulnerabilities
Identifying Your Agency's Vulnerabilities
 
A Practical Guide To Information Governance
A Practical Guide To Information GovernanceA Practical Guide To Information Governance
A Practical Guide To Information Governance
 
SLVA - Top IT Trends and Priorities for 2014
SLVA - Top IT Trends and Priorities for 2014SLVA - Top IT Trends and Priorities for 2014
SLVA - Top IT Trends and Priorities for 2014
 
Maclear’s IT GRC Tools – Key Issues and Trends
Maclear’s  IT GRC Tools – Key Issues and TrendsMaclear’s  IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and Trends
 

Plus de SaskSummit

Sask 3.0 Summit David G. Brown
Sask 3.0 Summit David G. BrownSask 3.0 Summit David G. Brown
Sask 3.0 Summit David G. BrownSaskSummit
 
Sask 3.0 Summit Naveen Singh
Sask 3.0 Summit  Naveen SinghSask 3.0 Summit  Naveen Singh
Sask 3.0 Summit Naveen SinghSaskSummit
 
Sask 3.0 Summit Dtapp ppt Awareness_Clients_Lakkavally_Chandramohan
Sask 3.0 Summit Dtapp ppt Awareness_Clients_Lakkavally_ChandramohanSask 3.0 Summit Dtapp ppt Awareness_Clients_Lakkavally_Chandramohan
Sask 3.0 Summit Dtapp ppt Awareness_Clients_Lakkavally_ChandramohanSaskSummit
 
SK Summit 3.0_Roda_Mc_innis_Contractor
SK Summit 3.0_Roda_Mc_innis_ContractorSK Summit 3.0_Roda_Mc_innis_Contractor
SK Summit 3.0_Roda_Mc_innis_ContractorSaskSummit
 
Sask 3.0 Summit Digital Identity - D. Nikolejsin
Sask 3.0 Summit Digital Identity -  D. NikolejsinSask 3.0 Summit Digital Identity -  D. Nikolejsin
Sask 3.0 Summit Digital Identity - D. NikolejsinSaskSummit
 
Sask 3.0 Summit Kind of a Big Deal- D. Risling
Sask 3.0 Summit  Kind of a Big Deal- D. RislingSask 3.0 Summit  Kind of a Big Deal- D. Risling
Sask 3.0 Summit Kind of a Big Deal- D. RislingSaskSummit
 
Sask 3.0 Summit L. Zacharilla
Sask 3.0 Summit   L. ZacharillaSask 3.0 Summit   L. Zacharilla
Sask 3.0 Summit L. ZacharillaSaskSummit
 
Sask 3.0 Summit -Seeing the Meaning, IBM R. Loepp
Sask 3.0 Summit -Seeing the Meaning, IBM  R. LoeppSask 3.0 Summit -Seeing the Meaning, IBM  R. Loepp
Sask 3.0 Summit -Seeing the Meaning, IBM R. LoeppSaskSummit
 
Sask 3.0 Smmit Govt 2 0 - N. Gruen
Sask 3.0 Smmit Govt 2 0  - N. GruenSask 3.0 Smmit Govt 2 0  - N. Gruen
Sask 3.0 Smmit Govt 2 0 - N. GruenSaskSummit
 
Sask 3.0 Summit A. Chopra
Sask 3.0 Summit  A. ChopraSask 3.0 Summit  A. Chopra
Sask 3.0 Summit A. ChopraSaskSummit
 

Plus de SaskSummit (10)

Sask 3.0 Summit David G. Brown
Sask 3.0 Summit David G. BrownSask 3.0 Summit David G. Brown
Sask 3.0 Summit David G. Brown
 
Sask 3.0 Summit Naveen Singh
Sask 3.0 Summit  Naveen SinghSask 3.0 Summit  Naveen Singh
Sask 3.0 Summit Naveen Singh
 
Sask 3.0 Summit Dtapp ppt Awareness_Clients_Lakkavally_Chandramohan
Sask 3.0 Summit Dtapp ppt Awareness_Clients_Lakkavally_ChandramohanSask 3.0 Summit Dtapp ppt Awareness_Clients_Lakkavally_Chandramohan
Sask 3.0 Summit Dtapp ppt Awareness_Clients_Lakkavally_Chandramohan
 
SK Summit 3.0_Roda_Mc_innis_Contractor
SK Summit 3.0_Roda_Mc_innis_ContractorSK Summit 3.0_Roda_Mc_innis_Contractor
SK Summit 3.0_Roda_Mc_innis_Contractor
 
Sask 3.0 Summit Digital Identity - D. Nikolejsin
Sask 3.0 Summit Digital Identity -  D. NikolejsinSask 3.0 Summit Digital Identity -  D. Nikolejsin
Sask 3.0 Summit Digital Identity - D. Nikolejsin
 
Sask 3.0 Summit Kind of a Big Deal- D. Risling
Sask 3.0 Summit  Kind of a Big Deal- D. RislingSask 3.0 Summit  Kind of a Big Deal- D. Risling
Sask 3.0 Summit Kind of a Big Deal- D. Risling
 
Sask 3.0 Summit L. Zacharilla
Sask 3.0 Summit   L. ZacharillaSask 3.0 Summit   L. Zacharilla
Sask 3.0 Summit L. Zacharilla
 
Sask 3.0 Summit -Seeing the Meaning, IBM R. Loepp
Sask 3.0 Summit -Seeing the Meaning, IBM  R. LoeppSask 3.0 Summit -Seeing the Meaning, IBM  R. Loepp
Sask 3.0 Summit -Seeing the Meaning, IBM R. Loepp
 
Sask 3.0 Smmit Govt 2 0 - N. Gruen
Sask 3.0 Smmit Govt 2 0  - N. GruenSask 3.0 Smmit Govt 2 0  - N. Gruen
Sask 3.0 Smmit Govt 2 0 - N. Gruen
 
Sask 3.0 Summit A. Chopra
Sask 3.0 Summit  A. ChopraSask 3.0 Summit  A. Chopra
Sask 3.0 Summit A. Chopra
 

Dernier

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 

Dernier (20)

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Sask 3.0 Summit Pci dss presentation Bashir Fancy

1. How do you achieve security for your enterprise and in turn achieve effective Compliance?
Saskatchewan Summit 3.0, Payment Card Industry
"Compliance does not equal security"
Bashir Fancy, MD, Corporate Solutions & Services Inc.; Special Advisor, Grant Thornton LLP
April 25, 2012
© 2010 Grant Thornton International. All rights reserved. Corporate Solutions & Services Inc.
2. Objectives
This session will focus on:
1. A quick review of what the problem was and is
2. How we have been approaching the PCI compliance standard in the last few years, and the reasons for limited success
3. How to approach PCI compliance as part of your overall security compliance effectively and achieve sustainability
3. Challenges that Organizations face
Without an effective data protection policy/process in place, your Organization runs the potential risk of sensitive data loss, which can impact:
- Brand reputation
- Fraud losses and financial impact
- Breach notification costs
- Costs to manage fraud
- Possible fines from credit card companies
- Loss of customer confidence
- Undesired regulatory attention
Your Organization may also be missing the opportunity to improve efficiency, save costs and improve the bottom line.
PCI compliance would not have been required in the first place if all Organizations had been doing the right thing to protect sensitive information.
4. Background to the development of PCI
Significant fraud losses have been occurring in Canada and globally in both card-present (swiped) and card-not-present (online) environments:
• Stored data not protected by acquirers/merchants/third-party processors
• Sensitive data easily accessible; it was not protected by processors
• Transmission of credit card data in clear text, making it easy to compromise
• Organized crime infiltrated major organizations and continues to do so today
• A high proportion of compromises had a major internal component
• A lot more information continues to be stored than is needed to conduct business
Brand impact can be significant, with loss of confidence by the consumers impacted by the compromise. Significant costs to handle customer service issues, including card replacement, credit monitoring and fraud losses, eventually result in loss of business.
Visa was concerned that fraud losses were becoming accepted as a "cost of doing business".
5. Data: asset and liability
Data is both an asset and a liability. As organizations grow, the volume and complexity of data increases to support the business. Sensitive data within the enterprise must be protected against theft, loss and misuse, assuming there are legitimate reasons to store it in the first place.
Without an effective method to:
• Discover data, it is difficult to apply the appropriate security controls to protect it
• Classify data, it is difficult to understand the importance and sensitivity of the data and what should be protected
• Control data, it is difficult to restrict access to data, prevent misuse of it, and secure it at rest and in transit
• Audit data and its usage, it is difficult to enforce the security controls
This data includes:
• customers' information
• patents or trade secrets
• corporate information
• personally identifiable information
• credit card data
As a result, it is difficult to adequately protect data throughout its life cycle across the Organization.
6. Challenges that Organizations face
• Initially there was a lack of support from the corner suite, as not all Organizations truly understood the value of the PCI standards
• Today many Organizations treat it as a compliance issue, primarily to obtain the certification paper
• Organizational silos prevent a holistic view of the magnitude of the problem, which creates subsequent losses and costs
• Worse, these costs and inefficiencies have become part of our infrastructure
• Fraud is seen by many organizations as a "cost of doing business" and these losses have been normalized
• Organizations track only the dollars they write off on the books and NOT the costs to manage fraud that are distributed across the organization
7. Lessons Learnt (Observations)
• Organizations are doing the bare minimum to comply, putting their brand at risk
• PCI is NOT part of the broader regulatory/audit/compliance program; there is no ongoing oversight or program/strategy in place to sustain compliance
• Remediation efforts have been undertaken using the letter of the law; there is no "enterprise-wide owner" and a lack of stakeholder involvement
• Widespread access to critical data ("grandfather rights") and reluctance to change
• PCI is still seen as a "credit card" mandate only
• Lack of effective access controls, including at the point of sale
• Communication and awareness have been lacking or selective
• There are a lot of make-work projects that neither produce security nor enhance operations!
• We still see misunderstanding of the requirements and/or collusion
8. Lessons Learnt (Observations)
• Organizations continue to store data that is not required to conduct the business
• Some Organizations have opted for tokenization, but the benefits of this approach have been minimized because the whole project was not thought through; for example, the ability to translate tokens back to card data exists in many parts of the Organization
• Some credit card processing has been outsourced without due diligence as to whether the outsourced organization is in fact PCI compliant or secure. Outsourcers in turn outsource some of the work further downstream, compounding the problem
• Lack of an enterprise-wide owner, and remediation done as a one-time effort: NOT SUSTAINABLE
• Organizations have not done the mapping of controls across their requirements and as such duplicate the work instead of "do it once and satisfy many"
• Some Organizations have embarked upon remediation without first doing data classification/discovery: lack of strategy
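The tokenization observation above is about where the ability to translate a token back to a card number lives. As an added example (not code from the presentation), the Python class below sketches the shape a vault should have: tokens are random and format-preserving (same length, last four digits kept for receipts and customer service, never Luhn-valid so a token cannot be mistaken for a PAN), the PAN-to-token mapping exists only inside the vault, and detokenize is a single audited path restricted to an explicit allow-list of callers. The caller names and the in-memory dictionaries are placeholders for this example; a real vault keeps the mapping encrypted in a dedicated, network-segmented store.

```python
"""Tokenization vault with one access-controlled detokenize path.

Added example; caller names and the in-memory store are placeholders.
"""
import secrets


class TokenVault:
    """Maps PANs to random, format-preserving tokens.

    A token keeps the PAN's length and last four digits and is otherwise
    random, so nothing about the PAN can be recovered from it without the
    vault. Detokenization is the only place a token can be translated back;
    it is restricted to an explicit allow-list of callers and every attempt,
    allowed or not, is recorded in the audit trail.
    """

    def __init__(self, detokenize_allowed):
        self._pan_to_token = {}
        self._token_to_pan = {}
        self._allowed = frozenset(detokenize_allowed)
        self.audit = []  # (caller, action, token, allowed)

    @staticmethod
    def _luhn_ok(s: str) -> bool:
        digits = [int(c) for c in reversed(s)]
        doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
        return (sum(digits[::2]) + sum(doubled)) % 10 == 0

    def _new_token(self, pan: str) -> str:
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token must not be mistakable for a real PAN (it must fail Luhn,
            # so scanners and people can tell them apart) and must be unique.
            if not self._luhn_ok(token) and token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str, caller: str) -> str:
        """Return the token for a PAN, creating it on first sight. Any caller may tokenize."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and self._luhn_ok(pan)):
            raise ValueError("not a PAN")
        token = self._pan_to_token.get(pan)
        if token is None:
            token = self._new_token(pan)
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        self.audit.append((caller, "tokenize", token, True))
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Translate a token back to the PAN; only allow-listed callers may do this."""
        allowed = caller in self._allowed
        self.audit.append((caller, "detokenize", token, allowed))
        if not allowed:
            raise PermissionError("%s is not permitted to detokenize" % caller)
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault(detokenize_allowed={"settlement-batch"})
    tok = vault.tokenize("4111111111111111", caller="web-checkout")  # 4111... is a test card number
    print("token:", tok)
    print("settlement:", vault.detokenize(tok, caller="settlement-batch"))
    try:
        vault.detokenize(tok, caller="reporting")
    except PermissionError as e:
        print("denied:", e)
```

The design point the slide makes shows up as the size of the allow-list: if every downstream system (CRM, reporting, fraud review, call centre) is on it, the tokens are only cosmetically different from the PANs and the cardholder data environment has not shrunk at all.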
9. Going Forward
• Contracts governing third parties have not kept pace with changing business needs and in some instances have not stipulated the right to audit the third parties: contracts need to be reviewed
• Many processes have been derived from the paper-based business and do not necessarily reflect the current environment or need
• Utilize "compensating controls". This has significant impact where legacy systems are involved or where organizations have invested in a different approach/technology to secure themselves
• The road to PCI compliance crosses many departments and must have buy-in from the top; otherwise organizations risk failure and/or continued exposure
• Take into account the original problem (fraud, data loss, data breaches, brand impact) that the PCI DSS standard was developed to address, thereby taking a broader perspective so that organizations get a return on their investment
10. Going Forward
• A carefully thought-through, holistic and risk-based approach is required to take advantage of the synergies that exist between PCI DSS, SOX, AML, etc.: "Do Once and Satisfy Many"
• Take a "risk-based approach": not all risks have to be addressed, but they must be understood
• First and foremost, understand the data flows fully. Review, justify and rationalize what you really need to conduct your business. There will be resistance, but Organizations must enforce the discipline of streamlining and managing who has access to what, and why, with proper oversight
• This approach will help reduce the overall effort, optimize operations and produce a "return on investment"
• Review access controls and limit access
• Build a value proposition beyond just compliance
• Technology, process and people must be aligned
11. COSO - Overview (diagram only)
12. COSO Objectives and Components (diagram only)
13. COSO Principles (diagram only)
14. Frameworks for IT 'GRC'
Various IT internal control/process models exist:
• ITIL (IT Infrastructure Library): collection of best practices in IT service management
• CobiT (Control Objectives for Information and related Technology): IT processes defined in a controls framework; stresses linking IT to business requirements
• ISO 27001 / ISO 27002: code of practice for Information Security Management; guidelines for the management of IT security
• NIST 800 series: Generally Accepted Principles and Practices for Securing IT Systems
These frameworks are layered: they differ in orientation and in level of detail, and each can be mapped to the other standards and practices.
15. IT Governance in COBIT
• IT delivery must enable the organization to achieve its objectives
• Promotes process focus and process ownership
• Looks at fiduciary, quality and security needs of enterprises
• 7 information criteria to define business requirements
• Supported by 300+ control objectives
COBIT domains:
1. Planning
2. Acquisition & Implementation
3. Delivery & Support
4. Monitoring
Information criteria:
1. Effectiveness
2. Efficiency
3. Availability
4. Integrity
5. Confidentiality
6. Reliability
7. Compliance
16. Going Forward
• Make PCI an integral part of the compliance building blocks throughout the organization; PCI should be a subset of your overall security strategy
• Make education and awareness the cornerstone of this strategy, not as a one-time effort but ongoing and part of performance reviews
• Adopt best practices
• Hold accountable employees that violate/breach the process
• Ensure that a dynamic security policy exists, or is developed, to complement your technology and operational efforts
- Ensure that staff understand the policies and that the communication is very clear
• Technology, process and people must be aligned
17. Addressing Compliance: The Sustainable Approach
Step 1: Identify, review and assess all of your security requirements (including PCI, of course). Rationalize your requirements into a single enterprise security "framework" and manage it as part of your overall security program.
Key Factors:
• The framework should be built on industry standards (e.g. ISO 17799, ISO 27001, NIST, OWASP, etc.) and incorporate relevant requirements (PCI, etc.)
• Track the source of each requirement!
• Use the framework as the basis for measuring and monitoring security for your enterprise
18. Addressing Compliance: The Sustainable Approach
Step 2: Embed your security framework (requirements) into relevant business processes.
Key Factors:
• Not all of these processes will be owned by IT or Information Security
• Your framework must be practical in order to succeed
• Use the framework as the basis for measuring and monitoring security for your enterprise
19. Addressing Compliance: The Sustainable Approach
Step 3: Conduct a data flow analysis and system "inventory" effort to understand the complete lifecycle of the (cardholder) data you wish to protect. That includes:
• Acquisition
• Processing
• Storage
• Usage
• Destruction
Key Factors:
• Do not assume you know where the data is; many of the issues we have seen involve data that was not supposed to "be there". Be systematic; don't accept the easy answer
• Data is an asset and a liability: if you don't need it, get rid of it!
• Do not store full track data, CVV2, etc. post-authorization; challenge the teams that tell you it is necessary
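The discovery step above ("do not assume you know where the data is") is where a practitioner usually reaches for a scanner rather than a questionnaire. The following is an added example, not code from the presentation: a small Python scanner that finds candidate PANs (13 to 19 digits, optionally separated by spaces or dashes) and raw track 2 data in text such as application logs, filters the candidates with the Luhn check, and redacts what it finds to the first six and last four digits. The log lines it runs on are constructed for the example and use published test card numbers.

```python
"""Discover cardholder data (PANs and track 2) in text and redact it.

Added example for the data-discovery step; the log lines below are constructed.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not glued to further digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 as it appears in raw swipe data: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed sample: a payment application log that retains more than it should.
SAMPLE_LOG = """\
2012-04-25 10:01:02 INFO order=1234567890123456 auth approved card=4111111111111111 amt=49.99
2012-04-25 10:01:03 DEBUG raw swipe ;5500000000000004=25121011234567890?
2012-04-25 10:01:04 INFO card=3782 822463 10005 amt=12.00
2012-04-25 10:01:05 INFO card=4111111111111112 declined
"""


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask to first six and last four, the most PCI DSS permits on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str):
    """Return (redacted_line, findings) for one line of text.

    Track 2 is handled first so that its embedded PAN is not reported twice.
    """
    findings = []

    def track_sub(m):
        pan = m.group(1)
        if not luhn_ok(pan):
            return m.group(0)
        findings.append({"kind": "TRACK2", "pan": mask_pan(pan)})
        # Expiry, service code and discretionary data are dropped entirely.
        return "[TRACK2 REDACTED pan=%s]" % mask_pan(pan)

    def pan_sub(m):
        pan = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(pan):
            return m.group(0)  # order numbers, timestamps and typos stay as they are
        findings.append({"kind": "PAN", "pan": mask_pan(pan)})
        return mask_pan(pan)

    line = TRACK2_RE.sub(track_sub, line)
    line = PAN_RE.sub(pan_sub, line)
    return line, findings


def scan_text(text: str):
    """Scan multi-line text; return (redacted_text, report) with line numbers."""
    report, redacted = [], []
    for n, line in enumerate(text.splitlines(), 1):
        red, found = scan_line(line)
        redacted.append(red)
        report.extend({"line": n, **f} for f in found)
    return "\n".join(redacted), report


if __name__ == "__main__":
    redacted, report = scan_text(SAMPLE_LOG)
    for f in report:
        print("line %d: %s %s" % (f["line"], f["kind"], f["pan"]))
    print(redacted)
```

Two caveats a practitioner would add. The Luhn check removes typos and most order or reference numbers but not every Luhn-valid identifier, so hits should be confirmed against known BIN ranges and their surrounding context before being raised. And a scanner is a discovery aid for the inventory, not a control: finding track 2 data in a log means the application is retaining data it must not store post-authorization, and the fix belongs at the source, not in the log rotation.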
20. Addressing Compliance: The Sustainable Approach
Step 4: Conduct a security risk assessment. Prioritize (risk rank) systems, applications and infrastructure components.
Key Factors:
• Work with relevant stakeholders to define the risk factors/criteria
• This is a risk-based approach; it does not need to be an exercise in mathematics
• Not all systems present significant risk
• For most companies, protecting everything perfectly is not a realistic goal. Make risk-based, strategic choices about where to apply your investment
21. Addressing Compliance: The Sustainable Approach
Step 5: Systematically assess the critical systems, applications and components in your environment using your security framework. Identify gaps, develop solutions appropriate to the risk and remediate.
Key Factors:
• Look beyond the individual requirements and across the environment. Address issues from an enterprise security perspective where appropriate
• Leverage other functions where possible (e.g. Internal Audit)
• Automate assessment tasks where possible. Sample where appropriate
• Use the framework as the basis for measuring and monitoring security for your enterprise
22. Addressing Compliance: The Sustainable Approach
Step 6: Make this an ongoing process. Repeat.
Key Factors:
• This should be an ongoing process. The initial effort will be the most significant, but it should greatly reduce the effort going forward
• The data flow analysis and system inventory should return value across multiple initiatives. They should be incrementally updated on a regular basis
• As new requirements are devised, add them to your framework and continue moving forward
• Use the framework as the basis for measuring and monitoring security for your enterprise
• 23. Addressing Compliance: Benefits of The Sustainable Approach
  • Reduced Effort
    - One program as opposed to multiple programs
    - Streamline compliance validation going forward
    - Leverage technology and process improvements to meet multiple requirements
  • Improved Security
    - Risk based approach allows for investment in the most critical areas
    - Systematic, consistent assessment against the enterprise security framework allows for a holistic approach to security
• 24. Addressing Compliance: Level 3 and 4 Merchants
  The same process should work for you:
  • Simplified framework
  • Fewer systems to inventory, risk rank, assess, etc.
  Other Factors to consider:
  • Focus on security when dealing with key service providers: web design and hosting companies, payment processors, POS systems integrators, etc.
    - Ask about their security strategy and design as it relates to the product/service they offer.
    - Are they PCI compliant? Do they store track data? What safeguards do they have in place to protect your customers?
  • To the extent possible, understand your entire payment chain.
  • Ensure your legal contracts reflect your needs and protect you.
  • You don’t have to be big to be a target. Criminals are opportunistic.
• 25. Remediation
  • Approach
  • Compensating Controls
  • Common Compliance Issues
  • Scope Reduction
  • Other Items to Consider
  • Tactical Fraud Prevention
  • Be Prepared - Incident Response
  • What To Do If Compromised
• 26. Remediation Approach
  As a general framework to approaching remediation of compliance issues, an organization should consider the following:
  • What constitutes compliance (i.e., mandatory versus addressable requirements)?
  • Is the issue isolated or pervasive?
  • What is the priority of the issue?
  • Is the issue already being addressed? If not, can it be incorporated into an existing effort?
  • Can you do it now, how much will it cost and what is the impact?
    - Solve it now, or
    - Interim solution plus long-term strategy
  • What is the complexity of remediation?
  • What retroactive remediation needs to be done?
  • What are the on-going operational costs and resource requirements required to sustain the solution in the long-term?
  • What governance and controls are needed?
    - How do you manage compliance?
    - Not just a PCI problem
    - Managing compliance across the organization
• 27. Remediation: Compensating Controls
  • The PCI DSS allows for compensating controls “…when an entity cannot meet a technical specification of a requirement, but has significantly mitigated the associated risk.”
  • Compensating controls must:
    1. Meet the intent and rigor of the original stated PCI DSS requirement
    2. Repel a compromise attempt with similar force
    3. Be "above and beyond" other PCI DSS requirements (not simply in compliance with other PCI DSS requirements), and
    4. Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement
  • Compensating controls may be considered for all requirements EXCEPT storage of prohibited data (i.e., full track data, CVV2, PIN) post-authorization (Requirement 3.2).
• 28. How data leaves production (Data discovery)
  Data leaves an Organization’s production environments through many channels. Outlined below are some of the ways data does leave production:
  1. Production data directly produced (“pulled”) using a Technology Intermediary
  2. Production data “pushed” using a Technology Intermediary
  3. Production data “pushed” without a Technology Intermediary
  4. Production data restored to the non-production technology environment
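Step 3 (slide 19) and the data discovery slide above both come down to the same job: finding cardholder data in places it was never supposed to be, such as logs, exports and non-production copies. The following scanner is an added example, not part of the original deck or any Grant Thornton tool; it Luhn-validates digit runs so order numbers and timestamps are skipped, flags PANs that sit inside magnetic-stripe track framing (the prohibited post-authorization data from slide 27), and reports only masked values so the findings file is not itself a new liability. The file names and contents are constructed sample data.

```python
import re
import sys
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe context (ISO 7813): track 1 starts "%B<PAN>^", track 2 ";<PAN>=".
TRACK1_RE = re.compile(r"%B(\d{13,19})\^")
TRACK2_RE = re.compile(r";(\d{13,19})=")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out order numbers, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report first six / last four only, so the findings file holds no full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_sources(sources: Dict[str, str]) -> List[Dict]:
    """One finding per (source, PAN): masked PAN and whether track data surrounds it."""
    findings, seen = [], set()
    for name, text in sources.items():
        track_pans = set(TRACK1_RE.findall(text)) | set(TRACK2_RE.findall(text))
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_valid(digits) or (name, digits) in seen:
                continue
            seen.add((name, digits))
            findings.append({"source": name, "masked_pan": mask(digits),
                             "track_data": digits in track_pans})
    return findings


# Constructed sample "files": a log with an order number and a spaced PAN, a batch
# export holding full track data, and a file with no card data at all.
SAMPLE_FILES = {
    "logs/app.log": "2012-04-25 order=1234567890123456 card=4111 1111 1111 1111 status=ok",
    "export/batch.txt": "%B5555555555554444^DOE/JOHN^...?;5555555555554444=...?",
    "notes.txt": "nothing to see here 12345",
}

if __name__ == "__main__":
    paths = sys.argv[1:]  # scan real files when given, else the constructed samples
    sources = {p: open(p, errors="ignore").read() for p in paths} if paths else SAMPLE_FILES
    for f in scan_sources(sources):
        print(f"{f['source']}: {f['masked_pan']} track_data={f['track_data']}")
```

A hit with track_data=True is a Requirement 3.2 finding that no compensating control can cover; a hit without it still belongs in the data flow inventory from Step 3.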
• 29. PCI remediation & compliance methodology
  Data Discovery & Analysis → Risk Assessment & Prioritization → Development of Remediation Strategy & Solutions → Remediation & Testing → Certification
• 30. Leverage Example 1: Establishing common controls/processes
  One set of common controls/processes mapped to:
  • PCI Data Security Standard
  • CobIT 4.1
  • ISO 17799 / ISO 27001
  • Computer General Controls
• 31. Corporate Solutions & Services Inc.
  Achieving compliance does not necessarily mean becoming secure. However, achieving security does translate into compliance.
• 32. Corporate Solutions & Services Inc.
  Questions
• 33. Corporate Solutions & Services Inc.
  Thank You
  Bashir Fancy, Special Advisor, Grant Thornton LLP
  E: bashir.fancy@ca.gt.com, bsfancy@rogers.com
  T: 905 232 9191
  C: (416) 716-3418