ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
1. Executive Alliance, Inc.
October 16, 2008
New York, New York
ISE UK and Ireland
Summit and Awards
NOMINEE SHOWCASE
PRESENTATION
October 22, 2008
London, United Kingdom
2. Vulnerability scanning for PCI DSS compliance and risk management
by Vladimir Jirasek
Information Security & Compliance manager
DSG International plc
3. Today’s Discussion Points
• About DSG International
• PCI DSS programme and beyond compliance
• Vulnerability scanning project
• Lessons learned
4. DSG International plc
• Major electrical and computing retailer in Europe with
both traditional stores and Web store
• We own brands like Currys, PC World, Pixmania, The
TechGuys, PC City, Electroworld, Elkjop
• No 1 in the UK
• Head office in Hemel Hempstead, UK
• 40,000 employees in the Group
• Annual revenue over £6b
• Processes large amounts of customer data
5. PCI DSS is good but ...
• Why good? The first standard that retailers take
seriously
• But scope is/can be limited
• DSGi started work on PCI DSS in 2007; most of
the projects have been kicked off
• Requirement 11.2 handled by this project
• Limited budget
• Although the PCI DSS scope is limited, the approach
taken was risk based
6. Requirements
• Compliant with requirement 11.2, i.e. Approved Scanning Vendor (ASV) scans
• Whole group in the scope (regardless of the PCI
DSS scope)
• Minimal operational overhead
• Potential to satisfy other requirements
• Easy to use
• Fit for distributed IT teams in the Group
7. Goals
• Develop patching and vulnerability scanning
policy
• Quick win - find the state of DSGi network
(external then internal)
• Deliver first “PASS” PCI DSS scans
• Make this activity BAU for IT teams
8. Challenges
• Distributed IT teams
• No standardised patching policy
• Limited budget and overstretched IT resources
in most countries
• Missing risk assessment in IT patching
• Scepticism about, and wariness of, vulnerability scanning
9. Project team
Accountable and project lead:
Vladimir Jirasek - DSGi Information security manager
Team members:
Matt Leggett - Security project manager (UK)
Stelios Kavalaris - Security admin (Greece)
Samy Elmalki - Network admin (France)
Ana Maria Munoz Ponce - System admin (Spain)
Lars-Andre Johannessen - System manager (Nordic group)
Oyvind Gulikstad - Security manager (Nordic group)
Paolo Asioli - Security manager (Italy)
Ed Brown - Systems manager (UK, Techguys)
Michael Braid - Systems admins (UK, DSGi Business)
10. Overcoming challenges
• Responsibility for “clean” scans transferred to
the business units’ IT managers
• Group wide standardised patching policy agreed
• Limited budget addressed by using Software as a
service model
• Qualys service is easy to use and understood by IT
teams. Virtually no training required
• Business units in Qualys made group wide rollout
easy to manage
• Testing of the impact of scanning on existing IT systems
11. Risk based approach
[Network diagram: Internet, DMZ, internal network, head office and store network; labelled assets include mainframe, eBusiness, VPN GW and acquirer settlement]
12. Risk based approach (cont)
Remediation deadline by rating (rows, 5 = highest, 1 = lowest) and vulnerability severity (columns):

Rating  Critical    Important      High          Medium        Low
5       24 hours    5 days         14 days       20 days       40 days
4       5 days      10 days        20 days       1 month       2 months
3       10 days     20 days        1 month       2 months      3 months
2       6 months*   Next release*  Next release  Next release  No fix
1       no fix*     no fix*        no fix        no fix        No fix
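Added example, not part of the presentation: the remediation matrix above applied as a triage routine over constructed scan findings, flagging what is overdue and separating the cells that set no date ("Next release", "No fix"). It assumes the row ratings are asset criticality ratings (5 = most critical), counts a month as 30 days, and does not reproduce the slide's footnote asterisks.

```python
from datetime import date, timedelta
# Remediation SLA matrix from the slide: rows are the asset rating (5 = most
# critical, 1 = least), columns are vulnerability severity. Timed cells are in
# days; "Next release" and "No fix" set no deadline. Assumption (not on the
# slide): a month counts as 30 days; the slide's footnote asterisks are dropped.
SEVERITIES = ("Critical", "Important", "High", "Medium", "Low")
NEXT_RELEASE, NO_FIX = "next release", "no fix"
SLA_MATRIX = {
    5: (1, 5, 14, 20, 40),
    4: (5, 10, 20, 30, 60),
    3: (10, 20, 30, 60, 90),
    2: (180, NEXT_RELEASE, NEXT_RELEASE, NEXT_RELEASE, NO_FIX),
    1: (NO_FIX, NO_FIX, NO_FIX, NO_FIX, NO_FIX),
}

def sla_for(asset_rating, severity):
    """Return the matrix cell: a number of days, or NEXT_RELEASE / NO_FIX."""
    if asset_rating not in SLA_MATRIX:
        raise ValueError(f"asset rating must be 1-5, got {asset_rating}")
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    return SLA_MATRIX[asset_rating][SEVERITIES.index(severity)]

def due_date(found, asset_rating, severity):
    """Deadline for a finding, or None when the policy sets no date."""
    sla = sla_for(asset_rating, severity)
    return found + timedelta(days=sla) if isinstance(sla, int) else None

def triage(findings, today):
    """Bucket findings by policy status: overdue, open (dated) or undated."""
    report = {"overdue": [], "open": [], "undated": []}
    for f in findings:
        due = due_date(f["found"], f["asset_rating"], f["severity"])
        if due is None:
            report["undated"].append(f["id"])
        elif due < today:
            report["overdue"].append(f["id"])
        else:
            report["open"].append(f["id"])
    return report

# Constructed sample findings (not real scan output), as a scanner might export.
SAMPLE_FINDINGS = [
    {"id": "F1", "found": date(2008, 9, 1), "asset_rating": 5, "severity": "Critical"},
    {"id": "F2", "found": date(2008, 9, 1), "asset_rating": 3, "severity": "Low"},
    {"id": "F3", "found": date(2008, 9, 20), "asset_rating": 4, "severity": "Medium"},
    {"id": "F4", "found": date(2008, 9, 1), "asset_rating": 2, "severity": "High"},
    {"id": "F5", "found": date(2008, 9, 1), "asset_rating": 1, "severity": "Critical"},
]
```

Running `triage(SAMPLE_FINDINGS, today)` for 1 October 2008 puts F1 in overdue, F2 and F3 in open, and F4 and F5 in undated.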
13. Project results
Patching policy agreed by IT teams
Weekly vulnerability scans carried out on all external
and critical internal assets - 14 internal
appliances in 7 business units
80% of security issues fixed across the group
within first 3 months
Qualys accepted by IT teams as a “good” tool for
highlighting security issues
Scanning is now BAU activity
14. Conclusion
• Looked beyond PCI DSS and adopted a risk
based approach (now compliant with PCI DSS v1.2)
• Each IT team is a separate business unit
• Responsibility for scanning and fixing transferred
to IT managers
15. Thank You!
• Questions?
• Contact Info:
• Vladimir.jirasek@dgiplc.com or Vladimir@Jirasek.eu
• +447959040187