Austin, TX (PRWEB) August 25, 2012
PCI remediation is a hot topic these days, primarily because organizations undergoing their initial PCI DSS compliance effort unearth a laundry list of "must do" action items: areas requiring immediate attention and remediation. Fix them and move on toward PCI compliance. Ignore them and the problems persist, and PCI compliance is never achieved. A fair number of the Top 10 PCI remediation items can take considerable time and effort to correct, so it's important to begin the process early and budget ample time and resources, with PCI compliance as the ultimate goal. When undertaken successfully, the Top 10 PCI remediation list (a three-part white paper series authored by QSA Charles Denyer) can save organizations thousands of dollars and hundreds of hours when it comes to an actual PCI Level 1 on-site assessment by a PCI-QSA, so take note of the following:
1. Provisioning, hardening, securing, and locking down all in-scope "system components". It's critically important to properly harden all system components (see the Top 10 PCI list at http://www.pciassessment.org/pci-blog/pci-qsa-consultant-charles-denyer-reveals-top-10-challenges-and-recommendations-for-pci-compliance-part-i/) before they're ultimately deployed into the cardholder data environment (CDE).
2. Anti-virus. Easy enough, right? It's surprising how many organizations run different types and different versions of AV software across their systems.
3. Two-Factor Authentication. This seems to catch many organizations off guard, as they're unsure of the scope of two-factor: which employees must use it, for which environments and system components, and so on.
4. Web Application Firewall (WAF). It's also equally surprising how many organizations have never heard of a Web Application Firewall (WAF), but it's a strict requirement for PCI and there are some great open-source options.
5. Audit Trails and Logging. Without question, this accounts for a significant share of the remediation effort organizations must undertake for PCI compliance.
6. Log Server | Syslog. Though having a syslog or log server is fairly straightforward, many organizations simply don't have this architecture in place, at least not yet.
7. File Integrity Monitoring (FIM). Also called "change detection software"; there are a number of great open-source tools, along with some very expensive commercial products. Additionally, the implementation effort can be demanding at times.
8. Intrusion Detection Systems (IDS). An IDS utility is an explicit requirement for monitoring all traffic at the "perimeter of the cardholder data environment". Once again, there are some great open-source tools (e.g., Snort), but implementing and fine-tuning an IDS, especially with regard to false positives, can take time.
9. Policies and Procedures. Believe it or not, this may be the biggest remediation issue of all, and it's not really technical in nature, but it requires a number of personnel to develop a comprehensive, well-written set of policies and procedures. The best I've seen to date (and they are very good) are those offered by pcipolicyportal.com.
10. Operational Commitments. Great, so it's time to kick off the PCI DSS compliance project. Anybody interested, please raise your hand. Unfortunately, operational commitments, or the lack thereof, cause PCI compliance efforts to fail miserably.
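To make item 7 concrete, here is a minimal file integrity monitor: it snapshots a directory tree (content hash, permission bits, owner, size), then compares a later snapshot against the baseline and reports added, removed and modified files, including permission-only changes that a content hash alone would miss. This is an added example, not code from the press release, NDB, or any FIM product named above; the directory layout, file names and contents in demo() are constructed sample data.

```python
"""Minimal file-integrity monitor: snapshot a tree, then report changes.

Added example; not code from the press release or NDB. The directory
layout and file contents in demo() are constructed sample data.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to the
    attributes a FIM should pin down: content hash, permission bits, owner, size.
    Symlinks are skipped so a link cannot stand in for the file it points at."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "size": st.st_size,
        }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots. 'modified' entries list
    which attributes changed, so a permission-only change is still reported."""
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            changed = sorted(
                k for k in baseline[rel] if baseline[rel][k] != current[rel][k]
            )
            if changed:
                report["modified"][rel] = changed
    return report


def demo() -> dict:
    """Constructed scenario: baseline a tiny config tree, simulate the kinds
    of change a FIM must catch, and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=192.0.2.5\n")
        (root / "etc" / "users.txt").write_text("alice\n")
        (root / "bin").mkdir()
        (root / "bin" / "run.sh").write_text("#!/bin/sh\necho ok\n")
        os.chmod(root / "bin" / "run.sh", 0o755)

        before = build_baseline(root)

        # 1. content change to a configuration file
        (root / "etc" / "app.conf").write_text("db_host=198.51.100.9\n")
        # 2. permission-only change (content untouched)
        os.chmod(root / "bin" / "run.sh", 0o777)
        # 3. a file removed and 4. an unexpected new file
        (root / "etc" / "users.txt").unlink()
        (root / "etc" / "unexpected.conf").write_text("x\n")

        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

In a real deployment the baseline would be written to a store the monitored host cannot modify (or at least signed), re-checked on a schedule, and its reports forwarded to the log server from item 6 so that unexpected changes are reviewed rather than silently overwriting the baseline.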
About NDB and Charles Denyer
Charles Denyer is a member of NDB, a nationally recognized firm specializing in Regulation AB, Service Organization Control (SOC) reporting (SSAE 16, AT 101, Trust Services Principles | TSP), ISAE 3402, FISMA, NIST, HIPAA, ISO and PCI DSS compliance, along with many other regulatory compliance initiatives. He is also actively involved in numerous professional associations and organizations for a wide range of industries and business sectors, such as the American Nuclear Society (ANS), ISACA, and the Cloud Security Alliance (CSA), just to name a few.
Additionally, Charles holds numerous accounting and technology certifications along with a Master's in Information and Telecommunication Systems from the Johns Hopkins University and a Master's in Nuclear Engineering from the University of Tennessee at Knoxville. He has a keen interest in all topics related to information security, national security and homeland defense, and conducts independent research projects on specific subject matter for various entities. He can be reached at email@example.com or at 800-277-5415, ext. 705.