This is page 2 of:
Is That Your Data That Just Walked Out the Door?
For example, the first and probably most important step is to find all the cardholder data. You must then verify that no data exists outside of the cardholder data environment (CDE). Proving a negative (no other cardholder data exists) is never easy. But verifying that fact in the face of the widespread use of personal technology devices will be that much more difficult. IT managers and maybe their QSAs will need to take the time to verify that they have located all their cardholder data.
A solution that seems to make sense is to update your policies to reflect the new reality and to increase training to enforce those policies. I say this because every security professional knows in their heart that business needs always trump security dictates. Therefore, we need to accommodate these devices while maintaining PCI compliance.
To be sure, many security requirements for personal devices are already addressed in the DSS. For example, Requirement 1.4 states that employee-owned computers that can connect directly to both the Internet and your corporate network need to have a personal firewall (one that the employee cannot disable).
In addition, Requirement 12.3 mandates usage policies for a number of technologies, including remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), E-mail usage and Internet usage. This policy can be a pretty good guide.
It is worth noting that PCI version 2.0 revised a part of Requirement 12.3, and it looks like the Council had the spread of personal technology in the workplace in mind. The requirement (12.3.10) now stipulates that your policy cover the following: “For personnel accessing cardholder data via remote-access technologies, prohibit copy, move and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need.” It was those last words about “explicitly authorized” that were added.
Like so much of PCI, this sounds simple. But it can be difficult to implement. I haven’t got any magic answers. Still, it seems as though increased employee awareness and specific training that addresses all those new smartphones and tablets will go a long way to meeting this requirement. That training will also go a long way toward making an organization more secure and reducing the chance of a data breach.
What do you think? I’d like to hear your thoughts. Either leave a comment or E-mail me at wconway@403labs.com.
-Marc
January 18th, 2011 at 7:07 pm
Great column Walt, but I thought you were going to take it a different way. My learning from the Wikileaks scandal is that if you inappropriately classify everything as a secret, then you risk losing sight of the real secrets in the files and files of “almost” secrets.
The correct approach should be the opposite: apply a cost to keeping a secret, so that you have incentive to not keeping things secret. The network of secret sharing things can be reduced until the result is of minimum size and of maximum efficiency – if you accept you must maintain secrets.
The parallel to PCI DSS is clear: it may be easy to put everything in scope (from a classification perspective), but the greater scope means too many systems and too many actors are handling sensitive data. It is more costly to segment networks, to use effective encryption, to tokenize, but the result should be an efficiently small network of card data handling actors. Just as we should be encouraging governments to avoid making all things secret, we should avoid putting all systems in scope.
The higher the cost incentive used to encourage these smaller and tighter domains, the less likely an accidental breach should have absurdly large ramifications.
Should Manning have had access to the thousands of files he did? Probably not. Should a computer system have easy access to a broad card processing network? Of course not.