When Qualified Security Assessors (QSAs) talk about compliance with the PCI DSS, a lot of time is spent on identifying and then, if possible, reducing an organization’s scope for PCI. Defining exactly what is included within your cardholder environment (CDE) is the first step, and then determining the organization’s strategy for implementing the appropriate security controls within that environment.
Once the CDE is secured and PCI DSS compliance is part of your business-as-usual, concerns about cardholder data security are reduced. But what about personal health information, or personally identifiable information like social security numbers, birth dates, addresses, etc.? What are you doing to protect that information across your organization?
PCI is just one piece of the puzzle in your overall information security program. If you are familiar with other standards and requirements, you will notice there is a lot of overlap with the HIPAA security rule, FERPA, FACTA Red Flags, GLBA, GDPR, NIST 800-53, ISO 27002, etc. However, in the complex environments of campus-based organizations, the personnel responsible for complying with these different standards and requirements are often siloed in separate departments (Finance, IT, Student Records, etc.), so efforts are often duplicated and resources allocated separately.
It is often helpful to take a step back from your checklists and shift from a more narrow, compliance- only focus to a holistic information security focus. Many of the requirements from the PCI DSS do apply organization-wide as they provide a great framework for protecting all types of sensitive information. If you can reduce duplicated efforts and prioritize projects effectively, you should be able to not only protect your organizational systems and assets, but also benefit from the reduced costs on an ongoing basis (which should be an easy sell to your upper management!). Where you can, begin incorporating PCI controls into your information security program and you will improve your overall security posture while reducing risk.
Below is an overview of the general information security components you can begin to focus on as you move from compliance-focused approach to a broader information security program.
- Inventory of Devices/Software – Do you know what devices are connected to your network? Actively manage and track all hardware devices and software applications within your network, ensuring only authorized devices have access, and only authorized software is installed.
- Secure Configurations – Establish and implement configuration standards for workstations, laptops, servers, and network devices, and implement a defined change control process. Don’t forget to include a clear patching schedule to help prevent potential hackers from being able to exploit known vulnerabilities.
- Vulnerability Assessments and Remediation – Ensure you are able to continuously gather, assess, and take action on newly identified vulnerabilities. The sooner you can do so, the less time attackers have to exploit your systems. You should also test the overall strength of your organization’s defenses through regular penetration testing.
- Anti-Virus/Malware Detection – Automate this effort as much as possible to ensure timely updating of your protection solutions, which will then minimize the installation and spread of malicious software.
- Wireless Access Control – Implement processes to monitor the security of wireless networks and access points.
- Data Recovery – Ensure your processes are in place and tools are configured to back up all critical information and support a timely recovery.
- Access Rights – Controlled use of administrative privileges is critical to prevent authorized users from accessing information other than that which they need to know. Limiting the ability for individuals to change or override the security settings on your systems will reduce the potential for a breach, both deliberate and accidental. Monitor all access.
- Logging – Implement system logging and analyze the audit logs of events. Document what patterns are normal and acceptable, so that those that are not can be more quickly identified. This will help you identify, detect, understand, and recover from potential attacks.
- Training – Provide ongoing awareness training for all staff (not just IT) focusing on their individual roles and responsibilities for protecting information.
- Incident Management – Develop and implement clearly defined incident response plans and procedures with specific roles, training, communications, etc. You should be able to quickly discover a potential attack and then effectively contain the problem, limiting the damage to your systems and organization.
We often encourage organizations to think security first, compliance second. Audits, as well as fines and penalties for non-compliance, may be managed by each standard’s respective authority (i.e. card brands, FTC, HHS, etc.), but many of the security efforts needed to ensure compliance across different standards can be met through the use of general information security best practices and controls.
If you have a question or would like to inquire about a general information security risk assessment from CampusGuard, please don’t hesitate to reach out to firstname.lastname@example.org.
Some additional guidance from our Security Advisor team below:
[Gilmore]: It is imperative that organizations take a sharp look at how they are respecting sensitive data entrusted to them. Constituents believe that their personal information is safe and organizations are expected to provide that security. Continually ask if others’ personal data for which you are responsible is being kept the way you would expect your data to be kept? Is the level of effort to secure connections, storage, and processing not only up to current standards, but is it being regularly tested and updated to ensure vulnerabilities cannot be exploited leading to a system compromise and data breach?
The risk levels can be reduced by having a centrally maintained security standard that is known to all who are involved in handling sensitive data. It takes a village to keep data secure, so evaluation of the security standard should involve those who are daily on the front line. They know the processes and customers, so they are able to give the most valuable input on how to keep security fresh.