Compliance with things such as the PCI Data Security Standard and other regulations can be difficult even for small organizations, so how did you go about the process in such a large company?
Seeger: We have a massively distributed organization with dozens of business units. Because the company is so distributed and there are many areas where use of credit cards is a part of our normal business, we needed to get the most efficient method for complying with PCI DSS. We have a small but highly skilled group of corporate IT specialists, so we needed to find a way to use as little of their time as possible. A lot of the credit card activity is contained within small, separated segments of our network infrastructure. But since many other units are involved in those transactions, we needed to find a way to comply.
How much of a burden was it to comply?
Seeger: We have a lot of security infrastructure already. I have a separate group that's focused on data security for the whole company, so a lot of the requirements we were already in compliance with. But what we needed to be able to do was demonstrate that. So the priority was having a way to certify our compliance in a formal way for the banks that were looking for that. So we needed a trusted third party that was certified by the payment card companies to help us do that.
Was there anything you found in the process that surprised you?
Seeger: We're using Qualys as our scanning tool and it's discovering things in some of the servers on our Internet-facing segments that were classified as vulnerabilities. They weren't serious, but there was a potential there. In a business such as ours that has to be up and running 24 hours a day, there are business imperatives that keep things running and delay things like patch management to another time. So there were servers that were somewhat behind in their deployment of patches. Having that information allowed us to increase the priorities for some of those, especially if they contained credit card information. The PCI standards are fairly stringent, so it does require additional work, but nothing that we wouldn't have wanted to do anyway. We were already being fairly vigilant about these things and trying to persuade people to better manage their computing assets. I would actually credit the PCI DSS with helping us persuade local IT managers to get their stuff in shape.
Have you gotten to the point yet that you're comfortable pushing out patches without testing?
Seeger: No, we tend to put pressure on the vendors to validate that they're compatible with new Microsoft patches, and most of them are good about doing that. We have that as part of our written agreements with a lot of vendors.
Is it hard to look at some of these regulations and say, where is the return on investment for us?
Seeger: We can't afford to have any doubt that we're doing everything possible to comply with regulations like PCI and Sarbanes-Oxley (SOX). We have our external auditors that are focusing regularly on all of our business units. And we have internal auditors mirroring what they're doing. We're not at a point, and I doubt we ever will be, where we say profit is more important than compliance. Things we're compliant with have reasonably valid rationales behind them.
Have you found a good way to measure the return on investment you get from these security measures?
Seeger: No, I think it's more a matter of cost avoidance. It's basically considering what could happen if we don't maintain security within our IT infrastructure. We have a very small but capable group of people who do this. We're all working pretty hard, but it's easier to justify.
This was first published in January 2007