Ezine

This article can also be found in the Premium Editorial Download "Information Security magazine: Tips for navigating the maze of global security regulations."

Download it now to read this article plus other related content.

Few things inspire fear and loathing like regulatory compliance. Josh Seeger, CIO of Tribune Broadcasting, faced a hugely complex task in ensuring the company met the requirements of the Payment Card Industry Data Security Standard. His experience showed that, while compliance can be burdensome, it can also serve as a window into your network's security posture.

JOSH SEEGER


PCI compliance can be difficult even for small organizations. How did you go about the process in such a large company? We have a massively distributed organization with dozens of business units. Because the company is so distributed and there are many areas where the use of credit cards is a part of our normal business, we needed to get the most efficient method for complying with PCI. We have a small but highly skilled group of corporate IT specialists, so we needed to find a way to use as little of their time as possible. A lot of the credit card activity is contained within small separated segments of our network infrastructure. Since many other units are involved in those transactions, we needed to find a way to comply.

How much of a burden was it to comply? We have a lot of security infrastructure already, so a lot of the requirements we were already in compliance with. But, we needed to be able to demonstrate that. The priority was having a way to certify our compliance in a formal way. We needed a trusted third party [Qualys]

    Requires Free Membership to View

that was certified by the payment card companies to help us do that.

Was there anything you found in the process that surprised you? We're using Qualys as our scanning tool, and it's discovering things in some of the servers on our Internet-facing segments that were classified as vulnerabilities. They weren't serious, but there was potential there. In a 24x7 business such as ours, there are imperatives that keep things running and delay things like patch management. So there were servers that were somewhat behind in their deployment of patches. Having that information allowed us to prioritize those, especially if they contained credit card information.

PCI is fairly stringent, so it does require additional work, but nothing that we wouldn't have wanted to do anyway. I would actually credit PCI with helping us persuade local IT managers to get their stuff in shape.

Is it difficult to look at some of these regulations and say, 'Where is the return on investment for us?' We can't afford to have any doubt that we're doing everything possible to comply with regulations like PCI and Sarbanes-Oxley. We have our external auditors focusing regularly on all of our business units. Internal auditors mirror what they're doing. We're not at a point, and I doubt we ever will be, where we say profit is more important than compliance.


Read the full interview with Josh Seeger at searchsecurity.com/ismag.

This was first published in February 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: