Ping
by Dennis Fisher
Issue: Feb 2007

Few things inspire fear and loathing like regulatory compliance. Josh Seeger, CIO of Tribune Broadcasting, faced a hugely complex task in ensuring the company met the requirements of the Payment Card Industry Data Security Standard (PCI DSS). His experience showed that, while compliance can be burdensome, the evidence it forces you to gather can also serve as a window into your network's actual security posture.

PCI compliance can be difficult even for small organizations. How did you go about the process in such a large company?
We have a massively distributed organization with dozens of business units. Because the company is so distributed and there are many areas where the use of credit cards is a part of our normal business, we needed to find the most efficient method for complying with PCI. We have a small but highly skilled group of corporate IT specialists, so we needed to find a way to use as little of their time as possible. A lot of the credit card activity is contained within small, separated segments of our network infrastructure. Since many other units are involved in those transactions, we needed to find a way to comply.

How much of a burden was it to comply?
We have a lot of security infrastructure already, so we were already in compliance with a lot of the requirements. But we needed to be able to demonstrate that. The priority was having a way to certify our compliance in a formal way. We needed a trusted third party [Qualys] that was certified by the payment card companies to help us do that.

Was there anything you found in the process that surprised you?
We're using Qualys as our scanning tool, and it's discovering things in some of the servers on our Internet-facing segments that were classified as vulnerabilities. They weren't serious, but there was potential there. In a 24x7 business such as ours, there are imperatives that keep things running and delay things like patch management. So there were servers that were somewhat behind in their deployment of patches. Having that information allowed us to prioritize those, especially if they contained credit card information.

PCI is fairly stringent, so it does require additional work, but nothing that we wouldn't have wanted to do anyway. I would actually credit PCI with helping us persuade local IT managers to get their stuff in shape.

Is it difficult to look at some of these regulations and say, 'Where is the return on investment for us?'
We can't afford to have any doubt that we're doing everything possible to comply with regulations like PCI and Sarbanes-Oxley. We have our external auditors focusing regularly on all of our business units. Internal auditors mirror what they're doing. We're not at a point, and I doubt we ever will be, where we say profit is more important than compliance.


Read the full interview with Josh Seeger at searchsecurity.com/ismag.