Top 10 access-related controls for PCI compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of minimum security guidelines put in place to protect sensitive credit card data. Even so, the standard outlines some of the most vital technologies and access-related policies and procedures needed to determine who has what and who did what on your systems, according to Viresh Garg, a member of Oracle's enterprise manager team and Oracle identity and compliance initiatives.
In a presentation at Oracle OpenWorld last month in San Francisco, Garg outlined the top 10 access-related controls for PCI compliance and described why they are important in locking down data and keeping out intruders. Companies that have the tools to monitor continuously, to identify, report on and investigate audit trails, and to conduct risk analytics are taking the right steps to protect critical data, Garg said.
Data cleanup: Detect and remediate rogue accounts and grants. An effective security plan begins with data cleansing, Garg said. Access- and identity-related data must be cleansed to avoid duplicate information, remove the accounts of terminated employees and start with a clean slate.
Access control policies: Define policies and procedures and ensure that they apply to applications and the data center. This can often be a difficult area to tackle, Garg said. Business and IT roles, as well as the roles of all end users, need to be determined in order to define who has access to which applications and what authority they have to make changes to them.
Access control processes: Review accounts and privileges and discover who has been given approval to access sensitive information or conduct certain business processes.
Physical security: Investigate and determine the company's access badge procedures. Integrate the procedures into the overall security guidelines.
Password management: Identify the current password procedures and possibly deploy a single sign-on technology. Develop a password plan that makes it easier for users to remember their passwords so they avoid writing them down.
Risk-based adaptive authentication: Two-factor authentication should be in place. It forces end users to provide two means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code. This helps block access by potential intruders and alerts administrators to potentially fraudulent activity, Garg said.
Audit trails: By collecting and retaining accurate audit trails, companies give an investigator the ability to capture a point-in-time snapshot of system activity, Garg said. For example, an administrator could look at who had access to an application a year ago to determine the source of suspected fraudulent activity.
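As an added illustration of the data cleanup and audit trail controls above (example code, not from Garg's presentation or Oracle's tooling): the Python below replays a constructed grant/revoke audit trail to reconstruct who held access to an application at a chosen point in the past, then checks that snapshot against a constructed HR roster to flag accounts belonging to terminated or unknown users. The application name, event format and roster contents are assumptions.

```python
from datetime import datetime

# Constructed sample data (not from the article): an access-change audit trail
# for a hypothetical "billing" application and a matching HR roster.
AUDIT_TRAIL = [
    # (ISO timestamp, action, user, application)
    ("2009-01-10T09:00:00", "grant",  "alice",      "billing"),
    ("2009-02-03T14:20:00", "grant",  "bob",        "billing"),
    ("2009-05-15T11:05:00", "grant",  "carol",      "billing"),
    ("2009-06-01T08:00:00", "revoke", "alice",      "billing"),
    ("2009-07-07T12:00:00", "grant",  "svc_report", "billing"),  # no HR record
    ("2009-09-20T16:45:00", "grant",  "dave",       "billing"),
    ("2009-11-30T10:10:00", "revoke", "bob",        "billing"),
]

HR_ROSTER = {
    # user -> (employment status, termination date or None)
    "alice": ("active", None),
    "bob":   ("terminated", "2009-10-15"),
    "carol": ("active", None),
    "dave":  ("terminated", "2009-12-01"),
}

def access_snapshot(trail, app, as_of):
    """Replay grant/revoke events up to as_of (ISO timestamp) and return the
    set of users who held access to app at that moment."""
    cutoff = datetime.fromisoformat(as_of)
    holders = set()
    for ts, action, user, target in sorted(trail):  # ISO strings sort by time
        if target != app or datetime.fromisoformat(ts) > cutoff:
            continue
        if action == "grant":
            holders.add(user)
        elif action == "revoke":
            holders.discard(user)
    return holders

def rogue_accounts(trail, app, roster, as_of):
    """Data cleanup check: accounts holding access as of as_of whose owner had
    already been terminated, or who has no HR record at all."""
    flagged = {}
    for user in access_snapshot(trail, app, as_of):
        status, term_date = roster.get(user, ("unknown", None))
        if status == "terminated" and term_date <= as_of[:10]:
            flagged[user] = f"terminated {term_date}"
        elif status == "unknown":
            flagged[user] = "not in HR roster"
    return flagged

if __name__ == "__main__":
    for user, reason in sorted(rogue_accounts(AUDIT_TRAIL, "billing", HR_ROSTER, "2009-12-31T23:59:59").items()):
        print(f"{user}: {reason}")
```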
Reports: By keeping reports of system logs and reviewing those logs, companies can reduce risk to acceptable levels, Garg said.
Attestation: Much like the attestation used to comply with the Sarbanes-Oxley Act, attestation is used to meet PCI access control standards by forcing a periodic review of user access rights. Companies can set up an automated review process that lets the right managers certify or reject the access rights of employees in their unit. This keeps access data clean and eliminates duplicate and outdated information.
Risk analysis: Similar to deploying a business intelligence solution for financials, deploy a tool to analyze the audit trails that were collected. Use it to find weaknesses in critical infrastructure and applications.