In compliance work, the concepts of reducing work and "reusing" existing controls can also be applied. Many organizations have invested time and effort to implement ISO 27002 controls and certify against 27001 Information Security Management System (ISMS) processes. Others have adopted the IT management techniques from the UK Office of Government Commerce (OGC), known as ITIL. And many organizations have made significant investments to create a standardized compliance framework for use across business units and divisions.
Although compliance with the Payment Card Industry Data Security Standard (PCI DSS) cannot be accomplished by using another framework or methodology exclusively, organizations have found that they can leverage valuable mappings between existing frameworks. Additionally, some of the policies and tools implemented for PCI DSS may provide unexpected compliance benefits for other initiatives.
David Howell, senior manager of compliance solutions at RSA, the security division of EMC Corp., said he's observed a desire for compliance normalization. Companies are looking for a "common framework that can be used to eviscerate the walls between disparate compliance programs," Howell said, "defining commonalities so that pieces can be leveraged."
Reuse can work bidirectionally. Controls implemented for PCI DSS can be used for other initiatives in the organization, and controls implemented before or independently of PCI DSS may be reusable as part of PCI DSS validation work.
Examples of PCI DSS controls that can be reused are policies and procedures related to protection of sensitive data. PCI mandates that sensitive authentication data cannot be stored after the authorization phase, but primary account numbers (PANs) can. Requirement 3.4 of the PCI DSS provides specific details on how PANs must be stored in order to achieve compliance. Implementing these specifics can be a challenge, involving the use of native encryption on databases, or a cryptographic gateway or library to encrypt the data before passing it to the database for storage. Such encryption requires key management, and PCI DSS also details rules regarding proper key storage, aging and control. With sophisticated storage protection in place, a number of companies have found that the techniques in Requirement 3.4 can be applied to other sensitive data in the organization.
Michelle Stewart, manager of data security for AirTran Airways, discovered some unexpected benefits from using PCI DSS controls. Monitoring systems that were put in place for PCI DSS became valuable tools for the operations and audit teams. Information from network and host scans was used to identify "devices that weren't in compliance with company policy," Stewart said. The increased visibility provided by the tools helped AirTran enforce policy management for non-PCI DSS-related initiatives like ensuring that no unwanted applications, such as streaming radio, were running on the corporate network. Stewart said savvy companies can leverage IT spending intended for PCI DSS compliance for work beyond PCI DSS and card data protection.
However, if a company is ISO 27001 certified, it is likely that the organization has already implemented many of the controls that PCI DSS requires. Though the two aren't aligned, an organization could perform a gap assessment of existing controls, such as those implemented from ISO 27002, against the mandatory PCI DSS controls. Sections A.10, A.11 and A.12 of the ISO standard focus on more technical controls, and this is where the majority of the overlaps occur. The end result would be a delta highlighting additional controls required for PCI, potentially streamlining compliance and assessment work. Another benefit for ISO 27001 certified organizations is that extensive documentation is required. Insufficient documentation is a core reason that companies fail PCI DSS compliance, so having it in place for ISO will make the PCI compliance work easier.
Finally, the Unified Compliance Framework (UCF) is an interesting approach to compliance. Developed by Dorian Cougias and Marcelo Halpern, UCF attempts to help companies streamline compliance work by mapping normalized controls and management approaches. In February 2008, the group behind UCF published a "harmonization" that integrates the PCI DSS Self-Assessment Questionnaire (SAQ) v1.1 and PCI DSS requirements into the UCF. Companies using the UCF as a meta-compliance framework may find the integration document helpful for normalization and mapping between the two. The document is available to all PCI Qualified Security Assessors (QSAs) as well as UCF subscribers.
Compliance is a cornerstone of a healthy IT environment. Consider "going green" when it comes to compliance. In other words, rather than throwing out previous compliance work when new regulations come along, look for areas where controls and policies can be mapped and "recycled" for applicability to the new mandates.
About the author:
Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
This was first published in July 2008