SECURITY - GOVERNANCE - RISK - COMPLIANCE
Trusted Client, Financial industry
Security Assessment, IT Services
May 30, 2011
A national financial industry organizaton with a centralized organization operating in 7 countries cross the Nordic and Baltic reigions was subject for annual Payment Card Industry/Data Security Standard (PCI/DSS) assessment.
The overall organization consist of 10 data centres where payment transactions were card data was transmitted, processed and stored. The work was seperated into 10 sub-projects where each data centre was assessed alone. They all shared main processes and payment gateways but each data centre stored their own data to adhere to each centres local Law. The goal for the project were to prepare the organization for their annual audit and PCI/DSS assessment.
The organization had several seperate architects and blue print that needed to be consolidated to provide an overview of data transfer that included all network, firewalls, gateways, systems, databases and storage environments.
In addition the organization needed help to create a plan for IT-environmental progress towards external PCI/DSS compliance covering all locations inside the organizations scope. As of deliverables, a draft Report Of Compliance (ROC) was required to provide a proper understanding of the current posture and maturity.
In order to ensure a consistent approach, the project was run in all 7 countries simultanesously.
Each country was assessed as for their current network, firewall and gateway usage compared to the PCI/DSS requirements. Where discrepancy existed, the network firewall and gateways used where either replaced, re-configured ot migrated to adhere to existing valid network, firewalls and gateways for secure transmissions.
Contact Fogel Consulting through the contact form to receive further information and possibility to present your own case and business needs.
The overall set of completed deliverables included a ROC covering PCI/DSS Version 3.1 requirements for:
Encrypt transmission of cardholder data across open, public networks
Protect all systems against malware and regularly update anti-virus software or programs
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need to know
Identify and authenticate access to system components
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security for all personnel
The project achieved identifying client specific PCI/DSS compliance issues, remediation planning and documentation of supporting processes, tools, and evidence for audit purposes in alignment with Global payment industry policy. Activites that were identified in need of re-design, an architectual change or, to be replaced, was summarised into a new post audit project for completion within 90 days of assessment end.