Compliance and the
Intelligent
Information Network
Fred Colacchio, CISSP
Security Specialist
[email protected]
October 3, 2007
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Agenda
Compliance
Mapping IIN to Compliance
PCI Prescriptive
Summary
Reference
Compliance
The Four Main Themes in Compliance:
Think “CIAA”
1. Confidentiality - Keep it Secret
2. Integrity of Data - Protect against
improper alteration or destruction
3. Audit/reporting/monitoring/logging - Security activity must be tracked
and auditable, both to demonstrate compliance and to support incident
investigation
4. Availability - Regulated data must be
available to authorized users/consumers
Compliance Drivers
U.S. Public Company Accounting Reform and Investor Protection
Act of 2002 (“Sarbanes-Oxley”)
Protects investors by improving the accuracy and reliability of corporate
disclosures.
The Financial Services Modernization Act of 1999 (“Gramm-Leach-Bliley”)
Provides a framework for the affiliation of banks, securities firms,
insurance companies, and other financial service providers.
Establishes the Financial Privacy Rule and the Safeguards Rule.
Health Insurance Portability and Accountability Act of 1996
Improve portability and continuity of health insurance coverage;
combat waste, fraud, and abuse in health insurance and health care
delivery; promote the use of medical savings accounts; improve access
to long-term care services and coverage; simplify the administration of
health insurance
California SB 1386
Requires any entity that conducts business in California to disclose any
breach of the security of any data which includes personal information
Compliance Drivers
Family Educational Rights and Privacy Act
Protects the privacy of student educational records.
Payment Card Industry Data Security Standards
Applies to all merchants and service providers that store, process, or
transmit credit card data, and provides the tools and measurements
needed to protect against cardholder data exposure and compromise
Notification of Risk to Personal Data Act (S. 1350, pending)
Would require Federal agencies, and persons engaged in interstate
commerce, in possession of electronic data containing personal
information, to disclose any unauthorized acquisition of such
information
Sanctions for Regulatory Non-Compliance

Regulation | Date of Enforcement | Fine | Imprisonment | Industry
HIPAA | 1996 | $250,000 | 10 years | Health
GLBA | 1999 | $100,000 per incident | 5 years | Financial
SOX | 2002 | $22 million per violation | 20 years (former Gemstar CEO, May 9, 2006) | Information Security
CA SB 1386 | 2003 | Any customer injured by a violation of this act may institute a civil action to recover damages | None; customers must be notified | Personal Information
PCI | 2005 | $500K per incident + $100K if Visa is not notified | None; the right to accept credit card payments is rescinded | Credit Card Security
S-OX
Applies to public companies
Section 302 compliance – Attestation to validity of
public reports
Section 404 compliance – Attestation to the
effectiveness of internal control structures
Section 409 compliance – “real time” public disclosure
of material changes in the financial conditions or
operations of a company
GLBA
Applies to “Financial Institutions”
Includes not only banks, securities firms, and insurance
companies, but also companies providing many other types of
financial products and services to consumers (student loans)
Financial Privacy Rule
Governs the collection and disclosure of customers' personal
financial information
Safeguards Rule
Requires all financial institutions to design, implement and
maintain safeguards to protect customer information.
In summary, the objectives of GLBA are to:
• Protect the security and confidentiality of customers'
nonpublic personal information
• Institute administrative, technical, and physical safeguards
• Protect against anticipated threats and hazards to information
security
• Protect against unauthorized access to or use of information
A further objective is to establish a continuous risk-based information
security program with:
• Board oversight
• Assessment of threats and vulnerabilities
• Risk management and controls
• Training and testing
• Vendor oversight
• Monitoring, auditing, adjusting, and reporting
Who is affected by GLBA?
Banks, securities firms, and insurance companies
• Mortgage lenders or brokers
• Check cashers and payday lending services
• Credit counseling service and other financial advisors
• Medical-services providers with long-term, interest-bearing payment plans
for a significant number of their patients
• Financial or investment advisory services including tax planning, tax
preparation, and individual financial management
• Retailers that issue their own credit cards
• Auto dealers that lease or finance purchases
• Higher education institutions providing financial aid or student loans
• Collection agencies
• Government entities that provide financial products such as student loans
or mortgages
HIPAA
Applies to health care providers, clearinghouses, and
plans
The Privacy Rule
Includes standards to protect the privacy of individually
identifiable health information
The Security Rule
Specifies a series of administrative, technical, and physical
security procedures for covered entities to use to assure the
confidentiality of electronic protected health information
Who is affected by HIPAA?
In general, the requirements, standards, and implementation
specifications of the HIPAA Security Rule apply to the following
entities:
• Covered Health Care Providers-Any provider of medical or
other health services or supplies, who transmits any health
information in electronic form in connection with a
transaction
• Health Plans-Any individual or group plan that provides or pays the
cost of medical care, including certain specifically listed
governmental programs
• Health Care Clearinghouses-A public or private entity that
processes another entity's healthcare transactions from a standard
format to a nonstandard one, or vice versa
• Medicare Prescription Drug Card Sponsors-A nongovernmental
entity that offers an endorsed discount drug program under the
Medicare Modernization Act
Family Educational Rights
and Privacy Act
Applies to all schools that receive funds under an
applicable program of the U.S. Department of
Education
Establishes:
Inspection right
Correction right
Restrictions on disclosure
Notification obligation
Addressing
Compliance
“ An entire organization, despite its best
efforts to prevent wrongdoing in its ranks,
can still be held criminally liable for any of
its employees’ illegal actions.”
Paula Desio
Deputy General Counsel
United States Sentencing Commission
An Overview of the Organizational Sentencing Guidelines
“ [The Sentencing Commission] attempted
to alleviate the harshest aspects
of...institutional vulnerability...by mitigating
the potential fine...if an organization can
demonstrate that it had put in place an
effective compliance program.”
Paula Desio
Deputy General Counsel
United States Sentencing Commission
An Overview of the Organizational Sentencing Guidelines
Three Pieces of the Puzzle
People
Process
Technology
Why use PCI for our discussion?
Regulatory programs are open to interpretation: they may require teams of
experts (General Counsel, Finance, Risk, etc.) to determine an organization's
compliance requirements, and the result is “fuzzy”
PCI is the most prescriptive and the easiest to map against and measure
The PCI DSS embodies information security best practices
The process of complying with PCI can benefit, and likely transfers over to,
other compliance programs (GLBA, HIPAA, etc.)
Demonstrating that controls are in place for data protection can be leveraged
regardless of whether the data is corporate, personal, financial, health, or,
in the case of PCI, credit card information
PCI compliance may help prove “due care”
General Security Recommendations
Store Less Data
–Reduce the scope
–Justify why you’re storing critical data
Understand the Flow of Data
–Diagrams, understanding where data is stored, how far it travels
Encrypt Data
Address Application and Network Vulnerabilities
–Update your software with patches as they are released.
–Have a third party conduct an application test and code review
Improve Security Awareness and Training
Monitor Systems for Intrusions and Anomalies
–Place IDS devices near the assets you want to protect.
–Establish a centralized server for reviewing, correlating, and
managing IDS logs.
Segment networks that hold sensitive data and control access to them
Change default passwords immediately
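Two of the recommendations above, store less data and encrypt data, are where assessments fail most often (Requirement 3, later in this deck). The following added example is not from the original slides or from Cisco; it shows in Python why masking a PAN for display and storing an unsalted hash of the same PAN amount to storing the PAN in the clear, and what truncation or a keyed hash changes. All card numbers are constructed test values (4111 1111 1111 1111 is the standard Visa test number), the 16-digit first-six/last-four layout is an assumption, and the HMAC key is a placeholder.

```python
"""Added example (not Cisco's code): masked PAN + unsalted hash == stored PAN.

Assumptions: 16-digit PANs, display mask of first six + last four digits
(the maximum PCI DSS 3.3 allows), constructed test card numbers, placeholder key.
"""
import hashlib
import hmac
from typing import Optional

# Luhn contribution of a digit in a "doubled" position (2*d with digits summed).
DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def luhn_sum(pan: str) -> int:
    """Luhn weighted digit sum; valid PANs have a sum divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):   # i == 0 is the check digit
        d = int(ch)
        total += DOUBLED[d] if i % 2 else d
    return total


def luhn_ok(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """'Store less data': keep only the last four digits for receipts/lookups."""
    return pan[-4:]


def unsalted_hash(pan: str) -> str:
    """The weak scheme: plain SHA-256 of the PAN stored next to the masked PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 under a key kept outside the database (key management is
    what PCI DSS 3.5/3.6 are about). Without the key the digest cannot be
    searched, so masked PAN + digest no longer reveal the PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(masked: str, digest: str) -> Optional[str]:
    """Attack: given '411111******1111' and the unsalted SHA-256 of the full PAN,
    enumerate the six hidden digits. Luhn makes the last hidden digit a function
    of the other five, so only 10**5 hashes are needed (well under a second)."""
    if len(masked) != 16 or masked[6:12] != "******":
        raise ValueError("expects a 16-digit PAN masked as first six + last four")
    first6, last4 = masked[:6], masked[12:]
    # Luhn contribution of the ten known digits (hidden positions count as 0).
    known = luhn_sum(first6 + "000000" + last4)
    for n in range(10 ** 5):
        five = str(n).zfill(5)
        # Hidden positions 6..10 from the left alternate doubled/plain
        # (positions 9, 7, 5 from the right are doubled; 8 and 6 are not).
        partial = sum(DOUBLED[int(c)] if k % 2 == 0 else int(c)
                      for k, c in enumerate(five))
        # Position 11 is an undoubled position: choose the digit that makes
        # the Luhn sum a multiple of ten, so every candidate is Luhn-valid.
        sixth = (-(known + partial)) % 10
        candidate = first6 + five + str(sixth) + last4
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"          # constructed test number, Luhn-valid
    shown, digest = mask_pan(pan), unsalted_hash(pan)
    print("stored:", shown, digest[:16] + "...")
    print("recovered from mask + unsalted hash:", recover_pan(shown, digest))
    print("keyed digest is different and not searchable without the key:",
          keyed_hash(pan, b"\x00" * 32) != digest)
```

The practical reading for an assessment: a hashed PAN is only "unreadable" if the hash is keyed or the masked form is never stored alongside it, and the cheapest control is still not to keep the PAN at all (truncate_pan).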
Payment Card Industry
(PCI) Solution &
Prescriptive
PCI Defined
The PCI Data Security Standard
Published January 2005
Impacts all who process, transmit, or store cardholder data
Developed by MasterCard and Visa, endorsed by the other payment brands
Pertinent for all industries and company sizes: SMB to large enterprise and
service providers
Global in nature
Visa says approximately 22% of Tier 1 Merchants are currently compliant.
(Computerworld, July 10, 2006.)
The PCI Data Security Standard
PCI applies to all companies that handle credit card
information—not just credit card processing
Merchants are tiered based on transaction volume and
each level has different requirements
Penalties associated with the levels
Applies globally to all environments including physical,
electronic commerce, wireless, etc.
PCI covers systems, policies, and procedures
It’s About Good Business Practices
Providing a secure shopping
environment whether
in the store or online
Prevention of identity theft for
customers
Securely and reliably protecting
brand image and assets
Mitigating financial risk associated
with fines and penalties due to
failure in compliance (and breach!)
Categories of Merchants

Category | Criteria | Requirement
Level 1 Merchants | More than 6,000,000 Visa/MC transactions per year* | Annual onsite PCI Data Security Assessment; quarterly network scan
Level 2 Merchants | 1 million to 6 million transactions per year | Quarterly network scan; annual self-assessment
Level 3 Merchants | 20K to 1 million e-commerce transactions per year | Quarterly network scan; annual self-assessment
Level 4 Merchants | Fewer than 20,000 Visa e-commerce transactions per year | Quarterly network scan; annual self-assessment

*Also any merchant that has suffered a hack or an attack that resulted in an
account data compromise
Critical Role of the Network for PCI Compliance
PCI Data Security Standard Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Where Most Assessments Are Failing

PCI Requirement | Percentage of Assessments Failing
Requirement 3: Protect Stored Data | 79%
Requirement 11: Regularly Test Security Systems and Processes | 74%
Requirement 8: Assign a Unique ID to Each Person with Computer Access | 71%
Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data | 71%
Requirement 1: Install and Maintain a Firewall Configuration to Protect Data | 66%
Requirement 2: Do Not Use Vendor-supplied Defaults for System Passwords and Other Security Parameters | 62%
Requirement 12: Maintain a Policy That Addresses Information Security | 60%
Requirement 9: Restrict Physical Access to Cardholder Data | 59%
Requirement 6: Develop and Maintain Secure Systems and Applications | 56%
Requirement 4: Encrypt Transmission of Cardholder Data and Sensitive Information Across Public Networks | 45%

Source: VeriSign. “Lessons Learned: Top Reasons for PCI Audit Failure and How to Avoid Them.”
Compliance Is Still an Issue
Forrester Research: Self-assessment in payment card security is not enough
Forrester concludes: “Information security (or a lack of it) is not an area in which
banks and retailers should try to save money or compete.”
Gartner: The PCI Data Security Standard was created in 2001, yet the card-accepting
industry still struggles to demonstrate compliance with it, let alone
protect cardholder data in many cases
The Logic Group, September 27, 2006: Survey reveals alarmingly low levels of
compliance for PCI DSS; only 3% of merchants were ready
[Chart: PC-based point of sale systems experienced the largest percentage of
compromises in 2005 in the US. PC POS: 84%. The remaining share is split among
backend, shopping cart, physical and mainframe systems (12%, 2%, 1% and 1%;
the extraction does not preserve which value belongs to which label).]
The Risks are Real
Over 192 disclosed security breaches through October 2006, potentially
affecting more than 12 million individuals
1/06 University of Delaware
1/06 Pittsburg University Medical
1/06 Illinois Education Assoc
1/06 Oregon Dept of Revenue
1/06 California National Guard
1/06 Atlantis Resort-Kerzner
1/06 People’s Bank
1/06 Notre Dame University
1/06 Kent State University
1/06 City of San Diego
1/06 State of Washington Health
1/06 Honeywell International
1/06 Ameriprise Financial
1/06 Boston Globe
1/06 FedEx Freight West
2/06 Blue Cross Blue Shield NC
2/06 Ernst & Young
2/06 US Agriculture Department
2/06 Blue Cross Blue Shield FL
2/06 Deloitte & Touche / McAfee
3/06 American International Group
3/06 University of Michigan
3/06 Verizon Communications
3/06 General Motors
6/06 Department of Energy
6/06 Minnesota State Auditor
6/06 ING
6/06 VA Bureau of Insurance
6/06 ADP TotalSource
6/06 Visa USA
6/06 National Institutes of Health Federal Credit Union
7/06 US Citizenship and Immigration
Services
7/06 Riverside City Hall (CA)
7/06 US Navy
7/06 Moraine Park Technical College
7/06 Mississippi Secretary of State
7/06 PSA Healthcare
7/06 Hampton Roads, VA Circuit Court
7/06 Helnet, Inc.
9/06 Madrona Medical Group
8/06 Hospital Corporation of America
8/06 Williams Sonoma, Inc.
8/06 Weyerhaeuser
8/06 Louisiana State University
8/06 Transportation Security Admin
8/06 Linden Lab
8/06 Toyota
8/06 Columbus Income Tax Division
8/06 MI Dept of Community Health
8/06 Dept of Veteran Affairs
8/06 Illinois Dept of Corrections
8/06 Adams State College
8/06 University of Texas
8/06 CA Dept of Mental Health
8/06 US Department of Education
8/06 Sovereign Bank
8/06 Federal Motor Carrier Safety
8/06 AT&T
8/06 University of Colorado
8/06 PortTix
9/06 Berry College
9/06 North Carolina Division of Motor
Vehicles
9/06 Purdue College of Science
9/06 Louisiana State University
9/06 Kentucky Personnel Cabinet
9/06 US Census Bureau
9/06 Nikon World Magazine
9/06 Erlanger Hospital
9/06 DePaul Medical Center
9/06 Life is Good, Inc.
9/06 General Electric Co.
9/06 University of Texas
9/06 University of Iowa
10/06 Lexis Nexis
10/06 Cumberland County, PA
Government
10/06 Chicago Board of Elections
10/06 Colorado Dept of Human
Services
2007 breach list as of 9/25/2007: 297 breaches, 75,926,667 records exposed
1/06 NYC Teachers’ Retirement
1/06 Presbyterian Health Care
3/06 Fidelity Investments
4/06 Nationwide Retirement Services
4/06 US Department of Defense
4/06 Iron Mountain
4/06 Fifth Third Bank
4/06 University of South Carolina
4/06 Ross-Simons
4/06 University of Alaska, Fairbanks
4/06 Boeing
4/06 University of Virginia
4/06 State of Georgia
4/06 Union Pacific Corporation
5/06 Internal Revenue Service
5/06 Equifax
5/06 Northwestern University
5/06 Hotels.com
5/06 Wells Fargo
5/06 Mercantile Bankshares
5/06 Minnesota Revenue Dept
5/06 Frost Bank
5/06 YMCA
5/06 VyStar Credit Union
6/06 Federal Trade Commission
6/06 US Navy Recruiting
6/06 Fluor Hanford
6/06 Humana Health Plans
6/06 Royal Ahold USA
6/06 Barnard College
Source: www.idtheftcenter.org
Implications of Non-Compliance
Fines levied by the card brands (the PCI Security Standards Council itself does
not fine merchants)
Up to $500K per incident for any merchant or SP not compliant at the
time of the compromise
Increased transaction costs
Restrictions on card acceptance: Temporary suspension with
possible permanent implications
Consumer confidence and retailer brand integrity compromised by a
data security breach
Loss of cardholder data due to network attack
Liability for cleanup and notification costs
Differences between PCI DSS 1.0 and 1.1
PCI DSS 1.1 went into effect on October 1, 2006.
All QSA assessments and network scans as of Jan 1, 2007 must use 1.1
Some specific changes:
Section 6.6 – Added requirement for application code review or application
firewall to be used
Section 11.1 Clarified that wireless analyzers should be used periodically,
even if wireless is not currently deployed.
Section 12 Added requirement for a policy to manage connected entities,
including maintaining a list, implementing appropriate due diligence, ensuring
connected entities are PCI DSS compliant, and having an established
process to connect and disconnect entities.
NEW appendices that were added:
Appendix A: PCI DSS Applicability for Hosting Providers
Appendix B: Compensating Control – with example for stored data encryption
For the specific 1.1 difference see:
https://www.pcisecuritystandards.org/pdfs/pci_summary_of_pci_dss_changes_v1-1.pdf
Cisco and PCI
How Cisco Is Helping Retailers
Provide an end-to-end secured solution to address PCI
requirements
Provide a set of recommended architectures for small, medium,
and large footprint stores
Ensuring data security as you build out advanced capabilities in
your network
Our Partners for the PCI Solution for Retail
We are working with leading industry partners to join us in providing
recommended network architectures to meet compliance
Audit and remediation services: Cybertrust, AmbironTrustWave
Hardware and software partners:
POS: IBM, Wincor Nixdorf
Handheld devices: Intermec
Anti-virus software: TrendMicro
Recommended Architectures
The Benefits of Recommended Architectures
Cisco worked with PCI auditors to develop
architectures that address the requirements of PCI
compliance
Lab tested and audited architectures to provide
guidance on the best configuration of various network
products
Tested architectures provide guidance to maximize
integration with various technology partners
Reduce the amount of complexity for retailers
configuring networks for PCI compliance
Mapping of Cisco products directly to PCI requirements
Applying the
Intelligent
Information
Network to PCI
DSS
Sample Network Environment
[Diagram: sample network spanning a remote location, the Internet edge, the
main office and the data center. Components shown: NAC appliance, POS server
and desktops running CSA, IronPort, PostX, CSM, NCM/CAS, three ASAs, CS-MARS,
POS terminal, Catalyst 4500 switch, ISR, LAN switch, WAP with LWAPP, Catalyst
6500/7600 with FWSM, credit card storage, on-line store, wireless POS, and the
policies applied across them.]
Requirement 1: Install and maintain a firewall
configuration to protect data
[Diagram: the sample network environment above, with the components that
address Requirement 1 highlighted.]
Requirement 2: Do not use vendor-supplied
defaults for system settings
[Diagram: the sample network environment, with the components that address
Requirements 1 and 2 highlighted.]
Requirement 3: Protect Stored Data
[Diagram: the sample network environment, with the components that address
Requirements 1 through 3 highlighted.]
Requirement 4: Encrypt transmission of
cardholder data across public networks
[Diagram: the sample network environment, with the components that address
Requirements 1 through 4 highlighted; the Catalyst 6500/7600 module is shown
as VPN/FW.]
Requirement 5: Use and regularly update anti-virus software
[Diagram: the sample network environment, with the components that address
Requirements 1 through 5 highlighted.]
Requirement 6: Develop and maintain secure
systems and applications
[Diagram: the sample network environment, with the components that address
Requirements 1 through 6 highlighted; ACE and ACE XML are added in the data
center.]
Requirement 7: Restrict access to data by
business need-to-know
[Diagram: the sample network environment, with the components that address
Requirements 1 through 7 highlighted.]
Requirement 8: Assign a unique ID to each
person with computer access
[Diagram: the sample network environment, with the components that address
Requirements 1 through 8 highlighted; ACS is added in the data center.]
Requirement 9: Restrict physical access to
cardholder data
[Diagram: the sample network environment, with the components that address
Requirements 1 through 9 highlighted; Digital Video Surveillance is added at
the main office.]
Requirement 10: Track and monitor all access
to network and cardholder data
[Diagram: the sample network environment, with the components that address
Requirements 1 through 10 highlighted (CS-MARS, IronPort, PostX, ACS).]
Requirement 11: Regularly test security
systems and processes
[Diagram: the sample network environment, with the components that address
Requirements 1 through 11 highlighted.]
Requirement 12: Maintain a policy that
addresses information security
[Diagram: the sample network environment, with the components that address
all twelve requirements highlighted, and the policies applied across them.]
Applying IIN Components to PCI
Product Details
Cisco Security Routers:
Addressing PCI Requirements
Applies to PCI Requirements 1, 2, 4, 6, 10, 11
Integrates PCI controls into the network infrastructure
Reduces complexity: fewer products to manage
Enables future business initiatives
Integrated services on the Cisco® Security Router, the core platform for PCI:
SSL and IPsec VPN
Application firewall
Intrusion prevention
Network Admission Control
URL filtering
IP telephony
Wireless
Network Foundation Protection
WAN backup
Cisco Security Routers:
Addressing PCI: Core Platform
Applies to PCI Requirements 1, 2, 4, 6, 10, 11
SSL and IPsec VPN: encrypt transmission of all cardholder data
Application firewall: limit access to cardholder resources, hide internal IP
addresses (NAT), stateful firewall between wired and wireless, block unused
ports
Intrusion prevention: network IDS/IPS
Network Admission Control
URL filtering
Wireless: reduce devices with an integral WAP, WPA
Network Foundation Protection: all systems secured (AutoSecure, secure
management)
IP telephony: integrated Call Manager, VoIP
WAN backup: business resiliency
Cisco® Security Routers: Core Platform for PCI
Secure Router
Addresses PCI Requirement 1, 2, 4, 6, 10, 11
1. Stateful IOS firewall separates wired and wireless networks
2. Apply NSA guidelines for secure router configuration with one click:
AutoSecure (or network-wide with NCM)
4. Provides high-performance encryption of sensitive data
6. Offers secure device management (HTTPS, SSH, SCP, etc.)
10. Provides forensic logging using NetFlow and syslog
11. Integrates IPS for wired and wireless networks
Application inspection and URL filtering, exceeding PCI requirements
Integrated with other advanced technologies – VoIP & wireless in the
same platform
ASA
Addresses PCI Requirements 1, 2, 4, 6, 10, 11
1. Stateful IOS firewall separates wired and wireless networks
2. GUI device manager to change system default passwords
4. Provides high-performance encryption of sensitive data, ideal at headend and at larger remote locations that need a dedicated security device
6. Offers secure device management (HTTPS, SSH, SCP, etc.)
10. Anti-X capabilities protect against malicious attempts
11. Integrates IPS for wired and wireless networks
Application inspection and URL filtering, exceeding PCI requirements
Catalyst 6500/Cisco 7600
Security Service Modules
Addresses PCI Requirements 1, 2, 3, 6, 11, 12
Similar to ASA, appropriate for large enterprises and service providers
Cisco Security Agent
PC and Server Protection
Desktop Protection:
• Distributed Firewall
• Day Zero Virus/Worm Protection
• File Integrity Checking
• Application security
• Policy Enforcement
Server Protection:
• Host-based Intrusion Prevention
• Day Zero Virus/Worm Protection
• Operating System Hardening
• Web Server Protection
• Security for other applications
• Application Data Protection
Cisco Security Agent
Addresses PCI Requirements 1, 2, 3, 5, 6, 7, 10, 11, 12
1. Personal firewall on end devices
2. Disables unnecessary and insecure services, protocols and functionality on servers
3. Data Theft Prevention Rule protects stored data on servers and clients, as well as prohibits copying/tampering of information
5. Augments anti-virus software via Day Zero protection
6. Protects devices during security patch testing and enables an effective patch management process
7. Data Theft Prevention Rule allows only authorized users access to information
10. Can maintain per-system audit logs, providing a forensic behavior trail
11. Provides host-based intrusion prevention, and performs file integrity monitoring & protection against unauthorized modification
Network Admission Control
(Figure: end user on wired, wireless, or IPSec/SSL VPN; Network Access Device; Authentication Server; NAC Appliance Clean Access Server and Clean Access Manager posture assessment; identity, device and network security checks)
1. End user attempts to access a network. Network access is blocked until the end user provides login information; the user is redirected to a login page.
2. User login validated. Device scanned to assess vulnerabilities and posture.
3a. Device is noncompliant: user is denied network access and assigned to a quarantine role. Device remediation takes place.
3b. Device is compliant: machine gets on the “clean list” and is granted access to the network.
Cisco NAC Appliance
Addresses PCI Requirements 5, 6, 11, 12
5. Checks that anti-virus software on the end point is up to date and consistent with current security policy
6. Checks to ensure that all relevant security patches are installed on the end device
11. Prevents unauthorized access to the network from the inside
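The admission flow on the preceding slides (login gate, posture scan, quarantine or clean list) and the NAC Appliance checks for anti-virus currency and patch level, as an added simulation that is not Cisco NAC code; the policy values, credential store and sample devices are constructed for the example.

```python
"""Added example (not Cisco NAC Appliance code): simulate the NAC admission
flow from the slides. Policy, directory and sample devices are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Device:
    name: str
    user: str
    password: str                  # constructed sample credential
    av_signature_date: date        # last anti-virus signature update
    patches_installed: set[str]    # patch identifiers present on the endpoint


@dataclass
class NacPolicy:
    max_av_age_days: int           # how stale AV signatures may be (req. 5)
    required_patches: set[str]     # patches that must be present (req. 6)
    as_of: date                    # fixed "today" so the assessment is deterministic


@dataclass
class Decision:
    role: str                      # "blocked", "quarantine" or "access"
    reasons: list[str] = field(default_factory=list)
    audit: list[str] = field(default_factory=list)   # forensic trail (req. 10)


# Constructed credential store standing in for the authentication server.
DIRECTORY = {"alice": "correct-horse", "bob": "battery-staple"}


def posture_assessment(dev: Device, policy: NacPolicy) -> list[str]:
    """Step 2: return the policy failures found on the device (empty = compliant)."""
    failures = []
    age = (policy.as_of - dev.av_signature_date).days
    if age > policy.max_av_age_days:
        failures.append(f"anti-virus signatures {age} days old")
    missing = sorted(policy.required_patches - dev.patches_installed)
    if missing:
        failures.append("missing patches: " + ", ".join(missing))
    return failures


def admit(dev: Device, policy: NacPolicy) -> Decision:
    d = Decision(role="blocked")
    # Step 1: nothing passes the network access device until the login validates.
    if DIRECTORY.get(dev.user) != dev.password:
        d.reasons.append("login failed")
        d.audit.append(f"{dev.name}: login for {dev.user} rejected; access blocked")
        return d
    d.audit.append(f"{dev.name}: login for {dev.user} validated")
    failures = posture_assessment(dev, policy)       # Step 2
    if failures:                                     # Step 3a: quarantine role
        d.role, d.reasons = "quarantine", failures
        d.audit.append(f"{dev.name}: quarantine role: " + "; ".join(failures))
    else:                                            # Step 3b: clean list
        d.role = "access"
        d.audit.append(f"{dev.name}: placed on clean list; access granted")
    return d


# Constructed sample policy and endpoints.
POLICY = NacPolicy(max_av_age_days=7, required_patches={"KB-A", "KB-B"},
                   as_of=date(2007, 10, 3))
CLEAN = Device("pos-01", "alice", "correct-horse", date(2007, 10, 1), {"KB-A", "KB-B"})
STALE = Device("laptop-07", "bob", "battery-staple", date(2007, 9, 1), {"KB-A"})
BAD_LOGIN = Device("guest-pc", "mallory", "guess", date(2007, 10, 3), {"KB-A", "KB-B"})

if __name__ == "__main__":
    for dev in (CLEAN, STALE, BAD_LOGIN):
        print(admit(dev, POLICY))
```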
IronPort
Email & Content Security At Work
IronPort Customer Use Cases
Intellectual Property Protection (NPI Data)
Policy rules for specific senders/recipients
Block messages containing confidential data
Acceptable Use Policy Enforcement
Block profanity
Email attachment controls (size, type, content)
Legal disclaimers on specific messages
Archive specific messages
Regulatory Compliance
Scan for PHI/NPI and block infractions
Secure business partner communication
Compliance quarantines for remediation policies
IronPort Content Security
Overview
Powerful attachment scanning technology for Intellectual Property Protection (NPI Data)
Complete on-box or off-box end user to end user encryption capability
Turnkey solution for Regulatory Compliance (HIPAA, SOX, etc.)
Flexible system for creating and enforcing corporate Acceptable Use Policy
IronPort Email Encryption
The Easiest Path to Protecting Confidential Email
Universal Reach: send to any email user
Auditable Policy Enforcement
Content scanning at gateway drives encryption
Does not rely on or require user action
Easiest to use
Transparent to sender
No client software for sender or receiver
Easiest to Deploy and Manage
No client software
Hosted key management system
IronPort
Addresses PCI Requirements 4, 7, 10, 12
4. Enforces encryption of confidential information
7. Restricts access to cardholder data
Data Theft Prevention Rule allows only authorized users to access/send/open confidential information
10. Tracks and Monitors access to cardholder data
12. Demonstrates/maintains security policy
Cisco Wireless Access Points
Addresses PCI Requirements 2, 4, 6, 11, 12
2. WPA encryption support
4. WPA encryption support
11. Wireless intrusion detection support within wireless access points
Cisco Secure MARS
Monitor, Analysis and Response System
Reduced Complexity: simple to install solution; simple licensing, no software agents; appliance based; multi-vendor support
Visualization: visualize attack paths and identify network hot spots; know “what, where, and how” of threats
Powerful monitoring, analysis, response system: identifies valid incidents and minimizes false positives; correlates events from multiple sources such as vulnerability assessment and NetFlow data to detect anomalies
Higher network availability: identify day-zero attacks, reduce resolution time
Mitigation of Attacks: mitigate attacks by isolating switch ports and applying ACLs closest to source; leverage the intelligence in the network to enforce security policies
Lower TCO
CS-MARS
Multi-vendor event correlation
Network-wide security monitoring, attack visualization and response
Addresses PCI Requirements 10, 11, 12
Receives logs, alerts, audit trails from systems throughout the network and creates reports to use for compliance
Must review device logs. Provides correlation, aggregation and comparisons of information
Gather/analyze NetFlow data
Generate incident reports
Immediate incident response: CS-MARS defines the appropriate mitigation response
CS-MARS
Addresses PCI Requirements 10, 11, 12
10. Receives logs, alerts, audit trails from systems throughout the network and creates reports to use for compliance
Creates operational efficiencies for log review
11. Provides correlation, aggregation and comparisons of information
CS-MARS is the primary tool for reducing costs and increasing reporting efficiencies around maintaining compliance
Cisco Security Manager
Multi-product, multi-technology configuration
VPN Administration: VPN Wizard setup; site-to-site, hub-spoke and full mesh VPNs with a few mouse clicks; configure remote-access VPN, DMVPN, and Easy VPN devices
Superior Usability: administer policies visually on tables or topology map; Jumpstart help, an extensive animated learning tool; flexible management views (policy-based, device-based, map-based, VPN-based)
Policy Administration: centrally provision policies for firewalls, VPNs and IPS; very scalable; intelligent analysis of policies; sophisticated rule table editing; powerful device grouping options; role-based access and change control
IPS Administration: automatic updates to the IPS sensors; support for Outbreak Prevention Services
Firewall Administration: configure policies for ASA, PIX, FWSM and IOS; single rule table for all platforms; Policy Inheritance feature enables consistent policies across the enterprise; compresses the number of access rules required
Cisco Security Manager (CSM)
Addresses PCI Requirements 11, 12
11. Provides comparisons of configurations (diffs)
12. Maintains a Security Policy (FW, IDS, VPN, Switches)
Cisco Secure Access Control Server
(ACS)
AAA logging/Audit: Who, What, When
Support strong password requirements/change mgmt.
Two-Factor authentication
Administration authentication, access rights
Network device authentication
Cisco Access Control Server
Addresses PCI Requirements 8, 10, 12
8. Provides authentication, authorization, and accounting (AAA) for network devices through TACACS+. Provides a unique username for all users
10. Maintains a forensic audit trail of who accessed the network, what they did, and when they did it
Network Compliance Manager
Addresses PCI Requirements 10, 12
10. Maintains a forensic audit trail of who accessed the network, what they did, and when they did it
Alerts on configuration modifications, deviations
Full audit trail
Validates configuration against NSA, SAFE, best practice
Tracks system compliance metrics
Demonstrable controls
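The configuration diff (CSM, requirement 11) and best-practice validation with deviation alerts (NCM) described on these two slides, as an added example that is not Cisco NCM or CSM code; the IOS-style baseline and running configurations and the five-item hardening checklist are constructed assumptions for the example.

```python
"""Added example (not Cisco NCM/CSM code): diff a running configuration
against its approved baseline and validate it against a small, assumed
hardening checklist. Both configurations and the checklist are constructed."""
import difflib

# Constructed IOS-style baseline, as approved through change control.
BASELINE = """\
hostname store-rtr-01
service password-encryption
no ip http server
ip http secure-server
ip ssh version 2
logging host 10.0.0.5
ip flow-export destination 10.0.0.6 9996
line vty 0 4
 transport input ssh
"""

# Constructed running config: an undocumented change re-enabled plain HTTP
# and Telnet management and dropped the syslog destination.
RUNNING = """\
hostname store-rtr-01
service password-encryption
ip http server
ip http secure-server
ip ssh version 2
ip flow-export destination 10.0.0.6 9996
line vty 0 4
 transport input telnet ssh
"""

# Assumed checklist: (description, required line prefix, forbidden exact line).
CHECKLIST = [
    ("SSH v2 for encrypted management (req. 2)", "ip ssh version 2", None),
    ("no cleartext HTTP management (req. 2)", None, "ip http server"),
    ("SSH-only vty access (req. 2)", " transport input ssh", None),
    ("syslog export for audit trail (req. 10)", "logging host", None),
    ("NetFlow export for forensics (req. 10)", "ip flow-export destination", None),
]


def config_lines(text: str) -> list[str]:
    """Split a config into non-blank lines, keeping IOS sub-mode indentation."""
    return [ln.rstrip() for ln in text.splitlines() if ln.strip()]


def config_diff(baseline: str, running: str) -> list[str]:
    """Lines where the running config deviates from the baseline ('+' added, '-' removed)."""
    diff = difflib.unified_diff(config_lines(baseline), config_lines(running),
                                lineterm="", n=0)
    return [ln for ln in diff
            if ln[:1] in ("+", "-") and not ln.startswith(("+++", "---"))]


def check_config(running: str) -> list[str]:
    """Return the descriptions of failed checklist items (empty = compliant)."""
    lines = config_lines(running)
    failed = []
    for desc, required, forbidden in CHECKLIST:
        if required and not any(ln.startswith(required) for ln in lines):
            failed.append(desc)
        if forbidden and forbidden in lines:
            failed.append(desc)
    return failed


if __name__ == "__main__":
    print("\n".join(config_diff(BASELINE, RUNNING)))   # deviation alert
    print(check_config(RUNNING))                        # failed best-practice checks
```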
Audit Process
and Lessons
Learned
Audit Process
Assessment and ROC
The QSA’s Assessment report is the written response to the audit process.
For areas that do not pass, they will recommend compensating controls.
Remediation services are typically required after the audit.
After audit and remediation, the retailer can submit their Report of Compliance for review by a PCI company (e.g., Visa, MasterCard) for final approval.
Audit Process
Best Practices for Retailers
Be proactive - collecting information required for the audit in advance can shorten the process
Study a sample ROC - it shows the whole specification and helps clarify which areas to focus on
Centralized network management tools save time and costs in managing remote device configurations
Partner with your Qualified Security Assessor (QSA)
The QSA is strategic to becoming PCI compliant.
Most companies will not pass on the first try
Understand the QSA’s process and their approach to the audit and remediation.
Design Validation
Lessons learned
ISR is ideal for retail because it addresses many PCI requirements in a single device – Router, FW, IDS
MARS reduces labor requirements for event correlation
Wireless scanning for rogue AP detection is required – whether a WLAN is installed or not. (PCI 11.1b)
WCS, ACS and MARS require compensating controls for administrative authentication
“CSA was impressive” – it ensures file integrity of audit logs on systems that had no file integrity system
Source: Cybertrust auditor Dec 2006
Summary
Enterprises are still struggling with compliance, as evidenced by fines, lawsuits, and breaches
The IIN plays a critical role in addressing various compliance programs…internal, regulatory, or commercial
PCI DSS can be leveraged for other compliance programs
Cisco continues to provide customers with a framework for compliance
Reference &
Supplemental Material
Links
Compliance related on Cisco.com
http://www.cisco.com/pcgibin/search/search.pl?searchPhrase=compliance&accessLevel=Guest&language=en&country=US&Search+All+Cisco.com=cisco.com
Cisco’s PCI for Retail architectures
http://www.cisco.com/web/strategy/retail/pci.html
VISA CISP website
http://usa.visa.com/merchants/risk_management/cisp.html
SANS
www.sans.org
PCI Solution Product Alignment
(Table columns: Product Alignment | Solution Feature / PCI Value)
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  Integrated Service Router (ISR) | Network security (firewall segmentation/filtering), stateful filtering
  CiscoWorks (LMS), CSM | Configuration management/secure configurations
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  ISRs, switches, wireless devices, WCS, ACS, CiscoWorks (LMS), CSA, CSM | Vendor defaults changed
  WCS/wireless controllers | Wireless security (WPA/WPA2, SSID broadcast disabled)
  ISRs, switches, wireless controllers (CSA Manager, CSM, CiscoWorks (LMS)) | Best practice security parameters enabled
  ISRs, switches, wireless controllers (CSA Manager, CSM, CiscoWorks (LMS), CS-MARS, ACS, WCS) | Non-console encrypted administrative access
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
  Wireless controllers | WPA wireless security
Requirement 5: Use and regularly update anti-virus software or programs.
  Cisco Security Agent | Anti-virus protection, malware/spyware protection, alerting
Requirement 6: Develop and maintain secure systems and applications.
  CiscoWorks (LMS), CSM (Workflow mode) | Change control
Requirement 7: Restrict access to cardholder data by business need-to-know.
  ISRs, switches, wireless controllers, CSA Manager, CSM, CiscoWorks (LMS), CS-MARS, ACS, WCS | Least-privilege, role-based access
Requirement 8: Assign a unique ID to each person with computer access.
  ISRs, switches, wireless controllers, CSA Manager, CSM, CiscoWorks (LMS), CS-MARS, ACS, WCS | Unique user IDs, authenticated access, encrypted passwords, no group/shared IDs/passwords
  ISRs, switches, wireless controllers, CSA Manager, CSM, CiscoWorks (LMS), CS-MARS, ACS | Password strength requirements
  ISRs, switches, wireless controllers, CSA Manager, CSM, CiscoWorks (LMS), CS-MARS, ACS | Account lockout requirements
Requirement 10: Track and monitor all access to network resources and cardholder data.
  ISRs, switches, wireless devices, WCS, ACS, CiscoWorks (LMS), CSA | Audit trails, time synchronization
Requirement 11: Regularly test security systems and processes.
  Wireless controllers | Rogue wireless AP/device detection
  ISRs (sensor), CSM (policy, signature updates) | Network IDS
  CSA | Host-based IDS
  CSA | File integrity
GLBA
Financial Privacy
The Gramm-Leach Bliley Act
The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes
provisions to protect consumers’ personal financial information held by financial institutions. There are three
principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting
provisions.
The GLB Act gives authority to eight federal agencies and the states to administer and enforce the Financial
Privacy Rule and the Safeguards Rule. These two regulations apply to "financial institutions," which include
not only banks, securities firms, and insurance companies, but also companies providing many other types of
financial products and services to consumers. Among these services are lending, brokering or servicing any
type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial
advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and
an array of other activities. Such non-traditional "financial institutions" are regulated by the FTC. For more
information on the types of financial activities covered, click here.
The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information by
financial institutions. It also applies to companies, whether or not they are financial institutions, who receive
such information. For a summary overview of the Financial Privacy Rule, see In Brief: The Financial Privacy
Requirements of the Gramm-Leach-Bliley Act.
The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect
customer information. The Safeguards Rule applies not only to financial institutions that collect information from
their own customers, but also to financial institutions "such as credit reporting agencies" that receive customer
information from other financial institutions.
The Pretexting provisions of the GLB Act protect consumers from individuals and companies that obtain their
personal financial information under false pretenses, a practice known as "pretexting."
Which Cisco Products and Solutions Help Address the SOX Requirements?
Intrusion Detection and Prevention—Cisco IPS 4200 Series Sensors, Cisco Integrated Services Routers with Security Bundle, Cisco ASA 5500 Series Adaptive Security Appliances, Cisco Catalyst® Security Services Modules
Logging, Authentication, Access Control—Cisco Secure Access Control Server (ACS), Cisco Security Agent, Cisco Security Mitigation, Analysis and Response System (MARS)
Antivirus Policy—Cisco ASA 5500 Series, Cisco Firewall Services Module, Integrated Services Routers, Cisco IPS 4200 Series, Cisco Security Agent
Remote-Access Policy—Cisco ASA 5500 Series, Cisco Integrated Services Routers
Configuration Policy—Cisco Security Device Manager (Security Bundles), Cisco Security Agent, Cisco Security MARS, Cisco Security Manager, Network Admission Control
Regular Vulnerability Assessment
Network Compliance Manager
Which Cisco Products and Solutions Help Address the GLBA Requirements?
Protect Against Unauthorized Access
Cisco Access Control Servers, 802.1x, Network Admission Control, Cisco Integrated Services Routers, Cisco ASA 5500 Series Adaptive Security Appliances
Secure Data Exchange with Affiliates and Service Providers
VPNs (such as those using IP Security, DMVPN, and Secure Sockets Layer VPN technologies), Cisco ASA 5500 Series & ISRs, IronPort PostX
Detecting, Preventing, and Responding to Attacks and Intrusions
Cisco Security Monitoring, Analysis and Response System, Cisco IPS solutions, Cisco Security Agent, Cisco Security Manager
Implement, Test, and Adjust a Security Plan on a Continuing Basis
Cisco Network Compliance Manager, Configuration Assurance Solution, Cisco Security Posture Assessment, and Penetration Testing Services
Which Cisco Products and Solutions Help Address the HIPAA Requirements?
Protect Against Unauthorized Access
Cisco Access Control Server, 802.1x, Network Admission Control, Cisco Integrated Services Routers, Cisco ASA 5500 Series Adaptive Security Appliances
Secure Data Exchange with Affiliates and Service Providers
VPNs (such as those using IP Security, DMVPN, and Secure Sockets Layer VPN technologies), IronPort PostX
Detecting, Preventing, and Responding to Attacks and Intrusions
Cisco Security Monitoring, Analysis and Response System, Cisco Intrusion Prevention System solutions, Cisco Security Agent, Cisco Security Manager
Implement, Test, and Adjust a Security Plan on a Continuing Basis
Cisco Security Posture Assessment and Penetration Testing Services, Network Compliance Manager, Configuration Assurance Manager