Thursday, July 26, 2007

10 Questions To Ask During An Information Security Interview

I’m getting ready to help screen some candidates for an information security consultant position, and I decided to jot down a few questions to ask. These won’t be the only questions being asked, of course, but just a few that came to mind. Anyway, I thought they were worth sharing.

The key here for me is not so much getting the perfect technical answer, but more so not getting a lame one. In other words, we’re looking to filter out those who don’t have the right skills and/or mindset rather than guarantee a good fit. I’ll highlight the things I’m looking for with each question.

  1. Where do you get your security news from?

    Here I’m looking to see how in tune they are with the security community. Answers I’m looking for include RSS feeds for solid sites like rootsecure, secguru, astalavista, whitedust, internet storm center, etc. The exact sources don’t really matter. What does matter is that he doesn’t respond with, “I go to the CNET website.” (and nothing else). It’s these types of answers that will tell you he’s likely not on top of things.

  2. If you had to both encrypt and compress data during transmission, which would you do first, and why?

    If they don’t know the answer immediately it’s ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn’t know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: “Compress then encrypt. If you encrypt first you’ll have nothing but random data to work with, which will destroy any potential benefit from compression.”

  3. What kind of computers do you run at home?

    Good answers here are anything that shows you he’s a computer/technology/security enthusiast and not just someone looking for a paycheck. So if he’s got multiple systems running multiple operating systems you’re probably in good shape. What you don’t want to hear is, “I like to leave my computers at work.” I’ve yet to meet a serious security guy who doesn’t have a considerable home network.

  4. What port does ping work over?

    A trick question, to be sure, but an important one. If he starts throwing out port numbers you may want to immediately move to the next candidate. Hint: ICMP is a layer 3 protocol (it doesn’t work over a port). A good variation of this question is to ask whether ping uses TCP or UDP.

  5. How exactly does traceroute/tracert work?

    This is a fairly technical question but it’s an important concept to understand. It’s not natively a “security” question really, but it shows you whether or not they like to understand how things work, which is crucial for an infosec professional. If they get it right you can lighten up and offer extra credit for the difference between Linux and Windows versions. The key point people usually miss is that each packet that’s sent out doesn’t go to a different place.

    Many people think that it first sends a packet to the first hop, gets a time. Then it sends a packet to the second hop, gets a time, and keeps going until it gets done. That’s incorrect. It actually keeps sending packets to the final destination; the only change is the TTL that’s used. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.

  6. Describe the last program or script that you wrote. What problem did it solve?

    This is a trick as well. All we want to see is if the color drains from the guy’s face. If he panics then we not only know he’s not a programmer (not necessarily bad), but that he’s afraid of programming (bad). I know it’s controversial, but I think that any high-level security guy needs some programming skills. They don’t need to be a God at it, but they need to understand the concepts and at least be able to muddle through some scripting when required.

  7. What are Linux’s strengths and weaknesses vs. Windows?

    Look for biases. Does he absolutely hate Windows and refuse to work with it? This is a sign of an immature hobbyist who will cause you problems in the future. Is he a Windows fanboy who hates Linux with a passion? If so just thank him for his time and show him out. Linux is *everywhere* in the security world.

  8. What’s the difference between a risk and a vulnerability?

    As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional.

  9. What’s the goal of information security within an organization?

    This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. “To control access to information as much as possible, sir!” While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I’m looking for. A much better answer in my view is something along the lines of, “To help the organization succeed.”

    This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding — a realization that security is there for the company and not the other way around.

  10. Are open-source projects more or less secure than proprietary ones?

    The answer to this question is often very telling about a given candidate. It shows 1) whether or not they know what they’re talking about in terms of development, and 2) it really illustrates the maturity of the individual (a common theme among my questions).

    My main goal here is to get them to show me pros and cons for each. If I just get the “many eyes” regurgitation then I’ll know he’s read Slashdot and not much else. And if I just get the “people in China can put anything in the kernel” routine then I’ll know he’s not so good at looking at the complete picture.

    The ideal answer involves the size of the project, how many developers are working on it (and what their backgrounds are), and most importantly — quality control. In short, there’s no way to tell the quality of a project simply by knowing that it’s either open-source or proprietary. There are many examples of horribly insecure applications that came from both camps.

The goal of these questions is to get a feel for how the person thinks and approaches problems — not so much how strong they are technically (that’s a different set of questions). My friend Arik put it nicely:

Don’t forget that security is mostly an attitude, or actually a way of life, and only secondly knowledge.

Posted by Daniel Miessler
http://dmiessler.com/jobs/10-questions-to-ask-during-an-information-security-interview
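The compress-then-encrypt answer to question 2 can be checked directly. This is an added example, not part of the original post: it processes a constructed, repetitive HTTP-like sample in both orders, using a toy SHAKE-256 keystream cipher purely as a stand-in for a real cipher (its output is random-looking, which is the only property the comparison depends on).

```python
import hashlib
import zlib

# Constructed sample traffic: 40 repetitions of an HTTP-like request (about 3.5 KB).
SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
          b"User-Agent: demo/1.0\r\nAccept: text/html\r\n\r\n") * 40


def toy_stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHAKE-256 keystream (toy stand-in for a real cipher).

    Encryption and decryption are the same operation. It is here only to
    produce output indistinguishable from random bytes; it is not a cipher
    to protect data with.
    """
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def compress_then_encrypt(key, nonce, data):
    """The right order: the compressor sees the redundancy, the cipher hides the result."""
    return toy_stream_cipher(key, nonce, zlib.compress(data, 9))


def decrypt_then_decompress(key, nonce, blob):
    """Receiver side of compress_then_encrypt."""
    return zlib.decompress(toy_stream_cipher(key, nonce, blob))


def encrypt_then_compress(key, nonce, data):
    """The wrong order: the compressor only ever sees random-looking bytes."""
    return zlib.compress(toy_stream_cipher(key, nonce, data), 9)


def compare_orders(data=SAMPLE, key=b"\x01" * 32, nonce=b"\x02" * 16):
    """Return the number of bytes that would go on the wire for each order."""
    return {
        "plaintext": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(key, nonce, data)),
        "encrypt_then_compress": len(encrypt_then_compress(key, nonce, data)),
    }


if __name__ == "__main__":
    for label, size in compare_orders().items():
        print(f"{label:>22}: {size} bytes")
```

Compressing first is the right order for bandwidth, but the compressed length then depends on the plaintext content, which is a known information leak when an attacker can influence part of the input; TLS 1.3 removed protocol-level compression for that reason.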

ISO 27001: Frequently asked questions

What is information security?
Information security is the protection of information to ensure:

  • Confidentiality: ensuring that the information is accessible only to those authorized to access it.
  • Integrity: ensuring that the information is accurate and complete and that the information is not modified without authorization.
  • Availability: ensuring that the information is accessible to authorized users when required.

Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organizational structures, and software and hardware functions).

What is an ISMS?
An Information Security Management System (ISMS) is a management system based on a systematic business risk approach, to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational approach to information security. ISO/IEC 27001 (BS 7799) is a standard for information security that focuses on an organization’s ISMS. Other standards for information security are much more specific and have a different focus:

  • IT systems (FISMA and ISO 13335-2)
  • Product (Common Criteria, ISO 15408, FIPS 140-2)

Why should I certify my ISMS?
Certification of a management system brings several advantages. It gives an independent assessment of your organization’s conformity to an international standard that contains best practices from experts for ISMS. A certified ISMS does not guarantee compliance with legislative and local policies, but provides a systematic platform to build on.

Drivers for certification include:

  • Meeting U.S. legislative requirements directly:
    • Sarbanes-Oxley Act of 2002, Section 404
    • SAS/70 requirements
    • HIPAA requirements (Security rule)
    • Gramm Leach Bliley Act of 2002
    • California’s privacy laws including SB 1436
  • Meeting legislative and regulatory requirements indirectly:
    • Privacy legislation
    • Managing the need to meet international legislative requirements
  • As part of a supplier management program:
    • Some major corporations prefer suppliers that can prove they meet best-practice standards.
    • In some industries, certification is demanded by customers. This is often seen in finance related industries, data centers, and online service providers.
  • As a measure and independent evidence that industry best practices are being followed.
  • To reduce insurance premiums:
    • In some cases insurance premiums can be reduced if you can prove that you meet the best practice standards
  • As part of a corporate governance program
    • Corporations must take care to meet the best practices and often need to show stakeholders such as sponsors, shareholders, and financers that they take good care of information security.
  • May offer competitive advantage; ISO/IEC 27001 (BS 7799) certification might be a differentiating factor between you and your competition.

What is the history and future of the standards?
The ISMS standard was first published as British Standard (BS) 7799 in two parts:

  • The code of practice: BS 7799-1, which later became ISO/IEC 17799 and is planned to be renumbered as ISO/IEC 27002.
  • The management system that can be used as a standard for certifying an organization, which was originally published as BS 7799-2 and has been released as an international standard, ISO/IEC 27001.

Throughout this FAQ we emphasize the new names for the standards.

What are the main concepts of ISO/IEC 27001 (BS7799)?

  • All activities must follow a method. The method is arbitrary but must be well defined and documented.
  • The standard requires a company to specify its own security goals. An auditor will verify whether these requirements are fulfilled.
  • All security measures shall be the result of a risk analysis.
  • The standard offers a set of security controls. It is up to the organization to choose which controls to implement based on the specific needs of their business.
  • A process must ensure the continuous verification of all elements of the security system through audits and reviews.
  • A process must ensure the continuous improvement of all elements of the security system.

What is ISO/IEC 27001 (BS 7799), and how does an ISMS relate to it?
British Standard 7799 (BS 7799) is an internationally-recognized standard describing the protection of information assets:

  • ISO/IEC 17799 (also known as BS 7799 Part 1), a code of practice for information security management. It will be renumbered to ISO/IEC 27002.
  • BS 7799 Part 2, the specification for an ISMS that can be used as the basis for certification. It has been adopted as an international standard, ISO/IEC 27001.

Why does ISO/IEC 17799 (BS 7799 Part 1) matter?
ISO/IEC 17799 is a code of practice for information security managers. It matters because it documents the best-practice security objectives and the associated controls (safeguards) that help support those objectives. This part of the standard will be renumbered ISO/IEC 27002 in 2007.

Why does ISO/IEC 27001 (BS 7799 Part 2) matter?
ISO/IEC 27001 (BS 7799 Part 2) is the specification for an ISMS. It explains how to apply ISO/IEC 17799. It matters because it provides the standard against which certification is performed including a list of mandatory documents. An organization that seeks ISO/IEC 27001 certification is examined against the management system standard.

How does ISO/IEC 27001 (BS 7799) relate to other management system standards (ISO 9001 and 14001)?
ISO/IEC 27001 (BS 7799-2) is aligned with both the ISO 9001 (quality management systems) and ISO 14001 (environmental management systems) standards. The three standards share system elements and principles, including adopting the PLAN, DO, CHECK, ACT cyclic process. This approach makes it possible to integrate the systems to the extent it makes sense.

Why should I invest in implementing an ISMS and certifying it using ISO/IEC 27001 (BS 7799-2)?
If information assets are important to your business, you should consider implementing an ISMS in order to protect those assets within a sustainable framework.

If you implement an ISMS, you should consider going through the process to be certified against the ISO/IEC 27001 standard. ISO/IEC 27001 and BS 7799 continue to build a reputation for helping to model business practices that enhance an organization’s ability to protect its information assets. A growing number of organizations around the world have already gone through the certification process.

How can I get a copy of the standards?
The standards are copyright protected text and must be purchased.

For ISO standards including ISO/IEC 27001, contact ANSI.

Or you can purchase from ISO directly.

Risk Assessment and Risk Management
A responsible organization will assess the risk to its identified information assets, make decisions about which risks are intolerable and therefore need to be controlled, and manage the residual risks through carefully-considered policies and procedures.

What is risk assessment?
Risk assessment is the process of identifying risks by analyzing threats to, impacts on, and vulnerabilities of information and information systems and processing facilities, and the likelihood of their occurrence.

What is risk management?
Risk management is the process of identifying, controlling, and minimizing or eliminating security risks.

Why are risk assessment and risk management relevant to information security?
In the real world, the cost of protecting information must be balanced against the potential cost of security breaches. A company must fully understand the security risks it faces in order to determine the appropriate management action and to implement controls selected to protect against these risks.

How is risk assessment related to ISO/IEC 27001 (BS 7799)?
Selecting the right set of controls requires the use of a risk assessment-based approach. This approach is a mandatory part of the PLAN (identify, analyze and evaluate the risks), DO (select, implement, and use controls to manage the risks to acceptable levels), CHECK, and ACT cyclic process defined in BS 7799-2 for the establishment, implementation, and maintenance of an ISMS.

Does ISO/IEC 27001 (BS 7799) define the methodology for risk assessment?
The standard specifies only that the organization should use a systematic approach to risk assessment (method of risk assessment, legal requirements, policy and objectives for reducing the risks to an acceptable level). A specific methodology is not prescribed; here are some published examples:

  • ISO/IEC 13335 (Management of information and communications technology security)
  • NIST SP 800-30 (Risk Management Guide for Information Technology Systems) http://csrc.nist.gov/publications/nistpubs/

After implementation, must the organization re-assess risks?
An organization that manages change effectively has a better chance of survival. The PDCA process model provides a means of assessing the risks an organization is challenged with as a result of changes in the business environment.

Certification

What is ISMS certification?
ISO/IEC 27001 is the standard that specifies an ISMS. A third party can audit an ISMS and, if satisfied that it conforms, certify that the organization is compliant with this standard.

What is a certification body (CB)?
A certification body (also called a registration body, assessment and registration body, or registrar) is an independent third party that assesses and certifies that the ISMS of an organization meets the requirements of the standard.

Who accredits certification bodies?
Accreditation organizations have the responsibility of assessing the competence of certification bodies to perform ISMS assessments. These accreditation organizations are often, but not always, national in scope. Examples of accreditation bodies are ANAB, UKAS, and DAR.

It is vital that your certification body is accredited by a reputable accreditation organization; otherwise your certificate might be worthless.

What is the Certification Process?
1. Assess if your ISMS is ready for certification.

  • Is your ISMS conformant with the standard?
  • Do you need to do work to get it ready?

2. Identify an accredited CB:

  • Find a CB (many are listed on www.us-isms.org).
  • Agree and sign a contract with the CB (generally this is a 3-year commitment).
  • Agree on the schedule.

3. Go through the audit process:

  • Stage 1 audit (also known as a desktop audit). Here the CB examines the mandatory ISMS documentation.
  • Take action on the results of the stage 1 audit.
  • Stage 2 audit (on-site audit). Here your CB sends an audit team to examine your implementation of the ISMS.
  • Address audit findings and agree on a surveillance audit schedule.

4. When your ISMS is found to be conformant, the CB recommends to its validating committee that the ISMS is compliant with the standard, and if the validation committee agrees, it issues the certificate. (Depending on the organization this can take a few weeks to several months.)

5. Go through the surveillance audits as scheduled with the CB.

6. Keep your CB informed of any significant changes affecting your ISMS.

7. Re-certification after three years.

How long is a certificate valid?
Usually certificates have a limited validity only. The maximum term of validity is three years.

Will I be supervised by the certification body?
Yes. The certification body will conduct regular continuing assessments of your ISMS. You are also obliged to announce major changes of your ISMS. The certification body will then decide on the necessity of additional checks.

Can a certificate be withdrawn?
Yes. In the case of a minor non-conformity, the auditor will require you to write a corrective action plan and will verify its implementation. If identified non-conformities are not quickly eliminated, the certificate will be revoked.

Can I return a certificate?
Yes, but before you do so, contact your CB.

How do I choose a CB?
You could consider including the following factors as you make your choice from among available CBs:

  • Who are they accredited by?
  • Do they have expertise in your business area?
  • What resources do they have?
  • What is their schedule?
  • What is their reputation and do they have references?
  • What is the cost of certification?

What expertise does atsec have in ISMS?

  • atsec employees have over 500 years of experience in information security
  • atsec have consulted and implemented ISMS for many customers including Vodafone, Swisscom Mobile, and Axalto
  • atsec’s expertise is in demand – our consultants speak at international conferences and author books and articles about information security management.
  • atsec employees were and are members of standardization organizations including ISO:
    • Oliver Weissmann – Co-editor of ISO/IEC 17799, Active leadership role in WG1
    • Fiona Pattinson – INCITS CS1 Committee (US ISO SC27 TAG), US chapter of International ISMS Users Group co-chair
  • atsec mandates ISO/IEC 27001 (BS 7799) lead auditor training for ALL technical employees.
From: atsec information security

http://www.atsec.com/01/isms-iso-iec-27001-BS-7799-faq.html

Wireless LAN Security

From Wikipedia, the free encyclopedia

One issue with corporate wireless networks in general, and WLANs in particular, involves the need for security. Many early access points could not discern whether or not a particular user had authorization to access the network. Although this problem reflects issues that have long troubled many types of wired networks (it has been possible in the past for individuals to plug computers into randomly available Ethernet jacks and get access to a local network), this did not usually pose a significant problem, since many organizations had reasonably good physical security. However, the fact that radio signals bleed outside of buildings and across property lines makes physical security largely irrelevant to wardrivers. Such corporate issues are covered in wireless security.

Concerns

Anyone within the geographical network range of an open, unencrypted wireless network can sniff all the traffic and gain unauthorized access to internal network resources as well as to the Internet, possibly sending spam or doing other illegal actions using the owner's IP address. All of these are rare for home routers but may be significant concerns for office networks.

If router security is not activated, or if the owner deactivates it for convenience, it creates a free hotspot. Further, virtually all laptop PCs now have Wireless Networking built in (cf. Intel 'Centrino' technology), thus rendering redundant the need for a third-party adapter (usually a PCMCIA Card or USB dongle). These features might be enabled by default, without the owner ever realizing it, thus broadcasting the laptop's accessibility to any computer nearby.

Modern operating systems such as Linux, Mac OS, or Microsoft Windows XP as the 'standard' in home PCs make it very easy to set up a PC as a Wireless LAN 'basestation' and using Internet Connection Sharing, thus allowing all the PCs in the home to access the Internet via the 'base' PC. However, lack of knowledge about the security issues in setting up such systems often means that someone nearby, such as a next-door neighbor, may also use the internet connection. This is typically done without the wireless network owner's knowledge; it may even be without the knowledge of the intruding user if his computer automatically selects a nearby unsecured wireless network to use as an access point.

Conversely, weak as the default encryption of most routers may be, it often defeats a user's attempt to use his own laptop wirelessly at home.

Security options

There are three principal ways to secure a wireless network.

* For closed networks (like home users and organizations) the by far most common way is to configure access restrictions in the access points. Those restrictions may include encryption and checks on MAC address.
* For commercial providers, hotspots and large organizations, the preferred solution is often to have an open, unencrypted but completely isolated wireless network. The users will at first have no access to the internet nor to any local network resources. Commercial providers usually forward all web traffic to a captive portal which provides for payment and/or authorization. Another solution is to require the users to connect securely to a privileged network using VPN.
* Wireless networks are little more secure than wired ones; in many offices intruders can easily visit and hook up their own computer to the wired network without problems, gaining access to the network, and it's also often possible for remote intruders to gain access to the network through backdoors like Back Orifice. One general solution may be end-to-end encryption, with independent authentication on all resources that shouldn't be available to the public.

Access Control at the Access Point level

One of the simplest techniques is to only allow access from known, approved MAC addresses. However, this approach gives no security against sniffing, and client devices can easily spoof MAC addresses, leading to the need for more advanced security measures.

Another very simple technique is to have a secret ESSID (id/name of the wireless network), though anyone who studies the method will be able to sniff the ESSID.

Today all (or almost all) access points incorporate Wired Equivalent Privacy (WEP) encryption and most wireless routers are sold with WEP turned on. However, security analysts have criticized WEP's inadequacies, and the U.S. FBI has demonstrated the ability to break WEP protection in only 3 minutes using tools available to the general public (see aircrack).

The Wi-Fi Protected Access (WPA and WPA2) security protocols were later created to address these problems. If a weak password, such as a dictionary word or short character string is used, WPA and WPA2 can be cracked. Using a long enough random password (e.g. 14 random letters) or passphrase (e.g. 5 randomly chosen words) makes pre-shared key WPA virtually uncrackable. The second generation of the WPA security protocol (WPA2) is based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for FIPS 140-2 compliance. With all those encryption schemes, any client in the network that knows the keys can read all the traffic.
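The passphrase advice in the paragraph above follows from how WPA/WPA2-PSK turns a passphrase into the key that actually protects the network. This added example (not from the Wikipedia article) derives the 256-bit Pairwise Master Key as IEEE 802.11i specifies, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 iterations, checks it against the standard's published test vector, and compares the guess space of a single dictionary word with the two recommended passphrase styles; the dictionary and word-list sizes are assumptions.

```python
import hashlib
import math

PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LEN = 32              # 256-bit Pairwise Master Key

# Published IEEE 802.11i (Annex H) test vector: passphrase "password", SSID "IEEE".
TEST_PASSPHRASE = "password"
TEST_SSID = "IEEE"
TEST_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK the way every WPA-PSK station and access point does.

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    Because the SSID is the salt, the same passphrase yields a different PMK
    on every network name, so precomputed tables only work per SSID.
    """
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def matches_test_vector() -> bool:
    """Self-check of the derivation against the standard's test vector."""
    return wpa_pmk(TEST_PASSPHRASE, TEST_SSID).hex() == TEST_PMK_HEX


def guess_space_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy in bits of a passphrase whose symbols are chosen uniformly at random."""
    return symbols * math.log2(choices_per_symbol)


def passphrase_strength() -> dict:
    """Compare the guess spaces behind the article's advice.

    Assumed sizes (not from the article): a 100,000-word dictionary for the
    weak case and a 7,776-word list for the "5 randomly chosen words" case.
    Every guess costs a full 4096-iteration PBKDF2 run, so these bit counts
    are the work factor that separates "crackable" from "virtually uncrackable".
    """
    return {
        "single dictionary word": guess_space_bits(100_000, 1),
        "14 random letters": guess_space_bits(26, 14),
        "5 random words (7776-word list)": guess_space_bits(7776, 5),
    }


if __name__ == "__main__":
    print("test vector ok:", matches_test_vector())
    for label, bits in passphrase_strength().items():
        print(f"{label:>32}: {bits:5.1f} bits")
```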

Restricted access networks

Solutions include a newer system for authentication, IEEE 802.1X, that promises to enhance security on both wired and wireless networks. Wireless access points that incorporate technologies like these often also have routers built in, thus becoming wireless gateways.

End-to-End encryption

One can argue that neither encryption in the router level nor VPN is good enough for protecting valuable data like passwords and personal emails; those technologies add encryption only to parts of the communication path, still allowing people to spy on the traffic if they have gained access to the wired network somehow. The solution may be encryption and authorization in the software layer, using technologies like SSL, SSH, GnuPG, PGP and similar.

The disadvantage with this approach is that it can be difficult to cover all the traffic - with encryption on the router level, or VPN, it's just one switch to get all traffic encrypted (even UDP and DNS lookups), while with end-to-end encryption, one has to "turn on encryption" for each and every service one wants to use, and quite often also for each and every connection. For sending emails, all the recipients must support the encryption and keys have to be exchanged. For web, not all web sites offer https - and even if using end-to-end-encryption on everything, the IP-addresses you communicate with will go in clear text. Say, if you frequent the Playboy Magazine, your mother-in-law may find it out, even if https hides the contents.

The most prized resource is often access to the Internet. An office LAN owner seeking to restrict such access will face the non-trivial enforcement task of having each user authenticate himself to the router.

Open Access Points

Today, there is almost full wireless network coverage in many urban areas - the infrastructure for the wireless community network (which some consider to be the future of the internet) is already in place. One could roam around and always be connected to Internet if the nodes were open to the public, but due to security concerns, most nodes are encrypted and the users don't know how to disable encryption. Many people consider it proper etiquette to leave access points open to the public, allowing free access to Internet. Others think the default encryption provides substantial protection at small inconvenience, against dangers of open access that they fear may be substantial even on a home DSL router.

The density of access points can even be a problem - there are a limited number of channels available, and they partly overlap. Each channel can handle multiple networks, but in places with many private wireless networks (for example, apartment complexes), the limited number of Wi-Fi radio channels might cause slowness and other problems.

According to the advocates of Open Access Points, it shouldn't involve any significant risks to open up wireless networks for the public:

* The wireless network is after all confined to a small geographical area. A computer connected to the Internet and having improper configurations or other security problems can be exploited by anyone from anywhere in the world, while only clients in a small geographical range can exploit an open wireless access point. Thus the exposure is low with an open wireless access point, and the risks with having an open wireless network are small. However, one should be aware that an open wireless router will give access to the local network, often including access to file shares and printers.
* The only way to keep communication truly secure is to use end-to-end encryption. For example, when accessing an internet bank, one would almost always use strong encryption from the web browser all the way to the bank - thus it shouldn't be risky to do banking over an unencrypted wireless network. The argument that anyone can sniff the traffic applies to wired networks too, where system administrators and possible crackers have access to the links and can read the traffic. Also, anyone knowing the keys for an encrypted wireless network can gain access to the data being transferred over the network.
* If services like file shares, access to printers etc. are available on the local net, it is advisable to have authentication (i.e. by password) for accessing it (one should never assume that the private network is not accessible from the outside). Correctly set up, it should be safe to allow access to the local network to outsiders.
* With the most popular encryption algorithms today, a sniffer will usually be able to compute the network key in a few minutes.
* It is very common to pay a fixed monthly fee for the Internet connection, and not for the traffic - thus extra traffic will not hurt.
* Where Internet connections are plentiful and cheap, freeloaders will seldom be a prominent nuisance.

12 key requirements

Build and maintain a secure network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications

Implement strong access control measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Regularly monitor and test networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Maintain an information security policy
  • Requirement 12: Maintain a policy that addresses information security

In order to fully comply with the standard, every organisation that the standard applies to must implement all of the controls to the target environment and annually audit the effectiveness of the controls in place.

PCI validation requirements & ISO 27001 compliance requirements

Both ISO 27001 and PCI require the organisation to ensure that a formal validation and compliance (audit) structure is in place, that validation activities (including self-audits and vulnerability scans) are undertaken on a regular basis, and that the results are fed into a management system for ongoing review and improvement. PCI validation requirements are tiered by transaction volume: the more transactions an organisation handles, the more frequent and detailed the audits it must undergo.

The validation activities include:

Annual on-site security audits - MasterCard and Visa require the largest merchants (level 1) and service providers (levels 1 and 2) to have a yearly on-site compliance assessment performed by a certified third-party assessor, which is similar to an ISO 27001 certification programme.

PCI annual self-assessment questionnaire - In lieu of an on-site audit, smaller merchants and service providers are required to complete a self-assessment questionnaire to document their security status. Again this is similar to ISO 27001, where there should be a formal structure of scheduled audits that enables early identification of 'weak spots' and feeds into an existing 'enterprise risk structure', allowing the organisation to fulfil corporate governance requirements such as Basel II, SOX, the Combined Code, Revised Guidance, OGC, OECD and FSA.

Quarterly external network scans - All merchants and service providers are required to have external network security scans performed quarterly by a certified third-party vendor. Scan requirements are rigorous: all 65,535 ports must be scanned, every vulnerability detected at severity level 3-5 must be remediated, and two reports must be issued: a technical report that details all vulnerabilities detected with solutions for remediation, and an executive summary report with a PCI-approved compliance statement suitable for submission to acquiring banks for validation.
One important thing to note is that PCI has published security audit procedures (a tick-box / checklist document) that set out the requirements for technical PCI compliance and also detail the expected content of the annual submission, the 'report on compliance' or executive summary report.

To assist service providers and merchants in this compliance process an 'accreditation' scheme has been established. It allows pre-approved PCI security and audit organisations to offer Qualified Security Assessor services (i.e. auditing the system), Approved Scanning Vendor services (i.e. performing the external vulnerability scans), or both.

These services will appeal to the many service providers and merchants that need to comply on all levels with PCI DSS, but ultimately every service provider or merchant can choose whom they work with to verify that they meet all the technical requirements of PCI DSS.

PCI DSS Validation Enforcement Table

While PCI DSS non-compliance penalties vary among the major card networks, they can be substantial and, perhaps more worryingly, they can represent a major embarrassment or, worse, lead to reputational damage that is difficult to quantify. Participating companies can be barred from processing card transactions, higher processing fees can be applied, and in the event of a serious security breach fines of up to £250,000 can be levied for each instance of non-compliance. Since compliance validation requirements and enforcement measures are subject to change, merchants and service providers need to monitor closely the requirements of all card networks in which they participate.

PCI and ISO 27001 - the comparisons

In contrast to the PCI framework, the ISO 27001 standard is more flexible in terms of scope, controls, compliance and enforcement. As an internationally recognised security standard, ISO 27001 is designed to apply to a wide variety of organisations across numerous industries. It is regarded as the de-facto information security standard by many organisations where information security is a strict requirement, although compliance is voluntary. Many organisations that choose to certify to the standard do so for purposes of due diligence or partner confidence.

When properly applied, ISO 27001 is built around a flow of information, which makes up what the standard defines as a system. The organisation decides which systems are to be certified and sets up an Information Security Management System (ISMS) around the relevant area of business, which is then defined as the scope. The organisation then fully documents the scope, creates a detailed asset inventory and performs a formal risk assessment on those assets. The results of the risk assessment lead the organisation to the control clauses of the standard, from which it selects those that best address the risks to the environment. The selected controls are then documented in the Statement of Applicability (SoA) and mapped back to the risk assessment.


Using ISO 27001 for PCI DSS Compliance, First Page (2)

PCI, as it is almost universally known, was originally developed by MasterCard and Visa by aligning the security requirements of the MasterCard Site Data Protection (SDP) program and two Visa programs, the Cardholder Information Security Program (CISP) and the international Account Information Security (AIS) program. In September 2006 a group of five leading payment brands, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, jointly announced the formation of the PCI Security Standards Council, an independent council established to manage the ongoing evolution of the PCI standard. Concurrent with the announcement, the council released version 1.1 of the PCI standard. Since then it has rapidly become the de-facto standard within the card industry for both merchants and service providers.

While the newly established PCI Security Standards Council manages the underlying data security standard, compliance requirements are set independently by the individual payment card brands. Although requirements vary between card networks, MasterCard's Site Data Protection program and Visa's Cardholder Information Security Program are representative. They stipulate separate compliance validation requirements for merchants and service providers, which vary depending on the size of the company and its transaction volume.
PCI DSS is based on established best practice for securing data (such as ISO 27001) and applies to any party involved in the transfer or processing of credit card data. Its purpose is to ensure that confidential cardholder account data is always secure. It comprises 12 key requirements, grouped under six headings:

1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy

The remaining sections of this paper cover:

7. PCI validation requirements & ISO 27001 compliance requirements
8. Annual on-site security audits
9. PCI annual self-assessment questionnaire
10. Quarterly external network scans
11. PCI DSS validation enforcement table
12. PCI and ISO 27001 - the comparisons

See the section '12 key requirements Detail' above for the full list of the 12 requirements.


Using ISO 27001 for PCI DSS Compliance

A white paper by Steve Wright,
Siemens Insight Consulting

The Payment Card Industry Data Security Standard (PCI DSS) isn't dramatically different from the requirements of the best-practice security standard ISO 27001, except that PCI doesn't mention any of the prerequisites of a management framework (e.g. management commitment, scope definition, security awareness training, ongoing improvement plans), whereas ISO 27001 omits much of the detail about how controls are actually implemented. One could therefore be forgiven for believing that MasterCard and Visa assumed PCI would contain additional security requirements to sit on top of an already established Information Security Management System (ISMS).

There is no getting away from the fact that this is good news for the industry as a whole. Any new baseline security standard that helps measure the security of systems is good news: for example, making sure that firewalls only pass traffic on accepted and approved ports, ensuring that servers run only those services that really need to be live, and validating that databases aren't configured with vendor-supplied defaults.

The problem is that, like any baseline standard, it is only as good as the last review; and herein lies a dilemma. ISO 27001 has deliberately moved away from specifying or dictating too many detailed controls (133 in ISO 27001, but over 200 in PCI), as it did not want to become a simple tick-box exercise. ISO 27001 stipulates that any control an organisation implements should reflect the level of risk (or vulnerability) that would cause unnecessary pain if it were not addressed. PCI does refer to conducting a formal risk assessment (see section 12.1.2 of the standard), but how flexible would a certified third-party assessor be during the audits?

Would he or she accept that risks deemed acceptable by one organisation could be deemed unacceptable by another, depending on each organisation's risk appetite?
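The baseline checks the paper uses as its illustration (firewalls passing only approved ports, servers running only the services that need to be live) are exactly the kind of control that can be verified mechanically rather than by tick-box, and doing so is what turns "as good as the last review" into a check that runs every day. The script below is an added example, not part of Steve Wright's white paper or any PCI SSC material: it parses `ss -tlnup`-style output from a Linux host and diffs it against an approved-service baseline, flagging unapproved listeners, services that should be loopback-only but face the network, and approved services that have disappeared. The sample `ss` output, the approved baseline, the process names and the severity mapping are all constructed for illustration and are not taken from the page or from any real host.

```python
"""Added example (not from the original white paper): check a host's listening
services against an approved baseline, the mechanical check behind PCI DSS
Requirements 1 and 2. All sample data below is constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp"
    addr: str      # local bind address exactly as `ss` prints it
    port: int
    process: str   # process name from the users:(("name",pid=...,fd=...)) column


# Bind addresses that expose a service on every interface, or to the host only.
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Matches the data rows of `ss -tlnup` output:
# Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
_ROW_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+'
    r'(?P<local>\S+)\s+\S+\s*'
    r'(?:users:\(\("(?P<proc>[^"]+)")?'
)

# Constructed sample, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      128          0.0.0.0:3306       0.0.0.0:*     users:(("mysqld",pid=1411,fd=21))
tcp   LISTEN 0      5            0.0.0.0:23         0.0.0.0:*     users:(("telnetd",pid=1502,fd=4))
tcp   LISTEN 0      128             [::]:8080          [::]:*     users:(("java",pid=1633,fd=9))
tcp   LISTEN 0      128        127.0.0.1:6379       0.0.0.0:*     users:(("redis-server",pid=1700,fd=6))
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*     users:(("snmpd",pid=1299,fd=7))
"""

# Constructed baseline: (proto, port, process) -> where it is allowed to listen.
# Anything not listed here is an unapproved service.
APPROVED = {
    ("tcp", 22, "sshd"): "external",      # management access, further restricted by the firewall
    ("tcp", 443, "nginx"): "external",    # the only customer-facing service
    ("tcp", 8443, "nginx"): "external",   # admin interface that should also be up
    ("tcp", 3306, "mysqld"): "loopback",  # the cardholder database must never face the network
}


def parse_ss(output):
    """Turn `ss -tlnup` text into Listener records, skipping the header line."""
    listeners = []
    for line in output.splitlines():
        m = _ROW_RE.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)   # "[::]:8080" -> "[::]", "8080"
        listeners.append(Listener(m.group("proto"), addr, int(port), m.group("proc") or "?"))
    return listeners


def audit(listeners, approved):
    """Return (severity, message) findings, highest severity first.

    The severity numbers loosely follow the 1-5 scale the paper cites for
    external scans; the mapping itself is this example's own assumption:
    5 = exposed to the network, fix now; 3 = fails the baseline; 2 = drift."""
    findings = []
    seen = set()
    for ln in listeners:
        key = (ln.proto, ln.port, ln.process)
        seen.add(key)
        scope = approved.get(key)
        if scope is None:
            sev = 5 if ln.addr in WILDCARD else 3
            findings.append((sev, f"unapproved service {ln.process} on {ln.proto}/{ln.port} bound to {ln.addr}"))
        elif scope == "loopback" and ln.addr not in LOOPBACK:
            findings.append((5, f"{ln.process} on {ln.proto}/{ln.port} should be loopback-only but is bound to {ln.addr}"))
    for (proto, port, proc) in approved:
        if (proto, port, proc) not in seen:
            findings.append((2, f"approved service {proc} on {proto}/{port} is not listening (baseline drift)"))
    return sorted(findings, reverse=True)


def run_sample():
    """Audit the constructed sample output against the constructed baseline."""
    return audit(parse_ss(SAMPLE_SS_OUTPUT), APPROVED)


if __name__ == "__main__":
    for sev, msg in run_sample():
        print(f"[sev {sev}] {msg}")
```

On a real host the input would come from `ss -tlnup` run as root (so the process column is populated), and the baseline would live in version control next to the firewall rules, so that a change to either is a reviewed change rather than something discovered at the next quarterly scan. The point of the loopback rule is that "the database is approved" is not the same as "the database may listen on every interface", which is the distinction a port-only tick-box misses.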
