Search in ISMS Guides

Google
 

Monday, June 9, 2008

How to apply ISO 27002 to PCI DSS compliance

This tip is part of SearchSecurity.com's Compliance School lesson, Building a risk-based compliance program. Visit the Building a risk-based compliance program main page for related materials, or check out the Security School Course Catalog for more learning content.

The PCI Data Security Standard (PCI DSS) consists of 12 mandatory high-level requirements for all organizations that store, transmit, or process payment cards. These 12 requirements are further subdivided into sections, describing activities that organizations must engage in while managing their networks, administering their systems, and, in general protecting the payment card data with which they have been entrusted.

While PCI DSS details compliance requirements in most areas, its directives make only passing reference (if at all) to an overall security framework into which the required actions must fit. If organizations simply follow the PCI DSS blindly, they may not achieve the overall security goals.

ISO 27002, also known as ISO 17799, is a security standard of practice. In other words, it is a comprehensive list of security practices that can be applied -- in varying degrees -- to all organizations. The benefit of such a standard to organizations attempting to comply with the PCI-DSS is twofold. First, it provides a framework that allows organizations to achieve their PCI security goals along with those from other sources, like industry or governmental regulations. Second, it provides guidance on how to fit some of PCI's governance and policy requirements into an organization's compliance program.

For example, ISO 27002 discusses the necessity of involving business, management, human resources and technology representatives in the security program. It also provides references for high-level policies for important areas such as data classification, data handling and access control. While PCI DSS describes specific technical practices and organizational activities, it doesn't talk about the overall program in which these activities exist or the specific policies that require these activities.

When a company establishes a program based on a broad standard like ISO 27002, it can treat the PCI-DSS requirements as a subset of those required by the ISO. Further, a program structured according to ISO 27002 will require organizations to employ critical support systems required by many regulations (and PCI DSS in particular). For example, ISO 27002 requires change control in network administration, system configuration, policy management, procedure management and software development. PCI DSS calls out the need for accurate diagrams and documentation for its network and systems as well as change control processes to ensure discipline in administration of the PCI DSS-related components.

ISO 27002's broad requirements for change control associated with all aspects of administration encourage a consistent approach across an enterprise. This kind of approach, when applied to PCI DSS, would help improve both the consistency, effectiveness and efficiency of change control across a company and increase the likelihood that an auditor would find a company's practices acceptable.

Another benefit of combining the structure of ISO 27002 and the specific requirements of PCI DSS is that the PCI DSS helps organizations define three of the most challenging aspects of ISO compliance: scope of compliance, data classification and data handling. Armed with these constraining requirements, organizations can define policies and procedures that are consistent with best practice as specified by ISO and directly address PCI DSS compliance. For example, PCI DSS defines what aspects of credit card data are sensitive. It describes access control requirements for credit card information, encryption requirements for transmission and storage, and even the testing necessary to verify effectiveness of controls. These specific requirements allow organizations to state how systems must be configured, how employees must treat data and how an organization monitors the effectiveness of its controls.

A growing number of organizations are building security programs according to standard frameworks like ISO 27002. These frameworks are allowing organizations to factor compliance with multiple regulations and contracts into their security programs in a consistent and effective manner.

The beauty of using the ISO standard with specific regulations is that the regulations fill in the necessary details that the framework lacks while the framework provides structure to address multiple sets of requirements consistently. The two concepts work hand in hand and provide effectiveness, efficiency and auditability.

About the author:
Richard E. "Dick" Mackey is regarded as one of the industry's foremost authorities on security and compliance. He is a frequent speaker and contributor to magazines and online publications. He has advised leading financial firms on compliance with PCI, GLBA and SOX. He has also provided guidance to a wide range of companies on enterprise security architectures, identity and access management and security policy and governance.

New Risk Assessment Tool for ISO27001 Consultants Simplifies and Accelerates Compliance Process for Clients

Following the successful launch of the vsRisk ISO27001 compliance tool at Infosecurity Europe 2007, Vigilant Software has launched a complementary software tool for IT consultants and information security specialists. vsRisk Consultant Edition (vsRCE) is a powerful new software product that will enable information security consultants to deploy vsRisk as their preferred risk assessment tool in up to 10 different clients.

Targeted at specialist consultants dealing with ISO27001 compliance, vsRCE is an affordable and intuitive risk assessment management tool for the IT consultant community that allows consultants the ability to directly support their clients' risk assessment activity from an off-site location. vsRCE allows clients to create and export risk assessment files that can be analysed on the consultants' own workstations or laptops, and then re-imported into the client's own software.

vsRCE allows IT consultants to manage up to ten separate risk assessments or risk assessment in up to ten different organisations, each of which must have purchased its own copy of vsRisk. By working in harmony with its sister application vsRisk, vsRCE will dramatically reduce the time and effort it takes for companies to achieve ISO27001 compliance, transferring an important element of the work to the consultant and ensuring that the work of the project team can be monitored more closely.

In addition to supporting ISO/IEC27001, vsRCE supports ISO/IEC27002 (17799); complies with BS7799-3:2006; conforms to ISO/IEC TR 13335-3:1998 and NIST SP 800-30; and complies with the UK's Risk Assessment Standard.

Vigilant Software is a joint venture between IT Governance Limited, the one-stop-shop for books, tools and information on ISO27001 compliance, and Top Solutions (UK) Limited, an award-winning developer of risk management software tools.

Alan Calder, Chief Executive of IT Governance, commented, "vsRCE is the perfect complement to vsRisk and offers a major enhancement to vsRisk users. By employing a consultant who uses vsRCE, companies can simplify and speed the process of achieving ISO27001 compliance. For consultants, it offers a means of providing greater added value and is therefore a powerful competitive advantage."

Source: compliancehome.com