In this 45-minute webinar ControlCase will discuss the following:
- What is Data Discovery
- Why Data Discovery
- PCI DSS requirements
- Need for Data Discovery in the context of PCI DSS
- Challenges in the Data Discovery space
2. Agenda
• About Data Discovery
• PCI DSS Requirements and need for Data Discovery in the context of PCI DSS
• Challenges in the Data Discovery space
• Q&A
5. What is Data Discovery
• Ability to identify and pinpoint sensitive data across
› File Shares
› Servers
› Databases
› Email
› Log files
› Etc.
6. Why is it important
• GRC focuses on confidentiality, integrity and availability
• Confidentiality is always focused on “Data”
• Sensitive data must be protected; the first step of protecting it is knowing where the data resides
• Hence, it is important to identify where sensitive data resides
8. What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council (PCI SSC)
9. PCI DSS Requirements
Control Objectives and their Requirements:
• Build and maintain a secure network
› 1. Install and maintain a firewall configuration to protect cardholder data
› 2. Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect cardholder data
› 3. Protect stored cardholder data
› 4. Encrypt transmission of cardholder data across open, public networks
• Maintain a vulnerability management program
› 5. Use and regularly update anti-virus software on all systems commonly affected by malware
› 6. Develop and maintain secure systems and applications
• Implement strong access control measures
› 7. Restrict access to cardholder data by business need-to-know
› 8. Assign a unique ID to each person with computer access
› 9. Restrict physical access to cardholder data
• Regularly monitor and test networks
› 10. Track and monitor all access to network resources and cardholder data
› 11. Regularly test security systems and processes
• Maintain an information security policy
› 12. Maintain a policy that addresses information security
11. PCI Council Advisory…
• Importance of Updating Scope for PCI DSS Assessments
There have been a number of high profile data compromises in the press recently. These reports serve as a daily reminder of the damage caused by compromises and of the need to keep business environments secure. Businesses evolve and change over time, and the scope of an entity's cardholder data environment must be reviewed and verified each time a PCI DSS assessment is undertaken. As has always been the case, many compromises are the result of businesses having data they weren't aware of. Please remember that scoping an assessment includes verifying that no cardholder data exists outside of the defined cardholder data environment. By ensuring the scope of an assessment is appropriate, the risk of data compromise is greatly reduced - a benefit to everyone involved.
13. Challenges
• Deployment and agents
› Can get expensive
› Technologically complicated
› Long deployment cycles
› Databases are a challenge
• False Positives
› Luhn’s formula narrows down candidates but is not foolproof
› Many numbering schemes besides payment cards use Luhn’s formula to generate numbers
› Separators and delimiters change
14. Challenges
• Performance within production environments
› Database load
› Large number of records in databases
› Active directory scanning
› Emails storing cardholder data
• Tokenization
› Differentiation between tokens and real card numbers
• Exclusions
› Directories
› Files
› Extension types
› Tables/Columns
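The following is an added example, not ControlCase's tool or any product the webinar describes. It ties together slide 5 (pinpointing sensitive data across file shares and log files) and the two Challenges slides: the candidate pattern tolerates changing separators, the Luhn check narrows candidates, an issuer-prefix (IIN) filter and a token list cut the false positives that Luhn alone lets through, and directory/extension exclusions keep the scan off data you have deliberately ruled out. All paths, file contents, the exclusion lists and the token export are constructed for illustration; the card numbers are the widely published processor test numbers plus one constructed Luhn-valid non-card value.

```python
"""Minimal cardholder-data discovery scanner (added example, not ControlCase's tool).

Walks a constructed in-memory corpus, finds digit runs that look like PANs whatever
the separator style, validates them with the Luhn check, then applies an issuer-prefix
filter and a token list to reduce false positives, honouring path exclusions.
"""
import re
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

# A PAN candidate is 13-19 digits; each digit may be followed by one space or dash,
# so "4111 1111 1111 1111", "4111-1111-1111-1111" and the bare form all match.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed exclusion lists (the slides name directories, files, extensions, tables/columns).
EXCLUDED_DIRS = ("/var/log/archive",)
EXCLUDED_EXTS = {".jpg", ".png", ".zip"}

# Assumed export from the tokenization system: values that look like PANs but are vault
# tokens. A real deployment would query the token vault or apply its token format rule.
KNOWN_TOKENS = {"4111112233445566"}

# Well-known issuer identification prefixes and lengths for the major brands.
IIN_RULES = (
    ("Visa", ("4",), {13, 16, 19}),
    ("Mastercard", tuple(str(p) for p in range(51, 56)) + tuple(str(p) for p in range(2221, 2721)), {16}),
    ("American Express", ("34", "37"), {15}),
    ("Discover", ("6011", "65"), {16, 19}),
)


@dataclass
class Finding:
    path: str
    line_no: int
    masked: str            # first six / last four only; the report never stores the full PAN
    brand: Optional[str]
    verdict: str           # "pan", "luhn-only" (Luhn passes, no known IIN) or "token"


def luhn_valid(digits: str) -> bool:
    """Double every second digit from the right, fold >9 back to one digit, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_for(pan: str) -> Optional[str]:
    for brand, prefixes, lengths in IIN_RULES:
        if len(pan) in lengths and pan.startswith(prefixes):
            return brand
    return None


def mask(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def is_excluded(path: str) -> bool:
    p = PurePosixPath(path)
    if p.suffix.lower() in EXCLUDED_EXTS:
        return True
    return any(str(p).startswith(d.rstrip("/") + "/") for d in EXCLUDED_DIRS)


def classify(pan: str) -> Optional[str]:
    """None means not reportable; the other values are the buckets a reviewer works through."""
    if pan in KNOWN_TOKENS:
        return "token"
    if not luhn_valid(pan):
        return None
    return "pan" if brand_for(pan) else "luhn-only"


def scan_text(path: str, text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())   # normalise away the separators
            verdict = classify(pan)
            if verdict:
                findings.append(Finding(path, line_no, mask(pan), brand_for(pan), verdict))
    return findings


def scan_corpus(files: dict) -> list:
    return [f for path, text in files.items() if not is_excluded(path) for f in scan_text(path, text)]


# Constructed sample corpus: these paths and contents exist only in this example.
SAMPLE_FILES = {
    "/shares/finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,5555-5555-5555-4444\n",
    "/var/log/app/payments.log": "2024-01-01 tx ok card=378282246310005 ref=1234567812345670\n",
    "/shares/tokens/vault-export.txt": "replacement value: 4111 1122 3344 5566\n",
    "/var/log/archive/old.log": "4111111111111111\n",   # dropped by the directory exclusion
    "/shares/media/photo.jpg": "4111111111111111\n",    # dropped by the extension exclusion
}

if __name__ == "__main__":
    for f in scan_corpus(SAMPLE_FILES):
        print(f"{f.verdict:9} {f.path}:{f.line_no} {f.masked} ({f.brand or 'no known IIN'})")
```

The "luhn-only" bucket is the point of the false-positive slide: the constructed reference number 1234567812345670 passes Luhn but starts with no card issuer prefix, so it is held for review rather than counted as cardholder data. The report carries only masked values, so the discovery output itself does not become a new store of cardholder data that would widen the assessment scope.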