Implementation of ISMS according to PCI DSS
The organization is one of the major suppliers of information technology in the Czech and Slovak Republics in the area of smart card systems. The company's main products are solutions in the field of secured transaction systems and related products, such as secured communication and authentication, which fulfil the highest security standards. The solutions are used in the banking sector, in large retail chains, in the private sector and in the government sector. The delivered solutions are based on custom development of software applications and on card personalization activities. Information security had not been addressed from either a process or a systematic point of view: some security rules had been set up, but there was no conclusive systematic approach.
This state of information security caused several problems:
- Time-consuming and inconsistent management of information security, with different demands in different departments
- Isolated solutions in different departments, without a company-wide perspective on information security issues
- Little awareness of security incidents in different departments
- Obtaining data as a basis for determining the status of the company's information security was problematic
- Absence of delegated responsibility for individual security areas and absence of a security manager position
When one major client, a bank, demanded the personalization of banking and payment cards, information security immediately became one of the main objectives, and management decided to implement an information security management system (ISMS) according to ISO/IEC 27001 and also according to the PCI DSS requirements for logical and physical security. ISMS implementation according to the PCI DSS requirements is not an ordinary project in the way that ISMS implementation according to ISO/IEC 27001 alone is.
From the implementation of an ISMS in accordance with the ISO/IEC 27001 and PCI DSS requirements the company expected the following improvements:
- Penetration of new markets and expansion of the product portfolio toward “sophisticated solutions”
- Integration and unification of the current security practices and policies into a single unified management system
- Creation of a central ISMS policy
- Setting up the rules and procedures required by the PCI DSS standard
- Introduction of a systematic approach to risk management based on a documented procedure
- Improving the logical and physical security of the personalization area
The ISMS implementation solution was based on the client's requirement to achieve compliance with the ISO/IEC 27001 requirements and with the PCI DSS requirements for logical and physical security, so that PCI DSS certification could be obtained and bank card personalization could begin at 10/2012. Implementation and the follow-up ISMS certification according to the PCI DSS requirements is in many ways much more difficult than implementing a management system according to ISO/IEC 27001 alone. In terms of process and systematic approach, the implementation procedure is almost the same for both standards. However, the implementation of the PCI DSS requirements is much stricter and more binding in how the individual security controls outlined in Annex A of ISO/IEC 27001 are applied. Because in many cases the client cannot choose to transfer the risk to a third party for specific security controls, and some administrative solutions cannot be applied, implementing the PCI DSS requirements is financially demanding: not only in the implementation effort itself, but also in the technological measures, in the new human resources required, and in the definition of new security roles and their substitutability.
The entire project team, which consisted of consultants and specialists in ISMS process management, PCI DSS, risk management and technology, worked according to the PRINCE2 methodology and used MS Project as its software tool. A detailed project schedule was drawn up based on the outcomes of the ISMS situational (initial) analysis.
Implementation was divided into 9 phases:
- Carrying out the initial (situational) analysis of the ISMS – finding the strengths and weaknesses (SWOT) of the current information security system and determining the level of compliance with the ISO/IEC 27001 and PCI DSS requirements. This phase also included the creation of the detailed project schedule of individual activities, including the human resources requirements.
- Determining the ISMS scope and structure – right at the beginning of the project it is necessary to determine the ISMS scope and structure, meaning what will be protected and which areas of the organization will apply the ISMS requirements. The fundamental basis for this was the initial (situational) analysis; another source was the list of information assets that are important in terms of information security. At this stage the Versa Systems consultants, together with the company's staff, determined the scope and boundaries of the future information security system.
- Determining the security policy (ISMS Policy) – at this stage the ISMS policy was defined so that it covered the ISMS scope and boundaries, while being based on the results of the initial analysis, which in practical terms is the indispensable basis for defining the basic principles incorporated in the ISMS policy.
- Introduction of a systematic approach to risk management – meaning the creation of a risk assessment and risk management methodology based on the selected threats and vulnerabilities for the assets within the determined ISMS scope. Part of the methodology was dedicated to defining the acceptable/unacceptable levels of risk. It was necessary to identify and evaluate all assets of the organization, including the assignment of asset owners. The next step was the identification of threats and vulnerabilities for those assets, followed by determining the likelihood of occurrence of each threat. Finally, for each asset the risk was calculated as the product of probability and impact. The risk analysis was carried out in brainstorming sessions involving all the asset owners, the Versa Systems consultants and an experienced moderator, using the “What-If” methodology. The risk assessment results were crucial for further implementation progress, especially for the selection of risk treatment options and of suitable security measures to eliminate the risks.
- Design and selection of risk treatment options and design of the individual security controls for eliminating unacceptable risks – based on the results of the risk assessment, the Versa Systems consultants drafted options for eliminating the risks and designed the risk treatment options. The outcome of this and the previous phase was a detailed report describing the unacceptable risks and proposing risk treatment plans for their reduction or elimination. This report was presented to the company's management. Management representatives, together with the Security Council members, chose the best options for dealing with each unacceptable risk. When choosing the security controls they based their priorities primarily on:
  - Conscious acceptance of a risk if it is in compliance with the security policy and the risk management system (acceptable risk)
  - Avoiding the risk
  - Transfer or distribution of the risk to another party (e.g. supplier, insurance)
  - Meeting the requirements of applicable laws, regulations, PCI DSS requirements, applicable norms and other regulations
  - Planned development of the company's activities and of its ISMS
  - Application of “best practices”
- Implementation and operation of the ISMS – implementation of the security controls and their testing. This was the longest and most complex phase of the project. At the beginning of this phase it was necessary to select measures for risk reduction and to create plans for implementing the chosen controls, the so-called risk treatment plans (RTP). These plans had to be put into daily operation. Simultaneously, the documented procedures, operating manuals, security and testing procedures, directives and policies were drafted and introduced into day-to-day operations, as prescribed by the PCI DSS requirements. Versa Systems consultants created all the drafts of the security documentation, templates and forms for each individual document and record, so that the entire life cycle of logical and physical security was covered as required by the PCI DSS. The core documents – the manual for logical security, the manual for physical security, the operating rules for the transaction system, for the personalization system and for the KSM system (the system for encryption key generation) – and some other documents were produced bilingually for the needs of the foreign auditors; since this is a fairly complex subject, the documents were translated into English by the Versa Systems experts. As part of the documentation, the procedures for emergency response, the recovery plans and the description of the incident management process were drafted. The design and creation of documentation, including working procedures, for security testing, vulnerability and penetration tests was carried out as a separate activity. At this stage it was necessary, in particular:
  - To allocate the necessary human and financial resources for the implementation of the individual risk management programs and for the operation and implementation of the ISMS
  - To prepare training programs and to improve the security awareness of the company's employees
  - To implement the chosen controls through the risk management programs
  - To implement procedures and processes, including the necessary controls, for daily monitoring and control of information security
  - To implement a system for rapid detection of and response to security incidents, and to increase the efficiency of the ISMS
  - To implement disaster recovery plans (DRP) for the individual systems
- Monitoring and review of the ISMS – for the ISMS to function properly according to the PCI DSS, it was necessary to start the necessary controls and the testing of the individual ISMS areas as soon as possible, so that the greatest possible amount of data could be collected from operations. These data were then processed and prepared as reports for the PCI DSS auditors. The basic monitoring and measurement activities necessary at this stage were the following:
  - Periodic ISMS reviews of the fulfilment of the security policy, objectives and risk treatment programs, taking into account the results of security audits, incidents and, if necessary, inputs from customers and other interested parties
  - Regular evaluation of the implemented risk reduction controls with respect to changes within the organization, technology, business objectives and processes, identifiable changes in the external environment, etc.
  - Internal audit of the implemented ISMS as one of the basic control tools for determining the status and level of the implemented ISMS
  - Management review of the ISMS
  - Recording of all activities and incidents that might affect the efficiency or performance of the implemented ISMS
  - Testing of the physical and logical perimeter through a series of tests, particularly vulnerability and penetration tests
  - Collection, recording and analysis of audit logs, records of administrators' activities, etc.

  All the above-mentioned controls, monitoring and testing activities were carried out according to a schedule prepared by the Versa Systems consultants, the so-called “Plan for security controls and maintenance”. The final version of this plan contained a total of 84 activities that must be performed at different intervals (daily, weekly, monthly, quarterly, semi-annually, annually). Vulnerability testing was carried out by the Versa Systems consultants with the help of the PCI OUTSCAN testing software (which is approved by PCI DSS) in order to fulfil the PCI DSS requirements; such a test must be carried out quarterly.
- PCI DSS certification process – this stage took place after 12 months of the project. The PCI DSS certification audit is similar to an ISO/IEC 27001 certification audit, the main differences being the length of the audit and its thoroughness. Since most PCI DSS auditors come from abroad, the entire implementation process places high demands not just on the technology solution but also on the qualifications and language skills of the affected staff members. Versa Systems consultants were present at this stage of the audit process and provided the necessary support to the company's personnel, within the permitted rules of course. The certification audit was successful; the company currently holds the certificate demonstrating compliance with the PCI DSS requirements, and its name is listed among the approved PCI DSS suppliers.
- Maintenance and improvement of the ISMS – the phase of maintaining and further improving the implemented and certified system. Versa Systems currently has a signed SLA contract with the client for ISMS maintenance.
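As an added example (not code from the original project or from Versa Systems), the risk assessment and treatment-selection phases above expressed as a small Python risk register: the risk level is the product of likelihood and impact, it is compared against an acceptable level, and each chosen treatment option is checked against the rules the text describes (an unacceptable risk cannot simply be accepted; for assets inside the PCI DSS scope, transfer to a third party is not an available option). The 1-5 scales, the threshold of 6 and the register entries are constructed assumptions.

```python
from dataclasses import dataclass

ACCEPTABLE_LEVEL = 6   # assumed threshold: a level above 6 is "unacceptable"
TREATMENTS = {"accept", "avoid", "transfer", "reduce"}


@dataclass(frozen=True)
class Risk:
    asset: str
    owner: str          # every asset is assigned an owner in the inventory step
    threat: str
    vulnerability: str
    likelihood: int     # 1 (rare) .. 5 (almost certain); the 1-5 scale is assumed
    impact: int         # 1 (negligible) .. 5 (critical)
    pci_scope: bool     # asset lies inside the PCI DSS (card personalization) boundary
    treatment: str      # option chosen by management and the Security Council

    @property
    def level(self) -> int:
        # Risk is the product of likelihood (probability) and impact
        return self.likelihood * self.impact

    @property
    def acceptable(self) -> bool:
        return self.level <= ACCEPTABLE_LEVEL


def validate(risk: Risk) -> list[str]:
    """Rule violations for one register entry; an empty list means consistent."""
    problems = []
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        problems.append("likelihood/impact outside the 1-5 scale")
    if not risk.acceptable and risk.treatment == "accept":
        problems.append("unacceptable risk cannot simply be accepted")
    if risk.pci_scope and risk.treatment == "transfer":
        problems.append("PCI DSS in-scope risk cannot be transferred to a third party")
    return problems


def risk_treatment_plan(register: list[Risk]) -> list[tuple[str, str, int, str]]:
    """Unacceptable risks, highest level first: (asset, threat, level, treatment)."""
    open_risks = sorted((r for r in register if not r.acceptable),
                        key=lambda r: (-r.level, r.asset))
    return [(r.asset, r.threat, r.level, r.treatment) for r in open_risks]


# Constructed sample register; not the company's real assets, owners or figures
REGISTER = [
    Risk("personalization server", "IT ops", "malware", "unpatched OS", 3, 5, True, "reduce"),
    Risk("KSM key store", "security manager", "key theft", "weak access control", 2, 5, True, "transfer"),
    Risk("office printer", "facilities", "hardware failure", "old hardware", 4, 1, False, "accept"),
    Risk("card stock room", "facilities", "theft", "single door lock", 3, 4, True, "reduce"),
]
```

Running `validate` over every entry and `risk_treatment_plan(REGISTER)` yields the two inputs the text describes for the management report: the inconsistent choices to revisit and the ordered list of unacceptable risks with their treatment.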
Benefits of the solution
- The customer has implemented and certified an ISMS according to the PCI DSS requirements
- The solution enables the organization to personalize and deliver payment cards for the banking sector
- By introducing the ISMS into the company's environment, a systematic and process-based approach to information security was established, with clearly defined responsibilities for the individual ISMS areas and clearly described ISMS procedures and rules
- The established information security system significantly reduces the possibility of information leakage or of compromising the confidentiality, integrity and availability of information assets within the organization
- With an implemented and certified ISMS the organization became a qualified supplier in the area of banking payment cards, which opens up new possibilities for introducing its products into the banking environment. The organization has gained more reputation within the banking industry.
- The implemented ISMS is also economically advantageous, since the expenses for dealing with potential security incidents or the economic losses due to compromised information are reduced to a minimum. The cost of implementation is also recovered through new business or the supply of products that are subject to PCI DSS certification.