SecureWorks Provides Solutions to Help with Payment Card Industry (PCI) Data Security Standard (DSS) Version 1.2
ATLANTA, Oct. 2 -- SecureWorks, a leading Security as a Service Provider (SaaS), announced today that they remain committed to helping organizations meet the Data Security Standard (DSS) version 1.2 released Oct. 1st by the Payment Card Industry (PCI) Security Standards Council. The revised standard provides clarification and changes intended to help organizations more effectively protect cardholder data.
SecureWorks is a Qualified Security Assessor Company (QSAC) and also an Approved Scanning Vendor (ASV) for PCI which enables SecureWorks to provide Reports on Compliance (ROCs) and to provide external and/or internal vulnerability scanning services required as part of the DSS version 1.2 specification. In addition, SecureWorks provides many other services that help companies meet various requirements of PCI DSS v1.2.
"We are pleased with the thoughtful modifications made by the Security Council," states Kathy Jaques, Chief Marketing Officer of SecureWorks. "The clarifications provide both assessors and companies with a better understanding of the intent of each section and, in some cases, create more flexibility to economically do what is needed to protect cardholder data while still meeting regulatory requirements. The PCI Community meeting held on September 22-24th, 2008 in Orlando, Fla. offered a helpful opportunity for assessors, vendors and merchants to ask additional questions to clarify intent."
The following is a subset of the changes made by the PCI Security Standards Council that most directly affect typical SecureWorks clients as well as a brief description of how SecureWorks can help companies meet each specific requirement as appropriate:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
SecureWorks provides firewall and other device reporting, monitoring and management services that can ensure that technologies are appropriately placed to segment the network to protect cardholder data from internet and internal threats. Our workflow and reporting provide an audit trail that firewall policies are reviewed as needed and no less often than required by PCI. PCI DSS version 1.2 changed the requirement to review firewall policies from every quarter to every six months.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Although ensuring that default passwords are re-set is largely a manual effort for merchants and other PCI organizations, SecureWorks helps companies meet section 2.2 by ensuring that the cardholder systems are regularly scanned for vulnerabilities and promoted for remediation according to the company's policy.
Requirement 3: Protect stored cardholder data
Requirement 3 speaks to the need to minimize storage of cardholder data and to use "strong cryptography" (updated from the previous specification to use "encryption") to protect cardholder data and to follow guidelines for secure cryptographic key generation, distribution and storage. As a QSAC, SecureWorks can work with companies to architect cryptographic controls that fit the business.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
The PCI DSS v1.2 specification restricts the implementation of new wireless networks using WEP after March 31, 2009 and requires that current wireless implementations discontinue use of WEP after June 30, 2010. In addition, requirement 4 speaks to using strong cryptography and security protocols to protect data during transmission over open public networks and also speaks to protection of data communicated via standard messaging technologies such as email, chat and instant messaging. SecureWorks helps with a small piece of this requirement by providing an encrypted email solution to safeguard the email channel. This solution prevents cardholder data or personal confidential information from leaving or entering the company according to the company's policies - and without the need to alter business processes.
Requirement 5: Use and regularly update anti-virus software or programs
Companies are required to deploy and keep current software that detects and defends against malicious software. With PCI DSS version 1.2, the definition of anti-virus is expanded to include protection against all known types of malicious software, not just viruses. SecureWorks' Intrusion Prevention services protect companies at both the host and the network edge to ensure that desktop users are protected with a sound "defense-in-depth" solution. These rapidly deployed countermeasures provide protection even while desktop measures are being updated.
Requirement 6: Develop and maintain secure systems and applications
Requirement 6 is about staying informed on the threat landscape, ensuring systems are patched for vulnerabilities and following a sound software development lifecycle (SDLC) that is disciplined and provides for secure code review. SecureWorks provides a Threat Intelligence Service to help satisfy the requirement to "implement a process to identify newly discovered vulnerabilities" as stated in 6.2. In addition, SecureWorks is an Approved Scanning Vendor (ASV) and can provide internal and external scans of systems to determine where they are vulnerable. SecureWorks' scanning service prioritizes remediation efforts to support a risk-based approach to remediation with a necessary audit trail. PCI DSS version 1.2 6.6 requires that either web application vulnerability scanning or web application firewall tools be implemented to protect internet-facing web applications. Both of these services are available from SecureWorks. Finally, SecureWorks provides professional services to perform application code reviews as specified in sections 6.3.7 and 6.5.
Requirement 7: Restrict access to cardholder data by business need-to-know
Section 7 of PCI DSS 1.2 focuses on restricting access to systems with cardholder data to those who "need to know." SecureWorks provides log monitoring and retention solutions to track actual logins and failed login attempts in addition to other logs to ensure that policies are being followed. In addition, the professional services team of SecureWorks can work with companies to identify and document which systems require what level of access and where "default accept" access is the default so that these systems can be changed.
Requirement 8: Assign a unique ID to each person with computer access
Requirement 8 ensures that each user has a unique ID making it possible for actions taken on cardholder data to be associated with a specific user. SecureWorks' professional services team can help define the policies and processes needed and can test whether those policies and processes are being followed consistently.
Requirement 9: Restrict physical access to cardholder data
PCI DSS version 1.2 requirement 9 focuses on ensuring that physical access to cardholder data is restricted and monitored and that physical locations where data is stored are periodically inspected. SecureWorks' professional services organization can help develop policies and procedures to ensure physical security of cardholder data and can test whether those policies and procedures are being followed consistently.
Requirement 10: Track and monitor all access to network resources and cardholder data
Companies must demonstrate that they are logging and tracking all user access to cardholder data to provide early identification of problems and essential information to resolve problems. SecureWorks provides log monitoring and log retention services to capture all information required by section 10 and to meet the requirement for daily log reviews (either by technology or by security analysts) and log retention with immediate access to archived logs should it be required. This is offered as a managed service and also as a SaaS-delivered solution.
Requirement 11: Regularly test security systems and processes
Requirement 11 of PCI DSS version 1.2 clarifies that both internal and external penetration testing is a yearly requirement for PCI compliance. Penetration testing is different than performing a vulnerability assessment (a point of confusion for many companies) in that vulnerability scanning is automated and is done regularly to identify where patches are required while penetration testing is done periodically and includes manual methods to both find vulnerabilities and attempt exploits. Penetration testing can include methods such as phishing and social engineering that test other aspects of a company's readiness for hacking techniques. Penetration testing must include testing of the application layer. SecureWorks offers a PCI compliant penetration test.
Requirement 11.4 requires the use of intrusion prevention systems (host and/or network) that can monitor network traffic and alert staff to suspected compromises. SecureWorks provides Network Intrusion Prevention and Host Intrusion Prevention monitoring and management services that can either alert on or block malicious activity. Leveraging visibility across a large client population (2,000+) and a robust Attacker Database (patent pending), SecureWorks protects clients from electronic perpetrators.
Requirement 12: Maintain a policy that addresses information security for employees and contractors
Requirement 12 requires a robust security policy that is well-communicated to all employees and significant partners and vendors. In addition, companies are required to implement security awareness training programs that provide documentation for assessors of an effective and unilateral education program. Companies must also have an incident response plan in place and a thorough vendor/partner management program to ensure that risk is not introduced by connected entities. SecureWorks offers Security Awareness Training Programs, incident response planning, and is launching a new service called Compliance Central(TM) that will aid with vendor and partner security management. We also have a PCI policy package to help speed along compliance efforts.
"The PCI Security Council made several other important changes to the standard to clarify scope, third parties, sampling and compensating controls," continued Jaques. "In addition, the Council is implementing a Quality Assurance program that will provide for regular audits of QSA and ASV providers to ensure that they are providing services that fully meet the intent of the PCI DSS standard. SecureWorks is committed to providing high-quality and high-integrity services to serve the PCI community and applauds the PCI Security Standards Council for implementing Quality Assurance controls."
For detailed information on PCI DSS Requirements and Security Assessment Procedures Version 1.2 and for additional guidance on changes made in version 1.2, please visit https://www.pcisecuritystandards.org/.
About SecureWorks
With over 2,000 clients, SecureWorks is one of the market's leading Security as a Service providers. Organizations are protected from external and internal cyber-threats through SecureWorks' On-Demand Security Information and Event Management (SIEM) platform, the SecureWorks Counter Threat Unit(TM) and three fully synchronous Security Operations Centers (SOCs) staffed with SANS GIAC certified analysts working 24x7 to safeguard client systems. SecureWorks has won SC Magazine's "Best Managed Security Service" award for 2006, 2007 & 2008, Best Intrusion Prevention 2006 and has been named to the Inc 500 and Deloitte lists of fastest-growing companies.
www.secureworks.com.
