ZenGRC

Simply Powerful GRC

ZenGRC Team

June News Round-Up: More Data Breach News, Crypto Wars 2.0, and Acer Hack

· ·

June Compliance News Round-Up

Biggest Data Attacks of 2016 (So Far)

Data attacks, breaches and vulnerability disclosures continue to dominate headlines this year. Dark Reading has compiled an overview of the largest attacks to date in 2016. A key takeaway from the report is that anyone can become a target, and the consequences of an attack can be dire.

Everyone’s trying to do more with less, and as security budgets continue to get squeezed, you’ll need to make sure you’re getting the most value for your compliance dollars. Simplifying risk management and compliance activities can help you achieve a better return on investment and make the best use of limited compliance resources.

The full article from Dark Reading can be found at the following link:

Biggest Attacks Of 2016 (So Far)

Crypto Wars 2.0

In the wake of Apple’s battle with the FBI over the San Bernadino iPhone, a new Crypto Wars has begun and the US is once again the center of a new privacy vs. security debate. Lawmakers have released a new bill that would force companies to comply with a court order to assist or decrypt data for the government when necessary. Many tech and encryption specialist who oppose the bill say it blatantly ignores the lessons learned from the first Crypto Wars from the early 90’s.

The ramifications of changes to cryptography legislation reach far beyond the boundaries of compliance. New legal requirements will force changes not only to your compliance programs but also changes to technical architectures, audit requirements, and even entire business models. Regardless of which side you stand on the debate, legislation changes will have an impact on your business and you should be prepared to adapt accordingly.

The following article gives more insight into Crypto Wars 2.0 and lays out the various perspectives:

Crypto Wars 2.0 – A US Perspective

PSA from the FBI on Business Email Compromise Scams

The FBI recently released a new PSA warning businesses of an increase in Business Email Compromise (BEC) scams. The scams have cost businesses $3.1 billion in losses globally, $960 million of that being to US companies in the last three years alone. The FBI shared the 5 common scenarios that tend to drive the scams which include, data theft, working with a foreign supplier, and wire transfers. Recommendations around safeguarding your business against these types of scams include, deleting spam, avoiding free web-based email accounts, and limiting the types of info posted to social media sites.

As a company, preventing attacks like these are where you should be focusing your limited risk management resources. A unified compliance and risk management tool can help you achieve a better ROI for these resources, and also make sure that your staff is spending more time addressing high criticality issues like phishing scams and less time checking compliance boxes.

For more information, you can view the full article here:

Business Email Compromise Scams Have Cost Victims $3B, Reports FBI

Acer Hack

Taiwanese hardware giant Acer recently announced it suffered a data breach via its e-commerce site that had been going on for nearly a year. The data compromise included customer names, addresses, credit card numbers and security codes for potentially all online customers who shopped on the site from May 2015 through April 2016.

Data breaches like this latest one seem to be increasingly commonplace. The majority of data breaches happen due to human error, so one way to manage risk is to instill a culture of security throughout your workforce. Training your employees to create strong passwords and to securely share information is critical. Additionally, ensure each individual understands what he or she is responsible for, as employees with well-defined roles are able to implement technology to create an effective security program.

For more details on the Acer Hack, you can view the full article here:

Hackers Harvest Card Details from Acer for Almost a Year

5 Common Mistakes That Will Make or Break Your Compliance Program

· ·

5 Common Compliance Program Mistakes

Starting a compliance program can be a daunting process, especially if you are new to the GRC landscape. With that in mind, we have put together this list of common mistakes to watch out for when embarking on compliance that can mean the difference between success and failure.

1. Missing Stakeholder Buy-in

Securing early stakeholder buy-in when establishing your compliance program is critical to ongoing success. These initial, high visibility champions should be involved in driving the compliance program and socializing it to others in the company. Stakeholders need to be viewed within the organization as ongoing owners of the compliance program.

2. Lack of Adequate Training

Training and educational efforts often fall short. Successfully implementing a compliance program requires that the users and stakeholders receive adequate training on the company’s GRC goals, as well as how to use any tools being implemented. Ensure that members of your organization are aware of the role they play in meeting those goals. Spending a little extra effort upfront on training and educational efforts will help ensure the success of your compliance program.

3. Failure to Clearly Identify Goals

The goals and requirements of your compliance program must be clearly identified and communicated to your stakeholders as early as possible. One of the main pitfalls that organizations have with implementing a compliance program is failure to clearly define goals and not being able to track progress towards reaching those goals.

4. Scope Creep

While compliance is an ongoing process, it’s important to initially set up a usable system of record and expand upon it as needed. Avoid falling into the “one more feature” roadblock whereby the entire project is delayed because a non-core feature can’t be immediately satisfied. Starting with a solid system of record and expanding in measurable, achievable steps is a key component to standing up a successful compliance program.

5. Ongoing Updates

The inverse of scope creep is the idea that a compliance program is static and once implemented, no longer requires attention. Compliance is ongoing, and your programs require regular updates and maintenance in order to remain effective. Ongoing updates to standards, new regulations, and changes in the organization all need to be reflected in the overall compliance program in order to be effective.

The complicated path towards compliance takes thought and planning. By being aware of what to look for when you are starting out, you will be better positioned to be in control of the process and better influence the outcome.

 

ZenGRC v2.2 Release Features New System of Record Dashboard, Tree View Updates

· ·

In the latest ZenGRC product release we continue to add new and enhanced capabilities designed to make it easier and more efficient to manage your compliance program. Enhancements in v2.2 are now available and include:

A New System of Record Dashboard


The System of Record Dashboard tracks your progress as you build out ZenGRC as your compliance system of record, and allows you to monitor the status of ongoing updates to the system as requirements and business needs change. It shows the status of three ZenGRC objects: controls, objectives, and programs. The dashboard displays the completion status of each of these objects as they move from draft to final, and help you determine if controls are in scope. The System of Record dashboard gives you visibility into the following:

Control Set Analysis

This summary view gives you a quick overview of the completeness of your System of Record and shows which controls still need to be addressed. For a more detailed view, simply click on any number and this will lead you to a list of these controls within ZenGRC.

ZenGRC System of Record Control Set Analysis

Objectives Analysis

The information reported in Objectives Analysis helps guide decisions for future projects or audits. It shows your status towards completions and the objectives and controls that still need to be finalized. It also gives you a single click view into the list of gaps in ZenGRC. This allows you to manage existing projects and tasks to determine the project or audit tasks that need attention.

Zen GRC System of Record Objectives Analysis

Future Gap Analysis

This view displays your compatibility with other programs you have planned in ZenGRC and shows how close you are to meeting the objectives related to those programs.

Link sharing

By clicking on Program, Control, or Objective names and on numbers of these objects in the reports you are redirected to a page with more details on the selected object. You can easily share this view with a coworker by simply copying and sharing the URL. As long as they have access to ZenGRC they will be able to access the exact same view.

PCI-DSS v3.2 Content Ready for Upgrade


Our GRC Expert team has prepared the new version of PCI-DSS for general availability import. Please contact support@zengrc.com to receive an upgrade memo describing the summary of changes, and instructions for upgrading your current PCI program.

Tree View Updates


We have added the ability to view creators and assessors on Assessment’s tree view. If there are multiple users in one role, they are all displayed and separated with commas. Users can also use filters to see just assessments with relevant users (use the “~” filter).

ZenGRC Tree View Updates

Need help or have questions about v2.2 of ZenGRC? Contact us at support@zengrc.com.

The New PCI-DSS v3.2 and What It Means For You

· ·

The PCI Security Standards Council released an update to the PCI Data Security Standard (PCI-DSS) at the end of April. The current version of PCI-DSS is now v3.2. If your organization is required to be PCI compliant, here are some key things to know that will help in the transition to the updated version:

1. Sunrise Period

The new standard has a sunrise period of six months. This means if you have a PCI audit scheduled between now and October 31, 2016, you may choose to have the audit conducted against the PCI-DSS v.3.1 (old version), or v3.2 (current version). After October 31, you must use v3.2.

2. New Requirement Deadlines

A number of new requirements are considered best practices (or recommended) until January 31, 2018, after which they become a requirement. Audits conducted before February 1, 2018 may include an auditor’s note regarding your compliance against these best practices, but they will not affect your certification.

3. SSL/Early TLS 1.0 to TLS 1.2 Deadline

The deadline for moving from SSL/early TLS 1.0 to TLS 1.2 has been extended to June 30, 2018 for all service providers. Prior to June 30, 2018, existing implementations must have a formal Risk Mitigation and Migration Plan in place. The PCI Council created a new appendix (Appendix A2- Additional PCI DSS Requirements for Entities using SSL/Early TLS) to give organizations more clarity on what is required in the interim.

4. Multi-Factor Authentication Requirements

Although not a requirement until January 31, 2018, Requirement 8.3.1 will require all non-console access to have multi-factor authentication. Having previously only required multi-factor authentication for remote access to the CDE, this will likely impact most organizations.

If your organization requires PCI compliance, you should perform your own due diligence and read PCI-DSS 3.2 and the Summary of Changes document to ensure you understand the full scope of changes. We recommend reviewing these new requirements and documenting a roadmap for implementation. Some of them could require significant time and budget due to technological or organizational changes required.

If you are a current ZenGRC customer, please email your ZenGRC Customer Success Manager (support@zengrc.com), who is available for support if you have any questions.

Blog-CTA-Banner_PCI-demo

PCI DSS 3.2.1 Changes and What’s to Come From Version 4.0

· ·

PCI Compliance & Network Segmentation

Being compliant with the Payment Card Industry Data Security Standard 3.2.1, (PCI DSS version 3.2.1), launched in 2019, soon won’t be good enough for organizations accepting payments using the major credit card brands. That’s because the Payment Card Industry Security Standards Council (PCI SSC) has nearly completed a new version, PCI DSS 4.0, slated for launch in mid-2021.

Noncompliance with this update, as with the previous versions, is not an option. If your organization accepts credit card or debit card payments either as ecommerce transactions or in person, it must demonstrate PCI DSS compliance

Why Update PCI DSS?

When new technologies come along or hackers shift tactics, security controls need to change, as well. That’s why the PCI Security Standards Council so frequently updates the PCI Data Security Standard (PCI DSS), which governs the protection of cardholder data and the cardholder data environment (CDE).

For the version 4.0 update, the council has been considering how to continue protecting card data in the face of technological advancements and emerging security threats. 

The council will take into account new techniques for risk mitigation and today’s challenges, such as such as an increased need for remote access control for online payments. 

What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security framework intended to help merchants and service providers protect credit and debit card transactions from data breaches.

PCI DSS is not a law or regulation, but an industry mandate. If your enterprise accepts credit card payments or handles payment card data, it must comply with PCI DSS. If there’s a data breach and your security controls are found to be out of PCI compliance, the penalty could be steep fines and even a loss of card-payment privileges.

Highly prescriptive, the standard includes six goals, 12 PCI DSS requirements and 251 sub-requirements, all designed to help your PCI DSS compliance program enact appropriate security policies

PCI DSS requires that payment service providers, such as payment applications, be compliant, as well. 

And it allows for businesses of various sizes to meet different requirements. Those with the most payment transactions per year (Level 1) must undergo quarterly reviews, or vulnerability scans, and a full-blown annual audit of their critical security control systems. The requirements change for Levels 2 and 3. Those at the bottom of the rung, Level 4, can choose to complete a self-assessment questionnaire (SAQ) instead of undergoing an audit.

PCI DSS: A Brief History

PCI DSS’s origins date to 1999, when Visa developed a Cardholder Information Security Program in response to rampant increases in credit card fraud via the (new) Internet. Other major credit-card brands—Mastercard, Discover, American Express, and JCB—followed suit with their own security programs. In 2004 these five jointly launched PCI DSS 1.0.

In 2006, the card brands added financial institutions, merchants, processor companies, software developers, point-of-sale vendors, and others to their security initiative, forming the PCI Security Standards Council (PCI SSC). The council made the first revisions to the standard, PCI DSS 1.1.

Subsequent revisions have been issued since, all the way to PCI DSS 3.2.1, which took effect Jan. 1, 2019. All merchants as well as payment and internet service providers that process, store, or transmit transactions involving any of these cards must comply with PCI DSS 3.2.1.

What Was New in 3.2.1?

The previous PCI DSS update, PCI DSS 3.2.1, made only very minor changes to PCI version 3.2. It didn’t impose new requirements, but only clarifications.

It changed or removed dates in PCI DSS version 3.2 because those dates had passed. For instance, it eliminated PCI DSS 3.2‘s reference to a deadline for service providers to move from SSL/early TLS 1.0 to TLS 1.2.

It made clarifications to Appendix B, making a wording change and removing multi-factor authentication (MFA) from a “compensating control” example because MFA is required for all non-console administrative access to payment card systems. It also added the use of one-time passwords as an alternative control for this type of access.

Now, the PCI SSC is preparing to release another update–PCI DSS 4.0, scheduled to take effect mid-2021.

What to Expect from PCI DSS 4.0?

Although the most recent update to PCI DSS just took effect in 2019, some of its security controls are 10 years old. The last major changes to the standard took place in 2015, so most experts expect major revisions to PCI DSS 4.0. 

The security goals of PCI DSS 4.0 include:

  • Continue to meet the security needs of the payments industry for the protection of cardholder data such as primary account number, card number, and other payment data
  • Add flexibility and support of additional methodologies to achieve security 
  • Promote security as a continuous process
  • Improve validation methods and procedures

What’s new in 4.0? Here’s a sneak peek. 

A more flexible, customizable framework

Up to now, PCI DSS has provided specific, detailed requirements telling organizations exactly what they must do to comply with the standard. It provides not merely the “what” of CDE security, but also the “how.” If you can’t meet a requirement in the way prescribed, you must implement a “compensating control,” which can be difficult and burdensome.

PCI-DSS 4.0 replaces “compensating controls” with “customized implementation.” It states the objectives and allows you to design your own security controls to meet them–with the approval of your Qualified Security Auditor (QSA). This assessor will review your documentation and test each custom control.

This added flexibility may save your organization time and money by enabling you to use the technologies of your choice to achieve PCI DSS compliance.

More stringent security requirements

PCI DSS 4.0’s Summary of Changes is expected to include new requirements for the security of your CDE. Already, for example, your security systems should be using network segmentation to separate your CDE from the rest of your system components. This is not only good security, but it also can limit the scope of your PCI DSS audit, making it faster, easier to achieve, and less costly. Your executive management should be planning ahead for the implementation of more stringent security controls, and budget accordingly.

NIST MFA/password authentication

The Europay, Mastercard, and Visa consortium (EMVco) and the PCI SSC are working together to add authentication standards for process-access logins and payment processes. These authentication processes are also expected to be more flexible while enabling more secure customer authentication. 

More guidance on encryption

Blocking malicious code from hijacking your CDE and stealing cardholder data is increasingly important. Securing network transmissions using such tools as encryption is key, and v4.0 is expected to provide guidance for doing so. 

Expanded DESV requirements

Until now, only enterprises that have experienced a security breach have needed to meet  Designated Entities Supplemental Validation (DESV) requirements regarding the frequency of testing of critical controls and the addition of controls. Some expect that v4.0 will apply these requirements to all businesses.

Stay on Top of Changes to PCI DSS

Organizations that use ZenGRC to manage their PCI DSS compliance don’t need to worry or fret over meeting the new requirements in PCI DSS 4.0. 

They’ll know as soon as the new version is launched what they need to do to maintain compliance.

They’ll see on Zen’s user-friendly, color-coded dashboards where compliance gaps exist and how to fill them. 

They can conduct unlimited self-audits to ensure that they pass their external audits with flying colors. 

Their PCI DSS compliance assured they’ll sleep better at night, and can devote their days to other, more pressing tasks.

Worry-free PCI DSS compliance is the Zen way. Contact us today for your free consultation.