PCI specifications are merely the beginning; change and configuration auditing must be added on top
Recent PCI-DSS (Payment Card Industry – Data Security Standard) compliance incidents have been costing companies millions of pounds in fines and losses and inflicting damage to valuable brand reputations.
This has spurred change and configuration auditing specialist Netwrix to urge organisations processing payment cards to follow six best practices to safeguard against security incidents.
To support the need to follow its best practices, the company has pointed to the recent eBay breach, which forced the company to advise 145 million users to change their passwords to avoid loss of financial information, and to the breach at US retailer Target, which resulted in 40 million stolen credit card numbers and compromised the personal information of more than 70 million customers.
To help organisations avoid similar data breaches and their consequences, Netwrix has recommended six essential rules around change and configuration auditing:
- Separate Environments – Minimise risks by reducing PCI scope within your systems and enforce separation of environments by continuously auditing access and changes to the systems where cardholder data is stored.
- Audit Access Control – Ensure that permissions are adequate and that access to sensitive data is limited only to the people who need it. Change and configuration auditing can help by giving you precise information about the state of access rights and all changes to them, alerting you to critical issues and helping with investigation in the event of unauthorised access.
- Audit Provisioning and De-Provisioning of Users – Organisations should establish control over user creations and removals. A comprehensive change and configuration auditing solution will provide daily and on-demand reports as well as real-time alerts on these critical modifications.
- Audit Privileged Users’ Activities – A particular emphasis should be placed on changes made by administrative accounts: changes to user access rights, elevation of privileges, mistakenly changed permissions and other security-related events. Daily and on-demand reports and real-time alerts provided by change auditing solutions will help organisations to stay secure.
- Document Everything – You never know which part of your system activity, or which time period, you will be required to demonstrate to the auditor, so keep all of it. In addition to a complete audit trail, some of the more advanced change and configuration auditing solutions allow you to record video of user activities on critical systems, along with metadata, and provide search and replay capabilities. A regular review of audit trails may also help prevent breaches before they occur.
- Monitor and Test – Change and configuration auditing solutions will provide a complete audit trail with detailed information on access and changes with ‘who, what, where, and when’ details, including before and after values for each event. This will simplify root-cause analysis and allow proactive prevention of malicious activities.
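As an added illustration of what the "who, what, where, when" audit trail with before/after values buys you in practice, the following example (not Netwrix code, and not part of the original article) reviews a constructed set of change events and flags the ones the recommendations above single out: user creation and removal, membership changes to privileged groups, and permission changes on in-scope cardholder-data systems. The host names, group names and event schema are assumptions chosen for the example.

```python
"""Review change-audit events and flag PCI-relevant changes.

Each event carries who/what/where/when plus the before and after values,
which is the shape of record the article's sixth recommendation calls for.
All names and events below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed (constructed) scope: systems holding cardholder data, and the
# groups whose membership confers administrative privilege.
CDE_HOSTS = {"cde-db01", "cde-app01"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "CDE-Admins"}


@dataclass
class ChangeEvent:
    who: str                 # account that made the change
    what: str                # object type and action, e.g. "group.member_added"
    where: str               # system on which the change was made
    when: str                # ISO-8601 timestamp
    target: str              # object that was changed
    before: Optional[str]    # value before the change (None if newly created)
    after: Optional[str]     # value after the change (None if removed)


def classify(ev: ChangeEvent) -> List[str]:
    """Return alert reasons for one event; an empty list means a routine change."""
    alerts: List[str] = []
    if ev.what in ("user.created", "user.deleted"):
        alerts.append(f"provisioning: {ev.what} {ev.target}")
    if ev.what == "group.member_added" and ev.target in PRIVILEGED_GROUPS:
        alerts.append(f"privilege elevation: {ev.after} added to {ev.target}")
    if ev.what == "acl.modified" and ev.where in CDE_HOSTS:
        alerts.append(f"CDE permission change on {ev.target}: {ev.before} -> {ev.after}")
    return alerts


def review(events: List[ChangeEvent]) -> Dict[str, List[str]]:
    """Map 'who@when' to its alert reasons, omitting events that raise none."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            findings[f"{ev.who}@{ev.when}"] = reasons
    return findings


# Constructed sample audit trail (not real data): an admin creates a user,
# adds them to a privileged group and to a routine group; a service account
# loosens an ACL on a cardholder-data host overnight.
SAMPLE = [
    ChangeEvent("jdoe", "user.created", "dc01", "2014-06-02T09:00:00Z", "tsmith", None, "enabled"),
    ChangeEvent("jdoe", "group.member_added", "dc01", "2014-06-02T09:05:00Z", "Domain Admins", None, "tsmith"),
    ChangeEvent("jdoe", "group.member_added", "dc01", "2014-06-02T09:06:00Z", "Marketing", None, "tsmith"),
    ChangeEvent("svc-backup", "acl.modified", "cde-db01", "2014-06-02T22:10:00Z", "D:\\cards", "Admins:Full", "Everyone:Full"),
]
```

Running `review(SAMPLE)` yields three flagged events and leaves the Marketing group change unreported; the before/after values on the ACL event are what make the root-cause step a lookup rather than a reconstruction.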
“Recent examples show that it is not enough to align your processes and policies with PCI-DSS guidance,” said Alex Vovk, president of Netwrix. “You must also establish mechanisms to verify these processes actually work and be able to prove that to all stakeholders: IT management, executives, and auditors. Essentially, change auditing is what makes your compliance efforts provable.”