Strategic guidance for applying PCI-DSS tactics.

Jan 04, 2010

Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.- Sun Tzu

With the new year upon us, I reflect on all the “fun” security professionals had in 2009. With all the incidents that have expanded our catalog of war stories, I think that the misapplication of compliance standards is one of the themes that caused our eyes to twitch. The Payment Card Industry Data Security Standard (PCI DSS) is “a set of comprehensive requirements for enhancing payment account data security.” In other words, PCI provides a set of tactics to protect the confidentiality and integrity of data. It is a great place to start – but it is only part of the picture. Applying those tactics appropriately requires situational awareness and knowledge of the company’s core values and strategy. Sun Tzu’s approach to assessing an army’s readiness for battle can be applied to attaining this knowledge in a business environment.

The ground gives rise to measurements, measurements give rise to assessments, assessments give rise to calculations, calculations give rise to comparisons, comparisons give rise to victories.– Sun Tzu

  1. Measure the Scope

    “The number one PCI piece that companies don’t do well is around scoping,” said Verisign’s Branden Williams. Given the limited resources available for any IT project, scoping is required in order to manage a project effectively and deliver on time and within budget. Data flow diagrams and business case/process mapping are one way to determine scope. Williams cautions that many companies “assume they can apply PCI to their entire environment. This is a foolish assumption, especially in the case of legacy applications.” Once the scope of the implementation is determined through measurement, the assessment of business risk can be performed.
  2. Assess the Risk

    “Regulations are not designed to handle the kinds of threats, the kinds of vulnerabilities, and the kinds of problems that organizations are facing today,” said Edward Schwartz, CSO of NetWitness. He recommends that risk be assessed in the context of the processes that utilize the data being protected. Sun Tzu suggests a five-point risk assessment approach.

    1) The Way – refers to the culture of an organization.  A risk assessment must examine the impact of values and behavior on the overall security posture.  This information will be extremely useful when selecting effective controls.

    2) The Weather – refers to seasonal changes in organizational priorities. A risk assessment must take patterns of organizational behavior into account. This step in the process is facilitated by alliances with business stakeholders.

    3) The Terrain – refers to the competitive landscape both within and without the organization. Most security professionals are used to examining the external terrain, focusing on external threats. The internal landscape, however, presents greater issues, obstacles, and opportunities of which we must be aware. Of particular concern are the behaviors that are incentivized by management priorities – they may be focused on business expediency at the expense of security.

    4) The Leadership – refers to those who promote the corporate goals and enable those goals through tactical and operational initiatives. We must assess what role those leaders will play in the PCI implementation and how they impact the overall risk posture. By understanding our end-client – the business – we can architect a control strategy, and supporting tactics, that address risk while supporting management priorities.

    5) The Discipline – refers to the enforcement of security policies and procedures. A risk assessment must consider the human factors that enable threats.

  3. Calculate the Impact of Controls

    After assessing the risks, we must review the benefits and constraints of the control options in order to select the appropriate ones. According to Sun Tzu, “those who are not thoroughly aware of the disadvantages in the use of arms cannot be thoroughly aware of the advantages.” We must apply our knowledge of the corporate organism in order to select controls that will allow it to thrive.

If generals do not know how to adapt advantageously, even if they know the lay of the land they cannot take advantage of it. – Sun Tzu

Standards like PCI serve an important role in creating a baseline for data protection and a common language for the discussion of the related issues.  However, they are not designed to contribute to market responsiveness/agility.  The enlightened business creates synergies between the tactics communicated in these standards/regulations and their core competencies/strategies.


Steven F. Fox provides security guidance to ensure compliance with Federal standards and requirements as a Senior Security Architecture and Engineering Advisor for the IRS. Fox contributes to multiple working groups including the IPv6 transition team, the Developer Security Testing workgroup and the Security and Privacy workgroup. He brings a cross-disciplinary perspective to the practice of information security, combining his experience as a security consultant, an IT auditor and a systems engineer with principles from behavioral/organizational psychology to address security challenges. He is a syndicated blogger covering IT Governance, Risk Management and IT-Business fusion topics. He also volunteers his time to the Ponemon Institute and Security BSides Detroit.