Mapping Out a Strategy for PCI DSS
Now that we've looked at the particulars of the PCI requirements for protecting cardholder data, and discussed some of the technologies and methods available to achieve compliance, let's take a step back and briefly discuss your approach.
In many cases, organizations involved in handling PCI data existed and were involved with it before the PCI DSS came out. So, networks and architecture processes already existed. If you were designing your network and your plan from the ground up with PCI DSS in mind, you'd do it differently. Attempting to apply specific security standards after the fact is a different (and more difficult) proposition.
By utilizing some of the fundamental principles of developing a sound information management practice, you can avoid a haphazard approach that can lead to problems such as inefficiency, unnecessary cost, insufficient controls, or controls that are more restrictive than necessary.
Step 1. Identify and Classify Information
The first step in achieving your data privacy goals is to identify what data you have and classify it in terms of its sensitivity. There are multiple levels on which data can be classified, but for the purposes of PCI, you need to determine what is and is not cardholder data, and then break down the elements further in terms of sensitivity. You might break it down as follows:
- Customer Information
- PAN
- Personal Identification Number (PIN)
- Non-customer-related data.
You can classify your data in any way that makes sense to you, but the most important thing to be aware of is what PCI DSS Requirement 3 requires to be treated as sensitive or not. Your subsequent steps of organization will be based on your decisions here.
Step 2. Identify Where the Sensitive Data Is Located
Databases will house cardholder data, but where else might it be? Flat files that are the results of batch processing, log files, backup tapes, and storage networks may all house sensitive information. Ask the following questions:
- Where is it located?
- What format is it in (e.g., database, flat file)?
- What is the size of the data?
Answers to these questions will determine if you have to make changes in your architecture to minimize the cost and work to protect the data.
Step 3. Determine Who and What Needs Access
Too often, data breaches take place simply because people and applications have access to data they do not need. You have to balance the need for access with the proper control on that access to keep doing business.
Answer these questions:
- Who currently has access to sensitive data?
- Do they need access to do their job?
- What format is it in (e.g., database, flat file)?
- What is the size of the data?
- What applications, such as backup applications or Web sites, need access?
Step 4. Develop Policies Based on What You Have Identified
Now that you have identified what data you have, where your data is located, and who and what needs to access it, you can define information-handling policies based on what, where, who, and how. This is where you establish such things as policies, standards, guidelines, and procedures. The details of implementing this are beyond the scope of this book, but numerous resources exist which provide help on how to approach this in an organized way. It may also be of help for you to engage a professional organization or consultant versed in this to help you write and publish these. This will be the cornerstone of your approach to your information assurance plan.