ATLANTA, Oct. 2 /PRNewswire/ -- SecureWorks, a leading Security as a
Service Provider (SaaS), announced today that it remains committed to helping
organizations meet the Data Security Standard (DSS) version 1.2 released Oct.
1st by the Payment Card Industry (PCI) Security Standards Council. The
revised standard provides clarifications and changes intended to help
organizations protect cardholder data more effectively.
SecureWorks is a Qualified Security Assessor Company (QSAC) and also an
Approved Scanning Vendor (ASV) for PCI, which enables SecureWorks to provide
Reports on Compliance (ROCs) and to provide the external and/or internal
vulnerability scanning services required as part of the DSS version 1.2
specification. In addition, SecureWorks provides many other services that
help companies meet various requirements of PCI DSS v1.2.
"We are pleased with the thoughtful modifications made by the Security
Council," states Kathy Jaques, Chief Marketing Officer of SecureWorks. "The
clarifications provide both assessors and companies with a better
understanding of the intent of each section and, in some cases, create more
flexibility to economically do what is needed to protect cardholder data while
still meeting regulatory requirements. The PCI Community meeting held on
September 22-24th, 2008 in Orlando, Fla. offered a helpful opportunity for
assessors, vendors and merchants to ask additional questions to clarify
intent."
The following is a subset of the changes made by the PCI Security
Standards Council that most directly affect typical SecureWorks clients as
well as a brief description of how SecureWorks can help companies meet each
specific requirement as appropriate:
Requirement 1: Install and maintain a firewall configuration to protect
cardholder data
SecureWorks provides firewall and other device reporting, monitoring and
management services that can ensure that technologies are appropriately placed
to segment the network to protect cardholder data from internet and internal
threats. Our workflow and reporting provide an audit trail that firewall
policies are reviewed as needed and no less often than required by PCI. PCI
DSS version 1.2 changed the requirement to review firewall policies from every
quarter to every six months.
Requirement 2: Do not use vendor-supplied defaults for system passwords
and other security parameters
Although ensuring that default passwords are reset is largely a manual
effort for merchants and other PCI organizations, SecureWorks helps companies
meet section 2.2 by ensuring that the cardholder systems are regularly scanned
for vulnerabilities and that findings are flagged for remediation according to
the company's policy.
Requirement 3: Protect stored cardholder data
Requirement 3 speaks to the need to minimize storage of cardholder data
and to use "strong cryptography" (updated from the previous specification to
use "encryption") to protect cardholder data and to follow guidelines for
secure cryptographic key generation, distribution and storage. As a QSAC,
SecureWorks can work with companies to architect cryptographic controls that
fit the business.
Requirement 4: Encrypt transmission of cardholder data across open, public
networks
The PCI DSS v1.2 specification restricts the implementation of new
wireless networks using WEP after March 31, 2009 and requires that current
wireless implementations discontinue use of WEP after June 30, 2010. In
addition, requirement 4 speaks to using strong cryptography and security
protocols to protect data during transmission over open public networks and
also speaks to protection of data communicated via standard messaging
technologies such as email, chat and instant messaging. SecureWorks helps
with a small piece of this requirement by providing an encrypted email
solution to safeguard the email channel. This solution prevents cardholder
data or personal confidential information from leaving or entering the company
according to the company's policies - and without the need to alter business
processes.
Requirement 5: Use and regularly update anti-virus software or programs
Companies are required to deploy and keep current software that detects
and defends against malicious software. With PCI DSS version 1.2, the
definition of anti-virus is expanded to include protection against all known
types of malicious software, not just viruses. SecureWorks' Intrusion
Prevention services protect companies at both the host and the network edge to
ensure that desktop users are protected with a sound "defense-in-depth"
solution. These rapidly deployed countermeasures provide protection even
while desktop measures are being updated.
Requirement 6: Develop and maintain secure systems and applications
Requirement 6 is about staying informed on the threat landscape, ensuring
systems are patched for vulnerabilities and following a sound software
development lifecycle (SDLC) that is disciplined and provides for secure code
review. SecureWorks provides a Threat Intelligence Service to help satisfy
the requirement to "implement a process to identify newly discovered
vulnerabilities" as stated in 6.2. In addition, SecureWorks is an Approved
Scanning Vendor (ASV) and can provide internal and external scans of systems
to determine where they are vulnerable. SecureWorks' scanning service
prioritizes remediation efforts to support a risk-based approach to
remediation with a necessary audit trail. PCI DSS version 1.2 6.6 requires
that either web application vulnerability scanning or web application firewall
tools be implemented to protect internet-facing web applications. Both of
these services are available from SecureWorks. Finally, SecureWorks provides
professional services to perform application code reviews as specified in
sections 6.3.7 and 6.5.
Requirement 7: Restrict access to cardholder data by business need-to-know
Section 7 of PCI DSS 1.2 focuses on restricting access to systems with
cardholder data to those who "need to know." SecureWorks provides log
monitoring and retention solutions to track actual logins and failed login
attempts in addition to other logs to ensure that policies are being followed.
In addition, the professional services team of SecureWorks can work with
companies to identify and document which systems require what level of access,
and where "default accept" access is still in place, so that those systems can
be changed.
Requirement 8: Assign a unique ID to each person with computer access
Requirement 8 ensures that each user has a unique ID, making it possible
for actions taken on cardholder data to be associated with a specific user.
SecureWorks' professional services team can help define the policies and
processes needed and can test whether those policies and processes are being
followed consistently.
Requirement 9: Restrict physical access to cardholder data
PCI DSS version 1.2 requirement 9 focuses on ensuring that physical access
to cardholder data is restricted and monitored and that physical locations
where data is stored are periodically inspected. SecureWorks' professional
services organization can help develop policies and procedures to ensure
physical security of cardholder data and can test whether those policies and
procedures are being followed consistently.
Requirement 10: Track and monitor all access to network resources and
cardholder data
Companies must demonstrate that they are logging and tracking all user
access to cardholder data to provide early identification of problems and
essential information to resolve problems. SecureWorks provides log
monitoring and log retention services to capture all information required by
section 10 and to meet the requirement for daily log reviews (either by
technology or by security analysts) and log retention with immediate access to
archived logs should it be required. This is offered as a managed service and
also as a SaaS-delivered solution.
Requirement 11: Regularly test security systems and processes
Requirement 11 of PCI DSS version 1.2 clarifies that both internal and
external penetration testing is a yearly requirement for PCI compliance.
Penetration testing is different from performing a vulnerability assessment (a
point of confusion for many companies): vulnerability scanning is automated
and is done regularly to identify where patches are required, while
penetration testing is done periodically and includes manual methods to both
find vulnerabilities and attempt exploits. Penetration testing can include
methods such as phishing and social engineering that test other aspects of a
company's readiness for hacking techniques. Penetration testing must include
testing of the application layer. SecureWorks offers a PCI-compliant
penetration test.
Requirement 11.4 requires the use of intrusion prevention systems (host
and/or network) that can monitor network traffic and alert staff to suspected
compromises. SecureWorks provides Network Intrusion Prevention and Host
Intrusion Prevention monitoring and management services that can either alert
on or block malicious activity. Leveraging visibility across a large client
population (2,000+) and a robust Attacker Database (patent pending),
SecureWorks protects clients from electronic perpetrators.
Requirement 12: Maintain a policy that addresses information security for
employees and contractors
Requirement 12 requires a robust security policy that is well-communicated
to all employees and significant partners and vendors. In addition, companies
are required to implement security awareness training programs that provide
documentation for assessors of an effective and unilateral education program.
Companies must also have an incident response plan in place and a thorough
vendor/partner management program to ensure that risk is not introduced by
connected entities. SecureWorks offers Security Awareness Training Programs,
incident response planning, and is launching a new service called Compliance
Central(TM) that will aid with vendor and partner security management. We
also have a PCI policy package to help speed along compliance efforts.
"The PCI Security Council made several other important changes to the
standard to clarify scope, third parties, sampling and compensating controls,"
continued Jaques. "In addition, the Council is implementing a Quality
Assurance program that will provide for regular audits of QSA and ASV
providers to ensure that they are providing services that fully meet the
intent of the PCI DSS standard. SecureWorks is committed to providing
high-quality and high-integrity services to serve the PCI community and
applauds the PCI Security Standards Council for implementing Quality Assurance
controls."
For detailed information on PCI DSS Requirements and Security Assessment
Procedures Version 1.2 and for additional guidance on changes made in version
1.2, please visit https://www.pcisecuritystandards.org.
About SecureWorks
With over 2,000 clients, SecureWorks is one of the market's leading
Security as a Service providers. Organizations are protected from external and
internal cyber-threats through SecureWorks' On-Demand Security Information and
Event Management (SIEM) platform, the SecureWorks Counter Threat Unit(TM) and
three fully synchronous Security Operations Centers (SOCs) staffed with SANS
GIAC-certified analysts working 24x7 to safeguard client systems. SecureWorks
has won SC Magazine's "Best Managed Security Service" award for 2006, 2007 &
2008, Best Intrusion Prevention 2006 and has been named to the Inc 500 and
Deloitte lists of fastest-growing companies.
www.secureworks.com.
SOURCE SecureWorks