The Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS requires every organization that stores, processes or transmits cardholder data to protect it throughout the entire information life cycle. The implications, however, are broader: organizations must know where the data exists across an often distributed enterprise; they must fully understand their current state of PCI compliance in order to develop improvement plans; and they must have the ability to remediate as necessary.
Beyond these challenges, though, lies opportunity: as businesses focus time and resources on addressing PCI compliance, there is an opportunity to extend these investments into long-term programs for compliance that make companies more proactive than reactive, help businesses improve their overall IT security posture, and maximize the return on their security investment.
Fastwave offers a range of services & solutions that help customers achieve these objectives. In addition, Fastwave has capabilities to address core PCI DSS requirements, such as application security and IT Security policy development.
As organizations begin to approach PCI DSS compliance, they must first understand any gaps that exist in order to identify remediation needs. Through a PCI Assessment, Fastwave helps customers understand their current PCI posture and develop a remediation roadmap before undergoing a formal PCI audit. This service does not replace a formal PCI assessment by a Qualified Security Assessor (QSA); it helps merchants identify and address weaknesses before that assessment takes place.
As a key deliverable, Fastwave recommends a comprehensive reference architecture for proper handling of cardholder data. Fastwave consultants deliver this proposed architecture by:
- Evaluating your current levels of compliance with the PCI DSS standard by reviewing current architectures for infrastructure elements (Networks, Applications, Servers and Storage) that handle and process cardholder data.
- Reviewing current policies and processes for handling cardholder data and comparing them with the PCI DSS standard, as well as with best practices from Fastwave's consulting experience.
- Producing a report to document gaps between the current state of infrastructure, policies and procedures and the state desired to achieve PCI DSS compliance.
- Developing a remediation roadmap that provides a step-by-step timeline of recommended technology improvements and process changes to achieve PCI DSS compliance, while recognizing budgetary, staffing and information management limitations and technological dependencies.
With these services, customers are able to:
- Effectively manage cardholder information and other key business data throughout the information life cycle.
- Understand current PCI DSS posture and develop remediation plans that will help you pass the audit.
- Create and maintain security policies that help address compliance while improving IT security.
- Develop programs that enable PCI compliance initiatives to become business-as-usual, rather than reactive, and position you to focus on more strategic business enabler initiatives.
ISO 27001 is an internationally recognized certification standard for information security management systems. Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 is used as a benchmark for the protection of sensitive information and one of the most widely recognized, customer-valued certifications for a cloud service.
In combination with ISO 27002, ISO 27001 outlines potential security controls and control mechanisms and provides a best practice framework for establishing, implementing, maintaining and improving an organization’s information security management system (ISMS). The presence of a robust ISMS—a critical business platform—helps to safeguard an enterprise’s information systems from cyber attacks, which are a growing threat to any organization with a data center and/or an online presence.
The Purpose And Value Of The ISO 27001 Security Standard
Addressing the need to maintain the confidentiality, integrity and availability of information systems, ISO 27001 requires management to identify information assets and assess risks to physical security, network security, host security, application security and database security. The international standard establishes guidelines for designing and executing risk-appropriate security controls and adopting management procedures to continually review the effectiveness of existing security processes.
Organizations that choose to adopt ISO 27001 are able to:
- Proactively manage info security while increasing security awareness throughout the organization
- Cost-effectively manage risk by formulating suitable security objectives and requirements
- Demonstrate their commitment to a superior level of information security
- Provide confidence and assurance to investors, clients, and prospective partners and customers
- Differentiate their business, services and products in the marketplace
- Ensure compliance with certain laws and regulations
Achieve ISO 27001 Certification Faster with a Compliance
We offer our customers a range of solutions and services to help streamline compliance initiatives such as PCI DSS, ITIL and NIST standards, giving you comprehensive support well beyond a simple ISO or PCI compliance checklist. Through our ISO services, we can provide your company with tools and documentation to accelerate ISO 27001 certification and the implementation of ISO 27002 controls.
Security Information and Event Management (SIEM)
SIEM (Security Information and Event Management) based on IBM QRadar technology aggregates event data produced by security devices, network infrastructure, systems and applications. Event data is combined with contextual information about users, assets, threats and vulnerabilities. The data is correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting. The technology provides real-time security monitoring, historical analysis and other support for incident investigation and compliance reporting.
SIEM can also correlate system vulnerabilities with event and network data, helping to prioritize security incidents.
- Provides near real-time visibility
  - Helps detect inappropriate use of applications, insider fraud, and advanced "low and slow" threats that would otherwise be lost among millions of events.
  - Collects logs and events from many sources, including security devices, operating systems, applications, databases, and identity and access management products.
  - Collects network flow data, including Layer 7 (application-layer) data, from switches and routers.
  - Obtains information from identity and access management products and infrastructure services such as Dynamic Host Configuration Protocol (DHCP), and receives vulnerability information from network and application vulnerability scanners.
- Reduces and prioritizes alerts
  - Normalizes events on arrival and correlates them with other data for threat detection, compliance reporting and auditing.
  - Reduces billions of events and flows to a handful of actionable offenses and prioritizes them according to business impact.
  - Performs activity baselining and anomaly detection to identify changes in the behavior of applications, hosts, users and areas of the network.
- Enables more effective threat management
  - Tracks significant incidents and threats, with links to all supporting data and context for easier investigation.
  - Searches event and flow data in near real-time streaming mode or historically to support investigation.
  - Provides deep insight and visibility into applications (such as enterprise resource management), databases, collaboration products and social media through Layer 7 network flow collection.
  - Helps detect off-hours or unusual use of an application or cloud-based service, or network activity patterns that are inconsistent with historical usage.
  - Performs federated searches across large, geographically distributed environments.
- Delivers security intelligence in cloud environments
  - Can be installed on IBM SoftLayer cloud infrastructure.
  - Collects events and flows from applications running both in the cloud and on premises.
- Produces detailed data access and user activity reports
  - Tracks all access to customer data by username and IP address to support enforcement of data-privacy policies.
  - Includes an intuitive reporting engine that does not require advanced database or report-writing skills.
  - Provides the transparency, accountability and measurability needed to meet regulatory mandates and compliance reporting.
- Offers multi-tenancy and a master console
  - Allows managed service providers to cost-effectively deliver security intelligence from a single console that supports multiple customers.
  - Supports either on-premises or cloud-based deployment.
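To make the normalization, correlation and prioritization steps above concrete, here is an added Python example written for this page. It is not QRadar code and does not use QRadar's rule language or scoring. It parses two constructed log formats (sshd authentication messages and a firewall connection log), correlates them with a constructed asset table that records business criticality and the number of exploitable scanner findings, applies three rules (a login that succeeds after repeated failures, an off-hours login, and an unusually large outbound transfer), and ranks the resulting offenses by asset context. All hosts, addresses, thresholds and weights are assumptions chosen for illustration.

```python
"""Toy SIEM pipeline: normalize events from two log formats, correlate them
with asset and vulnerability context, and reduce them to prioritized offenses.
Added example for this page; the log lines, asset table, rules and weights
are all constructed for illustration (not QRadar code or QRadar rules)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): sshd authentication messages and
# a firewall connection log that reports bytes transferred.
SAMPLE_LOGS = [
    "Mar 11 02:14:01 web01 sshd[811]: Failed password for admin from 203.0.113.9 port 5123 ssh2",
    "Mar 11 02:14:03 web01 sshd[811]: Failed password for admin from 203.0.113.9 port 5124 ssh2",
    "Mar 11 02:14:05 web01 sshd[811]: Failed password for admin from 203.0.113.9 port 5125 ssh2",
    "Mar 11 02:14:09 web01 sshd[811]: Accepted password for admin from 203.0.113.9 port 5126 ssh2",
    "Mar 11 02:16:40 FW01 conn src=10.0.0.5 dst=198.51.100.7 dport=443 bytes=734003200",
    "Mar 11 10:05:12 web01 sshd[902]: Accepted password for deploy from 10.0.0.21 port 40022 ssh2",
]

# Constructed asset context: business criticality (1-5) and the number of
# exploitable findings the vulnerability scanner reported for the host.
ASSETS = {
    "web01": {"ip": "10.0.0.5", "criticality": 5, "exploitable_vulns": 2},
    "FW01":  {"ip": "10.0.0.1", "criticality": 4, "exploitable_vulns": 0},
}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59; anything else counts as off-hours
UNKNOWN_ASSET = {"criticality": 1, "exploitable_vulns": 0}

SSH_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
FW_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) conn src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")

def normalize(line):
    """Map one raw line onto a common event schema; None if the line is unparsed."""
    m = SSH_RE.match(line)
    if m:
        ts, host, outcome, user, src = m.groups()
        return {"ts": datetime.strptime(ts, "%b %d %H:%M:%S"), "host": host,
                "category": "auth_fail" if outcome == "Failed" else "auth_ok",
                "user": user, "src": src, "dst": None, "bytes": 0}
    m = FW_RE.match(line)
    if m:
        ts, host, src, dst, _dport, nbytes = m.groups()
        return {"ts": datetime.strptime(ts, "%b %d %H:%M:%S"), "host": host,
                "category": "flow", "user": None, "src": src, "dst": dst,
                "bytes": int(nbytes)}
    return None

def _offense(kind, asset, ctx, src, reasons):
    # Business-impact score: criticality weighted by exploitable findings, so the
    # same event on a vulnerable crown-jewel host outranks it on a patched test box.
    score = ctx["criticality"] * (1 + ctx["exploitable_vulns"])
    return {"kind": kind, "asset": asset, "src": src, "score": score, "reasons": reasons}

def _asset_by_ip(ip, assets):
    return next((name for name, a in assets.items() if a["ip"] == ip), None)

def correlate(events, assets=ASSETS, fail_threshold=3, exfil_bytes=500_000_000):
    """Apply three rules in time order and return offenses ranked by score."""
    offenses = []
    fails = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"], ev["src"])
        if ev["category"] == "auth_fail":
            fails[key] += 1
        elif ev["category"] == "auth_ok":
            reasons = []
            if fails[key] >= fail_threshold:
                reasons.append("success after %d failures" % fails[key])
            if ev["ts"].hour not in BUSINESS_HOURS:
                reasons.append("off-hours login")
            if reasons:
                ctx = assets.get(ev["host"], UNKNOWN_ASSET)
                offenses.append(_offense("suspicious_login", ev["host"], ctx, ev["src"], reasons))
        elif ev["category"] == "flow" and ev["bytes"] >= exfil_bytes:
            # Attribute the flow to the internal source host, not the firewall that logged it.
            asset = _asset_by_ip(ev["src"], assets) or ev["src"]
            ctx = assets.get(asset, UNKNOWN_ASSET)
            offenses.append(_offense("large_outbound_transfer", asset, ctx, ev["src"],
                                     ["%d bytes to %s" % (ev["bytes"], ev["dst"])]))
    return sorted(offenses, key=lambda o: o["score"], reverse=True)

def run(lines=SAMPLE_LOGS):
    """Full pipeline over the sample lines."""
    return correlate([e for e in map(normalize, lines) if e])

if __name__ == "__main__":
    for o in run():
        print(o["score"], o["kind"], o["asset"], "; ".join(o["reasons"]))
```

On the sample input the six raw lines reduce to two offenses, both against web01: the admin login is flagged because it follows three failures from the same source and happens at 02:14, and the 734 MB outbound flow logged by the firewall is attributed back to web01 by IP. The business-hours login by the deploy user produces nothing. Both offenses score 15 because the asset table marks web01 as critical and carrying exploitable findings; the same two events on a host with no findings and criticality 1 would score 1, which is the point of feeding vulnerability context into correlation.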
The Challenges With Legacy Vulnerability Management Programs
- Protecting against advanced malware and identifying malicious communications in real time cannot be done through static reports.
- Remediation of vulnerabilities is delayed and ineffective because of a lack of visibility and context.
- Compliance audits are not enough on their own, or are inaccurate.
- Mobile, virtual and cloud technologies cannot be adequately secured by periodic scanning alone.
- A list of vulnerabilities without context all but guarantees that critical assets will not be patched in time.
- Manually correlating risk across point security products is costly.
A continuous vulnerability management program addresses these challenges with:
- 100% asset discovery, ensuring that every asset that connects to your network is identified, classified and evaluated for vulnerabilities.
- Non-intrusive (passive) vulnerability assessment between scans, with minimal impact on assets.
- Real-time continuous monitoring, providing immediate identification of vulnerabilities without waiting for the next scheduled scan.
- Attack path analysis, which prioritizes findings by vulnerability severity, exploitability, and accessibility to an outside attacker.
- Malware detection, which identifies active connections to botnets and compromised hosts communicating with malicious sites.
- Advanced threat detection, which identifies rapidly changing malware that anti-virus software may miss and new threats that may not yet be publicly known.
- Integration with patch management systems, which checks detected vulnerabilities against patch status so that remediation is accurate and conflicts are detected.
- Context from network infrastructure, patch management, MDM and configuration management systems for accurate assessment of vulnerabilities.
- Detection of mobile devices, to identify and classify them and capture their vulnerabilities.
- MDM integration, ensuring that vulnerability management accounts for mobile devices.
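As an added example of the attack path prioritization described above (written for this page; it is not a vendor's algorithm, and the network graph, findings and weights are all constructed for illustration), the following Python script computes, for each scanner finding, how many network hops an external attacker would have to traverse to reach the host, and combines that with CVSS severity and exploit availability into a ranking. The point it makes is the one in the list: a CVSS 9.8 finding with a public exploit on an isolated lab segment ranks below a CVSS 7.5 finding with a public exploit on an Internet-facing host, because the latter is reachable and the former is not.

```python
"""Attack-path prioritization: rank vulnerabilities by severity, exploitability
and how reachable the host is from an external attacker.
Added example for this page; the network graph, findings and weights are
constructed for illustration and are not any product's algorithm."""
from collections import deque

# Constructed reachability graph: an edge A -> B means segmentation/firewalls
# permit connections from A to B. "internet" is the external attacker's start.
NETWORK = {
    "internet": ["dmz-web"],
    "dmz-web": ["app"],
    "app": ["db", "jump"],
    "jump": ["db", "mgmt"],
    "mgmt": [],
    "db": [],
    "lab": [],   # isolated segment: no path from the internet at all
}

# Constructed scanner findings: CVSS base score and whether a public exploit
# is known. Host names match NETWORK keys.
FINDINGS = [
    {"id": "F1", "host": "dmz-web", "cvss": 7.5, "exploit_public": True},
    {"id": "F2", "host": "db",      "cvss": 9.8, "exploit_public": False},
    {"id": "F3", "host": "lab",     "cvss": 9.8, "exploit_public": True},
    {"id": "F4", "host": "app",     "cvss": 8.1, "exploit_public": True},
    {"id": "F5", "host": "mgmt",    "cvss": 6.5, "exploit_public": False},
]

def hops_from(graph, start="internet"):
    """Breadth-first search: fewest network hops from start to every reachable host."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def attack_path(graph, target, start="internet"):
    """One shortest path from start to target, or None if the host is unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None

def prioritize(findings=FINDINGS, graph=NETWORK):
    """Score = severity * exploitability * accessibility.

    Accessibility decays with each hop an attacker must traverse. An unreachable
    host keeps a small floor rather than zero, because insiders and paths the
    model does not know about still exist (weights are illustrative)."""
    dist = hops_from(graph)
    ranked = []
    for f in findings:
        severity = f["cvss"] / 10.0
        exploitability = 1.0 if f["exploit_public"] else 0.4
        hops = dist.get(f["host"])
        accessibility = 0.1 if hops is None else 1.0 / hops
        score = round(severity * exploitability * accessibility, 3)
        ranked.append({**f, "hops": hops, "score": score,
                       "path": attack_path(graph, f["host"])})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for r in prioritize():
        print(r["id"], r["host"], r["score"], r["path"])
```

The ranking comes out F1, F4, F2, F3, F5: the two Internet-facing hops with public exploits first, the database (three hops, no public exploit) third, and the isolated lab host fourth despite having the highest CVSS score. The `path` field is what a remediation owner needs alongside the score, because fixing F1 on dmz-web also removes the first hop on the path to F4 and F2.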
Targeted attacks and advanced threats are customized to infiltrate your specific IT infrastructure, evade conventional defenses, and remain hidden while stealing corporate data.
The advanced malware and evasion techniques used in these attacks are typically invisible to signature-based security products. Dynamic analysis, also known as sandboxing, detects and analyzes such malware by executing and observing suspicious files in a secure, isolated environment. Sandboxing is not infallible: malware can check for virtualized or instrumented environments and delay or suppress its malicious behavior, so sandbox verdicts should be combined with network and endpoint telemetry rather than relied on alone.
By integrating sandbox analysis into your existing security products you can enhance their protection value and create a unified defense against targeted attacks.
Incident handling platform
Robust response to the day-to-day events that security teams must contend with is a growing challenge shared by organizations of all sizes, across all industries, globally. And responding well in the face of a cyber-crisis is harder as the stakes have gotten higher and the actors more sophisticated.
Our Incident Response Platform features Dynamic Playbooks, which adapt automatically to real-time incident conditions to ensure a fast and complete response across the entire organization and for all incident types (from malware to DDoS to lost devices). This agile, intelligent and sophisticated response capability enables organizations to meet the complex attacks of today and tomorrow.
IR teams can manage and collaborate on their response directly within the platform. Unlike ticketing systems and other general-purpose IT tools, our IRP is secure, fully configurable, and purpose-built for incident response. Comprehensive analysis, customizable dashboards, and robust reporting features ensure senior leadership can access key information when they need it.
Financial fraud is a serious risk with damaging consequences if not properly addressed. Year on year this risk becomes more complex with organized gangs of criminals using increasingly sophisticated techniques to compromise financial transactions and steal money. These attacks consist of multiple stages. Some of these stages, such as malware infections and social engineering scams take place on the client side and some – such as fraudulent transactions and unauthorized withdrawal of funds – on the service side e.g. within an organization’s infrastructure.
Advanced cyber threats targeting global and national financial institutions are growing in frequency and sophistication. Regulatory and market pressures, regardless of geographic region, further strain banks' ability to dedicate the time and resources needed to defend properly against malware and advanced fraud threats.
Until recently it was almost impossible to fully address these risks. The tools to protect customers utilizing online financial services were just not available. Standard banking measures (such as multifactor authentication) or anti-malware solutions are not enough because they do not protect all types of actions which are performed by a user of online financial services. And when it comes to financial transactions, it is of paramount importance to protect each stage of the mobile and online banking journey.
Fastwave's solution is based on technologies from leading fraud management vendors, integrated with other key solutions such as database encryption and multi-factor authentication.
Database security solutions
- Prevents data leaks from databases, data warehouses, file systems and Big Data environments such as Hadoop, protecting both structured and unstructured data, helping to ensure the integrity of information in the data center, and automating compliance controls across heterogeneous environments.
- Provides a scalable platform for continuous monitoring of structured and unstructured data traffic, and for enforcement of policies on sensitive data access enterprise-wide.
- Combines a secure, centralized audit repository with an integrated workflow automation platform to streamline compliance validation activities across a wide variety of mandates.
- Integrates with IT management and other security management solutions to provide comprehensive data protection across the enterprise.
- Continuously monitors heterogeneous database and document-sharing infrastructures, enforcing your policies for sensitive data access across the enterprise.
Our products can help you
- Automatically locate databases and discover and classify sensitive information within them;
- Automatically assess database vulnerabilities and configuration flaws;
- Ensure that configurations are locked down after recommended changes are implemented;
- Enable high visibility at a granular level into database transactions that involve sensitive data;
- Track activities of end users who access data indirectly through enterprise applications;
- Monitor and enforce a wide range of policies, including sensitive data access, database change control, and privileged user actions;
- Create a single, secure centralized audit repository for large numbers of heterogeneous systems and databases; and
- Automate the entire compliance auditing process, including creating and distributing reports as well as capturing comments and signatures.
Multi Factor Authentication
Today's enterprise is under unrelenting attack on its physical and logical infrastructure, mobile platforms, user identities, network devices and more. To defend corporate data and identities, organizations should adopt an intelligent platform approach built on proven security technology, which simplifies management, enables seamless technology advances and ensures that security measures can evolve as the organization's requirements change over time.
- Serves as a single management platform to secure mobile, cloud, physical and logical access
- Offers the widest range of authentication methods from a single software platform, including smartcards and mobile solutions
- Protects leading applications such as core banking, Internet banking, Oracle, SAP, IPsec and SSL VPNs, Microsoft Windows desktops and enterprise web applications such as Microsoft Outlook Web Access
- The addition of smartcards, mobile smart credentials, biometrics and digital certificates extends the platform's versatility, scalability and cost-effectiveness
- Authentication capabilities include IP geolocation, device recognition, questions and answers, out-of-band one-time passcodes carrying the transaction details for verification (delivered via voice, SMS, email or mobile), grid and eGrid cards, biometrics, digital certificates (in software or on smartcards/USB tokens), mobile smart credentials and a range of one-time-passcode tokens
- Open API architecture allows tight integration with leading mobile device management (MDM), identity and access management (IAM) and public key infrastructure (PKI) vendors. This enables the solution to work with new and existing enterprise implementations, and to use in-house or managed-service digital certificates
- Provides protection against man-in-the-browser attacks: because the out-of-band passcode is bound to the transaction details the user confirms, a transaction altered in the browser will not verify
- Cost-effective for large deployments in consumer, enterprise or business-banking environments
- Built on decades of experience in securing identities for the world’s largest banks and governments
A penetration test is a proactive and authorized attempt to evaluate the security of an IT infrastructure by safely attempting to exploit system vulnerabilities, including OS, service and application flaws, improper configurations, and even risky end-user behavior. Such assessments are also useful in validating the efficacy of defensive mechanisms, as well as end-users’ adherence to security policies.
Penetration tests are typically performed using manual and automated techniques to systematically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices and other potential points of exposure. Once vulnerabilities have been successfully exploited on a particular system, testers may attempt to use the compromised system to launch subsequent exploits against other internal resources, specifically by trying to incrementally gain higher privileges and deeper access to electronic assets and information (privilege escalation and lateral movement).
Information about any security vulnerabilities successfully exploited through penetration testing is typically aggregated and presented to IT and network systems managers to help those professionals make strategic conclusions and prioritize related remediation efforts. The fundamental purpose of penetration testing is to measure the feasibility of systems or end-user compromise and evaluate any related consequences such incidents may have on the involved resources or operations.
Intelligently Manage Vulnerabilities
Penetration testing provides detailed information on actual, exploitable security threats. By performing a penetration test, you can proactively identify which vulnerabilities are most critical, which are less significant, and which are false positives. This allows your organization to more intelligently prioritize remediation, apply needed security patches and allocate security resources more efficiently to ensure that they are available when and where they are needed most.
Avoid The Cost Of Network Downtime
Recovering from a security breach can cost an organization millions of dollars related to IT remediation efforts, customer protection and retention programs, legal activities, discouraged business partners, lowered employee productivity and reduced revenue. Penetration testing helps you to avoid these financial pitfalls by proactively identifying and addressing risks before attacks or security breaches occur.
Meet Regulatory Requirements And Avoid Fines
Penetration testing helps organizations address the general auditing and compliance aspects of regulations such as GLBA, HIPAA and Sarbanes-Oxley, and specifically addresses the testing requirements documented in PCI DSS and in federal FISMA/NIST mandates. The detailed reports that penetration tests generate can help organizations avoid significant fines for non-compliance and allow them to demonstrate ongoing due diligence to assessors and auditors by maintaining the required security controls.
Preserve Corporate Image And Customer Loyalty
Even a single incident of compromised customer data can be costly in terms of both negatively affecting sales and tarnishing an organization’s public image. With customer retention costs higher than ever, no one wants to lose the loyal users that they’ve worked hard to earn, and data breaches are likely to turn off new clients. Penetration testing helps you avoid data incidents that put your organization’s reputation and trustworthiness at stake.
Configuration reviews help ensure that corporate system builds for servers, workstations, laptops and other network infrastructure are configured securely and in line with security best practices and standards. It is important to have robust, secure, standardized builds that are consistently deployed, as this provides assurance that business-critical systems are protected from both a network and a local perspective.
Our consultants are able to review the security configuration of different types of systems, servers and devices. We will provide a detailed report that includes the risks to your business and recommendations for remedial actions. This helps to ensure that your IT assets are aligned to the latest industry and vendor guidance and thus hardened against attack.
Desktop and server builds
We can carry out desktop and server build reviews to rectify flaws in an organization's processes that could be contributing to security problems. Our consultants have a range of experience in reviewing the configuration of desktop and server builds against industry good practice and vendor guidelines.
We are able to review the configuration of a wide range of servers, including common web servers, database servers, application servers and virtualization platforms, as well as their underlying operating systems.
Firewalls and network devices
Many organizations have come to rely on firewalls and network devices as a keystone of their defenses, so it is important to ensure that they are fit for purpose. We have a tried-and-tested methodology for reviewing the configuration and rules of firewalls and network devices such as switches, load balancers and security appliances. We review devices from mainstream vendors such as Cisco, Check Point, F5, Juniper, Blue Coat and Palo Alto. Our testing is designed to identify security weaknesses such as deviations from best practice, overly permissive or shadowed rules, and incorrect firewall configuration, and the scope of each review can be adjusted to suit individual circumstances.
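An added example of the kind of rule-base check such a review performs, written for this page in a vendor-neutral rule format (it is not any vendor's syntax or our consultants' tooling, and the rule set itself is constructed). It flags permit rules that are any/any, that expose management ports to any source, or that lack logging, and then applies first-match semantics to find rules that are redundant with, or shadowed by, an earlier rule. In the sample rule base the final explicit deny never matches because a permit-all precedes it, which is exactly the kind of error a manual read of a long rule base tends to miss.

```python
"""Firewall rule-base review for an ordered, first-match rule set: flags overly
permissive rules, unlogged permits, and rules made redundant or dead by an
earlier rule. Added example for this page; the rule format and the rule set
are constructed and vendor-neutral."""
import ipaddress

# Constructed rule base, evaluated top-down, first match wins.
# "0.0.0.0/0" means any address; dport "any" means any port.
RULES = [
    {"id": 10, "action": "permit", "src": "0.0.0.0/0",   "dst": "10.0.1.10/32", "dport": "443",  "log": True},
    {"id": 20, "action": "permit", "src": "0.0.0.0/0",   "dst": "10.0.1.0/24",  "dport": "22",   "log": False},
    {"id": 30, "action": "permit", "src": "10.0.2.0/24", "dst": "10.0.1.0/24",  "dport": "any",  "log": False},
    {"id": 40, "action": "permit", "src": "10.0.2.5/32", "dst": "10.0.1.20/32", "dport": "3306", "log": True},
    {"id": 50, "action": "permit", "src": "0.0.0.0/0",   "dst": "0.0.0.0/0",    "dport": "any",  "log": False},
    {"id": 60, "action": "deny",   "src": "0.0.0.0/0",   "dst": "0.0.0.0/0",    "dport": "any",  "log": True},
]
# Ports that should never be reachable from an unrestricted source (illustrative list).
ADMIN_PORTS = {"22", "23", "3389", "5900"}

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def _covers(outer, inner):
    """True if `outer` matches every packet that `inner` matches."""
    src_ok = _net(inner["src"]).subnet_of(_net(outer["src"]))
    dst_ok = _net(inner["dst"]).subnet_of(_net(outer["dst"]))
    port_ok = outer["dport"] == "any" or outer["dport"] == inner["dport"]
    return src_ok and dst_ok and port_ok

def review(rules=RULES):
    """Return a list of (rule id, severity, message) findings."""
    findings = []
    # Pass 1: per-rule permissiveness and logging checks on permit rules.
    for r in rules:
        if r["action"] != "permit":
            continue
        src_any = _net(r["src"]).prefixlen == 0
        dst_any = _net(r["dst"]).prefixlen == 0
        if src_any and dst_any and r["dport"] == "any":
            findings.append((r["id"], "HIGH", "permit any/any/any: effectively no firewall"))
        elif src_any and r["dport"] in ADMIN_PORTS:
            findings.append((r["id"], "HIGH", "management port %s exposed to any source" % r["dport"]))
        elif src_any and r["dport"] == "any":
            findings.append((r["id"], "MEDIUM", "all ports open from any source"))
        if not r["log"]:
            findings.append((r["id"], "LOW", "permit rule without logging"))
    # Pass 2: first-match ordering. A rule fully covered by an earlier rule is
    # redundant if the actions agree and dead (shadowed) if they differ.
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                if earlier["action"] == later["action"]:
                    findings.append((later["id"], "LOW",
                                     "redundant: fully covered by rule %d" % earlier["id"]))
                else:
                    findings.append((later["id"], "MEDIUM",
                                     "never matches: shadowed by rule %d (%s)"
                                     % (earlier["id"], earlier["action"])))
                break
    return findings

if __name__ == "__main__":
    for rule_id, severity, msg in review():
        print("rule %d [%s] %s" % (rule_id, severity, msg))
```

On the sample rule base the review reports rule 20 (SSH from anywhere into a whole subnet, unlogged), rule 50 (permit any/any/any, unlogged), rule 40 as redundant because rule 30 already permits everything from that subnet, and rule 60, the intended catch-all deny, as shadowed by rule 50. Rule 10, a single logged port to a single host, produces nothing. The port check is deliberately a string comparison on single ports; a production review would expand port ranges and service objects before comparing.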
Mobile devices are increasingly used by employees to access sensitive enterprise data, so it is vital that these devices are secure. This can be achieved by having a robust Mobile Device Management (MDM) solution to manage all devices that have access to enterprise resources. Our consultants can perform security reviews to assess your deployed MDM solution's configuration, the supporting network architecture, and the mobile device security policies and management processes.
We can also test your mobile devices to verify that the deployed policy and configuration options provide the expected security. This provides assurance that corporate MDM systems and BYOD set-ups are secure and that risks relating to lost or stolen devices and data are mitigated.
Policy & Procedures Development
Security miter will review, revise, modify and document existing information security policies and procedures, and draft additional policies and procedures as necessary to enhance and organize our clients' written policies and procedures, using a three-tiered compliance model.
INFORMATION SECURITY POLICIES
The Information Security Policy, approved by the Board of Directors, is the compliance-oriented document that provides the strategic direction for your institution and delegates to management the responsibility and authority to implement the Information Security Program.
INFORMATION SECURITY STANDARDS AND PROCEDURES
The Standards document will define the principles, values and environment. Standards also define the authorized use of information and compliance requirements. Procedures specify step-by-step directions for compliance with standards.
Employee Guidelines consist of those elements of the institution’s standards and procedures that affect every employee and are augmented with the institution’s appropriate use standards. The Employee Guidelines do not contain elements of the standards and procedures that are designed for management and IT staff. The Employee Guidelines provide a guide for meeting mandated training requirements.
POLICIES AND PROCEDURES MAINTENANCE
Throughout the term of the contract, security miter will modify the institution’s policy and procedure as necessary to keep pace with changes in law or regulation, changes in technology, changes in management and/or changes in operations that may impact the institution’s Information Security Policies and Procedures.