Mapping PCI DSS v2.0 With COBIT 4.1 - ISACA

Volume 2, April 2011

Come join the discussion! Pritam Bankar and Sharad Verma will be responding to questions and comments in the discussion area of the COBIT—Use It Effectively topic beginning 21 April 2011.

Mapping PCI DSS v2.0 With COBIT 4.1

By Pritam Bankar, CISA, CISM, and Sharad Verma

In today’s era, every organization across the globe, regardless of its size or industry, faces security issues pertaining to new and evolving threats, vulnerabilities, risks or regulatory/compliance landscapes. As such, there arises a need for organizations to make stringent efforts to ensure that their security and enterprise risk management (ERM) programs address multiple compliance requirements.

This article contains the results of a mapping of Payment Card Industry Data Security Standard (PCI DSS) v2.0 controls with COBIT 4.1. PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis.

This mapping provides guidance to organizations seeking PCI compliance by identifying and highlighting the COBIT areas that should be considered for each requirement within PCI DSS. It also highlights how the processes in COBIT can support PCI DSS compliance activity. As a result, the mapping can be used as a reference for formulating an integrated and customized control framework for an organization.

Since COBIT covers the broad spectrum of IT control processes and PCI DSS is strictly focused on protecting cardholder data, any user of COBIT must first determine the relevance and applicability of IT processes and subprocesses within the COBIT framework. COBIT, a framework for the governance of enterprise IT (GEIT), has a broader scope and is applicable to all organizations, whereas PCI DSS v2.0 focuses more on the area of protecting cardholder data and is applicable to all organizations that hold, process or exchange cardholder information. PCI DSS controls are mandatory for organizations that collect credit card data, whereas COBIT has general controls that can be leveraged based on an organization’s requirements.

The implicit benefits of mapping PCI DSS v2.0 with COBIT include:

• A unique set of controls—Organizations planning to implement PCI DSS can easily manage, measure and provide evidence of satisfying multiple compliance and governance requirements through a single unique set of controls.

• Adherence to multiple standards—Organizations can adhere to multiple industry standards for securing credit card data by adopting the unique set of controls and can increase operational efficiency.

• Increased performance—Each PCI DSS control and requirement is mapped extensively with COBIT controls after assessing the in-depth objective of the control, which results in increasing the performance efficiency of the security program.

• PCI DSS compliance made easy—While compliance with PCI DSS is mandatory for organizations that process financial transactions through payment cards, its scope is limited to protecting cardholder data. COBIT, however, acts as an integrator of best practices and an umbrella framework for IT governance designed to apply across a variety of organizations, and it is universally recognized. For certain enterprises, PCI compliance is mandatory, and COBIT is used as a guideline.

Figure 1 provides a mapping of PCI DSS v2.0 to COBIT 4.1. Please note that multiple PCI DSS requirements can map to a single control in COBIT 4.1, as seen in requirements 11 and 12.

Figure 1—Mapping PCI DSS v2.0 to COBIT 4.1

Each entry below gives the PCI DSS v2.0 requirement number and control requirement, followed by the COBIT 4.1 control objectives/processes mapped to it.

Requirement 1: Install and maintain a firewall to protect cardholder data.
  AI2.5 Configuration and implementation of acquired application software
  AI3.2 Infrastructure resource protection and availability
  DS5.5 Security testing, surveillance and monitoring
  DS5.7 Protection of security technology
  DS5.10 Network security
  DS13.3 IT infrastructure monitoring

Requirement 2: Do not use vendor-supplied defaults for system passwords or other security parameters.
  DS5.5 Security testing, surveillance and monitoring
  DS5.7 Protection of security technology

Requirement 3: Protect stored cardholder data.
  PO2.3 Data classification scheme
  DS4.9 Offsite backup storage
  DS5.8 Cryptographic key management
  DS11.2 Storage and retention arrangements
  DS11.4 Disposal
  DS11.6 Security requirements for data management

Requirement 4: Encrypt transmission of cardholders’ data across open public networks.
  DS5.1 Management of IT security
  DS5.7 Protection of security technology
  DS5.8 Cryptographic key management
  DS5.10 Network security
  DS11.6 Security requirements for data management

Requirement 5: Use and regularly update antivirus software on all systems commonly affected by malware.
  DS5.9 Malicious software prevention, detection and correction

Requirement 6: Develop and maintain secure systems and applications.
  PO8.3 Development and acquisition standards
  PO9.3 Event identification
  PO9.4 Risk assessment
  AI3.3 Infrastructure maintenance
  AI3.4 Feasibility test environment
  AI6.1 Change standards and procedures
  AI6.2 Impact assessment, prioritization and authorization
  AI7.3 Implementation plan
  AI7.4 Test environment
  AI7.6 Testing of changes
  AI7.8 Promotion to production
  DS5.9 Malicious software prevention, detection and correction

Requirement 7: Restrict access to cardholders’ data by business need to know.
  DS5.3 Identity management
  DS5.4 User account management

Requirement 8: Assign a unique ID to each person with computer access.
  PO2.3 Data classification scheme
  PO7.8 Job change and termination
  DS5.3 Identity management
  DS5.4 User account management
  DS5.7 Protection of security technology

Requirement 9: Restrict physical access to cardholders’ data.
  PO4.8 Responsibility for risk, security and compliance
  DS4.9 Offsite backup storage
  DS5.4 User account management
  DS11.2 Storage and retention arrangements
  DS11.3 Media library management system
  DS11.4 Disposal
  DS11.6 Security requirements for data management
  DS12.2 Physical security measures
  DS12.3 Physical access

Requirement 10: Track and monitor all access to network resources and cardholder data.
  DS5.5 Security testing, surveillance and monitoring
  DS13.3 IT infrastructure monitoring

Requirement 11: Regularly track security systems and processes.
  PO9.3 Event identification
  DS5.5 Security testing, surveillance and monitoring
  DS5.6 Security incident definition
  ME1.2 Definition and collection of monitoring data
  ME1.3 Monitoring method
  ME1.4 Performance assessment
  ME2.1 Monitoring of internal control framework
  ME2.2 Supervisory review
  ME2.3 Control exceptions
  ME2.4 Control self-assessment
  ME2.7 Remedial actions

Requirement 12: Maintain an information security policy.
  PC5 Policy, plans and procedures
  PO2.3 Data classification scheme
  PO4.3 IT steering committee
  PO4.4 Organizational placement of the IT function
  PO4.6 Establishment of roles and responsibilities
  PO4.8 Responsibility for risk, security and compliance
  PO4.9 Data and system ownership
  PO6.1 IT policy and control environment
  PO6.3 IT policies management
  PO6.4 Policy, standard and procedures rollout
  PO6.5 Communication of IT objectives and direction
  PO7.1 Personnel recruitment and retention
  PO7.3 Staffing of roles
  PO7.4 Personnel training
  PO7.6 Personnel clearance procedures
  PO9 Assess and manage IT risks
  DS5.1 Management of IT security
  DS5.2 IT security plan
  DS5.3 Identity management
  ME2.1 Monitoring of internal control framework
  ME2.2 Supervisory review
  ME2.4 Control self-assessment

Conclusion

Information security will always remain a challenge for every organization dealing with customer information. By complying with PCI DSS v2.0 and applying COBIT 4.1 controls, an organization can handle IT compliance and IT governance efficiently. PCI DSS v2.0 focuses on the compliance area, and COBIT 4.1 provides the overall governance. PCI DSS v2.0 gives a detailed description of a number of important IT controls that can be applied to achieve compliance for an organization dealing with payment card transactions and storing customer information. COBIT provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of IT and in developing appropriate IT governance and control in an organization.

Pritam Bankar, CISA, CISM, is a senior consultant with Infosys Technologies Limited and has more than seven years of experience in information security, IT/information systems (IS) audits, compliance and regulations (e.g., the US Sarbanes-Oxley Act, PCI DSS, SAS 70), and IT governance and strategy. Bankar is part of an IT controls and compliance practice and leads PCI DSS service offerings for Infosys.

Sharad Verma is a senior associate consultant with Infosys Technologies Ltd. and has several years of diversified experience across various domains such as IT and business operations. Verma is certified in COBIT 4.1 and has worked in capability development for PCI DSS and designed a PCI DSS framework for Infosys. He has expertise in the security domain and experience in implementing ISO 27001.


COBIT Focus is published by ISACA. Opinions expressed in COBIT Focus represent the views of the authors. They may differ from policies and official statements of ISACA and its committees, and from opinions endorsed by authors, employers or the editors of COBIT Focus. COBIT Focus does not attest to the originality of authors’ content. © 2011 ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Please contact Julia Fullerton at [email protected].

Framework Committee
Patrick Stachtchenko, CISA, CGEIT, CA, France, chair
Steven A. Babb, CGEIT, UK
Sushil Chatterji, CGEIT, Singapore
Sergio Fleginsky, CISA, Uruguay
John W. Lainhart IV, CISA, CISM, CGEIT, USA
Mario C. Micallef, CGEIT, CPAA, FIA, Malta
Derek J. Oliver, Ph.D., DBA, CISA, CISM, CITP, FBCS, FISM, UK
Robert G. Parker, CISA, CA, CMC, FCA, Canada
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, Australia
Robert E. Stroud, CGEIT, USA
Rolf M. von Roessing, CISA, CISM, CGEIT, Germany

Editorial Content
Comments regarding the editorial content may be directed to Jennifer Hajigeorgiou, senior editorial manager, at [email protected].
