Protective Security: Integration's what you need!
With just 1 month to go until the planned release of my first book (PCI DSS: An Integrated Data Security Standard Guide), I thought I could introduce the concept from which the book has been developed.
To re-use the lyrics from the late Roy Castle, from the Record Breakers:
"If you want to be the best and you want to beat the rest,
Oooo, oooo, INTEGRATION's what you need!"
Yes, I can now imagine that a great many you might now be singing this song or humming this tune.
A common mistake that I have seen businesses make is treating their mitigation controls as separate entities, rather than understanding how they work in harmony to complement each other.
There is no better example of this than the PCI DSS controls framework, which comprises a comprehensive catalogue of risk-mitigating security controls.
These controls have a strong heritage and should be seen as interlocking cogs that keep your defensive machine operating effectively in defence of your payment card operations.
Much like the cogs in a complex machine, the engineers need to understand what purpose each cog serves and how it interacts with and affects the others. Consequently, in PCI DSS (as with other security industry controls frameworks), it is essential that each team member (with their own individual responsibilities) understands how their roles and responsibilities interact with and affect those of other team members.
Unlike other controls frameworks, PCI DSS is built upon 6 goals & 12 requirements. This sets it apart by applying a structured and layered framework that is focused around a clearly defined scope:
Any asset that is involved in the processing, storage or transmission of cardholder data (or that has the potential to impact cardholder data processing, storage or transmission).
Asset definition (CISSP Domain 2):
"An asset is anything that can be important to the organization, such as partners, employees, facilities, equipment, and information.
Information is usually the most important asset to any company or organization and is valuable to every information system.
Information moves via the company’s information system and must be disposed of appropriately after it is no longer of use".
Therefore, any asset identified in supporting (or impacting) a business' payment card operations must (at a minimum) be protected through the application of the appropriate/applicable PCI DSS controls.
This reminds me of a phrase used by my initial PCI QSA instructor:
"PCI DSS compliance should be regarded as being like walking on the floor.
However, you should be aiming to reach for the ceiling".
There has never been a more relevant phrase, and every business and Cyber/Information Security professional should remember it when looking to protect customer cardholder data from compromise.
The concept of layered defences (aka Defence in Depth) is well known and is often attributed to the Roman Empire. An effective layered defensive model needs each control to act in isolation while also supporting the other layers in the model. This prevents the peeling back of a single layer from compromising all the layers, and makes progress progressively more difficult for an attacker.
Think of it like peeling back the layers of an onion. Each layer needs to be peeled back to reveal the heart of the onion, and as each layer is revealed, the thicker the remaining layers become.
Therefore, it is extremely important that each team member has a comprehensive understanding of the controls pertaining to their role, but also has an overall understanding of the other team members' duties.
Having designed and implemented a secure network infrastructure is not the end of Requirements 1 & 2. These systems need to be maintained, which can be impacted by other teams' responsibilities - Requirements 5, 6, 7, 8, 9, 10, 11 & 12.
Teamwork is essential to the success of an effective protective security strategy and can be likened to any successful sports team. Every team has players that are extremely effective in specific roles, but they are supported by generalists, and there are occasions (perhaps through injury) where players might need to step in and play an effective part in a role that they might not be comfortable with.
There are times in history when sports teams have been successful through the achievements of a single player or a handful of players (Babe Ruth). However, it is very rare for this approach to be sustainable in the long term:
"Too bad integration didn't come sooner, because there were so many ballplayers that could have made the major leagues.
That's why, you look back, and - not to take away anything from Babe Ruth or some of those other guys - they didn't play against the greatest ballplayers in the world".
Consequently, it is vital that businesses understand that the protection of payment card operations should not be regarded as a 'Tick Box' exercise or something that can be achieved by having a handful of PCI DSS 'Superstars'.
Try answering the following questions:
What would be the business impact of your PCI DSS 'Superstars' not being available when you need them (e.g. unavailable through illness (COVID-19))?
If you have PCI DSS 'Superstars', why not encourage them to coach the others on what their roles are and how these may be complementary to other team members' roles?
Do you understand which controls are complementary to, or impact on, others?
Do your security tools/solutions act in isolation, or do they act to complement others?
Do you have any risks remaining after the PCI DSS controls have been applied?
Does your protective security strategy provide you with sufficient assurance?
An effective protective security strategy should now be at the core of any modern, data-reliant business and should not be seen as a daunting prospect, as long as you appreciate the need for a team effort.
Ensure that you have established an integrated approach and that your team/systems can work in harmony with each other to easily identify the ABNORMAL from the NORMAL.