Are you working towards PCI-DSS compliance? Are you engaged in continuous improvement of your PCI-certified processes? Then it is time to include best practices in Information Rights Management (IRM) as part of the document management (DM) or data leak prevention (DLP) efforts within your security processes.

The PCI DSS standard prescribes 12 principles and an accompanying set of detailed requirements for compliance. Broadly, the standard requires the organization to encrypt data, define and enforce access rights, track and monitor data access, and assign unique IDs to users, among other requirements. The overall goal is to build a high level of security in organizations that accept or process credit card payments or handle the related data.
Such sensitive data is usually at rest in secured databases. However, at times it is necessary for this data to be shared among various stakeholders in the course of day-to-day business, in the form of documents. To protect these sensitive documents while meeting PCI compliance requirements, a technology-enabled solution like Seclore FileSecure enables the organization to track and manage these documents or emails as they move over the network between internal and external stakeholders, while adhering to the principle of least privilege.
Seclore FileSecure helps the organization meet a number of provisions in PCI requirements 4, 7 and 10 covering data transmission and sharing amongst stakeholders. These requirements address encryption during transmission, restriction of access based on the user's need-to-know, and tracking and monitoring of network resources and cardholder data.
The Seclore IRM solution provides a user-friendly method to restrict access to documents containing sensitive cardholder data, eliminating the need for resource-intensive (and user-unfriendly) manual encryption and decryption of shared documents. Additionally, the solution makes it easy to assign access rights on a need-to-know basis at the start of the document lifecycle itself, with the facility to withdraw or add shares later.
These features are supported by extensive logging to meet the traceability and audit requirements mandated by PCI DSS. File access and related actions are logged in granular detail. These logs record the document used, edits made, the machine, the location, the time of access, and similar details.
Seclore FileSecure helps meet PCI-DSS compliance in the following areas:
4. Encrypt transmission of cardholder data across open, public networks
4.2a Verify that strong cryptography is used whenever cardholder data is sent via end-user messaging technologies
7. Restrict access to cardholder data by business need-to-know
7.1.1 Restriction of access rights for privileged user IDs to the least privileges necessary to perform job responsibilities
7.1.2 Assignment of privileges based on individual personnel's job classification and function
7.1.4 Implementation of an automated access control system
7.2.3 Default "deny-all" setting
10. Track and monitor all access to network resources and cardholder data
Besides providing an additional level of compliance assurance with PCI-DSS requirements for the security of documents containing sensitive data, whether shared over messaging networks or held in storage, the solution also serves as a default automated mechanism to deny access to persons who have left the organization or who have moved internally to different roles.
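The controls described above (rights granted per job function at protection time, a default "deny-all" posture, automatic denial for leavers and role changes, and a granular access log) can be modelled in a few lines. The following is an added illustration, not Seclore's code or API; the document, roles, users and machine names are constructed samples, and the user directory is a plain dictionary standing in for whatever identity source a real deployment would consult.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Rights an IRM policy can grant on a protected document (hypothetical set).
RIGHTS = {"view", "edit", "print"}

@dataclass
class ProtectedDocument:
    doc_id: str
    role_rights: dict = field(default_factory=dict)  # role -> granted rights (7.1.2)
    audit_log: list = field(default_factory=list)     # one entry per access attempt (req. 10)

    def share(self, role, rights):
        unknown = set(rights) - RIGHTS
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        self.role_rights[role] = set(rights)           # grant at document creation

    def withdraw(self, role):
        self.role_rights.pop(role, None)               # revoke a share later

    def access(self, user, action, machine, directory, when=None):
        """Default deny (7.2.3): allow only if the user is still active in the
        directory and the user's *current* role was granted this action."""
        role = directory.get(user)                     # None => unknown or left the organization
        allowed = (action in self.role_rights.get(role, set())) if role else False
        self.audit_log.append({
            "doc": self.doc_id, "user": user, "role": role, "action": action,
            "machine": machine,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "result": "allow" if allowed else "deny",
        })
        return allowed

def demo():
    # Constructed sample directory and document; not real data.
    directory = {"alice": "payments-analyst", "bob": "auditor"}
    doc = ProtectedDocument("settlement-report-Q1")
    doc.share("payments-analyst", {"view", "edit"})
    doc.share("auditor", {"view"})
    results = [
        doc.access("alice", "edit", "ws-17", directory),   # allowed: granted to her role
        doc.access("bob", "edit", "ws-22", directory),     # denied: auditors may only view
        doc.access("carol", "view", "ws-09", directory),   # denied: not in the directory
    ]
    directory["alice"] = "marketing"      # internal role change: old grants no longer apply
    results.append(doc.access("alice", "view", "ws-17", directory))
    del directory["bob"]                  # leaver: denied without touching the document
    results.append(doc.access("bob", "view", "ws-22", directory))
    return results, doc.audit_log
```

Every attempt, allowed or denied, lands in the log with user, role, machine and time, which is the record an auditor would want when checking the requirement 10 items listed above.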
Considering the cost of cardholder data loss, it is imperative for organizations to put in place multiple barriers in the form of controls that are also business enablers.
IRM technology, though relatively new, addresses multiple concerns from the business perspective and makes it easy for users at all levels to build security controls in at the start of the document lifecycle and keep documents protected throughout.