Creating a more efficient and secure organisation

Don’t fall foul of compliance complacency, warns Ross Brewer, vice president and managing director, LogRhythm EMEA & AsiaPac

Mention Payment Card Industry Data Security Standard (PCI DSS) to a security manager and you can often see their eyes glaze over, as they’ve heard it all before. For many, PCI DSS compliance has been hanging over them for a good few years now. In fact, the first PCI DSS standard was released in December 2004, with the most recent revision in 2008, and an updated version due in October 2010. It’s no wonder that everyone’s getting a bit jaded with it all by now. This rings even more true in the public sector, where there seems to be a never-ending stream of new initiatives and guidelines relating to information management and technology infrastructures, for example GCSx, CoCo compliance and latterly the Memo 22 replacement, Good Practice Guide 13 (GPG 13).
It’s complacency such as this that could find public sector organisations lagging behind when it comes to complying with, and getting the most out of, the regulations. At a time when the public sector is in the public eye more than ever regarding data security, the last thing a local authority needs is a card payment security breach incident on its hands.

What is PCI DSS?
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organisations proactively protect customer account data.
The collection, management and analysis of log data has always been integral to meeting PCI audit requirements. However, the task of assembling this information can be overwhelming in itself, not to mention the additional requirements of analysing and reporting on the data.
Thankfully, technology has progressed significantly since the early days of PCI DSS, when two separate systems for File Integrity Monitoring and Security Information and Event Management (SIEM) had to be installed in order to meet the stipulated log data requirements.
Now integrated SIEM and File Integrity Monitoring solutions such as LogRhythm have transformed how PCI DSS is addressed. Preconfigured options mean that the technology can be installed straight from the box, dramatically speeding up implementation time. Log collection, archive and recovery are fully automated across the entire IT infrastructure and log data categorisation, identification and normalisation facilitate easy analysis and reporting.

Preventing problems
This enhanced control, visibility and reporting shouldn’t be restricted to PCI DSS use. Instead, imagine the value of being able to continually monitor the network so that any irregularities – from attempted hacking or data theft to virus outbreaks or application failure – can automatically be flagged and investigated before they become a problem.
Equally, the principles behind initiatives such as GCSx and GPG 13 include the ability to know what’s happening on the network at any one time – Protective Monitoring by any other name. Think of it as the “who’s doing what”, “where they’re doing it”, “what information they’re accessing” and “what the impact is on the organisation”.
In today’s budget-restrained environment, implementing a solution that can put multiple ticks in the compliance boxes and improve the security posture of an organisation is enough to take the glaze off any security manager’s face.

Case study: Cardiff County Council
Cardiff County Council has implemented a log management, log analysis and event management solution from LogRhythm, the company that makes log data useful. The solution ensures that Cardiff County Council complies with the UK Government Connect Secure Extranet (GCSx) initiative while bringing additional benefits of PCI compliance and all-round improved IT best practices.
Like all English and Welsh local authorities, Cardiff County Council is being urged to join the UK GCSx initiative, which aims to create a private wide area network for secure communications between connected government organisations. As part of this, local authorities must sign up to the Code of Connection (CoCo), which includes specific requirements on log data.
Andrew Horner-Seddon, principal IT consultant – Security, Cardiff County Council, explains: “The Council already had its own manual, decentralised log data solution but it was incredibly complex and time intensive to use. CoCo signalled an opportunity to re-assess our requirements and install a more sophisticated log solution.
“Some of the solutions we looked at provided log data indexing, but the data could only be searched by using specific index codes. Not only would this be time consuming, but there was a risk that some log data might be excluded from the results if all codes were not known. LogRhythm, however, offered a much more comprehensive and flexible search capability that would make it significantly quicker and easier to find information and run reports. We also liked the fact that LogRhythm provided an integrated hardware and software solution, which gave a clear understanding of the total investment needed.”
As well as ensuring Cardiff County Council meets the CoCo requirements, the new LogRhythm solution enables the Council to comply with the Payment Card Industry Data Security Standard (PCI DSS), which was established to ensure the protection of credit card data.
Additionally, LogRhythm provides the Council with greater insight and control over its IT operations both from a security and capacity management perspective. Mike Selley, IT service delivery manager, Cardiff County Council, adds: “As well as ticking the compliance boxes, LogRhythm will help tighten up the IT infrastructure at the Council to create a more efficient, streamlined and secure organisation for the citizens of Cardiff.”

For more information
Tel: 01628 509 070