GDPR Certified

There is No Such Thing as GDPR Certification …Yet!

If you’re looking for more information on GDPR, and surprisingly few of you are, you will likely have seen vendors selling things like; Certified EU General Data Protection Regulation (GDPR) Practitioner, some of whom also promise delegates that they will be “awarded the ISO 17024-accredited EU GDPR Practitioner (EU GDPR P) qualification by IBITGQ”.

Sounds really impressive, right? Unfortunately, it doesn’t mean a damned thing.

ISO 17024 – Conformity Assessment – General Requirements for Bodies Operating Certification of Persons only covers the “principles and requirements for a body certifying persons against specific requirements, and includes the development and maintenance of a certification scheme for persons.” and the IBITGQ (International Body for IT Governance Qualifications) are only “dedicated to the provision of training, qualifications and the continued professional development of information security, business resilience and IT governance professionals.”

While there is absolutely nothing wrong with either ISO 17024 standard or the IBITGQ, when applied appropriately, they have absolutely nothing to do with GDPR certification. The ‘practitioner’ course itself may cover aspects GDPR, but there are no certifications yet available for GDPR, let alone accredited certification bodies who can provide it.

For example, in the UK, the Information Commissioner’s Office (ICO) will be the ‘supervisory authority’ responsible for the:

  1. “...establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.” – GDPR Final Text, Article 42, Para. 1, and;
    o
  2. “…accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article [which] shall take place on the basis of criteria approved by the supervisory authority...” – GDPR Final Text, Article 43, Para. 3

In other words, without the ICO there is no GDPR certifications available from anyone for anything. To date the ICO have release nothing on certification / accreditation, not even guidance. Nor have the Article 29 Working Party (Art. 29 WP) to whom the ICO refer.

One of the  challenges is that the term ‘certification’ means several things even within the GDPR itself. From the certification of ‘appropriate measures’ between processors and controllers (GDPR Final Text, Recital 76), to the “The adherence of the processor to an approved code of conduct or an approved certification mechanism…” (GDPR Final Text, Recital 81), the nature and extent of these certifications will vary considerably.

What IS out there however are organisations offering GDPR foundation classes. These courses are designed to instruct and inform, not offer useless acronyms. It’s these courses you should be looking into, but like everything else, you must ask the right questions.

For example, if you’re:

  1. a Data Protection Officer (DPO), you will need to know how the GDPR affects your responsibilities and management reporting;
  2. a contract lawyer, you’ll need to know how all of your vendor AND client contracts will be affected;
  3. an IT manager you’ll want to know how the GDPR will be implemented from an infrastructure perspective; and
  4.  responsible for cybersecurity, how do you demonstrate ‘appropriate measures’?

But worse than vendors trying to provide training certificates are the ones providing GDPR compliance consultancy, or worst yet, software. I can understand privacy lawyers offering these services, but cybersecurity vendors!? Data security is less than 5% of the work organisations will have to perform to bring themselves into compliance with GDPR. Not only that, in the ICO’s Guide to Data Protection they already mention ISO 27001 under Principle 7 – Information Security, so it’s fairly clear against which benchmark security programs will be measured.

GDPR is not an IT problem, it’s certainly not just a data security problem, it is a business problem, and one that will affect every individual in your organisation to a greater or lesser degree. The first step is not to buy the first training course that comes your way, it’s to raise the awareness of GDPR to the people whose very arses are on the line. Whether you call them the Senior / Executive Management, the C-Suite, or the Leadership Team makes no difference, the implementation of GDPR starts with those at the top. They are the ones who will be held accountable, so they are the ones who should ensure that everyone has the training and awareness they need.

Every new data protection regulation is seen by vendors as a way into your wallets. The GDPR is no different. Do your homework, and ignore any organisation offering services predicated on fear, uncertainty and doubt. Or worse, utter nonsense.

[If you liked this article, please share! Want more like it, subscribe!]

PCI L1 Service Provider

From FinTech Concept to PCI Compliant in 6 Months?

Anyone wanting to start a new business in FinTech/payments – digital wallets for example – has to address PCI. Like it not, payment cards are still the dominant form of non-cash payment on the planet. By far.

So what if you have a great idea in this amazing world of opportunity, but your skill-set is in payments and innovation, and not IT or cybersecurity. How do you get your service to market, AND play by the rules? Can you do this in time to be ahead of game given the incredibly short timeframe of today’s competitive advantage?

Well, you could just self assess, but you are restricting yourself to a maximum of 300,000 transaction annually.  But more importantly, would you trust your money to a service provider who self assesses? No, neither would I.

However, I’m talking about full Level 1 Service Provider compliance through a reputable QSA (yes, there are some out there). How can you set up the infrastructure, get all the documentation in place, AND get all the way through a PCI DSS Level 1 assessment in 6 months? And if you do, have you really done it properly?

The answer is yes, you can, but there are MANY caveats, and if you deviate from these steps you will not get there. I am only interested in helping organisations get compliant properly, I have no interest in adding more crap service providers to the ecosystem.

First, you have to completely ignore the PCI DSS. Any plans you make to design both your physical infrastructure and your security program from scratch must be with real security in mind. Never compliance alone. For that, many organisations turn to the ISO 27001 standard. There are others, but try finding affordable consultants who can help you implement them. As long as you realise they are all just frameworks, not step-by-step instructions, then you’re ready to start asking questions.

So What Are the Steps to Compliance?

o

  1. Get Help – This should be no surprise. I don’t perform emergency appendectomies, I’m not remotely qualified, why would you try to achieve compliance when that’s not your experience or skill-set. Yes, is can be expensive, but nowhere near as expensive as any of the alternatives. There are some very good consultants out there, do your homework and find the best one for you.
    o
  2. Outsource the Infrastructure – Unless you’re an expert in everything from hardened operating systems, to logging and monitoring, to firewall management, you will want to outsource as much of the platform as you possibly can. Unfortunately, finding a single provider who can take on anything more than physical hosting and some networking stuff is still ridiculously difficult. Amazon Web Services (AWS) for example is about as bad as you can get. Unless of course you want a dozen or so independent service providers to manage along with Amazon.
    You MUST ask the right questions, and this is where your  consultant comes into play. S/he will write your RFP, interview providers, and eventually produce a responsibility mapping of services against the PCI DSS. This will match their Attestation of Compliance, as YOU should only do business with L1 PCI compliant service providers.
    o
    You are welcome to use my mapping if you don’t have one: PCI DSS v3.2 SP Responsibility Mapping
    o
  3. Policies, Standards & Procedures – You have to start somewhere, so you will likely want to buy a Policy Set. Once again, you have to be very careful as there are dozens of options but few will be fit for purpose. In this case, ‘fit for purpose’ means the service must 1) get you through compliance, 2) provide a platform for your unique culture, and 3) be self-sustainable for the long-term.
    If you buy a Policy Set with ‘PCI’ in the title, you have already failed. Buy one that your consultant can customise on your behalf, and then teach you to manage yourself. Get one that; 1) Is already mapped to both the PCI DSS and your chosen framework (usually ISO 27001), 2) has document management built in (numbering, content standards, assigned coordination etc.), and 3) is easily distributed to the subject matter experts best placed to maintain them.
    o
    I have written a quasi-white paper on how to choose the right the right service, you use the questions as an RFP: ‘Selecting the Right Policy Set
    o
  4. Hire a Completely Independent QSA – While it may be very tempting to have your consultant take care of all the ‘PCI stuff’, bite the bullet and keep these separate. No, you don’t have to be an expert in this stuff, but if you are relying completely on your consultant you are building in a single source of failure. By all means have your consultant run with the assessment, but be involved. If you don’t, you’ll have no idea what you paid for in the first place. In fact, you may even want to build in some SLAs regarding how much remediation is required from by QSA. There will always be some, but if it involves significant scope creep or capital cost, your consultant has failed you. Remember, you have outsourced almost the entire function of PCI to your platform provider, validation of compliance should be a formality.

Of course this is oversimplified, but I’m already way over my self-imposed word limit. However, while I haven’t included any of the inevitable challenges, the process is a simple as security itself, it’s up to you to find someone who can make it simple.

[If you liked this article, please share! Want more like it, subscribe!]

Forget Cyber, Forget Cloud, It’s ALL About the Data!

Ever wonder why data breaches are now called cyber attacks, or an application on the Internet is now called The Cloud? It’s for the same reason that Coca Cola is constantly changing it’s ‘look’, adding ‘new’ flavours of what is basically the same sugary mess, and why they’ve changed their slogan FORTY SEVEN times in their 125 year history;

To keep things fresh, to keep you thinking about them, and of course, to help you spend money.

So is this necessarily a bad thing for the field of information security? The answer clearly is no if these marketing ‘tricks’ actually help keep you secure though valid awareness programs and good services, but a resounding YES if it’s just a new buzz-phrase used to sell the same services with less due diligence.

Too many vendors and self-interested lobby groups are frighteningly good at demand generation; new buzz-phrases, invention of perceived needs, and playing on an organisation’s fear of losing a competitive edge, have all been the cause of many bad purchase decisions. This is especially frustrating when the tools for making good decisions have been around for decades. Literally.

For example; ISO 27001 – probably the best known and de facto security framework – has it’s roots in BS 7799 first publish in 1995, ISACA’s COBIT was released in 1996, and even PCI (which is just a controls based standard for the protection of cardholder data) has merit in its 10th year in existence. If these aren’t enough, the ages-old – but still VERY much alive – concept of Confidentiality, Integrity and Availability has been around for so long that no-one seems to know when it started.

And these are just the overarching frameworks for the security of data, beneath them you have equally well known, mature, and readily available tools for the protection of your data assets:

1. Governance – The Business side and the IT side having meaningful conversations;

2. Risk Assessment – An examination of the business needs applied to the current ability to achieve those goals;

3. Vendor Due Diligence – a THOROUGH review of the external help you’ll likely need;

4. Asset Management – You can’t manage what you don’t even know you have, and;

5. Vulnerability Management and Change Control – If you have absolute control over the changes you make internally, the only things that can increase risk are from the outside. These two tools work hand-in-hand.

All of these tools are covered to a varying degree in the above frameworks, and represent standard good security practices established for longer than most of us have been alive. Without these processes in place, you don’t have data security. Full stop.

So if they are that established, why are they not as well known and pervasive as they should be? Simple, and for the same reason no-one likes paying for insurance; there is no obvious positive impact on the bottom line. Where’s the ROI for spending money on security? But this assumes that an ROI involves making MORE money, but is not LOSING money just as impactful? Fines, damages / reparations, and the inevitable loss of reputation all have significant negative impact.

Instituting an appropriate level of data security for your business is actually quite simple, keeping it in place requires much more effort but is equally simple; follow the decades-old advice of the existing frameworks.

[Ed. Written in collaboration with Voodoo Technology, Ltd.]

‘PCI Compliant’ Service Providers, You Are Warned!

Readers of my blog know I am opinionated, which I why I have so many non-readers I suspect. I find myself now with something of a mission, and that is to either train providers of PCI-related services to perform 12.9 correctly, or I will make available a responsibility mapping matrix of their Attestation of Compliance (AoC)-defined services. Merchants need to perform appropriate due diligence, without full disclosure and guidance from Service Providers (SPs), this is all but impossible for the majority of non-PCI experts.

I  am not saying the SPs are doing anything nefarious,[mostly] they are not, it’s just clear that neither they, nor it would appear their QSAs, have taken the time to produce a responsibility mapping that makes sense.

I will not be posting names, but if you contact me on david@coreconceptsecurity.com and ask about a specific provider, I will tell you whether I have the mapping or not (just started this, so it’s unlikely, but stay tuned…). I am also happy to accept AoCs for your provider if you want a mapping done. Finally, I am also happy to help SPs directly if they would like to get ahead of this.

For Merchants: Regardless of the SAQ you complete, you are responsible for EVERY requirement in the PCI DSS, so any mapping and contract you have in place must be at that requirements level, not that of the SAQ, so if all you get is an AoC, there’s a very good chance your residual responsibility is significantly higher that you would like, and perhaps been led to believe.

At a minimum, your mapping will have 3 columns:

  1. AoC Mapping – This is the only ‘official’ recognition of the requirement numbers included that you have to go by, anything else the SP may say is irrelevant. If it’s not on the AoC, you cannot point your RoC/SAQ to it, and the requirements must still be assessed on your behalf. Note: Be VERY careful re: sub-requirements, if they are not SPECIFICALLY addressed, they are not included (Listing Req. 1.1.5 on the AoC does not necessarily mean Reqs. 1.1.5.a AND 1.1.5.b for example).
    o
  2. Services YOU Require – This is where you specify EVERY requirement you’re looking to outsource, but you need to be reasonable. There are surprisingly few requirements you can fully outsource (depending on the service), and you must detail what partial responsibility must remain with you. For example; you can outsource the changes to your rule-set, but you will usually retain ownership of it (which is the majority of Reqs. 1.X).
    o
  3. Residual Responsibility – This is what’s left for you to cover, and will represent an agreement between you, your service provider, and your QSA (if applicable). Anything NOT handled by your SP, is yours.

The above is not to say that an SP cannot provide significant support outside of their officially assessed services, but whatever they are doing needs to be noted, and included in your report.

For example; regardless of the services provided, EVERY policy requirement is owned by you, and followed by your SP. They may have their own policies, and even have them listed on their AoC, but those policies do not cover you as a merchant from a RoC/SAQ perspective.

Once complete and agreed by both sides, this mapping should form the basis of your contract. It does not matter if it’s an annex, addendum or in the main contract body, but the actual PCI DSS v3.0 requirement numbers must be part of any binding agreement. Whether or not you put SLAs around the services, or require full compliance on an ongoing basis, is a business decision, tying your SP to the DSS requirements they cover on your behalf is a PCI obligation.

I have uploaded an example of a Service Provider Responsibility Mapping that I recently provided to a client – help yourself. Hopefully it makes sense, but you are free to contact me if you would like more guidance.

This is actually a very simple process, as is everything else in security, it’s only not knowing yourself what to do that makes it difficult. So ask for help.

[If you liked this article, please share! Want more like it, subscribe!]

PCI DSS v3.0: Service Provider Agreements (Req. 12.8.X)

There seems to be quite a bit of confusion about the ‘new’ requirements for service provider contracts. I say ‘new’ sarcastically because this should have been part of your vendor due diligence processes from the beginning.

From a merchant’s perspective, unless they have hired a QSA (or other PCI expert) to help define the service requirements and contractual obligation, it’s very difficult for them to ask the right questions. From a  service providers perspective, I’ve seen the gamut from complete ignorance of their obligations, to out-and-out lies in terms of what they are and are not providing.

The DSS v3.0 requirements of 12.8.X go a long way to resolve this, but not far enough in my opinion. The bottom line is that someone has to be responsible for each requirement, and there are only the following choices;

  1. SP agrees to be fully responsible for the requirement;
  2. SP agrees to be partially responsible, and;
  3. SP pushes the entire requirement back on you.

That’s it.

The above list is fairly obvious, but for the service provider’s clients the challenges are now twofold:

  1. If the service provider accepts full responsibility, are they PCI compliant for the service(s)?
  2. If they are only partially responsible, EXACTLY what part of the requirement is left?

Does the service provider need to be fully PCI compliant for you to achieve compliance? The answer is no, but if they are not, you have just doubled your assessment scope. Again, someone has to answer the questions, so if your service provider has not validated compliance for the services they are offering, you need to add them to your validation efforts.

As for the partial responsibility, that’s easy, get your service provider to tell you what they’re doing. For example;

DSS Req. #

Description

Service Provider Responsibility Client Responsibility
1.1.3

Examine data-flow diagram and interview personnel to verify the diagram:

*  Shows all cardholder data flows across systems and networks.

*  Is kept current and updated as needed upon changes to the environment.

SP will provide initial diagrams in Visio format for the pre-production environment but will not own, manage, or keep up-to-date the data-flow diagrams post-production.

 This requirement is not part of SP PCI Report on Compliance dated [Mmm dd, yyyy]

Client must own, manage, and keep up-to-date all data-flow diagrams for inclusion into their own PCI compliance efforts once services have reached a production state.

You must repeat the above for EVERY requirement in the PCI DSS v3.0, then add this as an addendum or annex to your signed service contract. This applies not only for the services they are providing DIRECTLY, but the SP has a responsibility for any SUB-contractor they may bring in, and so on down the line.

Again, SOMEONE has to answer the questions!

However, let’s back up a bit and handle each DSS Requirement in turn:

12.8.1 Maintain a list of service providers

Easy, just maintain a list of Service Providers, with – at a minimum – the following detail;

  • Company Name
  • Service Description
  • Is [CONFIDENTIAL] Data Shared?
  • Regulatory Compliance Date
  • Status Verified By

12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

Even easier, they wrote it down for you!! Include – again, at a minimum – the language in red in your contracts. You will likely want significantly more than this as there is no declaration of LIABILITY, or even SLAs.

12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

If you don’t have robust vendor due diligence and vendor on-boarding/off-boarding processes you are really asking for trouble. For PCI services, if you have not ensured they are PCI compliant for the services they are providing AND you have the full details written into contact, then you have created a world of pain for yourself.

12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.

Does this say anything about the service providers actually working towards PCI compliance? No, it doesn’t, so the status could be; “They will never achieve PCI compliance.” and this is good enough for PCI. This should NEVER be good enough for you.

12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

This we’ve already covered, all you need is a table, like the above, of every PCI requirement handled by each of your service providers and their sub-contractors. Your QSA can then tell you precisely what is left for you to cover for full compliance.

Whether you’re assessing for the first time, or re-assessing under v3.0, you need to start these conversation with your service providers NOW, as while this may be simple, it is not easy.

Advice for Merchants:

  • Only choose PCI compliant service providers (start here; Visa Europe Merchant Agent List)
  • Only choose service providers who have already addressed 12.8.2 and 12.8.5 up-front. You should not have to ask for this from SP worth their salt
  • If you have existing SPs and don’t know where to start, hire a decent consultant who is familiar with the PCI DSS to help

Advice for Service Providers:

  • Get your responsibility mappings and your contract language sorted out now, BEFORE you are asked
  • If you need help, ask for it, ignorance is not an excuse your clients can accept, nor can the card schemes

Easy huh?