Post on 20-Aug-2015
Executive Alliance, Inc.
ISE Northeast 2008
October 16, 2008, New York, New York
ISE UK and Ireland Summit and Awards
NOMINEE SHOWCASE PRESENTATION
October 22, 2008, London, United Kingdom
by
Vladimir Jirasek, Information Security & Compliance Manager
DSG International plc
Vulnerability scanning for PCI DSS compliance and risk management
Today's Discussion Points
• About DSG International
• PCI DSS programme and beyond compliance
• Vulnerability scanning project
• Lessons learned
DSG International plc
• Major electrical and computing retailer in Europe with both traditional stores and a Web store
• We own brands like Currys, PC World, Pixmania, The TechGuys, PC City, Electroworld, Elkjop
• No 1 in the UK
• Head office in Hemel Hempstead, UK
• 40,000 employees in the Group
• Annual revenue over £6b
• Processes large amounts of customer data
PCI DSS is good but ...
• Why good? The first standard that retailers take seriously
• But scope is/can be limited
• DSGi started work on PCI DSS in 2007 with most of the projects kicked off
• Requirement 11.2 handled by this project
• Limited budget
• Although the scope is limited, the approach was to take a risk based approach
Requirements
• Compliant with 11.2, i.e. ASV
• Whole group in the scope (regardless of the PCI DSS scope)
• Minimal operational overhead
• Potential to satisfy other requirements
• Easy to use
• Fit for distributed IT teams in the Group
Goals
• Develop patching and vulnerability scanning policy
• Quick win - find the state of the DSGi network (external then internal)
• Deliver first "PASS" PCI DSS scans
• Make this activity BAU for IT teams
Challenges
• Distributed IT teams
• No standardised patching policy
• Limited budget and overstretched IT resources in most countries
• Missing risk assessment in IT patching
• Scepticism about, and wariness of, vulnerability scanning
Project team
Accountable and project lead:
Vladimir Jirasek - DSGi Information security manager
Team members:
Matt Leggett - Security project manager (UK)
Stelios Kavalaris - Security admin (Greece)
Samy Elmalki - Network admin (France)
Ana Maria Munoz Ponce - System admin (Spain)
Lars-Andre Johannessen - System manager (Nordic group)
Oyvind Gulikstad - Security manager (Nordic group)
Paolo Asioli - Security manager (Italy)
Ed Brown - Systems manager (UK, Techguys)
Michael Braid - Systems admin (UK, DSGi Business)
Overcoming challenges
• Responsibility for "clean" scans transferred to business units' IT managers
• Group wide standardised patching policy agreed
• Limited budget addressed by using a Software as a Service model
• Qualys service is easy to use and understood by IT teams. Virtually no training required
• Business units in Qualys made group wide rollout easy to manage
• Testing of impact of scanning on existing IT systems
Risk based approach
[Network diagram: Internet; DMZ; Internal network; Head office; Store network; POS server; mainframe; eBusiness VPN GW; acquirer settlement]
Risk based approach (cont)
Remediation timescales by rating (rows, 5 = most severe to 1 = least) and asset class (columns):

Rating  Critical    Important      High          Medium        Low
5       24 hours    5 days         14 days       20 days       40 days
4       5 days      10 days        20 days       1 month       2 months
3       10 days     20 days        1 month       2 months      3 months
2       6 months*   Next release*  Next release  Next release  No fix
1       no fix*     no fix*        no fix        no fix        No fix
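The matrix above only earns its keep if scan output is checked against it on every scan cycle. The following Python is an added example, not code from the original presentation or from DSGi: it assumes the 5..1 rows are vulnerability severity (5 = most severe) and the columns are asset criticality, treats a "month" as 30 days, treats "Next release" and "no fix" cells as having no fixed deadline, and runs over constructed sample findings with hypothetical host names and check identifiers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Remediation matrix from the slide: rows are the 5..1 rating (assumed here to
# be vulnerability severity, 5 = most severe), columns are asset criticality.
# Assumptions: a "month" is 30 days; "Next release" and "no fix" cells have no
# fixed deadline and are stored as None.
DAY = timedelta(days=1)
MONTH = 30 * DAY

ASSET_CLASSES = ("Critical", "Important", "High", "Medium", "Low")

MATRIX = {
    5: (timedelta(hours=24), 5 * DAY, 14 * DAY, 20 * DAY, 40 * DAY),
    4: (5 * DAY, 10 * DAY, 20 * DAY, 1 * MONTH, 2 * MONTH),
    3: (10 * DAY, 20 * DAY, 1 * MONTH, 2 * MONTH, 3 * MONTH),
    2: (6 * MONTH, None, None, None, None),   # "Next release" / "No fix"
    1: (None, None, None, None, None),        # "no fix" across the board
}


def remediation_window(severity: int, asset_class: str) -> Optional[timedelta]:
    """Time the policy allows to fix a finding; None means no fixed deadline."""
    if severity not in MATRIX:
        raise ValueError(f"severity must be 1-5, got {severity!r}")
    if asset_class not in ASSET_CLASSES:
        raise ValueError(f"unknown asset class {asset_class!r}")
    return MATRIX[severity][ASSET_CLASSES.index(asset_class)]


@dataclass(frozen=True)
class Finding:
    host: str          # hypothetical host name
    check_id: str      # hypothetical scanner check identifier
    severity: int
    asset_class: str
    first_seen: datetime


def deadline(f: Finding) -> Optional[datetime]:
    """Date by which the finding must be fixed, or None if the policy sets none."""
    window = remediation_window(f.severity, f.asset_class)
    return None if window is None else f.first_seen + window


def overdue(findings: List[Finding], now: datetime) -> List[Finding]:
    """Findings whose deadline has passed, most overdue first."""
    late = []
    for f in findings:
        due = deadline(f)
        if due is not None and due < now:
            late.append((now - due, f))
    late.sort(key=lambda pair: pair[0], reverse=True)
    return [f for _, f in late]


# Constructed sample scan output (not real DSGi data).
SAMPLE = [
    Finding("pos-srv-01", "CHK-1", 5, "Critical", datetime(2008, 9, 1, 9, 0)),  # due 2 Sep
    Finding("store-gw-07", "CHK-2", 3, "Medium", datetime(2008, 8, 1)),         # due 30 Sep
    Finding("kiosk-22", "CHK-3", 1, "Low", datetime(2008, 6, 1)),               # no fix
    Finding("web-01", "CHK-4", 4, "Critical", datetime(2008, 9, 28)),           # due 3 Oct
]
REVIEW_DATE = datetime(2008, 10, 1)


def overdue_hosts(findings: List[Finding] = SAMPLE, now: datetime = REVIEW_DATE) -> List[str]:
    """Host names with overdue findings at the review date, most overdue first."""
    return [f.host for f in overdue(findings, now)]


if __name__ == "__main__":
    for f in overdue(SAMPLE, REVIEW_DATE):
        print(f"{f.host}: sev {f.severity} on {f.asset_class} asset, due {deadline(f):%Y-%m-%d}")
```

Feeding each weekly scan export through `overdue()` gives the business unit IT manager the list that matters for the "clean scan" responsibility above; the severity and asset class are kept as separate inputs precisely so that a low-severity finding on a POS server and a high-severity one on a kiosk land in different columns of the policy rather than being treated alike.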
Project results
• Patching policy agreed by IT teams
• Weekly vulnerability scans carried out on all external and critical internal assets - 14 internal appliances in 7 business units
• 80% of security issues fixed across the group within the first 3 months
• Qualys accepted by IT teams as a "good" tool for highlighting security issues
• Scanning is now a BAU activity
Conclusion
• Looked beyond PCI DSS and adopted a risk based approach (now compliant with v 1.2)
• Each IT team is a separate business unit
• Responsibility for scanning and fixing transferred to IT managers
Thank You!
• Questions?
• Contact Info: Vladimir.jirasek@dgiplc.com or Vladimir@Jirasek.eu, +447959040187