575 Madison Avenue, Suite 1006 New York, NY 212.937.8443

Data Sheet: Middleware Security Services

Evans Resource Group™ Data Security Standard Compliance Readiness Review

Providing organizations with expert advice and gap analysis of existing practices compared to the Payment Card Industry (PCI) Data Security Standard; also applicable to Sarbanes Oxley, HIPAA, FISMA and Gramm Leach Bliley.

Overview

Have you heard of the Hannaford breach? Most companies and auditors don’t understand how it could happen. If the perimeter is secure, how can a hacker possibly get in? After all, they were considered PCI compliant…

We want to take a moment to proactively inform you of a potential security concern that requires your prompt attention, and of a free security check that can prevent you from being the next Hannaford. We have been working in conjunction with IBM to raise awareness about the risks of WebSphere MQ networks that have not been fully configured to enable security, and the respective impact on regulatory compliance. This is not due to an issue inherent in WebSphere MQ; rather, it happens when system administrators do not apply security correctly, or in some cases do not apply it at all. Put simply, your data could be exposed through misconfiguration during installation and maintenance of WebSphere MQ. IBM and our security team have found that the vast majority of WebSphere MQ networks have some exposure attributable to misconfiguration. This is an area (Middleware) that until recently has not been audited properly for regulatory compliance, yet based on recent breaches it is now under scrutiny.

ERG works with an Authorizing Officer (CCO, CISO, CFO, etc.) and/or Security Officer at your organization to discuss the issue from a regulatory compliance perspective. The review is an efficient two-step process that requires no cost and minimal time. It will ensure your organization is fully aware of the issue and has conducted the proper due diligence to establish that your data both meets applicable regulatory requirements and is not exposed.

Most organizations that handle credit card payments must demonstrate compliance with the Payment Card Industry (PCI) Data Security Standard by completing a variety of card-issuer requirements. However, most auditors are not trained to examine an important part of the network (Middleware), resulting in exposures.

The ERG™ Data Security Compliance Readiness Review helps organizations prepare for PCI, SOX, HIPAA, FISMA and GLB compliance by providing expert advice and gap analysis of existing practices compared to the PCI Data Security Standard. PCI is the high water mark in the industry, and organizations employing these middleware standards have less risk associated with their networks. This review helps educate organizations about the PCI Data Security Standard and compliance requirements as they map to middleware exposures. ERG is a member of the PCI Security Council, and our security consultants and partners are certified according to Visa® USA’s Qualified Data Security Company (QDSC) requirements and are CAP certified.

Leveraging their extensive security and middleware experience, ERG consultants identify and analyze issues of concern, and recommend the solutions and processes necessary for the organization to meet PCI security requirements. At the conclusion of each review, ERG consultants meet with the organization, outline the necessary next steps to prepare for PCI compliance, and identify areas where improvements may be needed for compliance. Depending on the organization’s needs, ERG can also provide consultation and products to help develop and execute remediation plans for any non-compliance issues that are discovered. In addition, ERG’s certified consultants can help articulate the objectives, strategies, and needs related to meeting data governance requirements to the company’s executive management. This collaborative effort helps direct the organization’s readiness activity and strategic planning in preparation for PCI, SOX, HIPAA, FISMA or GLB compliance, and can ultimately significantly reduce the cost of meeting compliance requirements.

Key Features

Free Order of Magnitude Assessment to determine if there is an exposure due to misconfiguration or non-configuration of WebSphere MQ.

Educates organizations about data governance standards, including PCI, SOX, HIPAA, FISMA and GLB standards, and compliance requirements for Middleware.

Provides a process to initiate, certify, authorize and monitor data security for Middleware.

Identifies and analyzes potential deficiencies or lack of controls that could result in failure to comply with Data Security Standards as they apply to the high water mark of the Payment Card Industry standards and practices.

Provides a preparatory gap analysis that identifies potential areas of non-compliance.

Recommends the solutions and processes necessary to meet PCI requirements prior to completing the self-assessment questionnaire or commencing an on-site security audit.

Reviews policy and procedure documentation, system and network device configuration details, and network and application architecture guidelines as they relate to the Middleware network.

Delivered by world-class ERG security consultants, who are certified according to Visa® USA’s Qualified Data Security Company (QDSC) requirements.

Facilitates the organization’s understanding of data security requirements and how existing information security controls measure up to the standard.

Key Benefits

Facilitates the organization’s understanding of data security, including PCI, SOX, HIPAA, GLB and FISMA, as they apply to your organization’s security requirements, and of how existing information security controls measure up to the standard.

Helps compliance and audit managers articulate to executive management the objectives, strategies, and needs related to data security (PCI, SOX, HIPAA, GLB, or FISMA) requirements for budgetary and resource planning purposes.

Clarifies the potential impact of PCI requirements on an organization’s existing IT infrastructure, business operations, and strategic activities.

Remediates WebSphere MQ exposures as they relate to administrative, application and data exposures.

More information

Visit our Web site: http://www.evansresourcegroup.com

About Evans Resource Group

Evans Resource Group is the leader in Middleware information security and systems integration methodologies, providing a broad range of software, appliances and services designed to help individuals, small and mid-sized businesses, and large enterprises secure and manage their IT Enterprise Integration Infrastructure. Headquartered in New York, NY, ERG has operations in more than 10 countries.