an open sign hanging on the door of a shop

Compliance assessment leads to multiple security vulnerability findings for global retailer

Our client, a leading fashion specialty retailer with support locations across the United States and Canada, accepts millions of credit card transactions annually through multiple channels; e-commerce, phone orders with live agents, and hundreds of brick & mortar retail stores located in countries around the globe.

Challenge

Our client is required to validate compliance with the Payment Card Industry Data Security Standard (PCI-DSS) and Sarbanes Oxley (SOX) Act.

Breaches in compliance for a retailer can incur financial penalties including increased transaction fees, substantial fines, financial liabilities, and the possibility of not being able to process credit card transactions.

Our client had struggled to achieve compliance with applicable regulatory standards and has not been able to meet all requirements to demonstrate controls in place at specified intervals.

At least twice per year, the security and compliance team performs the primarily manual processes of collecting and preparing data for external security audits. Without visibility into systems, the security & compliance team is forced to rely upon system owners providing security configuration data and key process evidence.

The client asked Kalles Group to provide subject matter expertise to improve information security control visibility, consistent PCI and SOX regulatory compliance, and solution options for security and compliance automation.

Approach

Kalles Group integrated with our client’s security and compliance team to develop a contextual understanding of the security and compliance cultures and priorities in order to offer actionable recommendations and strategies toward replacing, improving, or extending their security and compliance protocols.

Compliance Gap Analysis: The client’s most recent SOX & PCI compliance assessments identified common deficiencies; configuration / end-point management, incident response, and user administration. Additionally, the client was informed by their assessor that they were not adequately validating their compliance scope and would have to provide evidence of a more thorough compliance scope validation for their next assessment.

Compliance scoping falls in the highest priority category for PCI remediation, as it includes network & data flow diagrams, data discovery scanning, and network segmentation validation. An entity needs to know and be able to document where sensitive data is handled, transmitted, and how it’s protected.
Kalles Group was able to identify a significant number of existing gaps along with several continuing areas of non-compliance. A thorough identification of compliance gaps was hindered by the client’s inability to provide a complete inventory of systems or current representative network & data flow diagrams. Using the PCI-SSC’s Prioritized Approach tool, Kalles Group mapped the dozens of identified current PCI compliance gaps to priority / risk.

The highest population of gaps was in the high priority category – related to end point management and security incident detection & response.

The second highest population of gaps are related to monitoring and controlling network access.

An important part of PCI standard involves configuration and vulnerability management. The client had previously outsourced vulnerability scanning to a 3rd party and had recently made the decision to bring the function in-house. In order to complete required time-sensitive scans, the client was forced to deploy a new scanning tool and the associated processes right away. While vulnerability scanning is centralized, the configuration and patch management processes have been a distributed responsibility of the system administration teams for their designated hosts, network devices, POS systems, and corporate endpoints. The new vulnerability scanning tool identified many serious vulnerabilities on all scanned systems and highlighted a significant compliance gap in the scope of the previous quarterly scans.

Without an enterprise logging strategy, many of the client’s systems are not connected to detection & alerting mechanisms. Without log feeds into a central aggregation point and correlation through a SIEM, the client is unable to adequately detect and respond to potential security events/incidents. The client’s computer security incident response plan also did not include required timelines.

The client’s manual user administration processes are inconsistent and increase potential security risks. Manual user administration processes were cited for most of the SOX deficiency findings. PCI pre-assessment by the security & compliance team found that user list reviews are not performed per PCI requirements, consistently across all in-scope platforms. Single sign-on (SSO) is not employed on all critical platforms and multi-factor authentication (MFA) is not required for all privileged access. User administration is not included in current change management system resulting in some users being provisioned without approvals.

While the client has some systems are in place to facilitate configuration & compliance management ticketing processes, they are not populated with enterprise-wide system configuration data, nor configured with available integrated GRC tools. Vulnerability scanning tools are providing current configuration & compliance visibility and a separate GRC tool is used solely for risk management.

Solution

Gap Analysis: Utilizing the PCI-SSC’s prioritized approach tool, Kalles Group provided multiple views of current PCI control gaps by priority and team, along with specific remediation guidance for each requirement gap.

The common gaps across different systems highlighted symptomatic indicators of two key areas needing organizational attention:

  • Configuration, vulnerability, and network management
  • User administration, incident response, and compliance management

Scoping: To facilitate the security & compliance team’s discussions with stakeholders, Kalles Group developed a PCI environment overview diagram. Additionally, as a baseline for the development of final diagrams, we developed PCI data flow diagrams for brick & mortar stores, and live representative orders (phone & chat). To help automate the validation of the client’s PCI scope, we identified several scope validation options including sensitive data discovery scanning tools.

Quick hit recommendations: Kalles Group identified a list of nine quick-win recommendations for implementing controls using existing technology & resources. These included recommendations for process improvements to address gaps related to vulnerability and user management, and incident detection & response.

Focus Areas: We provided recommendations for focus areas to improve program consistency including:

  • Increasing focus on endpoint and user controls,
  • Increasing security & compliance visibility into systems’ configuration, and
  • Anticipating increasing requirements.

Strategic Recommendations: We developed a set of strategic recommendations for the client’s security and compliance program including:

  • Implementing risk-based security & compliance program strategies & standards
  • Establishing a culture of recognizing the individual’s contribution to IT risk management
  • Increasing security & compliance resources
  • Allocate compliance accountability through stakeholder process changes

Phased Roadmap: Kalles Group developed a phased roadmap to implementing controls & systems to reach a future state goal of GRC automation on the current ticketing platform and, ultimately SecOps integration.

  • Compliance Roadmap and Future State
  • Phase I – Endpoint & User Management
  • Phase II – Monitoring, Incident Detection & Response
  • Phase III – Governance Automation
  • Phase IV – Audit & Risk Management
  • Phase V – SecOps

Results

As a result of our review, our client’s security leadership recognized:

  • The breadth and priorities of current compliance gaps,
  • The urgent need for compliant vulnerability & patch management processes,
  • The need for increasing focus on endpoint controls (especially considering the current situation),
  • The benefit of additional scope reduction mechanisms, and
  • The need for comprehensive configuration & compliance monitoring capabilities.

Subsequent projects have been initiated for endpoint controls management, endpoint process changes, and additional P2PE scope reduction.

Overall, there is now more visibility into the risk to the company presented by inadequate controls on and visibility of host systems, endpoints & users.