ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
0 likes417 views
This document summarizes a presentation given by Vladimir Jirasek on a vulnerability scanning project conducted at DSG International plc to meet PCI DSS compliance requirements and manage risk. DSG International is a major European retailer with both physical and online stores. The project team implemented weekly vulnerability scans of external and critical internal assets across DSG International's distributed IT infrastructure using Qualys. This helped identify and fix 80% of security issues within three months. The scanning is now a routine activity and has helped standardize patching policies while meeting PCI requirements in a cost effective manner.
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
- 1. Executive Alliance, Inc. October 16, 2008 New York, New York ISE UK and Ireland Summit and Awards NOMINEE SHOWCASE PRESENTATION October 22, 2008 London, United Kingdom
- 2. by ISE Northeast 2008 Executive Alliance, Inc.ISE UK and Ireland 2008 Executive Alliance, Inc. 2 Vladimir Jirasek Information Security & Compliance manage DSG International plc Vulnerability scanning for PCI DSS compliance and risk management
- 3. ISE Northeast 2008 Executive Alliance, Inc. Today’s Discussion Points • About DSG International • PCI DSS programme and beyond compliance • Vulnerability scanning project • Lessons learned ISE UK and Ireland 2008 Executive Alliance, Inc. 3
- 4. ISE Northeast 2008ISE UK and Ireland 2008 Executive Alliance, Inc. 4 DSG International plc • Major electrical and computing retailer in Europe with both traditional stores and Web store • We own brads like Currys, PC World, Pixmania, The TechGuys, PC City, Electroworld, Elkjop • No 1 in the UK • Head office in Hemel Hempsted, UK • 40,000 employees in the Group • Annual revenue over £6b • Processes large amounts of customer data
- 5. ISE Northeast 2008 Executive Alliance, Inc. PCI DSS is good but ... • Why good? The first standard that retailers take seriously • But scope is/can be limited • DSGi started work on PCI DSS in 2007 with most of the projects kicked off • Requirement 11.2 handled by this project • Limited budget • Although the scope is limited the approach was to take risk based approach ISE UK and Ireland 2008 Executive Alliance, Inc. 5
- 6. ISE Northeast 2008 Executive Alliance, Inc. Requirements • Compliant with 11.2, i.e. ASV • Whole group in the scope (regardless of the PCI DSS scope) • Minimal operational overhead • Potential to satisfy other requirements • Easy to use • Fit for distributed IT teams in the Group ISE UK and Ireland 2008 Executive Alliance, Inc. 6
- 7. ISE Northeast 2008 Executive Alliance, Inc. Goals • Develop patching and vulnerability scanning policy • Quick win - find the state of DSGi network (external then internal) • Deliver first “PASS” PCI DSS scans • Make this activity BAU for IT teams ISE UK and Ireland 2008 Executive Alliance, Inc. 7
- 8. ISE Northeast 2008 Executive Alliance, Inc.ISE UK and Ireland 2008 Executive Alliance, Inc. 8 Challenges • Distributed IT teams • No standardised patching policy • Limited budget and overstretched IT resources in most countries • Missing risk assessment in IT patching • Scepticism and wary of vulnerability scanning
- 9. ISE Northeast 2008 Executive Alliance, Inc.Executive Alliance, Inc. 9 Project team ISE UK and Ireland 2008 Accountable and project lead: Vladimir Jirasek - DSGi Information security manager Team members: Matt Leggett - Security project manager (UK) Stelios Kavalaris - Security admin (Greece) Samy Elmalki - Network admin (France) Ana Maria Munoz Ponce - System admin (Spain) Lars-Andre Johannessen - System manager (Nordic group) Oyvind Gulikstad - Security manager (Nordic group) Paolo Asioli - Security manager (Italy) Ed Brown - Systems manager (UK, Techguys) Michael Braid - Systems admins (UK, DSGi Business)
- 10. ISE Northeast 2008 Executive Alliance, Inc.ISE UK and Ireland 2008 Executive Alliance, Inc. 10 Overcoming challenges • Responsibility for “clean” scans transferred to business units IT managers • Group wide standardised patching policy agreed • Limited budget addressed by using Software as a service model • Qualys service is easy to use and understood by IT teams. Virtually no training required • Business units in Qualys made group wide rollout easy to manage • Testing of impact of scanning to existing IT systems
- 11. ISE Northeast 2008 Executive Alliance, Inc. Risk based approach Internet Internal network Head office DMZ mainframe eBusiness VPN GW acquirer setlement Store network
- 12. ISE Northeast 2008 Executive Alliance, Inc. Risk based approach (cont) ISE UK and Ireland 2008 Executive Alliance, Inc. 14 Critical Important High Medium Low 5 24 hours 5 days 14 days 20 days 40 days 4 5 days 10 days 20 days 1 month 2 months 3 10 days 20 days 1 month 2 months 3 months 2 6 months* Next release* Next release Next release No fix 1 no fix* no fix* no fix no fix No fix
- 13. ISE Northeast 2008 Executive Alliance, Inc. Project results Patching policy agreed buy IT teams Weekly vulnerability scans carried on all external and critical internal assets - 14 internal appliances in 7 business units 80% of security issues fixed across the group within first 3 months Qualys accepted by IT teams as a “good” tool for highlighting security issues Scanning is now BAU activity 13
- 14. ISE Northeast 2008 Executive Alliance, Inc. Conclusion • Looked beyond PCI DSS and adopted risk based approach (now compliant with v 1.2) • Each IT team is a separate business unit • Responsibility for scanning and fixing transferred to IT managers ISE UK and Ireland 2008 Executive Alliance, Inc. 15
- 15. ISE Northeast 2008 Executive Alliance, Inc. Thank You! • Questions? • Contact Info: • [email protected] or [email protected] • +447959040187 ISE UK and Ireland 2008 Executive Alliance, Inc. 16