How to implement a security standard? In simple words
Case Overview
Security standards differ, and implementing them can be complex. The steps in this article are generic, but to make them practical, let’s use PCI DSS as a reference case. PCI DSS is an important standard designed to ensure that customers' payment card data is stored, processed, and transferred securely. The standard was originally established in 2004 by credit card companies including MasterCard, Visa, Discover, American Express, and JCB. It's important to understand that PCI DSS is not a legal or regulatory requirement, but rather a contractual obligation that businesses need to follow when storing and processing debit, credit, and payment card transactions in general. There are 4 compliance levels, organized by the volume of transactions a business processes: (L1) 6M+ transactions; (L2) 1M to 6M transactions; (L3) 20K to 1M transactions; (L4) less than 20K transactions. Cloud can simplify regular PCI DSS audits for infrastructure through existing security controls, compliant services, and products. Cloud service providers are responsible for security of the cloud, while the customer is responsible for security in the cloud; this is the Shared Responsibility Model (ex. AWS, Azure and GCP).
Implementation Steps
PCI DSS has six areas that require a company's attention: infrastructure security, card data protection, a vulnerability management process, a robust access control mechanism, regular monitoring, and maintaining information security policies. Implementing proper controls in these areas takes several steps.
Step 1 - Create Artifacts
Organizations need to fully understand their environment, including system and networking architecture diagrams, and data flow documentation. This step is crucial and requires significant resource investment.
Step 2 - Review Scope
Companies must identify their cardholder data environment, including all system components that process, transmit, or store card data directly or indirectly. Components can be excluded if they:
1/ Don't process, transmit, or store card data;
2/ Cannot connect to systems that handle card data;
3/ Are not in the same network (subnet or VLAN).
Step 3 - Define Segmentation and Required Changes
System architecture evolves over time and may carry technical debt and inconsistencies with the original design due to various constraints (ex. time, budget and scope). Based on the identified artifacts and scope, companies can define environment segmentation and boundaries for the PCI DSS audit, and determine the necessary changes.
Step 4 - Implement Requirements
PCI DSS requirements are practical but require proper interpretation within the assessment scope. Companies should conduct a self-audit against the original standard before proceeding with the formal audit. Cloud service providers can assist by publishing professional guides for implementing specific requirements (ex. from AWS).
Educating employees is crucial. Internal training and knowledge sharing are great accelerators for future audits.
Summary
PCI DSS implementation becomes manageable when approached systematically. The framework's four compliance levels have clear requirements, from comprehensive on-site audits for L1 to self-assessment questionnaires for the lower levels. By following these steps, defining a timeline, and utilizing available cloud resources, organizations can effectively implement the necessary security controls and meet PCI DSS requirements. We’ve used PCI DSS as a reference case, but in general the steps can be applied to other security standards as well.
Written by
Max Ivashchenko
Senior Solutions Architect @ AWS // Opinions are my own.