A proven framework for complying with PCI standards
A significant rise in the number of credit card holders has led to a proportionate increase in online transactions. These transactions, however, are increasingly exposing card holders to credit card scams, identity fraud and hacking. To protect sensitive information from such security breaches, the Payment Card Industry Data Security Standard (PCI DSS) introduced the PCI guidelines. Failure to comply with these standards can result in fines from credit card companies and banks and even the loss of the ability to process credit cards.
Achieving PCI compliance is, however, complex and costly, as merchants and service providers have to address approximately 180 individual PCI requirements in 12 categories to avoid non-conformance. Even most companies that manage to comply with PCI standards have significant gaps in their compliance strategy.
MetricStream offers a comprehensive solution for sustainable PCI compliance based on industry best practices. The solution enables identifying key risks across the enterprise, conducting investigation for root cause analysis, defining controls for mitigating risks, and evaluating the effectiveness of controls through assessment plans while lowering the overall cost of compliance.
FEATURES AND FUNCTIONALITY:
Building and Maintaining a Secure Network
The MetricStream solution provides tools and processes to monitor the security mechanisms and network defenses that protect cardholder data from security breaches. It supports monitoring of network elements such as firewalls and puts a formal network assessment process in place. It maintains a repository of security and configuration policies to assess their implementation, and helps identify gaps and highlight them in real time by sending alerts. For instance, when any new system is installed, the solution ensures that security credentials and passwords are implemented as per the set configuration policies. The solution also provides periodic, enterprise-wide self-assessment surveys to give a view of the company's position on the PCI compliance continuum. These surveys also come in handy when completing the annual PCI Self-Assessment Questionnaire (SAQ) mandated by the PCI guidelines.
MONITORING SECURITY BREACHES
Protecting Cardholder’s Data
To protect cardholder data, the MetricStream solution monitors for breaches of the company's defined data retention and disposal policies. The solution's built-in capability automatically sends alerts in the event of a policy breach or exposure of sensitive information. For instance, if a report contains sensitive information such as a PAN (primary account number), the solution's built-in mechanism triggers a real-time alert to the responsible authority and prevents the report from being published without appropriate authorization. The solution enables companies to track, monitor and analyze such alerts across the enterprise through a single dashboard for a comprehensive view of the existing compliance strategy. It further provides complete documentation of the encryption policy adopted and the changes made to it over time.
VULNERABILITY AND INCIDENT MANAGEMENT
Maintaining a Vulnerability Management Program
The MetricStream solution tracks vulnerabilities in a network to mitigate security risks. It captures alerts about software upgrades and reports the changes required to predefined stakeholders. It monitors the process for capturing, tracking and prioritizing non-compliance incidents to help establish and document consistent procedures. The solution includes an annual process that identifies threats and vulnerabilities and aids in a formal risk assessment. The system executes internal and external network vulnerability assessments and, once the identified weaknesses are corrected, repeats the scan to confirm the results. The system can be set up to schedule both periodic and ad-hoc assessments of the network. For instance, an ad-hoc assessment can be run every time a significant change is made to the network.
The solution also streamlines the network upgrade and change management process by establishing a robust change control process. The solution enables documentation not only of the changes but of their impact. This change assessment is automatically routed to senior management for approval. It also facilitates electronic sign-offs for faster approvals. The solution provides complete visibility into the change request database and lifecycle with comprehensive aggregate reporting and individual request status tracking. This gives users the ability to associate various types of changes in order to identify trends or common categories of change requests, helping implement robust security initiatives.
ACCESS CONTROL MANAGEMENT
Implementing Strong Access Control Measures
The MetricStream solution ensures that the network system operates in accordance with the organization's access control policy and processes. The solution monitors and tracks all access to network resources, cardholder data and other sensitive files, confirming that access controls comply with the defined policies. For instance, it alerts the responsible personnel when an account has been inactive beyond the permitted number of days and also reports any unwarranted access attempts. At periodic intervals it notifies the relevant stakeholders of the status of access controls, mapped to the various roles in the organization. The solution generates in-depth reports with drill-down capability, enabling proactive action and forecasting for enhanced access control measures.
Monitoring and Testing Networks
The MetricStream solution enables real-time tracking of audit logs from the cardholder data environment to prevent, detect, and minimize the impact of a data compromise. It provides a closed-loop audit cycle by recording findings from these logs and developing recommendations for implementing action plans. It also generates reports on breaches for better visibility into the company's security initiatives. The solution is also capable of performing ad hoc audits. It monitors file integrity software to alert personnel about unauthorized modification of critical system files, configuration files, or content files, and aids in performing critical file comparisons at predefined time intervals.
Advanced capabilities such as built-in remediation workflows, time tracking, email-based notifications and alerts, risk assessment methodologies, and offline functionality for conducting audits at remote field sites allow organizations to implement audit best practices for efficient PCI compliance.
POLICY ESTABLISHMENT AND DEPLOYMENT
Maintaining Information Security Policy
The MetricStream solution offers an integrated information security policy management process with change control capabilities to keep compliance initiatives and their documentation processes in sync and up to date. Integrated collaboration and workflow tools can be used to access, create, modify, review, and approve the information security policy globally, while a built-in role-based access control mechanism ensures complete protection. The solution enables enforcement of the security policy on remote and offline computers as well, for seamless compliance execution. It generates reports to track security breaches, their root cause analysis and the remedial action undertaken, together with ownership details, for complete visibility into the security environment. It creates a repository of established security policies and of the security response and escalation procedures for enhanced security initiatives. It makes all employees aware of the importance of cardholder data security by conducting automated periodic surveys. The solution facilitates periodic reviews and automatic updates when changes are made to the cardholder data environment.
The solution maintains a program to monitor service providers' PCI DSS compliance status. It maintains a list of service providers and their written agreements on their role in the security of the cardholder data they possess. The solution facilitates risk assessment based on a service provider's PCI compliance prior to establishing a formal relationship with that provider.
METRICSTREAM IT GRC SOLUTION
IT GRC is emerging as an integral part of today's security landscape: managing the lifecycle of IT policies, assessing and responding to IT risks, and measuring and reporting compliance with IT controls and regulatory requirements. Implementing an IT GRC solution, however, requires organizations to streamline their IT governance, risk and compliance process; enable visibility and control for multiple stakeholders; and provide a single system of record for IT management.
MetricStream provides a comprehensive IT GRC software solution for IT risk and compliance management. Designed to support the COBIT framework, the solution ensures sustained compliance of IT controls at significantly lower cost. By deploying the MetricStream solution, organizations can streamline their IT risk and compliance management processes and give multiple stakeholders visibility and control. It also provides a single system of record for IT GRC by integrating with the solutions already implemented to automate the testing of various controls.
- Ensure cost-effective compliance with streamlined and automated workflows, assessments and testing, and remediation assignments.
- Gain enterprise-wide visibility into the compliance management process through detailed auditing and reporting on an ongoing basis.
- Get real-time updates and alerts for proactive compliance management.
- Manage risks, security and controls with a user-friendly interface.
- Create policies for risk and compliance management and trigger proactive remediation.