So what should you be doing? Well there are a number of steps to consider. And an excellent guideline to follow is the standard, developed by MasterCard and VISA and also being enforced by American Express, and which is designed to protect cardholder information and must be implemented by members, merchants and service providers. So if you fall into any of these categories, and that will apply to most, then this is important:
1. Build and Maintain a Secure Network – Maybe an obvious comment, but it is important to understand what this means. You need to have a firewall configuration to protect data and not use vendor-supplied defaults for system passwords and other security parameters. In order for firewalls to be effective, all communication from untrusted networks or hosts must be blocked, preventing external sources from interfacing with internal ones. An interesting point to note here is that the requirement for the firewall is to “protect data”, not to secure the perimeter.
Far too often, administrators use the default passwords on systems as important as servers and network devices for ease of use or simply because they forgot to change them. A list of these default passwords can easily be found on the Internet and are often how hackers access the network. To best meet this requirement, it all starts with a formal password control program that expands upon best-practice policies with technologies that enable companies to have the accessibility and security needed for administrative passwords. This type of program marries policies with controls, changes and audits, to ensure best practices.
2. Protect Data – In order to achieve this goal, it is necessary to ensure that data is protected when it is stored – and wherever it is stored, and that the data is encrypted when being transmitted across public networks. Although most will probably employ some type of VPN technology for transmission, the secure storage is often overlooked. An effective solution will provide a comprehensive environment to securely store sensitive data, featuring strong firewall, strong authentication, session encryption, storage encryption, extensive auditing, access control, dual control and other security measures to ensure the security and confidentiality of data.
Data at rest is frequently left sitting without any form of encryption attached to it. If an intruder is able to hack past the firewall or walk off with a server, there is no protection for the data inside if it lays unencrypted. It is essential that the solution selected to meet this requirement features built-in encryption and key management mechanisms that ensure data is always secure, while at rest and while being transmitted.
3. Maintain a Vulnerability Management Program – This is primarily to ensure that you use and regularly update anti-virus software and secondly, that you develop and maintain secure systems and applications. All applications, as well as the network itself, should be protected by an anti-virus solution. And secure systems and applications exclude those that have embedded user credentials, often the case in many database applications.
4. Implement Strong Access Control Measures – This can present a challenge since it does not simply define Identity Management measures but also the need to ensure that data is only accessible on a "need to know" basis. Ensuring that users have access only to the level of data that they need is an important step in preventing data theft, particularly internal data theft. A good solution would store data in a highly departmentalized manner, allowing only authenticated users access to data based on their level of authorization. Every user should be assigned an individual account that easily allows them to access the data they need, while restricting them from accessing additional information.