What is PIE FARM?

PIE FARM gives organisations clear and timely visibility of the time and resource commitments a compliance project will demand, by setting SMART (Specific, Measurable, Achievable, Realistic & Time-bound) objectives for each stage of the project. It was designed around PCI DSS but is not limited to it.

It has been developed in house by Jim Seaman, a Nettitude Security Consultant and QSA, and will be presented formally at the European PCI DSS Community Meeting in November 2015.

PIE FARM is a 7-stage methodical approach that applies a project-based ‘Waterfall’ methodology to help organisations meet, and then maintain, their particular information security compliance obligations.

7-Stage Approach

Compliance is often regarded as extremely difficult to achieve and, more importantly, even more difficult to maintain. With multiple locations, technologies, people, documents, threat actors and attack surfaces in play, it can be hard to know where to start.

Compliance is the baseline, not the ceiling, for protecting data assets. PIE FARM provides a methodical, project-management-based approach built on the Keep It Simple Solution (KISS) principle.

The 7 stages are briefly outlined below so that you can gain a greater understanding of them. This approach is applied throughout Nettitude’s engagements, from scoping and gap analysis, through the final assessment, and on to the maintenance of your security posture. Although the examples here are drawn from PCI DSS, the approach applies equally to any compliance obligation, because the underlying needs (scope, ownership, evidence, milestones and maintenance) are the same.

PIE (Plan, Identify, Evaluate)

The first three stages of PIE are detailed below:

Stage 1: Plan & Prepare

Document and Determine the Business Case

Setting goals and objectives for the project is key, and this includes determining the business case for complying with PCI DSS. Why are you holding and handling cardholder data in the first place? Does this need to be done at all? How can the processes and methods used within your environment be changed? How can the number of locations and payment channels be reduced, or outsourced? Where do you fundamentally need to store, process or transmit cardholder data? Can this be done in smaller, isolated segments kept away from the rest of the business? Every channel or system removed from scope at this stage is one that never needs to be assessed, remediated or maintained.

Only once you have determined the reasons and justifications for needing PCI DSS compliance will the project get full buy-in and ownership from the relevant business owners.

Set SMART Objectives

Now that you know the ‘why’ and can communicate it within the business, defining your objectives under the SMART acronym helps with the ‘what’ and the ‘how’.

Specific

  • Specific controls aligned to specific payment channels
  • Baseline controls aligned with the specific PCI DSS requirements that apply

Measurable

  • Compliance percentage scores can be identified per payment channel

Achievable

  • A formal, staged approach ensures that key milestones can be achieved
  • A missed milestone is detected early and triggers a strategic re-alignment rather than a surprise at assessment time

Realistic

  • All entities, assets, resources identified and aligned against PCI DSS

Time-bound

  • A project-managed approach enables time-bound deliverables

Stage 2: Identify & Isolate

Locations

Knowing all the locations is critical: both where you physically operate from, and where every element of the processing, storage and transmission of cardholder data sits within your environment. Mapping the data flow paths through your systems and networks is an essential step in establishing the starting point for the work, and it is these flows, not the network diagram, that define the true scope.

Technologies

What are the key technologies in play within your networks and systems? What versions and types of equipment are in place, and where do they reside? Who are the vendors, and are the versions in use still supported?

  • Completion of a hardware asset inventory.
  • Completion of a software asset inventory.

Personnel

Who is involved? Not just from an end-user perspective, but also administrators and support functions, both internal and external.

  • Completion of a Responsible, Accountable, Consulted, Informed (RACI) matrix.

Payment Channels

How many payment channels are there, and how and where are they facilitated? Are any isolated from each other, or do they rely on common or shared infrastructure? Shared infrastructure pulls every connected channel into the same scope. Which Self-Assessment Questionnaires (SAQs) apply?

Applicable Controls

Which controls need to be applied to the identified payment channels? Which control responsibilities have been outsourced to an external organisation, and which remain with you?

Outsourced services

Which services supporting the organisation’s payment channels have been outsourced? What legal contracts are in place to ensure that the provider delivers a compliant service? What due diligence is needed to confirm that they can meet the requirements of the contract? How will the compliance of the outsourced services be managed on an ongoing basis? Outsourcing a service does not outsource the accountability for it.

  • Completion of a responsibilities matrix.

Data Assets/Flows

Mapping your data flows is key. This covers not only the flows of cardholder data, but also administrative access, communication links, third-party access and any user access, since each of these is a path by which the environment can be reached.

Documentation

Which policies and procedures are in place, and where are they located? Who owns them, and how are they maintained? Are they understood by the people who must follow them? Are they effective in practice?

  • Completion of document catalogue.
  • Completion of policy tree.

Important Dates

  • What is the target date for compliance? What are the key milestones against each of the 7 stages? Complete the schedules matrix.

Stage 3: Evaluate

Self-Assessment

Self-assessment is available to some merchants and service providers, so being familiar with the standard and its requirements, and knowing the right SAQ to complete for each part of your business, is key. Choosing the wrong SAQ either leaves controls unaddressed or creates unnecessary work.

QSA Gap Analysis

A gap analysis is a stake in the ground at the beginning of a project. It shows the current state of affairs and gives you a strong indicator of your readiness for full compliance. Very often it highlights where changes in strategy or approach should be considered, and from this it helps to plan a road map to compliance that meets your business objectives.

FARM (Fix, Assess, Report, Maintain)

The next four stages of FARM are detailed below:

Stage 4: Fix

Prioritised Remediation

Now that you have a road map and a stake in the ground, how do you know where to start? Which controls or issues do you address first? What is the priority of the requirements, and what are the dependencies between them?

This is where a prioritised approach to the work helps. A detailed project plan is created that shows the steps, order and priority of the work. For some organisations a staged delivery is appropriate, addressing different payment channels or environments in turn based on calculated risk decisions.

Continual Progress Feedback

Once this process is under way, regular reviews and updates are essential. Feedback from each part of the work reshapes and adapts the plan to meet the challenges uncovered.

Stage 5: Assess

Assessment can take place in one of two ways, depending on your reporting obligations.

Formal Assessment

This is conducted by a Qualified Security Assessor (QSA) on an annual basis and is a snapshot in time of your compliance state. The QSA will also look back at how you have maintained compliance, dealt with change and delivered on the ongoing requirements since the previous assessment.

This is very much an evidence-based process: you must demonstrate, through a combination of interviews, process observations, system reviews and document reviews, that the requirements are being met. A control that cannot be evidenced cannot be assessed as in place.

Self-Assessment

For some organisations a self-assessment is required instead, in which you attest that each of the relevant controls is in place and effective.

Stage 6: Report

QSA Formal Report on Compliance (RoC)

Under a formal assessment the deliverable at the end is a RoC. This is often a lengthy document recording the evidence reviewed and the security posture observed. It is accompanied by an Attestation of Compliance (AoC) form that both you and the QSA sign.

Self-Assessment Questionnaire (SAQ)

Under self-assessment you complete and submit the applicable SAQ form. It is also accompanied by an Attestation of Compliance (AoC) form, which you sign.

Submission

The RoC and AoC, or the SAQ and AoC, are submitted to the relevant body: either the acquiring (merchant) bank or, where required, the card brands directly.

Stage 7: Maintain

This final stage is one of the most important and one of the most overlooked. Now that you have reached your first compliance milestone, how are you going to keep the requirements and security posture in place? How will you gain assurance that your systems retain this level of security as the business, its technology and the threat landscape change?

Developing the maintenance plan and process throughout the previous six stages, rather than after the assessment, and building an effective governance process around it, is essential.

Why deploy and use the PIE FARM methodology?

PIE FARM can deliver real, tangible benefits to your compliance process. These include:

Simplified – It reduces a complex problem to a series of more straightforward, well-defined tasks.

Formalised – It is structured, repeatable and scalable.

Methodical – It is process driven and can be followed by many people.

Project Managed Approach – Ownership and control are maintained through strong project management, which identifies the key milestones at which specialist support (e.g. a QSA) should be brought in.

Alignment to Business Strategies – Keeps you focused on delivering against your business needs, not just on compliance tick-box exercises.

Actionable Intelligence – Provides you with informed intelligence that you can act on in a timely manner.

Informed Decision Making – Enables you to make the right decisions at the right time.

Delivers Results – Goal and results driven.

Reduces Unexpected Occurrences – Minimises the occasions on which the project goes off course or down the wrong path.

Intelligent Cyber Security and Risk Management   0345 5200 085    solutions@nettitude.co.uk