This year has been a rough one for companies that have been impacted by major data breaches: breaches that have cost companies millions and put their customers' private information at risk. Just this week, Yahoo has been investigating claims that a hacker, linked to other breaches at MySpace and LinkedIn, has posted the information of 200 million Yahoo account users on the dark web. In light of these events, we want to share a few points from a well-crafted white paper published by Trustwave® that highlights the most important principles of a well-established database security program.
While many companies have spent time and money installing cybersecurity technology to protect themselves and their customers, according to Trustwave, technology alone will not reduce the risk of database compromise.
"A complete program incorporates people, process and technology. Determining and establishing the appropriate policies, roles, accountability, workflow, mitigation, reporting and ongoing management will set all stakeholders on a course to achieve your program goals."
Trustwave outlines the following principles as necessary components of a database security program that businesses should consider:
1. Describe a database security program with actionable processes
2. Clarify a scope baseline through database discovery and inventory
3. Define standards, security and compliance policies
4. Conduct vulnerability and configuration assessments
5. Identify excessively privileged user accounts
6. Implement risk mitigation and compensating controls
7. Establish acceptable user and activity policies
8. Audit privileged user behavior in real time
9. Deploy policy-based activity monitoring
10. Detect, alert, and respond to policy violations in real time
Though not all 10 principles will apply to every business, the ideal program outlined by Trustwave very closely resembles the CardConnect model and the components of our security solution, CardSecure. CardConnect also works closely with Trustwave to provide businesses with a solution for easily managing PCI compliance and passing all requirements as quickly as possible.
Are you a customer of CardConnect? Be sure to visit the My Account section in CardPointe to see if your merchant account is registered as PCI compliant. If it shows up as non-compliant, click the link and you'll be automatically signed into Trustwave's PCI portal to complete your self-assessment questionnaire (SAQ).