
Don’t Break the Bank for PCI-DSS

Over the past couple of months, the team has been busy working on PCI-DSS related projects. Since 2010, we’ve been in touch with Control Case International, an international QSA based in Virginia, USA, with its center of excellence in Mumbai, India, serving the Middle East and Asia regions.

Back in 2010, nobody really cared too much about PCI-DSS. We’d heard it bandied around by our clients, and after researching it, decided as a company to move forward with it as one of our core services. The first thing we did was to clarify our agreement with Control Case: while remaining independent of their audit, reports and opinion, we also wanted to know how they work so that we could better assist our customers through our project management services. Things like the format for submitting evidence, scheduling, expectation setting and budgeting were just as critical as the actual audit performed by the QSA. We then trained and shadowed Control Case on assignments, eventually building up the technical skill base for consultancy and advisory work.

PCI-DSS isn’t rocket science. Neither is it a stroll in the park. But with proper planning, understanding and project management, you will be able to navigate PCI-DSS without breaking the bank.

Invariably, one of the first things our potential clients ask us is: How much will it cost?

While there is no simple answer, most will skirt the subject and say that it depends. And they are right: it really depends. However, the ballpark figure, from our perspective, should still make economic sense. The first thing is to figure out what is in scope and to get only the necessary items into scope: the cardholder data environment (CDE). The simplest suggestion is to move any function not related to card processing out of scope, either by plunking it into another network segment or by moving it out altogether. Once that is done, you should be able to elicit some sort of price estimate from your QSA or consulting provider.

The rule we try to impose is to keep the gap assessment and certification below RM50K. This is a tall order, but quite possible, especially if the scope has been narrowed down to a firewall->DMZ->app server/database server concept, without too complicated a CDE. But you shouldn’t be looking at over 100K for gap and certification. Of course, this generally applies to payment service providers, not banks. For banks, you’re probably looking at forking out RM100 – RM200K for gap and certification. Recurring fees also apply, so remember to ask as well: each year there is a review, and how much would that be? There should also be supplementary services like pentests, ASV scans etc. It should generally be the same or slightly less than first year compliance.

The reason I write this post is that I’ve seen fees bandied around for service providers in excess of RM120 – RM160K, and for banks RM400 – RM500K. Now, I know things vary, but some of these are just ridiculously high once you know the scope. And this is not including the remediation and implementation portion! The implementation portion is variable of course, depending on how much involvement we’re looking at. For instance, we just completed a policies and procedures project for between 30 – 35K over roughly one month, starting from scratch for a medium service provider. Your mileage may vary in implementation, but again, if you have in-house expertise, then do it yourself; else, look for consultants, and make sure the consultants include training and workshops to pass their capability down to you!

The short of the matter is: shop around and get quotes. Get references as well, and make sure they have local partners to help out and assist during the remediation period; you will need it. Oh, also, if you get external providers to help, keep in mind the withholding tax involved. That’s why we’ve evolved PKF to be the PCI-DSS advisory of choice, from gap to certification, for Malaysian payment service providers looking for cost effective and quality PCI-DSS services. While we do work with Control Case on a lot of our projects, there are many times we have worked with other QSAs, or ControlCase has worked with other advisories, making us truly independent.

Drop us an email at avantedge@pkfmalaysia.com and we can work out a PCI-DSS package for you that won’t break your bank!

PKF IT Opportunities

One of the main reasons we moved the IT advisory function out of internal audit was the fact that IT encompassed so much more than just doing an audit.

I believed in the exponential growth of IT based on the simple belief: IT is integral to efficient and effective businesses. Businesses that do not leverage on IT will go nowhere. So it only makes sense that IT will get more complex and more critical as each year goes by.

Back in 2010, PKF Malaysia realised this pattern. By staying stagnant and doing what the other firms were doing, Internal Auditors doing IT audits, we were going to simply die off. The first thing we realised was that, while Internal Auditors were OK at doing IT audits, these were two different animals. We didn’t want to do checklist audits. We didn’t want someone doing an IT audit who didn’t even know what the heck an AAA server was, or how to do a simple VLAN config on a Cisco router. We didn’t want someone who would go up to the Audit Committee and put someone else’s career at stake by giving ridiculous recommendations and reports based on ‘previous experience’ and ‘industry best practices’, when they don’t even know heads or tails of what Active Directory is used for, or the basics of DNS poisoning or IP spoofing. We needed serious technical people who have been on both the customer and consulting ends, and we needed to separate from the Internal Audit group, simply because we wanted the audit to be done differently.

We moved quickly into ISO27001 (ISMS) and PCI-DSS, we went through ISO27005 for risk assessment, we did COBIT 4.1 training and enablement and got everyone at least CISA certified. Most of us, like me, have multiple certs, for instance in IT forensics, IT ethical hacking, IT management, Project management and so forth.

We moved quickly to attain MSC status to be a serious player in 2011, and we started strategic collaborations for different purposes. We joined workgroups with government and private agencies, opening channels to MOSTI, MIMOS, Bank Negara and so on, to conduct knowledge sharing sessions. For free. I am a great believer that contributing back to the industry should be done as part of our professional duty, and not as an engagement service.

So here we are, at the precipice of change. PKF itself has undergone some tremendous changes over 2012 and 2013. This week, we had our PKF Asia Pac Conference, where different countries got together, to explore different areas and opportunities. We’re excited, as we see the work we’ve done in the past 3 years to build our knowledge and reputation, possibly coming to fruition. I am also a big believer that PKF requires an IT function regionally. There should be a Center of Excellence, not just to do IT audit but to do Technical Services like penetration testing and forensics, or troubleshooting and service management; and also project management.

This is where we are. We still have a long way to go, but with the extension of our services into the other firms in PKF, we’re set to stay for a long while.

Here is the link to the presentation we did to the other PKF Firms last week.

PKF Avant Edge – Partner Presentation

Forensics Steps: Imaging

Over the past 18 months, our profile in IT forensics has been raised a bit. What started out some time back as a call to me on a Saturday from another partner, asking “Can you guys recover deleted files from a computer?”, turned into another journey that eventually created our relatively new technical services group catering to IT forensics and penetration testing services. So aside from CISA for auditors and assurance, we ended up with CHFI guys and CEH guys. More acronyms usually make us sound more technical.

On a serious note, IT forensics is relatively new, and we didn’t go into it totally without guidance. We’ve worked with Cybersecurity, and still do, especially during acquisitions and analysis. Recently, we’ve brought in a few devices ourselves, namely the Tableau TD2 and a write blocker, to do some serious work with imaging. Before this, we primarily used FTK and USB based imaging, with software write blocking through the registry. It was fine, but it wasn’t something we could do long term, especially looking at a job where we had to image 30 hard drives in 2 days. While we roped in our partners to help out, we also used our TD2 to good effect, and we’re happy to add that we’re ready for bigger projects.

Imaging itself is only half the job done. In fact it’s just a part of it. We’ve also had to physically tag and inventory the evidence, maintain the chain of custody, and secure the physical evidence with tamper proof tapes and bags. Once imaged, we have to verify the image for integrity through a hash check and then secure the original evidence under lock and key. The original evidence, in this case, we sent back to the owners, along with the chain of custody forms.

While you might think imaging is relatively simple, it’s tedious. In this case, we had a server we had to image live, in order not to break the RAID. Live imaging is a pain, because it takes an enormous amount of time to get done. Sometimes we face hours of imaging and, at the end of it, it says the disk is corrupted.

But overall, get the documentation right, and make sure the images are secured. These will be the images we run our analysis on, so take them as seriously as the primary evidence.
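The hash check and chain-of-custody record described above, as an added example (this is not PKF’s own tooling; the sample “image” is constructed in a temp file and the function names are assumptions):

```python
# Added example, not PKF AvantEdge's own tooling: hash-verify a disk image
# after acquisition and build the chain-of-custody record for that step.
# The sample "image" is constructed in a temp file; no real evidence is used.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time so a multi-GB image never sits in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at path, reading it only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image_path, acquisition_hashes):
    """Re-hash the image and compare with the hashes recorded at acquisition.
    Returns (ok, current_hashes); a single mismatch means the file is no
    longer the evidence that was imaged."""
    current = hash_file(image_path, tuple(acquisition_hashes))
    ok = all(current[a] == acquisition_hashes[a].lower() for a in acquisition_hashes)
    return ok, current


def custody_entry(evidence_tag, examiner, action, hashes, verified):
    """One chain-of-custody record (append these to a log, one per action)."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence_tag": evidence_tag,
        "examiner": examiner,
        "action": action,
        "hashes": dict(hashes),
        "integrity_verified": bool(verified),
    }


def make_sample_image(content=b"\x00" * 4096 + b"constructed sample" + b"\xff" * 4096):
    """Write a small constructed 'image' to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path
```

Record both the acquisition hashes and every later verification result, so a mismatch found during analysis can be traced to the step where the image changed.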

Once this portion is done, we are looking at analysis, which constitutes a whole other chapter. CSI this is not, I guarantee you. Most of the time, we’re looking for a needle in a barnyard of haystacks: the proverbial smoking gun. Usually we don’t find it, so I don’t quite believe how CSI New York can solve a case in 45 minutes, built on a hair found conveniently trapped within a car door. Which has been burnt and sunk. And scrapped into a million pieces and left in the trash for 20 years. Seriously, Hollywood.

From the hours of bleary-eyed reviews of thousands of lines of files and emails and patched-up text files, we can use bits and pieces, but it’s usually not as rewarding as it is for our CSI bedfellows.

If you need any more information or services regarding IT forensics or data recovery, do let us know at avantedge@pkfmalaysia.com.

Free Project Management Workshop

All good things come to an end, and another good thing begins.

Our PDPA workshops have received an overwhelming response, not just from our clients but from the public. We have reached out to more than a dozen companies in our workshops, done not just on our premises, but with our clients, in hotels and most recently in the MSC incubator hall. It was fun and really gave us a chance to open our channels to other companies.

As I’ve said in the workshop, we’re not lawyers. This whole PDPA workshop started because we had low months in December and January due to CNY, and we decided to just give a free workshop based on our collective experience dealing with PDPA under our ISO27001 compliance requirements. One thing led to another, and soon the public wanted to hear us speak, and we arranged sessions centered on IT, and others with our law firm partners.

We extended the free PDPA workshops by 2 months, to the end of April, and we’re coming to the end of it. While we can still give workshops, we can’t offer them for free anymore, as the company now has other paid engagements taking priority.

However, while the free PDPA workshops have ended, our PMO group is offering a free talk on Project Management basics and essentials. We will cover the general PMO framework according to PMBOK version 4 and how it helps you manage projects. We will look at organisational fit for a PMO, as well as case studies to walk through. We have PMP certified consultants providing this talk for the months of May and June. So if you have any project managers, or aspiring PMPs who want to know more about project management, contact us at

avantedge@pkfmalaysia.com

We’ll arrange a free session for you on our premises.

Personal Data Protection Act Roadshow

Has sort of ended.

Over the past few weeks, we’ve done a number of workshops on the Personal Data Protection Act, and invariably there are more questions than answers. Some workshops with C-levels went to levels of near hostility, as if we were actually the perpetrators of said act; other workshops went relatively well, and some workshops had only half an hour of airtime before the questions came in like a flood.

Here’s the deal: we don’t know much more about the act than what is given in it.

We partnered with a law firm and they dispense their legal opinions, but at the end, the act is still an act. It’s a legal document. It is what it is. It was quite funny sometimes that our workshop attendees actually thought we were lawyers promoting the act, and that’s why at the next workshop we do (which won’t be for some time), we’re going to dress down in jeans and a t-shirt that says “The Geek shall Inherit the Earth.” We’re tech guys, and how we came about this Act was during our compliance assessments, where regulatory compliance is the highest risk and control to address. And also the fact that, aside from the first two principles, technology plays a vital role in facilitating compliance with the Act, especially under the Security and Retention principles.

So anyway, it’s been an extremely hectic few weeks. If we were a full time training company, it would be fine. Except we’re not. We have projects running here, there and everywhere, and we have to juggle all these. I was in Sarawak giving a talk on Cybercrime during the IIAM’s Corporate Fraud Conference 2013, and I managed to snap this shot:

It’s nice to see your name up there once in a while. It was a good turnout, and although I only touched briefly on PDPA, it still managed to garner questions after my presentation. Many people are a little worried about the Act, and they have every reason to be. But if we prepare ourselves now, do the gap assessment, have a strategy to address it, and put in place controls for the obvious low hanging fruit first, addressing the gray areas later, we’ll be ready.

Here’s the link to the most recent PDPA presentation I did with the Incubator at MSC.

http://www.pkfmalaysia.com/publications/PDPA%20Presentation%20v2.0_MAD_Web.pdf

© 2024 PKF AvantEdge
