In this blog series, I have been examining each of the following three steps from the PCI Council and how they apply to you, your organization and your firewalls:
Firewalls are a primary gateway into your company and therefore are a great place to start. For the purposes of this specific blog post, we'll dig into step three.
Step Three – Report
The PCI Council describes Step Three as the following: “Regular reports are required for PCI compliance; these are submitted to the acquiring bank and global payment brands that you do business with.”
Now, you might be thinking, “Well PCI compliance doesn’t apply to me and I don’t do business with acquiring banks or payment brands” and that’s fine. That doesn’t mean that these guidelines can’t help you though.
Security is a never-ending job (which is good for those of you working in security!). Every day, new vulnerabilities and potential threats are introduced into your network: a change made to your firewalls that opened up an unknown hole, a new device brought onto your network without your knowledge, the latest malware, etc.
So how do you deal with all of this change and all of this insecurity? You learn about the issues in your network, you fix the issues in your network, you report on the current state of security within your network… AND THEN YOU START ALL OVER AGAIN!
Reporting is an often overlooked but important part of network security. Many security professionals look at reporting as more wasted paper or something to keep your boss off your back, but it actually has a lot of value, even to a technical person down in the trenches.
Solid reporting enables you to easily compare your assessment to your remediation tactics and modify anything that can be improved. It allows you to always have a quick, accurate and current view of your network security posture. Additionally, it provides you with historical views of your network security (a lot more important than some may think) and, perhaps most importantly, it arms you with the capability to quickly, simply and accurately show others in your organization what you do on a daily basis!
Looking back on this three-part series, it seems like a very simple concept and something that you might think you’re already doing, but as someone who has been responsible for network security before, trust me, you may have let this three-part motto slip. I suggest you take a good look at your vulnerability process (or lack thereof!) and make sure you’re following these guidelines. The PCI Council has struck gold here!