1. Data Sheet: Middleware Security Services
Evans Resource Group™ Data Security
Standard Compliance Readiness Review
Providing organizations with expert advice and gap analysis of existing
practices compared to the Payment Card Industry (PCI) Data Security
Standard and is applicable to Sarbanes Oxley, HIPAA, FISMA and Gramm
Leach Bliley
Overview to mis-configuration. This is an area
(Middleware) that up until recently has not
Have you heard of the Hannaford breach? been audited properly for regulatory
Most companies and auditors don’t compliance, yet based on recent breaches is
understand how it could happen. If the now under scrutiny.
perimeter is secure, how can a hacker
possibly get in? After all, they were ERG works with an Authorizing
considered PCI compliant… We want to Officer (CCO, CISO, CFO, etc.) and/or
take a moment and pro-actively inform you Security officer at your organization to
of a potential security concern that requires discuss the issue from a regulatory
your prompt attention and a free security compliance perspective. The review was
check that can prevent you from being the developed as an efficient two step process
next Hannaford. We have been working in that will not require any cost and minimal
conjunction with IBM to raise awareness time. It will ensure your organization is fully
about the risks of WebSphere MQ networks aware of the issue, and has conducted the
that have not been fully configured to enable proper due diligence to establish that your
security and the respective impact on data both meets applicable regulatory
regulatory compliance. This is not due to an requirements and is not exposed.
issue inherent in WebSphere MQ, rather
one that happens as a result of System Most organizations that handle credit card
Administrators not applying security payments must demonstrate compliance
correctly, or in some cases not at all. with the Payment Card Industry (PCI) Data
Security Standard by completing a variety of
Put simply, your data could be exposed card-issuer requirements. However, most
through mis-configuration issues during auditors are not trained to look over an
installation and maintenance of WebSphere important part of the network (Middleware),
MQ. IBM and our security team have found resulting in exposures.
that a vast majority of WebSphere MQ
networks have some exposure attributable
The ERG™ Data Security Compliance Readiness Review helps organizations prepare for PCI, SOX,
HIPAA, FISMA and GLB compliance by providing expert advice and gap analysis of existing practices
compared to the PCI Data Security Standard. PCI is the high water mark in the industry and organizations
employing these middleware standards have less risk associated with their networks. This review helps
educate organizations about the PCI Data Security Standard and compliance requirements as they map
to middleware exposures. ERG is a member of the PCI Security Council and our security consultants and
partners are certified according to Visa® USA’s Qualified Data Security Company (QDSC) requirements
and are CAP certified.
Leveraging their extensive security and middleware experience, ERG consultants identify and analyze
issues of concern, and recommend the solutions and processes necessary for the organization to meet
575 Madison Avenue, Suite 1006 New York, NY 212.937.8443
2. PCI security requirements. At the conclusion of each review, ERG consultants meet with the organization,
outline the necessary next steps to prepare for PCI compliance, and identify areas where improvements
may be needed for compliance.
Depending on the outcome of the organization’s needs, ERG can also provide consultation and products
to help develop and execute remediation plans for any non-compliance issues that are discovered.
In addition, ERG’s certified consultants can help articulate the objectives, strategies, and needs related to
meeting data governance requirements to the company’s executive management. This collaborative effort
helps direct the organization’s readiness activity and strategic planning in preparation for PCI, SOX,
HIPAA, FISMA or GLB compliance, and can ultimately significantly reduce the cost of meeting
compliance requirements.
Key Features
Free Order of Magnitude Assessment to determine if there is an exposure due to mis-
configuration or non-configuration of WebSphere MQ.
Educates organizations about the data governance standards including PCI, SOX, HIPAA,
FISMA and GLB standards and compliance requirements for Middleware.
Provides a process to initiate, certify, authorize and monitor data security for Middleware.
Identifies and analyzes potential deficiencies or lack of controls that could result in failure to
comply with Data Security Standards as they apply to the high water mark of the Payment Card
Industry standards and practices.
Provides a preparatory gap analysis that identifies potential areas of non-compliance.
Recommends the solutions and processes necessary to meet PCI requirements prior to
completing the self-assessment questionnaire or commencing an on-site security audit.
Reviews policy and procedure documentation, system and network device configuration details,
and network and application architecture guidelines as it relates to the Middleware network.
Delivered by world-class ERG security consultants, who are certified according to Visa® USA’s
Qualified Data Security Company (QDSC) requirements.
Facilitates the organization’s understanding of data security requirements and how existing
information security controls measure up to the standard.
Key Benefits
Facilitates the organization’s understanding of data security including PCI, SOX, HIPAA, GLB and
FISMA as they apply to your organizations security requirements and how existing information
security controls measure up to the standard.
Helps compliance and audit managers articulate to executive management the objectives,
strategies, and needs related to data security (PCI, SOX, HIPAA, GLB, or FISMA) requirements
for budgetary and resource planning purposes.
Clarifies the potential impact of PCI requirements on an organization’s existing IT infrastructure,
business operations, and strategic activities.
Remediates WebSphere MQ exposures as they relate to administrative, application and data
exposures
More information
Visit our Web site http://www.evansresourcegroup.com
About Evans Resource Group
Evans Resource Group is the leader in Middleware information security and systems integration
methodologies providing a broad range of software, appliances and services designed to help individuals,
small and mid-sized businesses, and large enterprises secure and manage their IT Enterprise Integration
Infrastructure. Headquartered in New York, NY, ERG has operations in more than 10 countries.
575 Madison Avenue, Suite 1006 New York, NY 212.937.8443