Governance, risk, and compliance (GRC) IT security frameworks are implemented to facilitate the management of the business and other organizational IT governance practices, enterprise risk assessment, issue mitigation, and compliance with applicable regulations and industry standards. GRC ‘regulatory standards’ are implemented as required by government mandates. Compliance with ‘industry standards’ requirements are not mandated by law, but are de facto requirements imposed by various industry-specific organizations to help maintain minimum acceptable levels of professionalism and excellence in performance. One overall directive they both have in common is the protection and preservation of critical information assets and intellectual capital.
There are numerous IT GRC standards being implemented today. Some of the most influential and widely embraced are as follows:
- Payment Card Industry Data Security Standard (PCI DSS)
- California Consumer Privacy Act (CCPA)
- General Data Protection Regulation (GDPR)
- Open Web Application Security Project (OWASP)
- Center for Internet Security (CIS)
- National Institute of Standards and Technology (NIST)
- MITRE ATT&CK
Let’s take a high-level look at each one and discuss the implications of meeting the requirements for each as it relates to the impacts of the injection of 3rd party, side-loaded code and scripts into client-side browser interactions with web application architectures.
Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS is a set of de facto industry-standard requirements that businesses and other organizations must comply with if they store, process, or transmit cardholder data. Compliance with the PCI DSS is mandatory for entities who are processing payment card data from the five (5) major payment card brands; AMEX, VISA, MasterCard, Discover, and Japanese Central Bank (JCB)
The intent of the PCI DSS is to protect critical data elements associated with payment card transactions as follows:
Type I cardholder data (CHD) elements—Primary account number (PAN), cardholder name, and various service codes. The most critical data element of this type is the PAN; the PAN determines the actual scope of PCI DSS requirements compliance. Type I CHD has to be stored or transmitted using strong, industry-standard encryption or mathematical hashing, truncation or masking of the PAN.
Type II cardholder data elements—Card validation values (CVVs) and magnetic track or chip equivalent data that are unique to each card (also sometimes referred to as ‘sensitive authentication data SAD). Sensitive authentication data must never be stored following transaction authorization except for some extremely rare and special circumstances. If it is going to be stored prior to authorization, it must be protected via strong encryption and securely deleted when no longer needed.
Entities processing payment transactions often do so via web-based e-commerce architectures. Per PCI DSS section 6.x, only securely developed and administered applications are considered PCI DSS compliant in order to process such transactions. In addition, the PCI DSS requires that such applications be developed and maintained in accordance with OWASP Top 10 requirements (more on OWASP in a bit).
California Consumer Privacy Act (CCPA)
California was one of the first states to enact personal data protection regulations. Now, many other states in the US have followed suit in passing and enforcing their own personally identifiable information (PII) and personal health information (PHI) privacy regulations. Per CCPA, any business or entity conducting e-commerce transactions or storing/transmitting PII-PHI via web-based architectures must do so only if the proper protections are in place.
General Data Protection Regulation (GDPR)
GDPR is a regulation imposed by the European Union that focuses on data protection and privacy with respect to specified PII.
Data Protection And Privacy Regulations
Open Web Application Security Project (OWASP)
Open Web Application Top 10 Security Risks
OWASP is an online affiliation of web application developers that produce methodologies, documentation, tools, and techniques to support industry-wide secure web application development and administrative best practices.
OWASP principles and practices are supported by many GRC frameworks, and compliance with OWASP attributes is mandated by others. For example, compliance with OWASP Top 10 web application vulnerability mitigation requirements is mandatory for in-scope PCI DSS environments. The OWASP Top 10 is a standards-based awareness document for web application developers and administrators. It represents a broad consensus with respect to the most critical risks to applications, based upon a three-year rolling tally of the most critical web breaches found in the real-world web architecture implementations.
National Institute of Standards and Technology (NIST)
NIST is a physical sciences laboratory and a non-regulatory agency of the US Department of Commerce. NIST supplies industry, academia, government entities, and other organizations 1,300+ standard reference materials. In some instances, US organizations require compliance with NIST recommendations. For other entities, alignment with NIST recommendations is considered to be a best practice.
NIST has published a multitude of guideline documents including the 800 series of special publications. This series presents information that is of specific interest to the computer security community. NIST has also published SP 800-95: Guide to Secure Web Services.
Center for Internet Security (CIS)
CIS is a non-profit entity that helps to establish minimum acceptable secure baseline configurations for computer operating systems and other IT system attributes. Minimum secure baseline system configurations are mandated for compliance by some industry standards such as the PCI DSS.
MITRE ATT&CK and Client-Side Security of Web Applications
MITRE ATT&CK™ and framework – SaaS Matrix
Detection and/or protection of the client-side against a number of tactics including:
MITRE ATT&CK framework is a comprehensive matrix of tactics and techniques used by threat hunters, penetration testing teams, and social engineers to better classify attacks and help assess risk.
Additional Important Information to Protect Sensitive Data
Some e-commerce applications often process data elements deemed GRC sensitive or even restricted via some payment or payment redirection web pages. As such, those web pages should only present and support those services necessary to securely facilitate the payment transaction and nothing more. Additional code, scripts, *.html tags, etc., that are used for gathering business intelligence, browser user interaction telemetry, or info sharing with web marketing entities should not be present on payment or payment redirection pages. Feroot technologies are unique in the industry in providing visibility and mitigation support for enforcing these requirements.
Conclusion
Developing and maintaining a GRC strategy is critical for any business involved in third-party web client interactions, particularly if the business uses and stores PII, PHI, or credit card information. An effective and strategic GRC approach helps businesses reduce risk and improve security and compliance by linking strategy and risk and integrating the key elements of governance, risk, and compliance into one comprehensive and single strategy.
