We live in a world of technology, and almost everything we do, along with the efficiencies we would like to achieve, revolves around it.
If you have an organization, or a family of users of various technologies, there is a difficult balance to strike between security and the user-friendliness of the security measures you want to implement.
Before you choose a security architecture, you need to understand exactly what you would like it to accomplish. This will depend on what your company or family thinks is most important. It will probably have a way it wants different types of information to be handled and stored, including on physical equipment. You also need to know whether your family or company has any legal or contractual requirements when it comes to security. If you handle credit card payments, say in the family business, then you have to follow PCI DSS, the Payment Card Industry Data Security Standard. PCI DSS is a contractual obligation imposed by the card brands and acquiring banks rather than a law in itself, although some jurisdictions reference it in local legislation.
The first objective is to build and maintain a secure network and systems. It includes the requirements to install and maintain a firewall configuration that protects cardholder data, and to not use vendor-supplied defaults for system passwords and other security parameters.
As you can already tell, the requirements are tied to the objective. The objective is the end goal, what we would like to achieve, and the requirements are the actions that help achieve that goal. PCI DSS goes into more detailed actions for each requirement. For instance, it provides more specific guidance on what a firewall configuration should control: a secure firewall configuration should restrict connections between untrusted networks and any system in the cardholder data environment (CDE).
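To make the firewall requirement concrete, here is an added example (not part of the original page and not PCI Council material) that audits a list of allow rules for any that let an untrusted source reach the cardholder data environment. The subnets, rule IDs and the rule format are constructed assumptions for illustration; a real audit would read rules exported from the firewall in use.

```python
import ipaddress

# Constructed sample topology (assumption): one CDE subnet and one trusted
# internal network (for example a DMZ jump host range) that may reach it.
CDE_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
TRUSTED_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample rule set (assumption): a simplified allow/deny list.
# Rule 2 is the kind of mistake the PCI DSS firewall requirement is aimed at:
# SSH from anywhere on the internet straight into a CDE host.
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "src": "10.10.0.0/24", "dst": "10.20.0.0/24", "dport": 443},
    {"id": 2, "action": "allow", "src": "0.0.0.0/0",    "dst": "10.20.0.5/32",  "dport": 22},
    {"id": 3, "action": "allow", "src": "0.0.0.0/0",    "dst": "10.10.0.0/24",  "dport": 443},
    {"id": 4, "action": "deny",  "src": "0.0.0.0/0",    "dst": "10.20.0.0/24",  "dport": None},
]

# The corrected rule set: administrative access to the CDE host comes only
# from the trusted network, never directly from the internet.
HARDENED_RULES = [
    {"id": 1, "action": "allow", "src": "10.10.0.0/24", "dst": "10.20.0.0/24", "dport": 443},
    {"id": 2, "action": "allow", "src": "10.10.0.0/24", "dst": "10.20.0.5/32",  "dport": 22},
    {"id": 3, "action": "allow", "src": "0.0.0.0/0",    "dst": "10.10.0.0/24",  "dport": 443},
    {"id": 4, "action": "deny",  "src": "0.0.0.0/0",    "dst": "10.20.0.0/24",  "dport": None},
]


def src_is_untrusted(src, trusted):
    """A source is trusted only if it lies entirely inside a trusted network.

    Anything broader (0.0.0.0/0, a partner range that spans more than the
    trusted block) is treated as untrusted, which is the conservative reading.
    """
    return not any(src.subnet_of(t) for t in trusted)


def overlaps_any(net, nets):
    """True if `net` shares at least one address with any network in `nets`."""
    return any(net.overlaps(n) for n in nets)


def audit_rules(rules, cde=CDE_NETWORKS, trusted=TRUSTED_NETWORKS):
    """Return the IDs of allow rules that permit untrusted -> CDE traffic.

    Deny rules are skipped; only explicit allows can violate the requirement.
    Destination overlap is used rather than equality so that a single-host
    rule inside the CDE range is still caught.
    """
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if src_is_untrusted(src, trusted) and overlaps_any(dst, cde):
            findings.append(rule["id"])
    return findings


if __name__ == "__main__":
    print("violations in sample rules:  ", audit_rules(SAMPLE_RULES))
    print("violations in hardened rules:", audit_rules(HARDENED_RULES))
```

The check is deliberately order-insensitive: it reports every allow rule that could ever admit untrusted traffic into the CDE, even if a later deny would shadow it, because rule ordering changes over time and the review is about intent rather than the current evaluation order.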
The firewall guidance is a little generic on a global scale, but it does tell you how to meet the requirement. The second objective is to protect cardholder data. Its first requirement is to protect stored cardholder data.
Its second requirement is to encrypt the transmission of cardholder data across open, public networks. The requirements give specific guidelines on how to get this done; the detail clarifies points such as what counts as an open network, and it calls for strong cryptography and offers examples of it. Not all requirements are technical in nature, though. The requirement to protect stored cardholder data, for example, includes data retention policies to make sure that sensitive payment information isn't stored beyond the time it is required. Once a payment is authorized, the sensitive authentication data (the card verification code, full magnetic-stripe track data, and PINs) is no longer needed and must not be stored; what was held during authorization should be securely deleted. This highlights the fact that good security defenses aren't just technical in nature; they are also procedural and policy-based.
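The retention point above is easy to state and easy to get wrong in code, so here is an added example (not part of the original page and not PCI Council material) of what a payment record that survives authorization should and should not contain. It keeps only a truncated PAN, no more than the first six and last four digits, and never copies the card verification code or track data into the stored record. The field names, the request type and the sample card number are constructed assumptions; the PAN is the well-known 4111... test number and is not real cardholder data.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthorizationRequest:
    """Constructed shape of an authorization request (assumption).

    `cvv` and `track2` are sensitive authentication data: they may be sent to
    the acquirer during authorization but must not be stored afterwards.
    """
    pan: str
    expiry: str                     # MMYY
    cvv: Optional[str] = None
    track2: Optional[str] = None


def luhn_valid(digits: str) -> bool:
    """Luhn check: rejects mistyped or fabricated PANs before they go anywhere."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Return a PAN with only the first six and last four digits kept.

    Truncation to first six / last four is one of the methods PCI DSS accepts
    for rendering a stored PAN unreadable; everything in between is replaced.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def record_after_authorization(req: AuthorizationRequest, approved: bool) -> dict:
    """Build the record that may be retained once the authorization response is back.

    The record is constructed field by field on purpose: copying the request
    wholesale (for example with dataclasses.asdict) is exactly how CVV and
    track data end up in a database.
    """
    digits = re.sub(r"\D", "", req.pan)
    if not luhn_valid(digits):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan_truncated": truncate_pan(req.pan),
        "expiry": req.expiry,
        "approved": approved,
    }


def discard_sensitive_authentication_data(req: AuthorizationRequest) -> None:
    """Drop the SAD fields from the in-memory request after authorization.

    Caveat: Python strings are immutable, so this only removes the references;
    the bytes linger until garbage collection. True zeroization needs a
    language with explicit control over memory (C, Rust) or a mutable buffer.
    """
    req.cvv = None
    req.track2 = None


if __name__ == "__main__":
    # Constructed sample input: the standard 4111... Visa test number.
    req = AuthorizationRequest(pan="4111 1111 1111 1111", expiry="1226",
                               cvv="123", track2=";4111111111111111=12261010000000000000?")
    stored = record_after_authorization(req, approved=True)
    discard_sensitive_authentication_data(req)
    print(stored)   # no cvv, no track2, PAN truncated
```

If you need to look a transaction up by card later (refunds, fraud review), add a keyed hash or a token from a tokenization service alongside the truncated PAN rather than storing the full PAN; a plain unkeyed hash of a 16-digit number is brute-forceable from the truncated digits and the Luhn rule.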
The third objective is to maintain a vulnerability management program. Its first requirement is to protect all systems against malware and to keep anti-virus software or programs regularly updated. The second is to develop and maintain secure systems and applications.