Explain the purpose of PCI DSS Analyze business factors that influence PCI DSS compliance Describe potential consequences of failing to demonstrate PCI DS

Purpose

This project provides an opportunity for you to apply principles related to auditing to ensure information systems are in compliance with pertinent laws and regulations, as well as industry requirements.

Required Source Information and Tools

 To complete the project, you will need the following: 

1.  eBook | Cover  
2. Access to the Internet to perform research for the project 
   1. PCI Security Standards Council: https://www.pcisecuritystandards.org
   2. Important PCI Compliance Information for Merchants: https://www.bigcommerce.com/blog/pci-compliance/#weve-successfully-achieved-pci-compliance-whats-next 
   3. COSO Internal Control—Integrated Framework Executive Summary (2013): https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf
   4. COSO Internal Control—Integrated Framework PowerPoint (2013): https://www.coso.org/documents/COSOOutreachDeckMay2013.pptx
   5. COSO Internal Control—Integrated Framework (2013) whitepaper: https://assets.kpmg/content/dam/kpmg/pdf/2016/05/2750-New-COSO-2013-Framework-WHITEPAPER-V4.pdf

Note: The 2013 version of the framework is also available for purchase, or you may be able to retrieve it through your school. 

Learning Objectives and Outcomes

 You will be able to:

• Explain the purpose of PCI DSS
• Analyze business factors that influence PCI DSS compliance
• Describe potential consequences of failing to demonstrate PCI DSS compliance
• Apply standards and frameworks to the development of information security internal control systems
• Analyze the use of information security controls within IT infrastructure domains

Introduction 

Public and private sector companies are expected to comply with many laws and regulations as well as industry requirements to promote information security. Assessments and audits of the information technology (IT) environment help to ensure a company is in compliance. A successful information security professional must be able to assess a business’s needs, evaluate various standards and frameworks, and develop a customized, integrated internal control system that addresses the company’s compliance responsibilities. Furthermore, the professional must be able to communicate with various people—both inside and outside the organization—to facilitate awareness of how control activities mitigate weaknesses or potential losses that could compromise the company’s information security. 

Scenario 

S&H Aquariums’ board of directors reviewed the report you submitted on PCI DSS compliance (in Project Part 1), and they were grateful for the background and analysis you provided. After discussing the information, they realized that PCI DSS compliance is but one aspect of the overarching information security system needed to launch and sustain the new business.

The board would like to understand the bigger picture of how you will develop the control system needed to protect credit card data and document compliance with the PCI DSS requirements. You know this will be a rather complex process. You are planning to use a combination of frameworks and standards to guide the development of the control system. Furthermore, you are making it a priority to design an integrated system so the company can efficiently prepare for multiple types of audits, not just those related to PCI DSS compliance.

After explaining to the board that, realistically, you and your team will need much more time to research, discuss, plan, and implement the company’s control system, you agree to write a report that highlights some of the key principles and procedures involved in this undertaking.

Tasks

• Review information about the following frameworks or standards introduced in the textbook: COSO, COBIT, SOC, ISO, and NIST. Consider how you may use some or all of these frameworks/standards to guide the creation of an internal control system at S&H Aquariums. Note the similarities or overlaps among each set of frameworks/standards, as well as the differences.
• Using the Internet resources listed for this project, examine the specifics of the COSO framework, which outlines five components of internal control and 17 principles.
• Create a table or other visual aid to map the 17 principles of COSO to the 12 primary PCI DSS requirements. Use your table or visual aid to assess how specific elements of COSO and PCI DSS correspond with one another, as this will inform forthcoming decisions about which controls S&H Aquariums should implement.

Write a report for the board of directors. Include the following:

• Introduction
• Plan for Developing an Integrated Internal Control System
  • Explain how and why you will use multiple frameworks and standards to guide your development of this control system.
  • Explain how you will ensure the control system can be used to demonstrate PCI DSS and other forms of compliance.
  • Table (or Visual Aid) Showing COSO – PCI DSS Alignment
    • In addition, explain how creating this table/visual aid—as well as other, more complex tables with multiple standards/frameworks—would be useful for designing an integrated internal control system.
  • Conclusion

As a reminder, you may use the textbook for this course and the Internet to conduct research. You are encouraged to respond creatively, but you must cite credible sources to support your work. 

Sample Visual Aid: 

SS in files below.

Submission Requirements

• Format: Microsoft Word
• Font: Arial, 12-point, double-space
• Citation Style: APA
• Length: 2-3 pages

Review of frameworks or standards:

Overview COSO, COBIT, SOC, ISO, and NIST (Compare/Contrast)

Maximum score25

Discuss how you will make sure that COSO can demonstrate PCI/DSS compliance:

Explain specifically, how you will ensure that the COSO framework (which outlines five components of internal control and 17 principles) can be used to demonstrate compliance.

Maximum score25

Table / Visual

Table (or Visual Aid) Showing COSO – PCI DSS Alignment / You should have at least one COSO for each PCI/DSS

Maximum score50