Compliance management software

How Federal and State Government Agencies can Prepare for New PCI DSS Compliance Business

Author: Christopher Tozzi

Public sector agencies that process credit and debit card transactions the framework and maintain PCI DSS compliance. However, a new version of those regulations, , is set to take effect in 2024. These new regulations require agencies to adapt to updated and additional PCI DSS compliance requirements. This is the most significant update to the PCI DSS since its initial release in 2004. What are the new requirements that will impact how government agencies collect and process credit and debit card transactions? And what can public sector organizations begin doing to maintain compliance with ?

What is PCI DSS?

The PCI DSS framework contains a catalog of baseline security requirements to help to develop and maintain a secure environment to protect payment card account data against unauthorized access and compromise. Any organization, including businesses and public sector agencies, that accepts credit or debit card payments from companies such as Mastercard and Visa should . Failure to meet PCI DSS compliance rules can trigger significant fines, and it can eventually result in card processors choosing to block non-compliant organizations .

PCI DSS v4.0 is the latest set of requirements for the public sector

The release of PCI DSS v4.0 is the most substantial update to the PCI Standard in 17 years, since the release of DSS 1.0 in 2004. At first glance, organizations will notice several significant changes introduced by PCI DSS v4.0. While v4.0 doesn't alter the fundamental structure of the PCI Standard, and PCI DSS v4.0 still has the familiar Control Objectives and 12 Key Requirements introduced in 2006, the new version enacts multiple changes to reflect evolving objectives and requirements. The PCI DSS v4.0 was released in 2022 and , with some requirements not mandated until March 2025. PCI DSS v4.0 includes dozens of that did not exist in earlier releases of the Standard.
Ten significant PCI DSS v4.0 requirement changes

Here are some of the changes most likely to impact public sector organizations.

Anti-phishing rules

PCI DSS v4.0 Requirement 5.4.1 mandates that organizations take steps to mitigate the risk of phishing. Phishing attacks, in which in a bid to trick employees into handing over sensitive information, present a particular risk for public sector agencies because the names and contact information of public organization employees are often readily available through websites or public databases. This makes it particularly easy for attackers to identify employees whom they can attempt to impersonate and then target as part of a phishing campaign. In response to this risk, implementing both can help public sector agencies meet the new anti-phishing requirements of PCI DSS v4.0. Public agencies should ensure that they to recognize and resist phishing attacks. In addition, installing anti-phishing tools within IT systems can help to mitigate phishing risks by detecting suspicious communications sent to public employees via email, text or other systems.

Patch management

According to Requirement 6.3.2, which takes effect in March 2025, organizations must maintain an inventory of bespoke and custom software to facilitate vulnerability and patch management. Here again, this requirement is likely to pose a special challenge for government agencies, which, according to the website Government Technology, have historically programs and Agencies will likely need a more . They may need to implement new tools and processes to ensure they know the hardware and software assets they have, when patches are available for their software and how they can quickly apply patches to minimize the risk of vulnerabilities that attackers could exploit.
Web application security

Another new rule that goes into effect in March 2025, Requirement 6.4.2, mandates that organizations deploy cybersecurity software that continually detects and prevents web-based attacks against web applications. Some public sector agencies may already have this type of solution in place to protect their websites. Those that do not may need to build stronger defenses in order to comply with PCI DSS v4.0. This requires them to first understand the multiple , which include malicious hacks, malware, social engineering and other types of risks. Once the causes are understood, these agencies must then implement tools that can keep their applications safe, such as performing web application vulnerability scanning, , scanners and .

Stronger network security

In addition to enhancing application security, the new PCI DSS requirements include updated network security rules. Keeping certificates up to date has long been a network security best practice, but public sector agencies sometimes struggle to and update them continuously. Going forward, it will be essential to correct certificate management weaknesses in order to maintain . According to Requirement 4.2.1, all organizations must maintain up-to-date digital certificates to help authenticate secure devices that connect to their networks and that .

How to get ready for PCI DSS v4.0

Here are some helpful steps to get started:

This edition of the PSR explores a toolbox of management methods, models and frameworks to help your organization simplify the complexities of payment security while adapting to the new PCI DSS requirements.

CJIS Compliance And Mobile Device Security

Author: Jamie Italiano
Date modified: September 16, 2024

Time is running out. As of October 1, 2024, the Federal Bureau of Investigation (FBI) requires that organizations that access criminal justice information (CJI) must implement multi-factor authentication (MFA) on all systems that contain CJI. That includes smartphones, tablets, computers and any device or system that is used to access arrest records, forensic evidence, criminal investigation data, and other digital information. This makes the security of these devices, systems and digital transactions paramount to fighting crime and protecting the public.

is strict, requiring anyone who has access to CJIS data to undergo security awareness training within six months of their first assignment, and training must be updated every two years. All smartphones and tablets or other devices must use a CJIS-compliant multi-factor authentication (MFA) process, and they must also be enrolled in an agency-controlled capable of remotely locking a device or, if needed, erasing the memory of a lost or compromised device. All work-related data transmitted or stored on a device needs to be encrypted.

Come October 1, 2024, any agency that is accessing criminal justice information (CJI) - for example arrest records, digital evidence, text communications - or criminal justice systems and applications must implement multi-factor authentication (MFA). CJIS Security Policy Version 5.9.2 requires that individuals must provide at least two authentication factors to prove they are who they say they are. Failure to comply could result in monetary fines and denial of access to FBI CJIS resources. No matter if your organization has a bring your own device (BYOD) program or if they are , non-compliance with CJIS security requirements could result in phishing attacks or other breaches of confidential information.
MFA is a security control that requires a user to provide a combination of two or more different authenticators - an authenticator could be something you know (a password), a biometric (a fingerprint or face ID), or something you have (a security token). This provides two layers of protection in the event one is compromised, for example if a password is guessed. This makes it harder for unauthorized users or bad actors to gain access to CJI. Mobile device management (MDM), a requirement of CJIS security policy, provides increased security and remote management of devices and applications set by your IT administrators. This means MDMs can help your organization adhere to compliance policies and management functions, such as adhering to CJIS security policy.

Mobile devices are critical to law enforcement (LE) agencies dedicated to keeping citizens safe and the data used is extremely sensitive, making stringent mobile device security a must. Because law enforcement agencies must adhere to a different set of compliance rules than other industries, it's important to note that BYOD creates the possibility that your personal phone, with your personal information contained within, could potentially become evidence and subject to discovery in court proceedings. Any device accessing any criminal data used by law enforcement must follow (CJIS) compliance for mobile device security. The stringent policies of CJIS compliance make BYOD among LE difficult, but not impossible. Many organizations have accepted or embraced bring your own device (BYOD) as part of their workplace culture. Some states require the employer to compensate their employees for the use of their device when conducting agency business. Compliance regulations including CJIS compliance will dictate how, or if, an organization can adopt BYOD. BYOD policies can be uniquely tailored to each individual organization.
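The mobile-device requirements described above (MFA built from two different factor categories, enrollment in an agency-controlled MDM that can lock and wipe, encryption of stored and transmitted data, and training within six months of first assignment refreshed every two years) can be checked mechanically against a device inventory. The following is an added example, not code from the article or from the FBI; the enrollment record format and the authenticator-to-category mapping are assumptions made for this illustration.

```python
"""Added example: evaluate constructed device enrollment records against the
CJIS mobile-device requirements summarised in the article. The record layout
and FACTOR_CATEGORY mapping are assumptions, not a CJIS Security Policy format."""
from datetime import date, timedelta

# Authenticator categories as the article describes them: something you know,
# something you have, something you are (biometric). Mapping is an assumption.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know",
    "hardware_token": "have", "smart_card": "have", "authenticator_app": "have",
    "fingerprint": "are", "face_id": "are",
}

# Six months / two years approximated in days for the training checks.
INITIAL_TRAINING_WINDOW = timedelta(days=183)
REFRESH_WINDOW = timedelta(days=730)
AS_OF = date(2024, 10, 1)  # the enforcement date named in the article


def mfa_ok(authenticators):
    """True only when at least two *different* factor categories are in use.
    A password plus a PIN is two authenticators but one category, so not MFA."""
    cats = {FACTOR_CATEGORY.get(a) for a in authenticators}
    cats.discard(None)  # unknown authenticator types earn no credit
    return len(cats) >= 2


def mdm_ok(rec):
    """Agency-controlled MDM that can remotely lock and remotely wipe."""
    mdm = rec.get("mdm")
    return bool(mdm and mdm.get("agency_controlled")
                and mdm.get("remote_lock") and mdm.get("remote_wipe"))


def training_ok(rec, today):
    """Initial training within six months of first assignment, then refreshed
    at least every two years."""
    last = rec.get("last_training")
    if last is None:
        return today - rec["first_assignment"] <= INITIAL_TRAINING_WINDOW
    return today - last <= REFRESH_WINDOW


def evaluate(rec, today):
    """Return the list of failed checks for one record (empty list = compliant)."""
    failures = []
    if not mfa_ok(rec.get("authenticators", [])):
        failures.append("mfa")
    if not mdm_ok(rec):
        failures.append("mdm")
    if not (rec.get("encrypt_at_rest") and rec.get("encrypt_in_transit")):
        failures.append("encryption")
    if not training_ok(rec, today):
        failures.append("training")
    return failures


def evaluate_all(records, today):
    return {r["device_id"]: evaluate(r, today) for r in records}


# Constructed sample records; no real devices or people.
SAMPLE_RECORDS = [
    {"device_id": "dev-001", "authenticators": ["password", "fingerprint"],
     "mdm": {"agency_controlled": True, "remote_lock": True, "remote_wipe": True},
     "encrypt_at_rest": True, "encrypt_in_transit": True,
     "first_assignment": date(2023, 1, 10), "last_training": date(2024, 3, 1)},
    {"device_id": "dev-002", "authenticators": ["password", "pin"],  # one category
     "mdm": {"agency_controlled": True, "remote_lock": True, "remote_wipe": False},
     "encrypt_at_rest": True, "encrypt_in_transit": False,
     "first_assignment": date(2024, 1, 15), "last_training": None},  # never trained
]

if __name__ == "__main__":
    for dev, fails in evaluate_all(SAMPLE_RECORDS, AS_OF).items():
        print(dev, "compliant" if not fails else "FAILS: " + ", ".join(fails))
```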
Here is a list of what is included in most mobile threat detection policies:

BYOD policy will have a slightly different look for law enforcement under CJIS compliance. BYOD carries the same threats and risks that corporate-owned devices face; the difference is where responsibility lands. Who is responsible for the mobile device management around those threats, the deployment of mobile threat detection or the mitigation of any cyber incident that occurs? Mobile threats, such as phishing, unsecured Wi-Fi usage or excessive permissions in apps, are potentially a big concern because they can lead to data leakage or data loss, which could result in a significant security issue for LE. Unique to BYOD are threats caused by cross-contamination. When a mobile device holds both professional and personal credentials, it tends to make mobile device security more difficult. It may even be used by other family members for personal use. That simple action could potentially put you and your agency in violation of CJIS compliance. If an agent or officer's personal device was lost or stolen, would your IT team be notified? Do you trust your employees to be honest if an important database was manipulated because a family member accessing BYOD thought it was a different application? Do those using BYOD recognize what constitutes a data breach and what types of incidents should be reported?

Of course, these mobile threat detection and device management guidelines should be included in LE BYOD policy, but that doesn't mean the employee will follow the directive. If the device is lost or stolen, they may not worry about the organization's security concerns; they may instead react to their personal losses. If there is another type of incident that is a more clear breach, they may be too afraid of the repercussions to come forward with the truth.
As previously mentioned, all BYOD and mobile device management policies should include clear language outlining the division between personal and work material on mobile devices. That way, when the worst case scenario happens, there are no questions of responsibility. For example, the organization should have the right, and the ability, to remotely wipe any device holding corporate information. There should be a clear reporting policy without intimidation. Rules for working with an employee post-breach should be the same for both BYOD and department-owned devices whenever possible. An officer frightened of losing their job because they lost their phone may remain silent for as long as possible, which could lead to greater risk of compromise for data and assets.

In other industries, BYOD is seen as a cost-saving measure, but don't expect this to be the case in law enforcement. First, devices used by LE need to be reliable; LE shouldn't use a phone/data service plan that has spotty coverage and limited range. They need devices that are able to handle the mobile device security measures necessary to meet CJIS compliance. Official help to enhance both the security and functionality for law enforcement and agencies. Modern 5G-enabled provide fast, secure, reliable communications and there are many applications designed specifically for first responders.

For example, in 2023, the for expenses related to a ransomware attack. The MOVEit global supply chain attack spanned 790 organizations including 200 government agencies, leaking personally identifiable information (PII) including social security numbers, home addresses, income information, medical records, and more. The attack surface will continue to expand the more we connect: meaning the connection between devices, people, places, partners, applications, and things. Security is only as strong as your weakest link, which is typically the result of according to the 2024 DBIR.
The Cybersecurity and Infrastructure Security Agency (CISA) provides on implementing phishing-resistant MFA, which helps make it more difficult for criminals or threat actors to gain access to networks and information systems, for instance if passwords or personal identification numbers (PINs) are compromised through phishing or other means. Devices used by LE are valuable to criminals, and not just cyber criminals. The FBI has well-defined parameters of what constitutes (PII), and PII's protection is a priority in tandem with protecting CJI. Any time a LE device or computer is used, it puts the user's PII at risk, especially if the device ends up in the hands of a criminal.

Author: Zeus Kerravala, Founder and Principal Analyst, ZK Research

For years, mobile employees have constituted a significant portion of the workforce. Since the start of the pandemic in 2020, the move to hybrid (or flexible) work has increased the number of mobile workers significantly. Despite some grumblings to the contrary (and many supporters of the return-to-office movement grabbing the spotlight), hybrid work is here to stay. In fact, the ZK Research 2023 Hybrid Work Study showed that 75% of employees will work remotely at least one day a week for the foreseeable future (Exhibit 1). Ten percent of workers will be remote one day a week, 41% will be remote two to four days a week, and 24% will be remote all the time. Only 25% of workers will be in the office permanently. Employees work at various locations scattered around the globe, and they all rely on a disparate set of tools to keep in touch throughout the day. Consequently, the unified communications (UC) vendor community has responded with unprecedented development. Innovation has been happening at breakneck speed, all with the goal of making hybrid work more effective.
Source: ZK Research, 2023

The rise of Zoom during the pandemic (and the endless press coverage that it generated for the company) obscures the work that other providers have done alongside that upstart. Buried in the news clippings of the past few years is a startling fact: Microsoft Teams is now the leading UC platform, with more than 320 million active daily users, a massive expansion from just 8 million five years ago (Exhibit 2). That probably has something to do with Microsoft's broad reach into most enterprise IT departments in the largest companies in the world. In fact, quite a few have standardized on Teams and don't sanction the use of other platforms. Despite Teams' high adoption rate as a collaboration tool, it has not reached the same level of acceptance as a phone system. Even though it's such a broadly accepted tool, Teams has a number of limitations that hinder its usability, especially for remote and mobile workers. Teams can be great for workers who are tied to a desk, but it doesn't deliver such a great experience for mobile workers who are on the go constantly. For example, to use Teams, mobile workers typically need to have the app open on their phone or they miss calls. They also need to manage multiple phone numbers or even multiple devices, which can be a burden if they're on the go. Perhaps the most significant issue is that just making a simple call from Teams on a mobile phone can be a challenge. Out of the box, Teams users can't make external calls. Although Teams is the leading UC solution globally, and it can be the right option for many companies and users, it needs additional functionality to become the complete UC package that many companies are seeking. Most approaches to address these limitations have been Band-Aids that still require multiple apps and really only add another layer of unnecessary complexity.
ZK Research has talked to enterprises that have been crying for a truly unified solution that simplifies the user experience and blends the native calling abilities of every phone with Teams' calling functionality. Verizon partnered with Microsoft to look at the issues, listened to customers, and engineered a way to improve and simplify the Teams experience. Verizon is the first operator in the United States that offers Teams Phone Mobile, delivered as Verizon Mobile for Microsoft Teams (VMMT), which facilitates the user experience and brings native mobile calling to Teams. In this report, we'll look at VMMT and how it can benefit enterprises. Plus, we'll share some case studies that show how VMMT is helping companies with very mobile workforces. Finally, we'll make some recommendations for enterprises that are looking for a solution to help improve the overall experience for Teams mobile users.

Source: DemandSage and ZK Research, 2023

Verizon is uniquely positioned to mobilize Teams. As of November 2023, the company is currently the only U.S. mobile operator offering a mobile calling solution for Teams and the only provider offering a complete Teams calling suite. With that connection in place, Verizon was able to engineer VMMT, which provides Microsoft Teams calling directly from the Verizon network. As a result, a user's mobile phone can work as a Teams endpoint; in other words, the experience is seamless. With VMMT, a mobile device can use a phone's native dialer to place and receive Teams calls even when the Teams app is not running. Workers just use the familiar native dialer to make and receive calls. The cellular network treats Teams calls as voice calls. As a result, the network prioritizes them over calls that run on data channels, which ensures the highest possible call quality. Because the network sees them as voice calls, users can make Teams calls even when data coverage is limited. The licensing can be more straightforward, too.
VMMT works with all Microsoft 365 and Teams Phone Standard licenses, including E5, E3, F1, and F3. As a result, there's no additional cost from Microsoft to the organization. VMMT is not a walled garden; it works well with other Verizon services that operate with Teams, including Verizon VoIP for Operator Connect and Verizon Calling with Microsoft Teams:

combines the Microsoft Teams Phone System with Verizon's IP trunking solution, known as Verizon VoIP, which makes placing Teams voice calls (both to and from numbers outside of a company network) quicker and easier.

expands unified communication capabilities beyond the enterprise network, all on a single platform. Enterprises using Microsoft Teams for collaboration can more simply add enterprise-class calling.

VMMT is well suited for companies with front-line workers who are always on the go but require a single company phone number. In addition, companies in industries with strict compliance mandates, such as financial services and healthcare, will also benefit.

A global manufacturer headquartered in Europe, with factories in Asia, a call center in India, mobile/field workers in the United States, and a newly acquired subsidiary in Latin America, was looking to connect its global locations and enable external calling around the world using one UC platform. The company also wanted to interconnect factory and call center workers. The results:

A beverage distributor turned to VMMT to improve productivity by extending Teams to its drivers and sales reps. The results:

VMMT offers several benefits that enterprises should consider. First, VMMT takes the term "unified communications" literally. It's a centralized platform that enables all users, including remote and mobile workers, those on the front line, and people in the office, to access Teams. With the integration of Verizon calling within Teams, VMMT provides a unified business communications experience that is significantly simpler for the worker.
VMMT also includes several other features, including the following:

The transition between a simple voice call and Teams is impossible with some systems. VMMT makes it easy to switch between a mobile voice call and a Teams meeting. How often are you in transit for the start of a Teams call and then in the office for the end? This seamless transition eases the disruption. VMMT also simplifies the process of moving from a voice call to a Teams video call.

Managing multiple phone numbers can be a challenge. And keeping track of the device where a specific call or voicemail came in can be confusing. Having a single number, unified call history, and voicemail simplifies that. Workers can make and receive calls from the smartphone's native dialer or Teams endpoints using one business-owned mobile number while enjoying the simplicity of a single number across devices.

The plethora of devices needed to support all the communication tools mobile workers use can be a liability for companies. VMMT can integrate with a company's compliance recording solution for mobile calls without requiring the purchase of additional apps. VMMT can be managed with corporate mobile device management (MDM) solutions such as Microsoft Intune, which enables SecOps teams to apply security policies directly to the device. Consequently, organizations can extend enterprise-grade business policies across mobile devices. Enterprises can configure devices to make calls appear to come from the organization rather than a user's mobile phone so that their direct numbers are not exposed externally.

VMMT can lower costs and eliminate redundancies by consolidating mobile, hybrid, and front-line workers onto one mobile number. This removes redundancies and reduces the costs associated with multiple phone numbers and devices as well as duplicate systems. The ZK Research 2023 Hybrid Work Study shows that workers spend up to 40% of their time simply managing their work.
Having one phone number for both mobile and Teams can eliminate a chunk of that inefficiency. With VMMT, when a call comes in on Teams, it rings on the smartphone's native dialer as well as across laptops, tablets, and desk phones. This enables employees to answer and make Teams calls on the device of their choice and to move a call to another device with no delay. With VMMT, there's no need to have the Teams app open. As a result, workers will miss fewer calls and be more productive. Understanding the availability and location of individual employees is a great advantage when planning meetings or trying to get in touch with perennially mobile workers. VMMT turns a mobile phone into a Teams endpoint, so Teams can update presence based on mobile device status.

The pandemic underscored the need for UC solutions, but it also revealed their shortcomings. Even as one of the most successful solutions, Teams has opportunities for improvement. Seamlessly blending the mobile, office, and remote experience has proven challenging. That's where Verizon Mobile for Microsoft Teams comes in as a solution that eliminates some of the most troublesome limitations. There are other solutions that enterprises might consider. So, as a guide, ZK Research has several recommendations on what to look for:

Ensure the solution switches between a mobile voice call and a Teams meeting without skipping a beat. In addition, see if the solution can facilitate moving from a voice call to a video call without interruption.

Does the solution offer a single number, unified call history, and voicemail, all from the smartphone's native dialer? This is critical to reduce complexity and expenses.

Does the solution utilize popular MDM solutions that help SecOps teams apply security policies directly to the device? This approach enables both the application of enterprise-grade business policies across mobile devices and compliance recording for mobile calls without additional apps.
Make sure the solution you choose has this capability. The business world is hybrid and is never going back to the way it was pre-pandemic. Remote and mobile workers will continue to grow in numbers, so building solutions that can make the life of a road warrior as seamless as possible will be critical. ZK Research has evaluated the VMMT solution and thinks it ticks the right boxes.

A wealth management firm chose VMMT to provide a single phone number, shared across all their devices, that employees can use to connect with customers wherever they are. The results:

Zeus Kerravala is the founder and principal analyst with ZK Research. Kerravala provides tactical advice and strategic guidance to help his clients in both the current business climate and the long term.