Phase III

Question 1

Regulatory compliance refers to an entity's adherence to the legislation, specifications, and guidelines that are essential to its normal business processes. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security principles and standards designed with the cardinal objective of ensuring that all entities that accept, store, or transmit credit card information maintain a secure environment (Central Bank of Ireland, 2016). The Payment Card Industry Security Standards Council (PCI SSC) is the body that manages the evolution of the credit card industry by setting standards that help improve security in the transaction process.

The Payment Card Industry Data Security Standard (PCI DSS) denotes a multidimensional measure that incorporates requirements for policies, information security management, procedures, software design, network architecture and other critical controls (Evolution, 2017). The underlying intent of the standard is to create a platform that enables entities to proactively secure and protect consumer accounts and data. Broadly, PCI DSS applies to all service providers and merchants that process, transmit, or store sensitive credit card information. This covers every component of the payment chain, from financial institutions to merchants and from processors to service providers (Evolution, 2017). The compliance requirements of PCI DSS are building and maintaining a secure network, protecting cardholder information, maintaining a vulnerability management program, and implementing cogent access control measures. Additionally, entities should regularly monitor and test their networks and maintain a policy that addresses information security.

The evolution of PCI DSS started in the early 1990s, when losses due to credit card fraud were prevalent. Hacking, phishing and online criminal schemes provided an incentive for Visa to launch the Cardholder Information Security Program, which later became the precursor of PCI DSS (Clay, 2017). In December 2004, the major credit card entities, MasterCard, Visa, Discover, and American Express, coalesced their efforts to form PCI DSS version 1.0, which created an online credit card protection system for payments (Clay, 2017). PCI DSS 1.0 closed some of the existing loopholes in the credit card payment system, thwarting phishing and hackers. More recently there have been significant improvements, the most notable being the 2005 legislation, which mandates that all merchants be PCI DSS compliant (Clay, 2017). PCI DSS 3.2 is the most recent revision; it contains revised and updated security protocols that are critical to ensuring the standard performs to the best possible level. The standard is integral as it provides more flexibility in various aspects, such as strict quality control and cogent in-house passwords.

PCI DSS affects all players in the credit card processing industry. All entities that process, store, or transmit payment card data need to ensure they are PCI DSS compliant. Non-compliant entities that maintain a working relationship with one or more card brands, either directly or through an acquirer, are at risk of fines or periodic audits (ASC, 2017). All entities should validate their compliance yearly. Validation requires accredited auditors known as PCI DSS Qualified Security Assessors; however, smaller entities have the option of using a self-certification questionnaire. The Payment Card Industry Security Standards Council (PCI SSC) sets the standards and ensures compliance with the stipulated regulations that help prevent hacking, credit card fraud, and other security vulnerabilities.

Specifically, PCI DSS and the other topics researched will influence SCP's information governance design and implementation program: they broaden the support activities from a purely technical focus and provide a multidisciplinary approach that incorporates the tactical, strategic and operational issues surrounding the planning, design, maintenance and operation of an entity's information security.

Question 2

Setting up a robust information governance framework with well-defined roles and responsibilities is axiomatic practice for entities with a data management system. In a nutshell, information governance comprises the processes and policies that provide a framework for using information more effectively and efficiently (Alreemy, Chang, Walters, & Wills, 2016). The benefits of information governance include secure data, straightforward business access, effective risk management, improved decision-making and data sharing, increased value gained over the information lifecycle, and reduced costs (Alreemy, Chang, Walters, & Wills, 2016). Given the salience of information governance, it is crucial to select capable members for the information governance team that will be responsible for designing and implementing the entity's information governance plan.

The team will consist of an information governor, a system expert, an information architect, a developer and a subject matter expert. The information governor helps the team understand the policies and practices it must adhere to in developing the information governance program. For example, they help in understanding the legislation and regulations the team is required to comply with, and highlight the importance of information retention and of the policies governing the proper disposition of information (Knowles, Colson, & Dezateux, 2016). A system expert is crucial to the team because they have the skills and proficiency in using the system. The system expert helps the team design the information governance system, as they have the insight and experience to configure the system so that it works best to achieve the project goals.

The information architect will play the fundamental role of structuring the data repository to meet the requirements and needs of the data that must be stored or encrypted (Knowles, Colson, & Dezateux, 2016). The developer will build the scripts, applications, and interfaces that lay the groundwork for the information governance system. Lastly, the subject matter expert will advise on the business systems the team will need to interface with in order to implement a successful enterprise content management (ECM) program.

Question 3

To ensure effective design and implementation of the information governance plan, the significant steps are as follows. First, establish a compliance program framework that outlines the standards and regulations the program needs to align with, and how the team will monitor compliance (Fitzgerald, 2016). Second, describe the primary components of the framework, such as information management, procedures, policies, the program, and the framework strategy. Third, build a comprehensive IG (information governance) framework by outlining the present and future information governance requirements. Lastly, align and integrate the IG areas with the organization.

References

Alreemy, Z., Chang, V., Walters, R., & Wills, G. (2016). Critical success factors (CSFs) for information technology governance (ITG). International Journal of Information Management, 36(6), 907-916.

ASC. (2017). Whitepaper: Impact of PCI DSS on Recording Solutions.

Central Bank of Ireland. (2016). Cross-Industry Guidance in respect of Information Technology and Cybersecurity Risks.

Clay, C. (2017, September 28). The History of PCI Data Security Standard (DSS). Retrieved from https://www.kontrolpayables.com/blog/the-history-of-pci-data-security-standard-dss

Evolution. (2017). PCI DSS. Retrieved January 24, 2019, from http://www.evolve-online.com/compliance/pci

Fitzgerald, T. (2016). Information security governance simplified: From the boardroom to the keyboard. CRC Press.

Knowles, R., Colson, D., & Dezateux, C. (2016). Life Study Ethics and Information Governance Framework.
