The Cost of Compliance
Restaurant chain Bertucci’s moved proactively to protect its sensitive data and ensure compliance with reporting requirements. Senior IT Director Kevin Quinlan explains how the Northboro, Mass., company deployed technology and processes to safeguard its data and to ensure that Bertucci’s is compliant with government- and industry-imposed regulations.
With 94 family restaurants stretching from New England to Virginia, Bertucci’s is a mainstay up and down the Eastern Seaboard. The company processes more than 3.7 million credit card transactions annually; employs 6,000 people; and maintains an IT infrastructure spread across more than 350 server nodes, including a mix of point-of-sale systems and both virtual and physical servers.
A major part of my job as senior director of IT is to ensure that the right technology and processes are in place to protect all our sensitive data—including customer financial data generated by all those credit card transactions and our own intellectual property and employee information. My other, and equally critical, responsibility is to make sure Bertucci’s is—and continues to be—compliant with government- and industry-imposed regulations.
The importance of security and compliance can’t be overstated: A failure to adequately address these two issues could have a devastating impact on our organization. The Ponemon Institute recently estimated the cost of noncompliance with regulatory mandates to be $9.4 million. Although it’s harder to estimate the cost of inadequate security, the impact of data breaches in terms of revenue loss
and reputation damage has been widely chronicled.
So, needless to say, I took a deliberate approach to strengthening our security and compliance initiatives. The first step for me and my team, which consists of three full-time IT administrators, was to assess the challenges we faced.
An organization that processes credit card transactions as frequently as Bertucci’s is considered a Level Two merchant, according to the Payment Card Industry Data Security Standard (PCI DSS). To comply with the PCI standard, Level Two merchants need to track changes, create audit trails, and archive any and all issues that have been investigated and resolved. This is a critical step, especially when you consider that according to the most recent Verizon Data Breach Investigations Report, 89 percent of organizations suffering payment card breaches had not been validated as PCI DSS compliant at the time of the breach.
We also must protect our database and its key information; monitor systems for qualifying new users and changes to permissions; and ensure that only authorized individuals can access sys-tems containing sensitive information such as payroll, benefits and accounting data. And because many Bertucci’s restaurants are located in Massachusetts, we must comply with MA 201 CMR 17. This regulation man-dates strong controls to protect personally identifiable information and breach notifi-cations for state residents.
Complying with both regulations requires significant cost, time and effort that must be diverted from other core business operations. What’s particularly notable about the Ponemon study’s findings, however, is that the cost of noncompliance far outweighs the costs associated with achieving and maintaining compliance. That’s not hard to imagine when you consider the costs of recompensing those whose data is compromised, legal fees, unrealized revenue and resources deployed to address problems, among other things.
What became immediately clear was that we lacked visibility into changes that could move us out of compliance. For instance, if an employee were to change file rules to inappropriately grant himself or herself administrative rights, or make a wrongful change to firewall settings, serious vulnerabilities could result and potentially threaten data, disrupt critical business processes and jeopardize compliance with regulatory standards. We also recognized that by addressing our compliance needs—which was viewed as a priority among the executive team—we had an opportunity to improve our overall security posture.
Because Bertucci’s has nearly 6,000 employees, a large amount of sensitive information, such as accounting, human resources and other data, flows through our network at any given moment. So it’s critical that the right people—and only the right people—have access to that information.
The problems that plagued us in the past include instances when someone in accounts receivable inadvertently got access to payroll files and when access was not terminated for employees who left the company. What's more, since the majority of our employees are transitional or part time, we had a clear security case for achieving full visibility into who is accessing folders in violation of user rights.
That’s a powerful motivator because we had virtually no awareness of who was accessing what information—and whether incidents were benign instances of employees “fat-fingering” passwords (typing the wrong character) or if there was malicious activity under way that could compromise our servers. We didn’t know if we were secure or compliant, or if we were just moments away from a massive data breach.
Another key security consideration rears its head when new systems are brought online. Bertucci’s averages one or two new servers per month, whether part of the standard refresh cycle or recent upgrades we made to our SQL Servers. Either way, configuring each of these systems presents a massive security hole if the configuration isn’t verified before the software is loaded.
So, ultimately, we came to recognize the value of compliance—not for the sake of checking some boxes to keep regulators at bay, but as a catalyst for implementing much-needed security measures. For that reason alone, we developed a fine appreciation for compliance, rather than the feelings of frustration I hear from my peers.
The next step was to figure out how to address our security and compliance challenges, now that we had a handle on what we were up against. Given the small size of my team, it became evident that we required technology that could automate as much of the security and compliance process as possible.
The requirements of PCI DSS largely dictated where I began selecting the right tools. Requirement 10.5.5 calls for “the use of file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts,” so I looked at Tripwire Enterprise. Considered by many to be the de facto standard for file integrity monitoring (FIM), Tripwire Enterprise is, I believe, the only single-source solution for detecting, analyzing and reporting all changes to our systems and files across the IT infrastructure.
My team was glad to have access to tools that could automate the assessment of relevant con-figurations across our infrastructure and alert me to settings that are out of compliance. It meant that we didn’t need people burning the midnight oil, particularly during our SQL Server upgrades, to make sure everything was compliant and stayed that way.
After our success with Tripwire Enterprise, we purchased the Tripwire Log Center security information and event management (SIEM) solution to improve our intelligent threat control by correlating events and changes. This enabled us to immediately identify and respond to significant events.
By using the solutions together as the integrated Tripwire VIA suite, we can cover all the bases when it comes to IT security and compliance: from identifying threats and reducing the breach-to-detection gap to being able to generate proof of compliance and get significantly more visibility into our overall infrastructure.
Though it’s notoriously difficult to quantify the ROI of security and compliance technology, I find it easy to measure Tripwire VIA’s impact on our company. Simply put, I now know that seven days a week, all my systems are protected.
From a compliance perspective, we not only meet all regulatory requirements, but also have a foundation in place to automate and prove compliance with any industry or government mandates that may emerge in the future. The proof is in our audits, the reports for which now require only a mouse click. That compares with the hours it previously took us to generate these reports.
Making the suite a core component of our security and compliance efforts has had a tremendous affect on our business by adding greater visibility across our infrastructure and giving us the automated intelligence needed to turn change and log data into actionable knowledge. It’s amazing that just four years ago we had zero visibility into the state of our network and our security and compliance status, yet now we have a clear view of precisely where we stand at any given moment.
Kevin Quinlan is senior director of IT at Bertucci’s, headquartered in Northboro, Mass.