
VISA

The document discusses Visa International's security model, which promotes strong security measures for business associates. It has established two important documents: 1) a security assessment process to examine organizations' systems and integrate with Visa, and 2) agreed upon procedures outlining policies and technologies to safeguard cardholder information. These documents provide instructions to develop a sound security architecture focused on integrating systems. The document also discusses selecting best practices, including considering an organization's resources and threat environment, and using resources like the Federal Agency Security Practices site for example policies and position descriptions to inform security program design.

Uploaded by smoulikarthik

UNIT-IV

VISA INTERNATIONAL SECURITY MODEL

Presented by
Tmt.P.Tharani
AP/CSE
GCE,Salem

➢ VISA International promotes strong security measures in its business associates and has established guidelines for the security of its information systems.
➢ It has developed two important documents:
1. Security Assessment Process: contains a series of recommendations for the detailed examination of an organization's systems, with the eventual goal of integration into the VISA systems.
2. Agreed Upon Procedures: outlines the policies and technologies used to safeguard security systems that carry the sensitive cardholder information to and from VISA systems.
➢ Both documents provide specific instructions on the use of the VISA Cardholder Information Security Program.

➢ Using the two documents, a security team can develop a sound strategy for the design of good security architecture.
➢ The only downside to this approach is the specific focus on systems that can or do integrate with VISA's systems with the explicit purpose of carrying the aforementioned cardholder information.
• The Gold Standard
➢ Best business practices are not sufficient for organizations that prefer to set the standard by implementing the most protective, supportive, and yet fiscally responsible standards they can.
➢ They strive toward the gold standard, a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information. The implementation of gold standard security requires a great deal of support, both in financial and personnel resources.
• Selecting Best Practices
➢ Choosing which recommended practices to implement can pose a challenge for some organizations
– In industries that are regulated by governmental agencies, government guidelines are often requirements
– For other organizations, government guidelines are excellent sources of information and can inform their selection of best practices

➢ When considering best practices for your organization, consider the following:
– Does your organization resemble the identified target organization of the best practice?
– Are you in a similar industry as the target?
– Do you face similar challenges as the target?
– Is your organizational structure similar to the target?
– Are the resources you can expend similar to those called for by the best practice?
– Are you in a similar threat environment as the one assumed by the best practice?

➢ Microsoft has published a set of best practices in security at its Web site:
– Use antivirus software
– Use strong passwords
– Verify your software security settings
– Update product security
– Build personal firewalls
– Back up early and often
– Protect against power surges and loss

• Baselining & Best Business Practices
➢ Baselining and best practices are solid methods for collecting security practices, but provide less detail than a complete methodology.
➢ It is possible to gain information by baselining and using best practices, and thus work backwards to an effective design.
➢ The Federal Agency Security Practices (FASP) site (fasp.nist.gov) is designed to provide best practices for public agencies and can be adapted easily to private institutions.
➢ The documents found on this site include specific examples of key policies and planning documents, implementation strategies for key technologies, and position descriptions for key security personnel.

• Of particular value is the section on program management, which includes the following:
➢ A summary guide: public law, executive orders, and policy documents.
➢ Position description for computer system security officer.
➢ Position description for information security officer.
➢ Position description for computer specialist.
➢ Sample of an information technology (IT) security staffing plan for a large service application (LSA).
➢ Sample of an information technology (IT) security program policy.
➢ Security handbook and standard operating procedures.
➢ Telecommuting and mobile computer security policy.

Thank You
