Prepared by Jerod Brennen For ISACA – Central Ohio Chapter Meeting 12/9/2010.

Overview
 Summary of Changes
 Operational Perspective
 Details of Changes
 Observations

Summary of Changes (136)
 Clarifications (119 total): wording portrays intent
 Additional Guidance (15 total): increase understanding
 Evolving Requirements (2 total): emerging threats and changes

Operational Perspective
 Informational: 61 total
 Moderate Impact: 41 total
 Significant Impact: 34 total
Subjective (your mileage may vary)

Details - General
 Operations Staff
   PCI DSS Applicability Information
   ○ Account Data = Cardholder Data + Sensitive Authentication Data
   Scope of Assessment for Compliance with PCI DSS Requirements
   ○ Added “virtualization components” to the definition of “system components”
   Policies, Procedures, Standards, etc.
 Auditors
   Sampling of Business Facilities and System Components
   ○ Criteria that must be documented when sampling
   ○ Sampling rationale must be (re)validated with each audit
   Instructions and Content for Report on Compliance
   ○ Pp > detailed instructions for the RoC
   Consistency (QSA selection)
   How much will the Summary of Changes alter QSA procedures?

Details – Section 1
 Moderate Impact
   1 > “system components providing firewall functionality” to be treated as firewalls
   > examples of insecure services, protocols, & ports (FTP, Telnet, POP3, IMAP, SNMP)
   > removed specification of port scanner use
   > testing procedure applies to “any type of cardholder data storage” (i.e., files)
 Significant Impact
   1.4.b > “personal firewall software should not be alterable by employee-owned computer users”
   ○ Local admin rights?

Details – Section 2
 Moderate Impact
   a-e > removed reference to WPA
   ○ WPA cracked in late
   > added sources for hardening standards
   ○ CIS, ISO, SANS, NIST
   2.2b > linked system configuration standards to vulnerabilities (was in 6.2.b)
   a-b > only enable “necessary and secure” services
   2.3.a-c > “strong” cryptography is required
   ○ Need for agility (point-in-time)
 Significant Impact
   > clarified intent of “one primary function per server” and use of virtualization
   ○ Web, Database, DNS; functions that require different security levels
   b > optional testing procedure for virtualization technologies
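The Section 1 and Section 2 points above (insecure services such as FTP, Telnet, POP3, IMAP and SNMP, and enabling only "necessary and secure" services) translate directly into a rule review an assessor or operations team can script. The following is an added example, not code from the slides or from the PCI SSC; the rule format, the approved-port list and the port-to-protocol mapping are assumptions.

```python
"""Review firewall allow rules against the Section 1 / Section 2 points:
insecure services need a documented business justification, and only
"necessary" services should be enabled at all.
Added example; the rule format and port mapping are assumptions, not from the slides."""
from dataclasses import dataclass

# Services the slides list as insecure, keyed by their IANA default port
# (the port numbers are added here; the slides name only the protocols).
INSECURE_SERVICES = {21: "FTP", 23: "Telnet", 110: "POP3", 143: "IMAP", 161: "SNMP"}


@dataclass
class Rule:
    """One allow rule from a hypothetical firewall export."""
    name: str
    dst_port: int
    proto: str
    justification: str = ""  # documented business need, if any


def review_rules(rules, approved_ports):
    """Return (finding, rule name) pairs for rules an assessor would question.

    - insecure service with justification    -> "documented-insecure" (review it)
    - insecure service without justification -> "undocumented-insecure" (finding)
    - any other port not on the approved list -> "not-approved" (unnecessary service)
    """
    findings = []
    for r in rules:
        if r.dst_port in INSECURE_SERVICES:
            code = "documented-insecure" if r.justification.strip() else "undocumented-insecure"
            findings.append((code, r.name))
        elif r.dst_port not in approved_ports:
            findings.append(("not-approved", r.name))
    return findings


# Constructed sample data for a small cardholder data environment segment.
APPROVED_PORTS = {22, 443}
SAMPLE_RULES = [
    Rule("mgmt-ssh", 22, "tcp"),
    Rule("payment-web", 443, "tcp"),
    Rule("legacy-ftp-export", 21, "tcp", "Settlement file to processor; SFTP migration planned"),
    Rule("telnet-console", 23, "tcp"),
    Rule("snmp-poll", 161, "udp"),
    Rule("custom-app", 8080, "tcp"),
]

if __name__ == "__main__":
    for code, name in review_rules(SAMPLE_RULES, APPROVED_PORTS):
        print(f"{code:22} {name}")
```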

Details – Section 3
 Moderate Impact
   3.4 > Deleted note on compensating controls
   ○ “may be applicable for most PCI DSS requirements”
   c > Clarification on encryption of removable media
   ○ Rendered unreadable through encryption or some other method
   3.5 > “Any” keys used to secure cardholder data must be secured
   > Clarification around key management operations
   ○ “manual clear-text cryptographic key mgmt operations”
   > Key custodians’ formal acknowledgment (in writing or electronic)
 Significant Impact
   3 > Introductory paragraph: don’t send PANs via end-user messaging tech ( , IM)
   ○ Enforcement?
   3.2 > business justification for storing “sensitive authentication data”
   > Increased frequency of key changes, per “defined cryptoperiod”
   > New testing procedures for retired keys
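The key management points above (changes per a "defined cryptoperiod", testing procedures for retired keys, and custodians' formal acknowledgment) lend themselves to a periodic inventory check. This is an added example, not code from the slides or from PCI DSS; the record layout is an assumption, and the dates are constructed around the meeting date on the slides.

```python
"""Audit a cryptographic key inventory against the Section 3 points:
keys past their defined cryptoperiod, retired keys still encrypting
cardholder data, and custodians without a formal acknowledgment on file.
Added example; the record layout is an assumption, not from the slides or PCI DSS."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class KeyRecord:
    key_id: str
    created: date
    cryptoperiod_days: int   # the organisation's defined cryptoperiod for this key
    status: str              # "active" or "retired"
    encrypting: bool         # still used to encrypt new cardholder data
    custodian_ack: bool      # written or electronic acknowledgment on file


def audit_keys(keys, today):
    """Return (finding, key_id) pairs; an empty list means no exceptions."""
    findings = []
    for k in keys:
        if k.status == "active" and today >= k.created + timedelta(days=k.cryptoperiod_days):
            findings.append(("cryptoperiod-exceeded", k.key_id))
        if k.status == "retired" and k.encrypting:
            findings.append(("retired-key-still-encrypting", k.key_id))
        if not k.custodian_ack:
            findings.append(("missing-custodian-ack", k.key_id))
    return findings


# Constructed inventory, checked as of the meeting date on the slides.
AS_OF = date(2010, 12, 9)
SAMPLE_KEYS = [
    KeyRecord("dek-2009-11", date(2009, 11, 1), 365, "active", True, True),
    KeyRecord("dek-2010-06", date(2010, 6, 15), 365, "active", True, True),
    KeyRecord("dek-2009-01", date(2009, 1, 10), 365, "retired", True, True),
    KeyRecord("kek-2010-03", date(2010, 3, 1), 730, "active", True, False),
]

if __name__ == "__main__":
    for code, key_id in audit_keys(SAMPLE_KEYS, AS_OF):
        print(f"{code:30} {key_id}")
```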

Details – Section 4
 Moderate Impact
   4.1.c > Protocol “must be implemented” to use only secure configurations (i.e., encrypted)
 Significant Impact
   > 6/3/2010 has passed; no more WEP
   4.2 > PANs should never be sent by end-user messaging technologies (see section 3)

Details – Section 5
 Moderate Impact: none
 Significant Impact
   5.2 > AV must be generating audit logs, not just “capable of generating” logs

Details – Section 6
 Moderate Impact
   > clarified scope to include non-web applications
   a-b > addresses security patches and software modifications
   ○ Details to include in change documentation
   > documentation of impact is required
   6.5 > broadened to include OWASP, SANS CWE, & CERT
   > again, OWASP + CWE + CERT
 Significant Impact
   * 6.2 > evolving req, rank vulnerabilities according to risk
   6.3.a-d > added types of software apps to be tested (scope)
   ○ Security in “written software development processes”
   a-b > requires security testing for application changes
   * > new req regarding high-risk vulnerabilities
   ○ Best Practice through 6/30/2012

Details – Section 7
 Moderate Impact: none
 Significant Impact: none

Details – Section 8
 Moderate Impact
   8 > POS access to one card number at a time
   ○ Aligned with PA-DSS requirement
   > clarified intent of multi-factor authentication
   ○ Know, Have, Are
   ○ No clarification on physical vs. virtual here
   > password resets (unique value, immediate change)
   a-b > clarified “access” by vendors
   ○ Disabled by default, enabled only when needed
   ○ Monitored while being used
   > password management for “non-consumer users”
   ○ For service providers only
 Significant Impact
   8.5.2/7/8/13 > allow for authentication mechanisms outside of passwords
   a-d > restricting user queries against databases
   ○ Closer review of database config

Details – Section 9
 Moderate Impact
   > restrict physical access to “networking / communications hardware and telecommunications lines”
   > visitors are not permitted unescorted physical access to areas that store cardholder data
   9.6 > changed “paper and electronic media” to “all media”
   ○ Computers, removable electronic media, paper receipts, paper reports, faxes, etc.
 Significant Impact
   > intent is to determine sensitivity of data on media
   ○ “Verify that all media is classified…”

Details – Section 10
 Moderate Impact
   > changes to time settings are authorized
   > time is received from industry-accepted sources
 Significant Impact
   10.7.b > processes to “immediately restore” log data (vs. “immediately available”)

Details – Section 11
 Moderate Impact: none
 Significant Impact
   11.1 > “detect unauthorized wireless access points on a quarterly basis” (vs. real-time)
   11.1.a-e > detect & alert on unauthorized wireless access points
   > internal & external scans must be verified (ASV)
   a-c > scans must be repeated & verified until all high vulnerabilities have been resolved
   a-b > ref to ASV Program Guide Requirements
   a-c > keep scanning until high vulnerabilities are resolved
   > vulnerability scanning must encompass all application types in scope (see 6.5)
   11.4 > IDS/IPS at the perimeter and at key points inside the CDE

Details – Section 12
 Moderate Impact
   > replaced “once a year” with “annually”
   12.3 > added “tablet” to example technologies
   a-b > flexibility to limit prohibitions to those “personnel without authorization”
   12.7 > “potential personnel to be hired for certain positions”
   ○ Recommendation if personnel can only access one card number at a time
 Significant Impact
   > test should verify risk assessment documentation
   > monitor service providers’ PCI compliance at least annually
   > designated personnel should be available 24/7 for incident response

Details – Appendices
 Moderate Impact
   Appendix E is now “Attestation of Compliance – Service Providers”
   ○ options for list of services not covered by PCI DSS assessment
   Appendix D > Segmentation and Sampling of Business Facilities / System Components
   ○ was Appendix F
   ○ aligns with new introduction
 Significant Impact: none

Observations
 Perception
   Revised vs. New
 Should vs. Must
   27 vs. 77
 Effective Date
 Risk-Based
 New Technologies
   Wireless
   Virtualization
   Encryption (future-state)
 Better Log Management
 Opportunities
   Fresh Document
   Auditors can help Operations achieve compliance
   Budget

Questions? Jerod Brennen