PCI DSS 3.0: Summary of Changes and a Campus Case Study. Ed Hudson, Systemwide Director, Information Security; Gina Curry, Director, Student Financial Services Center & University Bursar, CSU Sacramento.


2 Summary of Changes
- Effective January 2014
- Change types: Clarification, Additional Guidance, Evolving Requirement (20)

3 Five Key Areas
- Penetration Testing
- Inventorying of System Components
- Vendor Relationships
- Anti-Malware
- Physical Access and Point of Sale (POS)

4 Penetration Testing (11.3)
- Penetration testing must follow an "industry accepted methodology"
- Best practice until June 30, 2015
- Why is this an issue?

5 Inventorying System Components (2.4)
- "Maintain an inventory of system components that are in scope for PCI DSS"
  - All hardware (virtual or physical)
  - Software (commercial or custom)
  - Applications (off the shelf, external or internal)
- Requires that assessors "verify a list of hardware and software components including a description of function"
- Authorized wireless APs (11.1.1)

6 Vendor Relationships (12.8.5 & 12.9)
- Requires explicit documentation of which PCI requirements are managed by you, which by a vendor, and which vendors (matrix)
- Matrix
- Contractual requirements

7 Anti-Malware (5.1.2)
- Requires campuses to "identify and evaluate evolving malware threats for systems not commonly affected"
- Requires specific, time-limited authorization from management to disable or alter antivirus

8 Physical Access and POS (9.3)
- Control access for onsite personnel
  - Access must be authorized and based on job function
  - Revoked immediately upon termination
- Protect devices from tampering/substitution (9.9)
  - Consider non-standard POS: food trucks, carts, etc.
  - Inventory, regular checking/inspection, and policy

9 Building a Plan
- Partner on ownership
- Engage senior executives
- Plan
- Communicate

10 Prioritized Approach


13 Case Study: Sacramento State
- Partner: SFSC partnered with the campus ISO
- Plan: ISO and SFSC implemented required training, document gathering and periodic review
- Developed a tracking process
- Engaged administration
- Imposed "penalties" for non-compliance ("Shut 'er Down")

14 Case Study: Sacramento State
- ICSUAM Section 3102.05: http://www.calstate.edu/icsuam/sections/3000/3102.05.shtml
- Write a campus policy to support the ICSUAM: http://www.csus.edu/umanual/admin/ADM-0117.html

15-19 Case Study: Sacramento State (slide images only; no text captured)

20 Case Study: Sacramento State
- A report goes at least annually to the Vice President for Administration and Business Affairs and the Vice President & Chief Information Officer
- To date, 3 departments were "shut down" until they could come into reasonable compliance

21 Case Study: Sacramento State
- You are welcome to copy our templates for your use
- There is also a sample training presentation available: http://www.csus.edu/irt/is/pci/presentations/index.html
