Auditor's Checklist
A XYPRO Solution Paper
MAY, 2009
XYPRO Technology Corporation
3325 Cochran Street, Suite 200
Simi Valley, California U.S.A.
info@xypro.com
Telephone: FAX:
Copyright 2009 by XYPRO Technology Corporation. All rights reserved.
Trademark Acknowledgments

The following are trademarks or service marks of Hewlett-Packard Company: Distributed System Management (DSM), EDIT, ENFORM, Enscribe, Event Management Service (EMS), FUP, Guardian, MEASURE, NETBATCH, NonStop, NonStop Kernel, NonStop SQL, PATHCOM, PATHWAY, SAFECOM, SAFEGUARD, SCUP, SPOOLCOM, TACL, TEDIT.

The following are trademarks or service marks of XYPRO Technology Corporation: XY-2K, XYCLOPS, XYDOC, XYDOC II, XYGATE, XYGATE/AC, XYGATE/CD, XYGATE/CM, XYGATE/EFTP, XYGATE/ESDK, XYGATE/FE, XYGATE/KM, XYGATE/LD, XYGATE/MA, XYGATE/MI, XYGATE/OS, XYGATE/PC, XYGATE/PM UM, XYGATE/PQ, XYGATE/SE, XYGATE/SE40, XYGATE/SM, XYGATE/SP, XYGATE/SR, XYGATE/SW, XYGATE/UA, XYPRO, XYTIMER, XYWATCH.

The PCI Data Security Standard has been compiled by the PCI Security Standards Council. For more information, please consult

December, 2007 XYPRO Technology Corporation
TABLE OF CONTENTS
Introduction
Integrity
Authentication
Authorization
Auditing
Encryption
Access Control
Operating Systems & Network
Application Security ... 14
Introduction

Security regulation has taken the forefront in the current decade. Significant monetary losses due to lessened corporate regulation, and concerns for individual privacy in a time of large-scale data mining, have motivated many legislative bodies and voluntary cooperative organizations to create standards for secure behavior. Four such sets of standards are presented in this document: PCI, SOX, HIPAA and SB1386.

The Payment Card Industry Data Security Standard (PCI) Version 1.2 is a security standard for all payment card transactions agreed upon by the members of the Payment Card Industry Council, which includes VISA, Mastercard, American Express, Discover Card and JCB. This standard is being phased in within the United States and internationally to secure retail transactions between a cardholder and the merchant accepting the transaction, between that merchant and the merchant's bank, and between the bank and the payment card organization.

The Sarbanes-Oxley Act of 2002 (SOX) targets internal controls over accounting procedures and financial reporting. It also brings pressure on the information security organization within a corporation to provide the underlying assurance needed to produce accurate accounting and reporting. While the SOX legislation has no specific security standards, the Control Objectives for Information and Related Technology (COBIT) have been created to provide a structure for meeting SOX requirements. Even though the Sarbanes-Oxley Act of 2002 is a law of the United States of America, it applies to any company that has a presence in the USA, and so it must be part of the security considerations of any corporation doing international business in the USA.
The government of the United States of America created the Health Insurance Portability and Accountability Act (HIPAA) to reduce health care fraud and abuse, to introduce and implement administrative simplification that increases the effectiveness and efficiency of the health care system, and to protect the health care information of individuals against unauthorized access.

The State of California passed the legislation SB1386 in response to several breaches of privacy in databases containing personal information. This legislation requires a person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose any breach of the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The Auditor's Checklist

The spreadsheet on the following pages presents a view of various security requirements and how they are viewed in the context of the security standards described above. The specific standard to which a security requirement relates is listed in the corresponding column, which lets you easily find and reference a particular security requirement. The spreadsheet also includes references to discussions of these topics in the two definitive HP NonStop information security handbooks: Volume 1 refers to HP NonStop Server Security: A Practical Handbook (ISBN-13: ) and Volume 2 refers to Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL (ISBN: ).

XYPRO has designed this document primarily for educational purposes. Readers should note that no regulatory, legislative, or advisory body has endorsed this document. Accordingly, companies should seek counsel and appropriate advice from their risk advisors and auditors. The IT professional should always apply his or her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment.

Internal controls, automated or manual, no matter how well designed and operated, can provide only reasonable assurance of achieving control objectives and can never achieve certainty. The likelihood of achievement is affected by limitations inherent to internal control. These include the realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human factors such as errors or inappropriate override of internal controls.
Spreadsheet columns: Item | Discussion | Security Handbook | PCI | SOX (COBIT) | HIPAA | SB1386 | Your Findings

1.00 Integrity
1.01 Protect personal information from improper alteration or destruction
1.02 Implement security measures to ensure that electronically transmitted personal information is not improperly modified without detection
1.03 Deploy measures to prevent malicious code and update them regularly
1.04 Ensure that measures to prevent malicious code execute regularly and produce audit logs of execution and findings
1.05 Deploy file integrity monitoring software to monitor critical system resources and alert appropriate personnel
Reference columns for items 1.01-1.05 (handbook pages and standard clauses; column alignment lost in extraction): 3; (c); (e); p523; 2, pp53-54; p523; 2, p54
2.00 Authentication
2.01 Management should establish procedures to ensure timely account management
2.02 Management should have a control process in place to review and confirm access rights periodically
2.03 Users should control the activity of their own accounts
2.04 Assign a unique userid to each user
2.05 Do not use group, shared, or generic accounts or passwords
2.06 Ensure proper user authentication and password management for all users
2.07 Authenticate each user based on his unique userid
2.08 Two-factor authentication for network access
2.09 Authenticate users before resetting passwords
Reference columns for items 2.01-2.09 (column alignment lost in extraction): p95; User Account Management; pp94-95; Management Review of User Accounts; User Control of User Accounts; p94; 8; User Control of User Accounts; User Control of User Accounts; (a)(1); 1, p94; Identification, Authentication, and Access; (d); Implied
2.10 Reset passwords at least every 90 days
2.11 Require a minimum length of 7 characters
2.12 Ensure that each password contains at least 1 numeric and 1 alphabetic character
2.13 Maintain a password history value of at least 4 iterations
2.14 Set AUTHENTICATE-MAXIMUM-ATTEMPTS to permit a maximum of 6 attempted password entries before handling a bad password event
2.15 Set AUTHENTICATE-FAIL-TIMEOUT to a minimum of 30 minutes when a bad password event occurs, or implement AUTHENTICATE-FAIL-FREEZE or AUTHENTICATE-FAIL-STOP
2.16 If AUTHENTICATE-FAIL-FREEZE is used, ensure that the SUPER.SUPER and security administrator userids cannot be affected by the AUTHENTICATE-FAIL-FREEZE
2.17 Force users to change new passwords immediately after resets
Reference columns for items 2.10-2.17 (column alignment lost in extraction): 1, p116; 1, p116; 1, p111; p116; 1, p115; 1, p131; 1, p131; 1, p131; User Account Management

2.18 Force the SUPER.SUPER password to change regularly
2.19 Secure the SUPER.SUPER password so that it can only be used by authorized personnel when needed for specific job functions
2.20 Force the NULL.NULL password to change regularly or FREEZE the NULL.NULL userid
2.22 Temporary and vendor accounts should become inactive at the appropriate time
2.23 Remove userids of terminated users
2.24 Remove userids that haven't been used in more than 90 days
2.25 Force users to change new passwords immediately after resets
2.26 Change the name of the SUPER.SUPER userid to a non-default value (i.e., NOT SUPER.SUPER) when the network is new
Reference columns for items 2.18-2.26 (column alignment lost in extraction): 1, p122; p86; Unique ID per person; Segregation of duties; User Account Management; User Account Management; User Account Management; p117; User Account Management; (a1); Implied
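The password and lockout parameters in items 2.10 through 2.17 interact, and the interaction is easiest to see in code. The Python below is an added example written for this page, not XYPRO's or HP's code. The Account class, the authenticate() function, the 'TIMEOUT' and 'FREEZE' actions and the SECURITY.ADMIN userid are assumptions standing in for the Safeguard parameters the items name. The point it makes is item 2.16: when AUTHENTICATE-FAIL-FREEZE is chosen, the SUPER.SUPER and security administrator userids fall back to the 30-minute timeout instead of being frozen, so repeated bad logons against those userids cannot leave the system without an administrator.

```python
# Added example (not XYPRO's code): a Python model of the password and lockout
# controls in checklist items 2.10-2.17, with the SUPER.SUPER exemption of 2.16.
# Account, authenticate(), the SECURITY.ADMIN userid and the 'TIMEOUT'/'FREEZE'
# choice are assumptions standing in for the Safeguard parameters the items name.
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MAX_ATTEMPTS = 6                        # 2.14  AUTHENTICATE-MAXIMUM-ATTEMPTS
FAIL_TIMEOUT = timedelta(minutes=30)    # 2.15  AUTHENTICATE-FAIL-TIMEOUT
PASSWORD_MAX_AGE = timedelta(days=90)   # 2.10
MIN_LENGTH = 7                          # 2.11
HISTORY_DEPTH = 4                       # 2.13
# 2.16: userids that AUTHENTICATE-FAIL-FREEZE must never lock out (second name assumed)
FREEZE_EXEMPT = frozenset({"SUPER.SUPER", "SECURITY.ADMIN"})


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2 digest so no password is ever stored in clear (item 5.07)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    return secrets.compare_digest(hash_password(password, salt)[1], digest)


def password_rule_violations(candidate: str, history: list) -> list:
    """Items 2.11-2.13: length, composition and reuse of the last HISTORY_DEPTH passwords."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if not any(c.isalpha() for c in candidate):
        problems.append("no alphabetic character")
    if any(verify(candidate, s, d) for s, d in history[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


@dataclass
class Account:
    userid: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    must_change: bool = False               # 2.17: set when an administrator resets the password
    failed_attempts: int = 0
    timeout_until: Optional[datetime] = None
    frozen: bool = False
    history: list = field(default_factory=list)


def new_account(userid: str, password: str, now: datetime) -> Account:
    salt, digest = hash_password(password)
    return Account(userid, salt, digest, now)


def set_password(acct: Account, new_password: str, now: datetime, reset_by_admin: bool = False) -> list:
    """Apply the composition/history rules; returns the list of violations (empty on success)."""
    problems = password_rule_violations(new_password, acct.history + [(acct.salt, acct.digest)])
    if not problems:
        acct.history.append((acct.salt, acct.digest))
        acct.salt, acct.digest = hash_password(new_password)
        acct.password_set_at = now
        acct.must_change = reset_by_admin
    return problems


def authenticate(acct: Account, password: str, now: datetime, fail_action: str = "TIMEOUT") -> str:
    """fail_action 'TIMEOUT' models AUTHENTICATE-FAIL-TIMEOUT, 'FREEZE' models AUTHENTICATE-FAIL-FREEZE."""
    if acct.frozen:
        return "FROZEN"
    if acct.timeout_until and now < acct.timeout_until:
        return "LOCKED_OUT"
    if not verify(password, acct.salt, acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts < MAX_ATTEMPTS:
            return "BAD_PASSWORD"
        acct.failed_attempts = 0            # sixth failure: the bad-password event of 2.14
        if fail_action == "FREEZE" and acct.userid not in FREEZE_EXEMPT:
            acct.frozen = True              # stays frozen until an administrator thaws it
            return "FROZEN"
        acct.timeout_until = now + FAIL_TIMEOUT   # exempt userids fall back to the timeout
        return "LOCKED_OUT"
    acct.failed_attempts = 0
    if acct.must_change or now - acct.password_set_at > PASSWORD_MAX_AGE:
        return "CHANGE_REQUIRED"            # 2.10 expiry or 2.17 forced change after reset
    return "OK"


def demo() -> dict:
    """Walk one ordinary user and SUPER.SUPER through the controls; constructed data only."""
    t0 = datetime(2009, 5, 1, 8, 0)
    alice = new_account("OPS.ALICE", "alpha2009", t0)
    out = {"reuse": set_password(alice, "alpha2009", t0),
           "change": set_password(alice, "bravo2009", t0)}
    out["fails"] = [authenticate(alice, "wrong1x", t0) for _ in range(MAX_ATTEMPTS)]
    out["during_timeout"] = authenticate(alice, "bravo2009", t0 + timedelta(minutes=10))
    out["after_timeout"] = authenticate(alice, "bravo2009", t0 + timedelta(minutes=31))
    out["expired"] = authenticate(alice, "bravo2009", t0 + timedelta(days=91))
    root = new_account("SUPER.SUPER", "root2009x", t0)
    out["root_freeze"] = [authenticate(root, "bad0000", t0, "FREEZE") for _ in range(MAX_ATTEMPTS)][-1]
    out["root_frozen"] = root.frozen
    bob = new_account("OPS.BOB", "bravo2009", t0)
    out["bob_freeze"] = [authenticate(bob, "bad0000", t0, "FREEZE") for _ in range(MAX_ATTEMPTS)][-1]
    out["bob_after"] = authenticate(bob, "bravo2009", t0)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v}")
```

Running the module prints the outcome of each step: the reused password is refused, the sixth wrong password locks OPS.ALICE out for 30 minutes, the 91-day-old password forces a change, and under FREEZE the ordinary user is frozen while SUPER.SUPER only times out.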
2.27 Change the NULL.NULL userid to a non-default value (i.e., NOT NULL.NULL) when the node is new

3.00 Authorization
3.01 Establish a procedure for linking all access to system resources to an individual user
3.02 Management should implement procedures to provide authorized access to resources based on the individual's demonstrated need to view, add, change, or delete data
3.03 The userid structure used by the computing resource must support segregation of duties to ensure that personnel are performing only those duties stipulated for their respective jobs and positions

4.00 Auditing
4.01 Implement automated audit trails to reconstruct all individual user accesses to personal data
Reference columns for items 2.27-4.01 (column alignment lost in extraction): ch 5; Security of Online Access to Data; Segregation of Duties; pp72-79; Use and Monitoring of System Utilities; (b); Implied
4.02 Implement automated audit trails to reconstruct the following events for any activity performed by a user logged on as SUPER.SUPER, accountable to the user's unique userid
4.03 Implement automated audit trails to reconstruct access to all audit trails
4.04 Implement automated audit trails to reconstruct invalid logical access attempts
4.05 Implement automated audit trails to reconstruct use of identification and authentication mechanisms
4.06 Implement automated audit trails to reconstruct initialization of the audit logs
4.07 Implement automated audit trails to reconstruct creation and deletion of system-level objects
4.08 Implement audit trails and reporting procedures to ensure that security activity is logged
Reference columns for items 4.02-4.08 (column alignment lost in extraction): 1; Use and Monitoring of System Utilities, (b), Implied (repeated for each of items 4.02-4.07); 10.3; Security Surveillance
4.09 Implement reporting to ensure that any indication of an imminent security violation is reported immediately to all who may be concerned and is acted upon in a timely manner
4.10 Implement reporting to ensure that violation and security activity is logged, reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity
4.11 Secure all audit trails to prevent modification
4.12 Limit viewing of audit trails to those users that require this access to perform their duties
4.13 Back up audit trails to a separate platform to ensure redundancy
4.14 Review audit logs daily
4.15 Retain audit trail for at least one year, with a minimum of three months online
4.16 Alerts for intrusion detection and file integrity
4.17 Alert personnel about suspected intrusion attempts
Reference columns for items 4.09-4.17 (column alignment lost in extraction): pp7-11; Security Surveillance; Violation and Security Activity Reports; 10.7; Violation and Security Activity Reports; 11.4
4.18 Produce quarterly reports certified by the CEO/CFO that any material changes or deficiencies in control have been reported to the audit committee
4.19 Produce internal control reports annually
4.20 Produce rapid and current reports on material changes in operations
4.21 Ensure that attempts to tamper with the security of computing resources can be detected
4.22 Any breach of security must be reported to the person whose information was disclosed
SOX column for items 4.18-4.21, in the order extracted: Section 302: CEO/CFO Certification of Annual, Semi-Annual, and Quarterly Reports; Section 404(a): Internal Control Reports; Section 409: Real-Time Disclosure; Section 1102: Corporate Fraud Accountability
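The logging requirements in items 4.02 through 4.11 and the tamper detection of item 4.21 fit together: if each audit record carries the hash of the record before it, a modified or removed record breaks the chain, and a review pass over the same records produces the SUPER.SUPER activity, failed-logon and audit-trail-access reports. The Python below is an added example for this page, not XYPRO's code. The record fields, the object names ($SYSTEM.SAFE.A0000001, $SYSTEM.SYSTEM.USERID, $DATA.CARDS.PANFILE), the three-failure escalation threshold and every event in the sample are constructed.

```python
# Added example (not XYPRO's code): a hash-chained audit trail (items 4.11, 4.21)
# and the review pass of items 4.02-4.04 and 4.10 run over constructed records.
# Record fields, object names, the threshold and the sample events are assumptions.
from __future__ import annotations
import hashlib
import json

SUPERUSER = "SUPER.SUPER"
AUDIT_TRAIL_OBJECTS = ("$SYSTEM.SAFE.A0000001",)   # assumed audit-trail file name
FAILED_LOGON_THRESHOLD = 3                        # assumed: escalate at the third failure


def record_digest(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous record's hash plus this record's canonical JSON."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_record(chain: list, record: dict) -> None:
    """Link a new record to the chain head; the first record links to 64 zeros."""
    prev_hash = chain[-1]["hash"] if chain else "0" * 64
    chain.append({"prev": prev_hash, "hash": record_digest(prev_hash, record), **record})


def verify_chain(chain: list):
    """Index of the first record whose link or digest is wrong, or None if the chain is intact."""
    prev_hash = "0" * 64
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry["prev"] != prev_hash or entry["hash"] != record_digest(prev_hash, body):
            return i
        prev_hash = entry["hash"]
    return None


def review(chain: list) -> dict:
    """Daily review (4.10/4.14): superuser actions, failed logons per userid, audit-trail access."""
    report = {"superuser_actions": [], "failed_logons": {}, "audit_trail_access": [], "escalate": []}
    for e in chain:
        if e["userid"] == SUPERUSER and e["event"] != "LOGON":          # item 4.02
            report["superuser_actions"].append((e["ts"], e["event"], e["object"]))
        if e["event"] == "LOGON" and e["outcome"] == "FAIL":            # item 4.04
            n = report["failed_logons"].get(e["userid"], 0) + 1
            report["failed_logons"][e["userid"]] = n
            if n == FAILED_LOGON_THRESHOLD:
                report["escalate"].append(e["userid"])
        if e["object"] in AUDIT_TRAIL_OBJECTS:                           # item 4.03
            report["audit_trail_access"].append((e["ts"], e["userid"], e["event"]))
    return report


def sample_chain() -> list:
    """Constructed sample events, not taken from any real system."""
    events = [
        ("2009-05-01T08:00:01", "OPS.ALICE", "LOGON", "-", "OK"),
        ("2009-05-01T08:05:12", "OPS.BOB", "LOGON", "-", "FAIL"),
        ("2009-05-01T08:05:20", "OPS.BOB", "LOGON", "-", "FAIL"),
        ("2009-05-01T08:05:31", "OPS.BOB", "LOGON", "-", "FAIL"),
        ("2009-05-01T09:10:00", "SUPER.SUPER", "LOGON", "-", "OK"),
        ("2009-05-01T09:11:42", "SUPER.SUPER", "ALTER", "$SYSTEM.SYSTEM.USERID", "OK"),
        ("2009-05-01T09:12:05", "SUPER.SUPER", "READ", "$SYSTEM.SAFE.A0000001", "OK"),
        ("2009-05-01T09:30:00", "OPS.ALICE", "READ", "$DATA.CARDS.PANFILE", "OK"),
    ]
    chain = []
    for ts, userid, event, obj, outcome in events:
        append_record(chain, {"ts": ts, "userid": userid, "event": event, "object": obj, "outcome": outcome})
    return chain


def tampered_chain() -> list:
    """The sample chain with the SUPER.SUPER ALTER record rewritten in place (index 5)."""
    chain = [dict(e) for e in sample_chain()]
    chain[5]["userid"] = "OPS.ALICE"
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    print("intact chain, first bad record:", verify_chain(chain))
    print("tampered chain, first bad record:", verify_chain(tampered_chain()))
    print(json.dumps(review(chain), indent=1))
```

A chain like this only detects tampering after the fact, and only if the verifier trusts the chain head it compares against; the backup to a separate platform in item 4.13 and the daily review in item 4.14 are what supply that trusted head.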
5.00 Encryption
5.01 Encrypt personal information, including: first, last, middle name or initial; social security number; driver's license number or other government-issued ID; account number; credit card number; debit card number; access code or password; PIN
5.02 Render personal account information unreadable anywhere it is stored by using a strong one-way hash, truncation, index tokens and pads, or strong cryptography with key management
5.03 Secure encryption keys
5.04 Limit access to encryption keys
5.05 Cryptographic keys must be generated, changed, revoked, certified, stored, used and archived in a secure manner
5.06 Ensure encryption uses a strong algorithm: SSL/TLS, DES168, AES
Reference columns for items 5.01-5.06 (column alignment lost in extraction): 2; Security of Online Access to Data; (a); (e); 2; Cryptographic Key Management; 4.1
5.07 Encrypt all passwords at all times
5.08 Encrypt all non-console administrative access
5.09 Fully document and implement all key management processes and procedures: generation of strong keys; secure distribution of keys; secure storage of keys; periodic changing of keys; split knowledge and establishment of dual control of keys; prevention of unauthorized substitution of keys; replacement of known or suspected compromised keys; revocation of old or invalid keys
Reference columns for items 5.07-5.09 (column alignment lost in extraction): 1, p115; 2
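Item 5.02 lists four ways of rendering a stored account number unreadable. The Python below, an added example for this page rather than XYPRO's code, implements three of them (a keyed one-way hash with numbered keys, truncation, and index tokens backed by a vault) and leaves out reversible strong cryptography only because the standard library carries no AES. The HashKeyring and TokenVault names, the vault layout and the sample number 4111111111111111 (a publicly known test number, not a real account) are assumptions. The design point is that an unkeyed hash of a 16-digit account number is not one-way in practice, because the input space is small enough to enumerate, so the hash is keyed and the key is handled under the key management of items 5.03 to 5.05 and 5.09: it can be changed without breaking matches against old values, and revoking it makes the old values permanently unmatchable.

```python
# Added example (not XYPRO's code): three of the four renderings item 5.02 lists for
# stored account numbers, with numbered keys for the key management of 5.03-5.05/5.09.
# HashKeyring, TokenVault and the sample number are assumptions; 4111111111111111 is
# a publicly known test number, not a real account.
from __future__ import annotations
import hashlib
import hmac
import secrets

SAMPLE_PAN = "4111111111111111"   # constructed sample input


def luhn_valid(pan: str) -> bool:
    """Luhn check digit; validates the sample and keeps issued tokens from looking like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class HashKeyring:
    """Keyed one-way hash with numbered keys so a key can be changed or revoked (5.05, 5.09).
    An unkeyed hash of a 16-digit number is reversible by enumeration; the secret key prevents that."""

    def __init__(self) -> None:
        self.keys = {}
        self.current = 0

    def rotate(self) -> int:
        """Generate a new strong key and make it current; older keys stay usable until revoked."""
        self.current += 1
        self.keys[self.current] = secrets.token_bytes(32)
        return self.current

    def hash_pan(self, pan: str) -> str:
        digest = hmac.new(self.keys[self.current], pan.encode(), hashlib.sha256).hexdigest()
        return f"v{self.current}:{digest}"      # record which key produced the value

    def revoke(self, version: int) -> None:
        self.keys.pop(version, None)

    def matches(self, pan: str, stored: str) -> bool:
        version, digest = stored.split(":", 1)
        key = self.keys.get(int(version[1:]))
        if key is None:                          # revoked key: value can no longer be matched
            return False
        return hmac.compare_digest(hmac.new(key, pan.encode(), hashlib.sha256).hexdigest(), digest)


class TokenVault:
    """Index tokens: a random surrogate keeping the last four digits; the PAN itself is held
    only in the vault, whose access is limited to the systems that must detokenize (5.04)."""

    def __init__(self) -> None:
        self._vault = {}

    def tokenize(self, pan: str) -> str:
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if token not in self._vault and not luhn_valid(token):   # never issue a plausible PAN
                self._vault[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


def demo() -> dict:
    """Render the sample number all three ways and exercise a key change; constructed data only."""
    ring = HashKeyring()
    ring.rotate()
    h1 = ring.hash_pan(SAMPLE_PAN)
    ring.rotate()
    h2 = ring.hash_pan(SAMPLE_PAN)
    still_old = ring.matches(SAMPLE_PAN, h1)      # old key still honoured after rotation
    ring.revoke(1)
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN)
    return {"truncated": truncate_pan(SAMPLE_PAN), "hash_v1": h1, "hash_v2": h2,
            "matches_after_rotate": still_old, "matches_after_revoke": ring.matches(SAMPLE_PAN, h1),
            "matches_current": ring.matches(SAMPLE_PAN, h2), "token": token,
            "detokenized": vault.detokenize(token)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The vault in this example is an in-memory dictionary; in a deployment it is the one store that still holds account numbers, so items 5.03 and 5.04 apply to it with full force.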
6.00 Access Control
6.01 Limit access to computing resources to individuals who require the access to perform their duties
6.02 Deny access to computing resources unless the individual has a demonstrated and authorized need to access the resource
6.03 Document usage policies for critical system resources and document all personnel with access
6.04 Access to computing resources should expire after 15 minutes of inactivity
6.05 Modem sessions should expire after a defined period of inactivity
6.06 Vendor access should be activated only when needed, with immediate deactivation when finished
Reference columns for items 6.01-6.06 (column alignment lost in extraction): p94-95; p143; pp7-11; 1; (a)(1)
7.00 Operating System & Network
7.01 Disable all unneeded network services
7.02 Monitor all access to network resources and application data
7.03 Synchronize all system clocks and times
7.04 Configure system security parameters to prevent misuse
7.05 Remove all unnecessary functionality
7.06 Do not use vendor defaults
7.07 Control the addition, deletion, and modification of userids and identification objects such as tokens or credentials

8.00 Application Security
8.01 Separate test, development and production environments
8.02 Test all products and product updates before implementation into production
8.03 Separate test, development and production duties
8.04 Evaluate all application updates; apply appropriate updates on a timely basis
Reference columns for items 8.01-8.04 (column alignment lost in extraction): ch 7; p523; p523
8.05 Develop requirements for all application updates; review all requirements against the implementation
8.06 Ensure that test data does not contain live information
8.07 Ensure that live data files do not contain test information
8.08 Use appropriate change control to ensure that changes made to the application are applied in an orderly manner and that each change is recorded in a source code maintenance system
8.09 Authenticate access to application information
8.10 Ensure all web-facing applications are secure
More informationChapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents
Chapter 84 Information Security Rules for Street Hail Livery Technology System Providers Table of Contents 84-01 Scope of the Chapter... 2 84-02 Definitions Specific to this Chapter... 2 83-03 Information
More informationCredit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600
Credit Cards and Oracle: How to Comply with PCI DSS Stephen Kost Integrigy Corporation Session #600 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle
More informationMANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But
More informationSelf-Service SOX Auditing With S3 Control
Self-Service SOX Auditing With S3 Control The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporate governance norms. As corporations come to terms with
More informationDepartment of Information Technology Remote Access Audit Final Report. January 2010. promoting efficient & effective local government
Department of Information Technology Remote Access Audit Final Report January 2010 promoting efficient & effective local government Background Remote access is a service provided by the county to the Fairfax
More informationGlobal Partner Management Notice
Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with
More informationMEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM
MEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM PCI DSS 1.1 compliance requirements demand a new level of administration and oversight for merchants, banks and service providers to maintain
More informationPCI Data Security Standards
PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million
More informationCOLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL
PAYMENT CARD INDUSTRY COMPLIANCE (PCI) Effective June 1, 2011 Page 1 of 6 (1) Definitions a. Payment Card Industry Data Security Standards (PCI-DSS): A set of standards established by the Payment Card
More informationHow To Achieve Pca Compliance With Redhat Enterprise Linux
Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving
More informationAn Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance
An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security
More informationUsing Data Encryption to Achieve HIPAA Safe Harbor in the Cloud
Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud 1 Contents The Obligation to Protect Patient Data in the Cloud................................................... Complying with the HIPAA
More informationConformance of Avaya Aura Workforce Optimization Quality Monitoring Recording Solution with the PCI Data Security Standard
Conformance of Avaya Aura Workforce Optimization Quality Monitoring Recording Solution with the PCI Data Security Standard August 2014 Table of Contents Introduction... 1 PCI Data Security Standard...
More informationDetailed Analysis Achieving PCI Compliance with SkyView Partners Products for Open Systems
Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for Open Systems The Payment Card Industry has a published set of Data Security Standards to which organization s accepting and
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationFairWarning Mapping to PCI DSS 3.0, Requirement 10
FairWarning Mapping to PCI DSS 3.0, Requirement 10 Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are
More informationAutomate PCI Compliance Monitoring, Investigation & Reporting
Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently
More informationUniversity of Dayton Credit / Debit Card Acceptance Policy September 1, 2009
University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor
More informationPayment Card Industry Data Security Standard
Payment Card Industry Data Security Standard Build and Maintain a Secure Network Requirement 1: Requirement 2: Install and maintain a firewall configuration to protect data Do not use vendor-supplied defaults
More informationTop Three POS System Vulnerabilities Identified to Promote Data Security Awareness
CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA
More informationPCI DSS requirements solution mapping
PCI DSS requirements solution mapping The main reason for developing our PCI GRC (Governance, Risk and Compliance) tool is to provide a central repository and baseline for reporting PCI compliance across
More informationEnforcing PCI Data Security Standard Compliance
Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security & VideoSurveillance Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 The
More informationAn Oracle White Paper January 2010. Using Oracle Enterprise Manager Configuration Management Pack for PCI Compliance
An Oracle White Paper January 2010 Using Oracle Enterprise Manager Configuration Management Pack for PCI Compliance Disclaimer The following is intended to outline our general product direction. It is
More informationVisa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP)
Visa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP) This document is to be used for payment application vendors to validate that the payment application
More informationReducing PCI DSS Scope with the TransArmor First Data TransArmor Solution
First Data First Data Market Market Insight Insight Reducing PCI DSS Scope with the TransArmor First Data TransArmor Solution SM Solution Organizations who handle payment card data are obligated to comply
More informationCompliance and Security Challenges with Remote Administration
Sponsored by Netop Compliance and Security Challenges with Remote Administration A SANS Whitepaper January 2011 Written by Dave Shackleford Compliance Control Points Encryption Access Roles and Privileges
More informationWHITEPAPER Complying with HIPAA LogRhythm and HIPAA Compliance
WHITEPAPER Complying with HIPAA LogRhythm and HIPAA Compliance Complying With HIPAA The Department of Health and Human Services (HHS) enacted the Health Insurance Portability and Accountability Act of
More information6-8065 Payment Card Industry Compliance
0 0 0 Yosemite Community College District Policies and Administrative Procedures No. -0 Policy -0 Payment Card Industry Compliance Yosemite Community College District will comply with the Payment Card
More informationHow To Protect Data From Attack On A Network From A Hacker (Cybersecurity)
PCI Compliance Reporting Solution Brief Automating Regulatory Compliance and IT Best Practices Reporting Automating Compliance Reporting for PCI Data Security Standard version 1.1 The PCI Data Security
More informationHow Managed File Transfer Addresses HIPAA Requirements for ephi
How Managed File Transfer Addresses HIPAA Requirements for ephi 1 A White Paper by Linoma Software INTRODUCTION As the healthcare industry transitions from primarily using paper documents and patient charts
More informationPayment Card Industry (PCI) Compliance. Management Guidelines
Page 1 thehelpdeskllc.com 855-336-7435 Payment Card Industry (PCI) Compliance Management Guidelines About PCI Compliance Payment Card Industry (PCI) compliance is a requirement for all businesses that
More informationRACF & Payment Card Industry (PCI) Data Security Standards RUGONE May 2012
RACF & Payment Card Industry (PCI) Data Security Standards Robert S. Hansel Lead RACF Consultant R.Hansel@rshconsulting.com 617 969 9050 Robert S. Hansel Robert S. Hansel is Lead RACF Specialist and founder
More informationVisa U.S.A. Cardholder Information Security Program (CISP) Security Audit Procedures and Reporting
This guide is designed to assist an independent third-party security firm verify that a select merchant or service provider is in compliance with Visa U.S.A. Cardholder Information Security Program (CISP).
More informationAdobe Systems Software Ireland Ltd
Adobe Systems Software Ireland Ltd Own motion investigation report 13/00007 Timothy Pilgrim, Australian Privacy Commissioner Contents Overview... 2 Background... 3 Relevant provisions of the Privacy Act...
More informationPayment Card Industry (PCI) Data Security Standard. Version 1.1
Payment Card Industry (PCI) Data Security Standard Version 1.1 Release: September, 2006 Build and Maintain a Secure Network Requirement 1: Requirement 2: Install and maintain a firewall configuration to
More informationDATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH
DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH Andy Watson Grant Thornton LLP. All rights reserved. CYBERSECURITY 2 SURVEY OF CHIEF AUDIT EXECUTIVES (CAEs) GRANT THORNTON'S 2014 CAE SURVEY Data privacy and
More informationUsing PowerBroker Identity Services to Comply with the PCI DSS Security Standard
White Paper Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard Abstract This document describes how PowerBroker Identity Services Enterprise and Microsoft Active Directory
More information