BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Transcription

1 BAE Systems PCI Essentail PCI Requirements Coverage Summary Table

2 Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance while also improving your ability to respond to security threats. This summary table describes how BAE Systems PCI Essential security solution meets specific PCI compliance requirements and minimizes the risk and liability from network attacks. PCI Essential solution can help your company significantly reduce costs and complexity 2

3 Solution Overview: People, Process, and Technology Systems The PCI Essential solution meets the technological requirements of the PCI DSS by bundling the following managed services: Firewall Intrusion Detection and Prevention System SSL and IPSec VPN Multi-Factor Authentication Internal Vulnerability Scanning External Vulnerability Scanning Web Application Firewall File Integrity Monitoring Security Event Log Management (SELM) and Monitoring Process The PCI Essential solution combines the following policies, procedures, and facilities to meet the process requirements of the PCI DSS: Change control management for services provided Daily event review of all security event log files 6 month firewall and Web app firewall rule configuration reviews Alert escalation procedures for services provided Incidence response procedures 24x7 QSA Approved and SSAE 16 Type II audited Security Operations Centers (SOCs) Personnel The PCI Essential solution is fully managed and monitored by BAE Systems security analysts on a 24x7 basis. These security experts are located in our redundant Security Operations Centers. Our analysts are dedicated security experts whose only responsibility is to monitor and manage network security for our customers. They are: Customer service focused, responding rapidly to security events and customer inquiries. All PCI Essential customers have a direct to contact the SOC 24/7 365 and a live engineer will answer the phone within 3 rings. A highly trained team that understands security and the intricacies of the requirements associated with meeting PCI Compliance PCI experts, capable of helping you embed PCI Essential as part of your PCI compliance program. Real-time transparency into these services, processes, and policies is available to authorized customer personnel and auditors through our secure customer portal. QSA Approved The BAE Systems PCI Essential service has achieved a PCI Report on Compliance. All security controls implemented with PCI Essential, including all systems, processes, and personnel, have been scrutinized, tested, and approved for conformance with PCI requirements 1 through 12 by a Qualified Security Assessor (QSA). As a result, a customer s cardholder data environment will inherit these controls when their systems are protected by PCI Essential. Clear evidence that the security controls are effective 24x7 is available through our customer portal, making the customer s PCI audit or self assessment much more efficient and cost effective. You can rest assured that our service will support your PCI DSS compliance program.

4 Solution Overview: People, Process, and Technology The PCI requirements that BAE Systems PCI Essential addresses is summarized below. The table also presents the responsibilities of the customer. PCI Requirement BAE Systems PCI Essential Coverage Customer Responsibility Requirement 1 Install and maintain a firewall configuration to protect cardholder data Firewall Service: Provides implementation of ingress/egress stateful firewall, NAT, and DMZ to prevent access from public, untrusted, and wireless networks. Documentation Process: Works with the customer to maintain a detailed diagram of the network architecture showing all connections, wireless devices, ingress, and egress points within the cardholder environment (CDE). Also, maintains a list of all connections to the CDE that is reviewed bi-annually for differences from the results of the vulnerability scan. Configuration Change Control Process: Handles change control, and testing of firewall configuration modifications as well as documentation of business justification for all allowed traffic. The system maintains administrator roles and responsibilities for network components. Includes a biannual review of firewall rules and network documentation. Requirement 1.1 BAE Systems follows established firewall and router configuration standards to provide services in a PCI compliant fashion. Customer is responsible to establish and follow their own processes. Requirement Customer must accept deployment guidance for BAE Systems to provide proper segregation. Requirement 1.4 Customer must install and maintain personal firewall software for all mobile devices connecting to the CDE. Note: PCI Essential will check that the firewall software is installed and enabled. Requirement 2 Do not use vendor supplied defaults for system passwords and other security parameters Internal Vulnerability Scanning Service: Checks for the use of default vendor passwords, community strings, and unnecessary user accounts. Checks that each server has only one primary function and unnecessary services are disabled. Ensures all non-console access uses secure, patched, and encrypted protocols. VPN Service: All non-console administrator access is encrypted using an SSL tunnel. For devices that BAE Systems manages, the tunnel is established with the BAE Systems SOC ensuring that all management activities are encrypted. For other devices within the CDE, the VPN service is used to connect and encrypt all management traffic to and from the CDE. Requirement 2 Customer is responsible for devices not managed by BAE Systems. Requirement 2.3 BAE Systems will secure access to the cardholder data environment through VPN with multi-factor authentication. All other internal access paths must be secured by the customer. 4

5 PCI Requirement BAE Systems PCI Essential Coverage Customer Responsibility Requirement 3 Protect stored cardholder data Requirement 4 Encrypt transmission of cardholder data across open, public networks PCI Network Analysis Consultation: Although a customer responsibility, BAE Systems will work with the customer to segment the network to reduce complexity of the CDE and determine who has access and to what. VPN Service: Provides strong encryption via IPSEC or SSL VPN connections across open or public networks. Site-to-site or personal VPN connections can be established depending on the customer s network architecture. Firewall Service and Change Control Process: Ensures that messaging protocols are not transmitted in and out of the CDE. Web Application Firewall and Intrusion Detection and Prevention Service: IDPS and WAF identify unencrypted PANS sent out. Escalation Process: If a detected credit card leak indicates a possible security breach, the escalation procedures are initiated. Ensure that credit card storage and point of sales systems encrypt data and manage encryption keys in a compliant manner. Information transmitted over other protocols or paths is the full responsibility of the customer. If a communication mechanism that is not natively encrypted is in use, ensure the payload of the transmission is encrypted. Requirement 5 Use and regularly update anti-virus software or programs Internal Vulnerability Scanning Service: Checks that antivirus software is installed, DAT files are up-to-date, and a full system scan has been completed recently. File Integrity Monitoring Service: For systems that do not support normal antivirus technologies, the File Integrity Monitoring service and agent can supplement this requirement. Security Event Log Management (SELM) and Monitoring Service: Monitors the antivirus software logs to detect and alert on any antivirus system operational failures or viruses found. Deploy, manage and monitor antivirus software on all systems within the CDE for which normal antivirus technologies apply. Requirement 6 Develop and maintain secure systems and applications Internal and External Vulnerability Scanning Service: Provides scanning for up-to-date vendor-supplied security patches, and Web application vulnerability scanning. Scan can be performed before and after a Web application is deployed. Web Application Firewall Service: Provides ongoing protection against Web application threats for public-facing applications. The rules for protection include coverage of all vulnerabilities listed at through At the time of this publication all protections were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices will be used for these requirements BAE Systems can assist in identifying vulnerabilities and follows documented internal processes to identify and assign risk to those vulnerabilities. Customer must patch vulnerabilities, use best secure software development practices, and follow all change control requirements.

6 PCI Requirement BAE Systems PCI Essential Coverage Customer Responsibility Requirement 7 Restrict access to cardholder data by business need to know Requirement 8 Assign a unique ID to each person with computer access Requirement 9 Restrict physical access to cardholder data VPN and Firewall Service: These services are used in conjunction to authenticate access into the CDE and limit the resources for which each user has access. BAE Systems SOC Change Request Process: The change request process is a structured procedure to ensure that only authorized administrators can grant, change, or terminate user access to the CDE and users are limited to least privilege access according to job function. VPN Service: Provides multi-factor authentication using tokens, certificates, and user name and password mechanisms for all remote to PCI environment. VPN and Firewall Service: These services are used in conjunction to authenticate access into the CDE and limit the resources for which each user has access. For remote access the VPN service is used in conjunction with the Multi-Factor Authentication Service using secure tokens, username/password, and SSL certificates for unique identification. BAE Systems SOC Change Request Process: The change request process is a structured procedure to ensure that only authorized administrators can grant, change, or terminate user access to the CDE and users are limited to least privilege access according to job function. BAE Systems Managed VPN service is provided to the customer, which allows them to limit access to the CDE environment via two-factor authentication. Access restrictions within the environment are the responsibility of the customer or data center provider. BAE Systems provides access controls on a per user basis for all remote users via VPN with multi-factor authentication. Customer must provide all access controls for internal access to the CDE. Full responsibility of the customer. 6

7 PCI Requirement BAE Systems PCI Essential Coverage Customer Responsibility Requirement 10 Track and monitor all access to network resources and cardholder data Requirement 11 Regularly test security systems and processes Security Event Log Management (SELM) and Monitoring Service: Provides daily event reviews for all BAE Systems and 3rd party security logs. Also provides log retention to track user access and actions within individual systems components and retains the required audit trail entries. Provides internal centralized log storage, secured audit trails, and forensic information. Retains audit trail history for a minimum of 1 year, with 3 months available for analysis. File Integrity Monitoring Service: Provides file integrity checks on critical audit trail log files. Internal and External Vulnerability Scanning Services: Provides internal and external network vulnerability scans at least bi-annually and when there are significant changes to the network (customer responsible for informing on all significant changes to the network). IDPS Service: Provides monitoring of traffic and 24x7 response to attacks. File Integrity Monitoring Service: Provides file integrity checks for all critical systems at least weekly for critical system files, registries, configuration files, and content files. Ensure log events are generated to meet all section 10 requirements and provide BAE Systems all paths to be monitored. BAE Systems will store, correlate and report on log events from the CDE. Perform tests for rogue wireless devices on your network. Remediate vulnerabilities found in the CDE by BAE Systems vulnerability scans. Assist in identifying exceptions to standard configuration files, as well as configuration files for custom applications for any changes that may be identified by BAE Systems file integrity service. Perform an annual penetration test, both network and application layers. Requirement 12 Maintain a policy that addresses information security 24x7 Incidence Response SOC: Our SOC provides an incidence response plan and action for any issue detected from security tools we are monitoring. BAE Systems maintains, trains, and enforces its own security processes. Customer is responsible for maintaining, training and enforcing it s own security processes. We know how difficult it is to fully address these security demands in today s fast-paced business environment. The table above describes the services provided through the PCI Essential bundle. In addition to these services, we provide cyber advisory, technical and incident response services to help you achieve your goals, all with a risk and business focused approach.

8 We are BAE Systems At BAE Systems, we provide some of the world s most advanced technology defence, aerospace and security solutions. We employ a skilled workforce of 82,500 people in over 40 countries. Working with customers and local partners, our products and services deliver military capability, protect people and national security, and keep critical information and infrastructure secure. BAE Systems 265 Franklin Street Boston MA USA T: +1 (617) BAE Systems 154 University Avenue, 2nd Floor Toronto, ON M5H 3Y9 Canada T: +1 (647) Victim of a cyber attack? Contact our emergency response team on: BAE Systems, 265 Franklin Street, Boston, MA 02110, USA E: learn@baesystems.com W: baesystems.com/businessdefense linkedin.com/company/baesystemsai twitter.com/baesystems_ai US: 1 (800) UK: Australia: International: E: cyberresponse@baesystems.com Certified Service Cyber Incident Response Copyright BAE Systems plc All rights reserved. BAE SYSTEMS, the BAE SYSTEMS Logo and the product names referenced herein are trademarks of BAE Systems plc. BAE Systems Applied Intelligence Limited registered in England & Wales (No ) with its registered office at Surrey Research Park, Guildford, England, GU2 7RQ. No part of this document may be copied, reproduced, adapted or redistributed in any form or by any means without the express prior written consent of BAE Systems Applied Intelligence.