IT Assessment Procedures for Maxistar Medical Supplies Company. IT Assessment Procedures for Maxistar Medical Supplies Company

Transcription

1 IT Assessment Procedures for Maxistar Medical Supplies Company IT Assessment Procedures for Maxistar Medical Supplies Company Compliance Assessment Procedures for PCI standards as applicable to the Maxistar Medical Supplies Company s IT operations. This paper was created as part of a case study for CYBS 6355 in the spring 2015 semester at the University of Dallas. James Konderla 3/18/ P a g e

2 Table of Contents Overview and Purpose of This Document... 1 Compliance Assessment Procedures... 2 References... 5

3 IT Assessment Procedures for Maxistar Medical Supplies Company Overview and Purpose of This Document As Maxistar Medical Supplies Company grows and expands operations it becomes increasingly important to keep IT operations secure while also enabling the business to quickly and effectively meet customer needs. During a recent assessment Maxistar identified several changes that needed to be implemented to their IT operations to secure their business, the key change being Payment Card Industry (PCI) compliance. Specifically, Maxistar has decided to seek PCI Data Security Standard (DSS) compliance for their payment card-based systems and, as such, has asked that eight guidelines from the DSS standard be identified as priorities for this. Though there are more than eight requirements, we have identified the following eight standards as immediate priorities for Maxistar Medical Supplies Company s PCI DSS Compliance program: Requirement (Pertaining to Firewalls and Routers) Requirement (Function limits on IT components) Requirement (Card track data storage) Requirement (Physical Network Security for Network Jacks) Requirement (File-Integrity monitoring for Logs) Requirement (Quarterly Vulnerability Scans) Requirement (Security Alert Monitoring and Reporting) Requirement (Training of Personnel) In the following pages we have outlined the assessment objectives for the standards above as well as potential assessment methods and objects for each to enable Maxistar to easily administer these standards as quickly and easily as possible. 1 P a g e

4 Compliance Assessment Procedures The following eight PCI DSS requirements have been identified as priorities for compliance. These requirements are outlined below and shown with their required assessment procedures. Though these specific requirements were identified as priorities for Maxistar Medical Supplies Company they are only a sample of the PCI DSS requirements and should be treated as a guide while pursuing full PCI DSS Compliance. Assessment Procedure ASSESSMENT OBJECTIVE: Pertaining to firewalls and routers: Restrict Inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic Examine: [SELECT FROM: Examine Firewall Configurations To verify that all inbound and outbound traffic necessary for the cardholder agreement is identifiable, that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, that all non-necessary inbound and outbound traffic is specifically denied either by an explicit "deny all" rule or implicit deny after allow statement] ASSESSMENT OBJECTIVE: Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (Where virtualization technologies are used, implement only one primary function per virtual system component.) Examine: [SELECT FROM: Inspect system Configurations of a sample to verify that only one primary function is implemented per virtual system component or device]

5 3.2.1 Test: [SELECT FROM: using a sample of system components, inspect enabled services to determine whether only 1 primary function is enabled on each system component] ASSESSMENT OBJECTIVE: Verify that the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, etc.) is not stored Examine: [SELECT FROM: using a sample of system components, examine data sources (including but not limited to: Incoming transaction data, logs, history files, trace files, database schemas, database contents) and verify that the full contents of any track from the magnetic stripe on the back of a card or equivalent data on a chip are not stored after authorization.] ASSESSMENT OBJECTIVE: Verify the implementation of physical and/or logical controls to restrict access to publicly accessible network jacks. Interview: [SELECT FROM: security personnel, LAN administrators, any other parties responsible for restricting access to publicly accessible areas.] Examine: [SELECT FROM: Observe physical locations where publically accessible network jacks are located; review camera footage to verify jacks have not been accessed in public areas; review network logs to verify jacks in public areas have been unable to access restricted/secured network segments] ASSESSMENT OBJECTIVE: Verify that file-integrity monitoring or changedetection software has been implemented on system logs to ensure that existing log data cannot be changed without generating alerts Examine: [SELECT FROM: system settings, monitored files, results from file monitoring/change-detection activities/applications] ASSESSMENT OBJECTIVE: Verify that quarterly internal vulnerability scans have been performed by qualified personnel. This includes rescans performed until all "high-risk" vulnerabilities are resolved.

6 Examine: [SELECT ALL: review scan reports and verify that four quarterly internal scans occurred in the most recent 12-month periods; Review scan reports and verify that scan process includes rescans until all "high-risk" vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.] ASSESSMENT OBJECTIVE: Verify that security alerts and information are monitored, analyzed and distributed to appropriate personnel Examine: [SELECT FROM: Verify that responsibility for monitoring and analyzing security alerts and distributing information to appriate information security and business unit management personnel is formally assigned.] ASSESSMENT OBJECTIVE: Verify that all personnel are trained in a security awareness program upon hire and at least once annually. Examine: [SELECT FROM: Verify that the program provides multiple methods of communicating awareness and educating personnel; verify that personnel attend security awareness training upon hire and at least once annually] Interview: [SELECT FROM: randomly sample personnel to verify they have completed awareness training and are aware of the importance of cardholder security.]

7 IT Assessment Procedures for Maxistar Medical Supplies Company References Data Security Standard - Requirements and Security Assessment Procedures. (2013, November 1). Retrieved March 19, 2015, from Guide for Assessing the Security Controls in Federal Information Systems and Organizations. (2010, June 1). Retrieved March 19, 2015, from 5 P a g e