PCI Compliance We Can Help Make it Happen

Transcription

1 We Can Help Make it Happen Compliance Matters The Data Security Standard (DSS) was developed by the founding payment brands of the Security Standards Council (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) to help facilitate the broad adoption of consistent data security measures on a global basis. Its primary goal is to provide a standard by which the Payment Card Industry can self-regulate. In addition, a number of initiatives are currently underway from state legislatures and federal regulators to increase the penalties for non-compliant organizations. More so now than ever before compliance matters. P Process R Reporting Compliance Discovery, Security Alerts, Stealth Attacks, Prioritized Threats, Policy Violations, Access Violations, Audit Trails Policy, Procedure, Assessment, Gap Analysis, Remediation, Vulnerability Scans, Perimeter Scans, Consulting Services Service 24/7 Monitoring, Firewall Mgmt & Monitoring, Log File Mgmt & Monitoring, Quarterly Vulnerability Scans, Quarterly Perimeter Scans, Annual Audit, Consulting Technology IDS / IPS, UTM, NBA, AV, AS, CF, Firewalls, Threat Management, Log Management, SIEM T Compliance: Continuous Process Synergistic Approach Passive Technology: No Network Latency No Network Changes Unified: Administration 24/7 Monitoring Reporting S

2 Rethinking Compliance DSS is a multi-faceted security standard that includes specific requirements for security management, policies, procedures, network architecture, software design, training and other critical, protective measures. Coupled with Premium Managed and, Masergy s Unified Enterprise Security (UES) systems take a holistic approach to helping customers achieve and maintain compliance, seamlessly integrating process, technology, service and reporting. Key technology elements center around and complement Masergy s patented adaptive behavioral analysis and correlation engine like a complex credit card fraud detection system on steroids. The technology enables the discovery and tracking of odd behaviors over time the kind of activity that eventually makes newspaper headlines providing you with the opportunity to take preemptive action. Make Life Easier. Partner with Masergy, A Certified Vendor. What does all this mean to your organization? The alleviation of business risk (along with demonstrating the expected due care related to storage, processing, and transmission of critical cardholder data as defined by the DSS) is complex and resourcedependent. At Masergy, we understand that compliance depends on a number of critical factors. From auditing to technology, process, and policy, Masergy understands that each organization has different requirements depending on where they currently stand on the compliance path. That s why we approach the challenge of compliance in a holistic fashion, tailoring our services to your organization s current needs and specific requirements. You can be confident that Masergy, one of the few -certified companies, can provide the partnership required to help you efficiently achieve and maintain compliance Best Products & Services Reader s Trust Award Network Products Guide has named Masergy a winner of the 2009 Best Products and Services - Reader s Trust Award for Unified Security Global Product Excellence - Customer Trust Award Info Security Products Guide has named Masergy a winner of the 2009 Global Product Excellence Customer Trust Award for Integrated Security Product Innovation Award Network Products Guide has named Masergy s Enterprise UTM++ a winner of the 2009 Product Innovation Award for the overall Security Solution (Hardware and Software) category. Masergy also receive the Product Innovation award in 2008 for its All-n-One Security Module for Enterprise UTM Tomorrow s Technology Today Award Info Security Products Guide has named Masergy s Enterprise UTM++ a winner of the 2009 Tomorrow s Technology Today Award for the Integrated Security Solution (Hardware and Software) category. Masergy has also received the Tomorrow s Technology Today award in prior years (2006, 2007 & 2008) for Unified Security, Network Security and Security Risk Management Managed Security Services. SC Magazine 2008 Industry Innovator SC Magazine has recognized Masergy for its industry innovation in the unified threat management category.

3 Enterprise UTM A holistic, non-intrusive, layered approach to compliance A fully integrated, highly scalable, passive network security suite with patented behavioral analysis & correlation shared by all applications Unified Administration, Monitoring, Reporting Protect Monitor Alert Report Trusted Computing Base IDS Users Intrusions Discovery Internet IPS NBA AV NAC AS CF Firewall BLOCKING Servers Firewalls Syslogs Switches Routers Policies Threats Suspicious Traffic Viruses Trojans Vulnerabilities Vendor Alerts Stealth Attacks Access Violations Resource Violations Alerts Compliance Prioritized Threats Policy Violations Access Violations Network Traffic Suspicious Traffic Threats Network Behavioral Analysis & Correlation Server

4 COMPREHENSIVE COMPLIANCE REPORTING Using the most advanced algorithms in the industry, Masergy automatically analyzes your threat status and continually compiles comprehensive sets of reports on suspicious activity. Specific to compliance, we offer the following reporting services: VULNERABILITY SCAN REPORTS Current Risk Report Current Risk Summary Ignored Vulnerabilities Report Vulnerability Escalation Report Vulnerability History Report Report by Vulnerability Detailed description Consequences Detailed remediation steps Risk factor Links to CVEs, patches, etc. VULNERABILITY MANAGEMENT REPORTS Prioritized Vendor Threats Prioritized Network Threats Prioritized Global Threats Prioritized Vulnerabilities Prioritized Threat List (all) Links Threats with: Threat sources, ports, protocols Targeted assets Required remediation steps & patches Rolling 30-day Threat Remediation Report Network Access Policy Violation Report Geographic Origin of Attackers OPEN SERVICES REPORTS Identifies/documents external usage of enterprise services and resources Identifies/documents internal usage of external services and resources Web Usage Encrypted Web Usage SMTP Mail Usage Encrypted SMTP Mail Usage (SSL) POP3 Mail Usage Encrypted POP (SSL) Usage IMAP Mail Usage Encrypted IMAP Mail Usage FTP Usage Telnet Usage SSH Usage LDAP Usage Socks Usage News Usage Encrypted News Usage (SSL) Windows Share Usage (netbios-ssn) Napster Usage IM Usage Proprietary (other)

5 Masergy s 12 Steps to Compliance. A. Build and Maintain a Secure Network 1. We can guide your organization in establishing, optimizing, and maintaining industry best practice firewall configuration standards, as well as install and maintain a firewall configuration to protect cardholder data. This optimizes the protection of all systems from unauthorized Internet access. We ll also share/develop with you industry best practice configuration standards for the rest of your major system components. 2. Monthly configuration scans are performed to ensure your organization is not using vendor-supplied defaults for system passwords or other security parameters. Not only are defaults well known in hacker communities, but they can easily be found in public information making your organization an easy target. B. Protect Cardholder Data 3. Monthly testing and assessments of your cardholder data processing, storage and encryption methodology are performed to ensure the cardholder data is properly protected. 4. Testing and assessment will ensure your organization is using the required strong cryptography and security protocols to protect sensitive information during transmission across open public networks. C. Maintain a Vulnerability Management Program 5. Periodic audits are conducted to assist with the necessary oversight to make sure your organization s anti-virus software or programs are updated. 6. Our Enterprise UTM compliance offering includes an integrated threat management solution to help your organization ensure its network and device vulnerabilities are discovered, prioritized and resolved in an effective manner. D. Implement Strong Access Control Measures 7. Our professional services organization can guide your organization related to security process, policy, and technology to ensure access to cardholder data is appropriate based upon business need-to-know. This ensures critical data is untouchable by unauthorized personnel. 8. Our periodic audits and testing make sure a unique ID is assigned to each person with computer access. 9. We also help you confirm that the necessary restrictions are in place regarding physical access to cardholder data, in order to protect hard copies of cardholder information as well as the cardholder information systems themselves.

6 E. Regularly Monitor and Test Networks 10. The Enterprise UTM component of our compliance offering tracks and monitors all access to network resources and cardholder data so that the cause of any policy violation can be determined through system alerts and activity logs. 11. As a Approved Scanning Vendor, we will provide the required periodic vulnerability scans and penetration testing of your systems, processes and custom software to ensure security is maintained over time and throughout software changes. F. Maintain an Information Security Policy 12. Based on your specific requirements, the Masergy professional services team can work with your organization to establish and maintain policies that address information security, as well as processes that confirm all employees, contractors, and vendor partners are aware of the sensitivity of your data and their responsibility for protecting it. compliance is a significant undertaking for most organizations. The criticality for organizations that process, store, or transmit cardholder data to achieve and maintain compliance continues to increase. Masergy s Premium Managed Services and Enterprise UTM Technology have the necessary flexibility to meet the specific compliance needs of your organization. compliance We can help make it happen.

7 Build and Maintain a Secure Network 1: Install and maintain a firewall configuration to protect cardholder data. Firewalls are computer devices that control computer traffic allowed into and out of a company s network, as well as traffic into more sensitive areas within a company s internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized Internet access, whether entering the system as e-commerce, employees Internet-based access through desktop browsers, or employees access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network. Firewall Management & Monitoring Service As part of the service, Masergy has developed a formal process for approving and testing all external network connections and changes to the firewall configuration Formal Change Approval Process All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb The All-n-One Security Module (ASM) has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will develop a formal process for approving and testing all external network connections and changes to the firewall configuration. Working with your organization, the Masergy professional services team will develop a formal process for approving and testing all external network connections and changes to the firewall configuration Current Network Diagram Working as an extension of your organization, Masergy will develop a current network diagram with all connections to cardholder data, including any wireless networks Firewall s Firewall Management & Monitoring Service As part of the service, Masergy will develop formal requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.

8 Build and Maintain a Secure Network 1 Install and maintain a firewall configuration to protect cardholder data. Firewalls are computer devices that control computer traffic allowed into and out of a company s network, as well as traffic into more sensitive areas within a company s internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized Internet access, whether entering the system as e-commerce, employees Internet-based access through desktop browsers, or employees access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network. Firewall Management & Monitoring Service As part of the service, Masergy has developed a formal process for approving and testing all external network connections and changes to the firewall configuration Formal Change Approval Process All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb The All-n-One Security Module (ASM) has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will develop a formal process for approving and testing all external network connections and changes to the firewall configuration. Working with your organization, the Masergy professional services team will develop a formal process for approving and testing all external network connections and changes to the firewall configuration Current Network Diagram Working as an extension of your organization, Masergy will develop a current network diagram with all connections to cardholder data, including any wireless networks Firewall s Firewall Management & Monitoring Service As part of the service, Masergy will develop formal requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.

9 1.1.3 Firewall s Continued Groups, Roles, Responsibilities All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb The All-n-One Security Module (ASM) has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will develop formal requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone. Based upon your IT infrastructure/business requirements, the Masergy professional services team will define formal requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network. Working with your team, Masergy will develop a current description of groups, roles, and responsibilities for logical management of network components Services, Ports Necessary for Business Behavioral Intrusion Detection /Prevention Security Monitoring Service Requires A-5000-G Behavioral Correlation Module (BCM) All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb Requires A-2500-G Behavioral Correlation Module Software Systems configured with the Behavioral Correlation Module (BCM) automatically detect and document services and ports necessary for business. Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented. Thus, you are assured that this information is always up-to-date and readily available upon request. A specific report can be requested at any time by simply contacting the SCC (Security Control Center). Systems configured with the Behavioral Correlation Module (BCM) automatically detect and document services and ports necessary for business. Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented. Thus, you are assured that this information is always up-to-date and readily available upon request. A specific report can be requested at any time by simply contacting the SCC. Based on your required business applications, the Masergy professional services team will document a list of services and ports necessary for business.

10 Behavioral Intrusion Detection /Prevention Security Monitoring Service Requires A-5000-G Behavioral Correlation Module (BCM) Systems configured with the Behavioral Correlation Module (BCM) will automatically detect and document services and ports necessary for business, even those besides hypertext transfer protocol (HTTP), secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN). This information is always up-to-date and readily available upon request. A specific report is available at any time by simply contacting the SCC Justification for Non-Standard Protocols All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb Requires A-2500-G Behavioral Correlation Module Software Systems configured with the Behavioral Correlation Module (BCM) will automatically detect and document services and ports necessary for business, even those besides hypertext transfer protocol (HTTP), secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN).This information is always up-to-date and readily available upon request. A specific report is available at any time by simply contacting the SCC. Masergy will work with your organization to identify non-standard protocols in use. We will be responsible for developing a formal justification for required nonstandard protocols Justification for Risky Protocols (e.g., FTP) Behavioral Intrusion Detection /Prevention Security Monitoring Service Requires A-5000-G Behavioral Correlation Module (BCM) Systems configured with the Behavioral Correlation Module (BCM) will automatically detect and document services and ports necessary for business, including any risky protocols allowed such as file transfer protocol (FTP). There are also several reports that catalog the use of FTP and other risky protocols. Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented. Thus, you are assured that this information is always up-to-date and readily available upon request. A specific report can be requested at any time by simply contacting the SCC.

11 1.1.7 Justification for Risky Protocols (e.g., FTP) Continued All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb Requires A-2500-G Behavioral Correlation Module Software Systems configured with the Behavioral Correlation Module (BCM) will automatically detect and document services and ports necessary for business, including any risky protocols allowed such as file transfer protocol (FTP). There are also several reports that catalog the use of FTP and other risky protocols. Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented. Thus, you are assured that this information is always up-to-date and readily available upon request. A specific report can be requested at any time by simply contacting the SCC. Masergy will work with your organization to identify risky protocols in use. We will be responsible for developing a formal justification for required risky protocols. Firewall Management & Monitoring Service As part of the service, Masergy will perform a quarterly review of firewall and router rule sets for any device under service, and issue a complete report Quarterly Review of FW & Router Rules All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb The All-n-One Security Module (ASM) has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will perform a quarterly review of firewall and router rule sets for any device under service, and issue a complete report. The Masergy professional services team will perform a quarterly review of the firewall and router rule sets Router Configuration Standards Firewall Management & Monitoring Service As part of the service, Masergy offers industry best practice configuration standards for routers. The Masergy professional services team will provide a complete report of industry best practice configuration standards for routers.

12 Firewall Management & Monitoring Service As part of the service, Masergy builds a firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment. All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb The All-n-One Security Module (ASM) has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy builds a firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment. 1.2 FW Rules to Deny Untrusted Networks & Hosts Network Access Monitoring via Network Security Zones Enterprise UTM++ Configurations, Requires Z-1000-G Software ASM Configurations, Requires Z-2500-G Software Network Security Zones (NSZ) is the first network access monitoring (NAM) solution based solely on behavioral network analysis and correlation. Each Network Security Zone is a user-defined network access policy comprised of specific network resource objects: users, systems, applications, date/time, etc. with secure boundaries for specific systems, applications and users. Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected. NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response. NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert. Network Security Zone (NSZ) is a separate purchase or subscription option to behavioral intrusion detection/prevention service. The Masergy professional services team offers a recommended firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment.

13 Firewall Management & Monitoring Service As part of the service, Masergy will build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration will include requirements FW Rules to Restrict Connections All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb The All-n-One Security Module (ASM) has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration will include requirements The Masergy professional services team will build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration will include requirements Firewall Management & Monitoring Service As part of the service, Masergy restricts inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters) Ingress Filters All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb The All-n-One Security Module (ASM) has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will restrict inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters). Based upon your business environment, the Masergy professional services team will deliver a recommended configuration design, restricting inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters) Inhibit Internal Address from Reaching Internet via DMZ Firewall Management & Monitoring Service As part of the service, Masergy will not allow internal addresses to pass from the Internet into the DMZ.

14 1.3.2 Inhibit Internal Address from Reaching Internet via DMZ Continued All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb The All-n-One Security Module (ASM) has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will not allow internal addresses to pass from the Internet into the DMZ. Working with your particular infrastructure, the Masergy professional services team will recommend a design and not allow internal addresses to pass from the Internet into the DMZ. Firewall Management & Monitoring Service As part of the service, Masergy will implement stateful inspection, also known as dynamic packet filtering (that is, only established connections are allowed into the network) Implement Stateful Inspection All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb The All-n-One Security Module (ASM) has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will implement stateful inspection, also known as dynamic packet filtering (that is, only established connections are allowed into the network). The Masergy professional services team will offer a design and periodically verify that stateful inspection, also known as dynamic packet filtering (that is, only established connections are allowed into the network), is properly implemented Segregate DMZ and Database(s) Firewall Management & Monitoring Service All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb As part of the service, Masergy will ensure the firewall configuration logically places any database(s) in an internal network zone, segregated from the DMZ. The All-n-One Security Module (ASM) has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will ensure the firewall configuration logically places any database(s) in an internal network zone, segregated from the DMZ.

15 1.3.4 Segregate DMZ and Database(s) Continued Network Security Zones For UTM++ Configurations, Requires Z-1000-G Network Security Zones Feature For ASM Configurations, Requires Z-2500-G Network Security Zones Feature No Additional HW or SW Agents are Required. As part of the NSZ capability and service, secure computing policies are established to logically place database(s) in an internal network zone, segregated from the DMZ. Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected. NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response. NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert. Network Security Zone (NSZ) is a separate purchase or subscription option to behavioral intrusion detection/prevention service. As part of the service, Masergy will recommend a design and periodically verify that the database is in an internal network zone, segregated from the DMZ Restrict I/O Traffic Firewall Management & Monitoring Service All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb As part of the service, Masergy will logically configure network access to restrict inbound and outbound traffic to that which is necessary for the cardholder data environment. The All-n-One Security Module (ASM) has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will logically configure network access to restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.

16 1.3.5 Restrict I/O Traffic Continued Network Security Zones For UTM++ Configurations, Requires Z-1000-G Network Security Zones Feature For ASM Configurations, Requires Z-2500-G Network Security Zones Feature No Additional HW or SW Agents are Required. As part of the NSZ capability and service, secure computing policies can logically restrict inbound and outbound traffic to that which is necessary for the cardholder data environment. Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected. NSZ policy violations are reported as alerts to the monitoring console where trained security analysts perform incident response. NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert. Network Security Zone (NSZ) is a separate purchase or subscription option to behavioral intrusion detection/prevention service. As part of the service, Masergy will offer a design and periodically confirm that network access to restrict inbound and outbound traffic to that which is necessary for the cardholder data environment is properly implemented Secure & Synch Router Configuration Files Firewall Management & Monitoring Service As part of the NSZ capability and service, secure computing policies can logically restrict inbound and outbound traffic to that which is necessary for the cardholder data environment. Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected. NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response. As part of the service, Masergy will periodically confirm the security and synchronization router of configuration files. For example, running configuration files (for normal functioning of the routers) and start-up configuration files (when machines are re-booted), and ensuring all have the same secure configuration.

17 Firewall Management & Monitoring Service As part of the service, Masergy will configure network access to deny all other inbound and outbound traffic not specifically allowed Deny all Other Nonessential I/O Traffic Network Security Zones Requires Z-1000-G Network Security Zones Feature to Block/Deny NSZ Policy Violations No Additional HW or SW Agents are Required. As part of the NSZ capability and service, secure computing policies can be established to deny all other inbound and outbound traffic not specifically allowed. Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected. NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response. NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert. Network Security Zone (NSZ) is a separate purchase or subscription option to behavioral intrusion detection/prevention service. As part of the service, Masergy will offer a design and periodically confirm that network access to deny all other inbound and outbound traffic not specifically allowed is properly implemented Install Perimeter FW Between Wireless Networks and Data Firewall Management & Monitoring Service As part of the service, Masergy will install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or from controlling any traffic (if such traffic is necessary for business purposes). As part of the service, Masergy will install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or from controlling any traffic (if such traffic is necessary for business purposes).

18 1.3.9 Install PC FW on any Mobile and Employee- Owned Computers with Direct Internet Connections Firewall Management & Monitoring Service As part of the service, Masergy will monitor personal firewall software on any mobile and employeeowned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization s network. Requires software syslog agent be installed on each monitored laptop that will transmit to FSM, or syslog output from PC FW management/ administration console. As part of the service, Masergy will periodically confirm the appropriate installation of personal firewall software on any mobile and employeeowned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization s network. Customer must supply the personal firewall software. Firewall Management & Monitoring Service As part of the service, Masergy will logically configure network access to prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files). 1.4 Prohibit Direct Public Access to any Data Network Security Zones Requires Z-1000-G Network Security Zones Feature No Additional HW or SW Agents are Required. to Enable Blocking at Firewalls and/or Switches and Routers. As part of the NSZ capability and service, secure computing policies will prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files). Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected. NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response. NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert. Network Security Zone (NSZ) is a separate purchase or subscription option to behavioral intrusion detection/prevention service.

19 1.4 Prohibit Direct Public Access to any Data Continued As part of the service, Masergy will recommend a design to logically configure network access to prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files). Firewall Management & Monitoring Service As part of the service, Masergy will implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic Prohibit Direct Routes in the DMZ All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb The All-n-One Security Module (ASM) has a built-in firewall service. For ASM devices under Contractual Managed Services, the built-in firewall service will be configured to filter and screen all traffic and prohibit direct routes for inbound and outbound Internet traffic. As part of the service, Masergy will offer a detailed design to implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic. Firewall Management & Monitoring Service As part of the service, Masergy will restrict outbound traffic from payment card applications to IP addresses within the DMZ Restrict Outbound Traffic from Applications in the DMZ All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb The All-n-One Security Module (ASM) has a built-in firewall service. For ASM devices under Contractual Managed Services, the built-in firewall service will be configured to filter and screen all traffic and prohibit direct routes for inbound and outbound Internet traffic. As part of the service, Masergy will offer a detailed design to implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic.

20 Firewall Management & Monitoring Service As part of the service, Masergy will implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, and use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT). 1.5 Implement IP Masquerading All-n-One Security Module (ASM) N-2500-S 10/100/1000Mb N-2501-S 10Mb N-2510-S 100Mb N-2520-S 1000Mb The All-n-One Security Module (ASM) has a built-in firewall service. For ASM devices under Contractual Managed Services, the built-in firewall service will be configured to implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, and use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT). As part of the service, Masergy will offer a design and periodically confirm that IP masquerading to prevent internal addresses from being translated and revealed on the Internet is properly implemented, and use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT).