MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

Transcription

1 MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

2 COMPLIANCE SCHEDULE REQUIREMENT PERIOD DESCRIPTION REQUIREMENT PERIOD DESCRIPTION As Needed 11.1 Monthly 1.3 Quarterly Semi-Annually 1.3 Quarterly Quarterly Determine the type of access your vendor uses to support your system. Review the type of access and the time period you established for your vendor. This is a reactive task. Track each occurrence when your vendor(s) needs to access your system. Review the reports from your firewall to verify unauthorized access has been halted or obtain documentation from the vendor that your ports are being monitored. Use auditing and monitoring tools to verify that: deny all inbound and outbound traffic that is not allowed all router configuration files are secure and synchronized Review firewall and router rule sets to so that no unauthorized changes have been made outside of the change management system. Verify that perimeter firewalls between all wireless networks are configured correctly Run internal and external vulnerability scans performed by a qualified security specialist As Needed Perform internal and external scans after significant upgrades or changes to network, applications or operating systems. (Can be performed by internal staff) Quarterly Run external vulnerability scans validated by an ASV Annually Perform internal and external penetration testing including network (11.3.1) and application (11.3.2) layer tests. Optional testing to be performed after significant upgrades or changes to network, applications or operating systems Quarterly 12.1 Quarterly 1.3 Semi-annually (Sample all users until completed) 9.6 Annually 12.1 Annually Or as required 12.8 Annually Use a wireless analyzer to make sure you verify the validity of each wireless network that appears on the analyzer. Verify all daily operations are being performed. This is accomplished by sampling days and verifying the tracking mechanism has recorded successful completion of all tasks for the sampled days. Verify that the firewall software on personal computers is installed and active for a sample of users. Rotate the sample so that all user mobile computers are reviewed every six months. Update PCI Cardholder Data Inventory Log to record the type of documents and media you are keeping safe. Make sure you review PCI Policy on an annual basis or when your business environment changes. Record your annual review on sighting Information Security Policy Review. Contract Review PCI Security Policy to document your review of service provider contracts. Make sure your contract states these companies or individuals are responsible for protecting your customers' cardholder data.

3 COMPLIANCE PROGRAM Frequency Monthly Task Review vendor / partner access requirements. Semi-Annual Firewall, router rule and change management audit. Quarterly Quarterly Semi-Annual Annually Annually Annually Validate wireless access points. Verify security processes are being followed (sampling) Sample PC s for correct personal firewall installation. Update inventory of credit card data transmission and storage locations. Review security policies and procedures documentation. Review service provider contracts and policies for credit card handling, confidential and personal data protection.

4 VULNERABILITY MANAGEMENT Scan & Report Quarterly conduct ASV scans. Quarterly scans internal and external vulnerability scans Wireless Web applications Annual penetration tests. Annual inventory CCD review, scan for card holder data. Quarterly management reports. Monthly technical reports. Review & Audit Annual review of security policy. Semi-annual review of router and firewall changes against change management system. Semi-annual review of personal firewall configurations on desktop and mobile computers. Annual service provider contract and policy review. Monthly review of third party access requirements.

5 SECURITY MONITORING DAILY, MONTHLY, QUARTERLY, ANNUALLY OR AS REQUIRED Frequency Daily As Required As Required Quarterly Ongoing Ongoing Monthly As Required Task Review logging information. Revise security baseline for logging and alerting. Report on significant baseline deviations. Respond to alerts and network anomalies. Correlate alerts to global events and trending. Technical and management conference calls. Incident response and alert management processes. Collect and store logging information -3 months online, 1 year archived Identify and resolve noncompliance issues. Track trouble tickets and changes using a formal process.

6 ANNUALLY REVISED GOAL Program Management Self Management LCM Management Gap Assessment Remediation

7 ACHIEVING COMPLIANCE REMAINING Gap Assessment Remediation Initiatives Ongoing Process Project Plan Compliance Schedule Gap Report Policy Process Security Monitoring Vulnerability Management Technology Management

8 THANK YOU Contact: Paul King (416) option 2