Category / Question Name / Question Text / Answer options

C1

C 1.1    Do all users and administrators have a unique ID and password?
C 1.1.1  Passwords are required to have ( # of ) characters:
         Answer: 5 or less / 6-7 / 8-9 / 10 or more
C 1.1.2  Password complexity forces (Choose all that apply):
         Answer: Alpha / Numeric / Special Characters / UpperCase / LowerCase
C 1.1.3  Passwords can not be reused until after ( # of unique passwords ):
         Answer: None / 1-4 / 5 or more
C 1.1.4  Passwords must be changed every ( # of days ):
         Answer: Not Required / 30 / 60 / 90 / Greater Than 90
C 1.1.5  Systems must not allow users to change their password more than once within a 24-hour period:
C 1.1.6  Invalid login locks the user after ( # of attempts ):
         Answer: Never / 1-3 attempts / 4-5 attempts / 6 or more attempts
C 1.1.7  Set the minimum account lockout duration to:
         Answer: 30 minutes or less / 31-59 minutes / 60 minutes or more / Must be reset by administrator
C 1.1.8  Policy states that users must not write, store or transmit passwords in plain text:
C 1.1.9  Passwords on network devices must be encrypted:
C 1.2    Do any system users have access to company data?
C 1.2.1  Is there a formal procedure to control the creation and deletion of user IDs?
C 1.2.2  Are accounts used by vendors for remote access and maintenance only enabled during the time needed and monitored while in use?
C 1.2.3  Is there a formal process to authorize the creation of group, shared, or generic accounts/passwords?

C2: Encryption

C 2.1    Are strong cryptography and encryption techniques (at least 128 bit) such as Secure Sockets Layer (SSL), Point-to-Point Tunneling Protocol (PPTP), Internet Protocol (IPSEC) used to safeguard sensitive Company Information during transmission over public networks?
C 2.1.1  Will company data be rendered unreadable if the use of encryption is mandated by law or regulation?
C 2.1.2  Is company data rendered unreadable if company determines that encryption is necessary to secure it?
C 2.1.3  Is an internal PKI used to protect company data at rest?
C 2.1.4  Is there a requirement for key custodians to sign a form or acknowledge electronically specifying that they understand and accept their key-custodian responsibilities?
C 2.1.5  For wireless networks transmitting company data, what encryption method is used for transmissions?
         Answer (Wireless): WEP / WPA / WPA2 / Other / None

Host

C 3.1    What Intrusion Detection Systems (IDS), Host-based Intrusion Detection Systems (HIDS), and/or Intrusion Prevention Systems (IPS) are used to monitor all network traffic associated with access, processing, storage, communication and/or transmission of Company Data?
         Answer: HIDS / NIDS / IPS / N/A
C 3.1.1  If above, does the installed IDS, HIDS or IPS protect all servers that contain company information?
C 3.1.2  What does the IDS, HIDS, or IPS monitor? (Check all that apply):
         Answer: DMZ / Internal Network / Other
C 3.2    Is there a formal documented process, including management approval, for approving and testing all external network connections and changes to the firewall configuration?
C 3.2.1  Can a network diagram showing firewall, IDS, HIDS and/or IPS placement be provided upon request?
C 3.2.2  Are there requirements for a firewall at each Internet connection and between any DMZ and the Intranet?
C 3.2.3  Do firewall configuration standards contain a description of groups, roles, and responsibilities for logical management of network components?
C 3.2.4  Do firewall configuration standards include justification and documentation of any available protocols besides HTTP and SSL, SSH, and VPN?
C 3.2.5  Do firewall configuration standards include justification and documentation for any protocols allowed, such as FTP, etc., that require credentials to be transmitted in clear text?
C 3.2.6  Is a DMZ implemented to filter and screen all traffic, prohibiting direct routes for inbound and outbound traffic?
C 3.2.6.1 Does, or will, the server that contains company data reside in the DMZ?
C 3.2.7  Is outbound traffic restricted from Supplier systems hosting company data to IP addresses within the DMZ?
C 3.2.8  Is Internet Protocol (IP) masquerading, such as Port Address Translation (PAT) or Network Address Translation (NAT), implemented to prevent internal addresses from being translated and revealed on the Internet?
C 3.3    Do all System Components and software have the latest vendor-supplied security patches?
C 3.3.1  Are all critical applicable security patches installed within one month of release?
C 3.3.2  Is there a documented process to identify newly discovered security vulnerabilities (e.g., subscribe to alert services freely available on the Internet)?
C 3.3.3  Are standards documented and updated to address new vulnerability issues?
C 3.4    Is antivirus software installed, enabled and maintained on all servers?
C 3.4.1  Is antivirus software installed, enabled and maintained on all workstations?
C 3.4.2  Is antivirus software installed, enabled and maintained on all email gateways?
C 3.4.3  Are all anti-virus mechanisms capable of generating audit logs?
C 3.5    Are vendor-supplied defaults always changed before installing a system on the network (e.g., passwords, SNMP community strings, and elimination of unnecessary accounts)?
C 3.6    For wireless environments, which of the following default settings are changed? (Check all that apply)
         Answer: None / SSID Changed / Broadcast of SSID disabled / SNMP Community String Changed
C 3.7    Are hardening standards documented and implemented for all systems and components? These standards should address all known security vulnerabilities and industry best practices.
C 3.7.1  Is only one primary function implemented per server (e.g., web servers, database servers, and DNS should be implemented on separate servers)?
C 3.7.2  Are all unnecessary and insecure services and protocols disabled, and any potentially dangerous ones justified and documented as to appropriate use of the service (e.g., FTP is not used, or is encrypted via SSH or other technology)?
C 3.7.3  Is all unnecessary functionality removed, such as scripts, drivers, features, subsystems, file systems (e.g., unnecessary web servers)?

C4: Physical

C 4.1    Which of the following facility entry controls are used to control and monitor physical access to the building perimeter? (check all that apply)
         Answer: Key / Badge / Biometric / Keypad / Guard
C 4.1.1  Which of the following facility entry controls are used to control and monitor physical access to the data center perimeter? (check all that apply)
         Answer: Key / Badge / Biometric / Keypad / Guard
C 4.1.2  Which of the following facility entry controls are used to control and monitor physical access to all media, electronic and paper, containing company Information in an area and/or containers? (check all that apply)
         Answer: Key / Badge / Biometric / Keypad / Guard
C 4.2    Is physical access to wireless access points and gateways restricted?
C 4.2.1  Are documented procedures developed to help all personnel distinguish between employees and visitors, especially in areas where company Information is accessible?
C 4.2.2  Are cameras used to monitor sensitive areas?
C 4.2.2.1 How long are recordings maintained?
         Answer: N/A / Less than 60 days / 60-90 days / Over 90 days

C5: Data Recovery

C 5.1    Has a Disaster Recovery / Business Resumption plan been documented and tested?
C 5.2    Are media back-ups containing Company data stored in a secure offsite facility, either an alternate third-party or a commercial data storage facility?
C 5.2.1  When media that contains Company data either leaves or returns from an off-site vendor, is it signed for by an authorized individual?
C 5.2.2  Is the media sent via secured courier or a delivery mechanism that can be accurately tracked?

C6: Information Disposal and Hardware Sanitization

C 6.1    Is there a documented procedure in place to remove company data or information when it is:
         - Contained in hardware at the end of its functional life
         - Sent out for repair
         - As referenced in the agreement
         - Upon request

C7: Change Control

C 7.1    Is a documented SDLC in place, based upon industry best practices (such as OWASP), that includes information security?
C 7.1.1  Are there separate development/test and production environments with access control in place to enforce the separation?
C 7.1.2  Is there a separation of duties between those personnel assigned to the development/test environments and those assigned to the production environment?
C 7.1.3  Is company data used for testing or development, i.e. anywhere outside of a production environment?

AS 8

AS 8.1   Are application(s) that store or transmit company data externally available through the Internet?
AS 8.2   Do application(s) use strong Industry Standard cryptography and encryption techniques (force at least 128 bit) to safeguard company data in transit in the internal network?
AS 8.2.1 Do application(s) use strong Industry Standard cryptography and encryption techniques (force at least 128 bit) to safeguard company data (SSN, Credit Card Number, Drivers License Number) at rest?
AS 8.3   Are proprietary (non-industry standard) encryption algorithms used?
AS 8.3.1 If proprietary encryption algorithms are used, have their strength and integrity been certified by an authorized evaluation agency?
AS 8.4   Are Applications Developed Internally?
AS 8.5   Are application(s) independently evaluated or certified?
AS 8.6   Has the application code been reviewed for security flaws and backdoors?
AS 8.6.1 Has server-side input validation been implemented in the application(s)?
AS 8.6.2 Where applicable, are key session identifiers (e.g. account IDs, etc.) encrypted within the web application?
AS 8.6.3 Are there any userids, application ids or passwords stored either within source code or in any form within HTML source code?
AS 8.6.4 Are there any comments within HTML source that can potentially reveal any architectural details associated with server-side programming logic or databases (e.g. stored procedures, table names, etc.)?
AS 8.7   Are externally facing web application(s) protected by a web application firewall (WAF)?
AS 8.8   Do all application users have a unique ID and password?
AS 8.8.1 Application passwords are required to have ( # of ) characters:
         Answer: 5 or less / 6-7 / 8-9 / 10 or more
AS 8.8.2 Application password complexity forces (Choose all that apply):
         Answer: Alpha / Numeric / Special Characters / UpperCase / LowerCase
AS 8.8.3 Application passwords can not be reused until after ( # of unique passwords ):
         Answer: None / 1-4 / 5 or more
AS 8.8.4 Application passwords must be changed every ( # of days ):
         Answer: Not Required / 30 / 60 / 90 / Greater Than 90
AS 8.8.5 Do applications allow users to change their password more than once within a 24-hour period?
AS 8.8.6 Invalid login locks the application user after ( # of attempts ):
         Answer: Never / 1-3 attempts / 4-5 attempts / 6 or more attempts
AS 8.8.7 What is the minimum application account lockout duration?
         Answer: 30 minutes or less / 31-59 minutes / 60 minutes or more / Must be reset by administrator
AS 8.9   Do application(s) use wild card SSL server certificates?
AS 8.10  Are controls in place to prevent changes to the application from being made in an unauthorized manner?
AS 8.11  Are audit trails enabled within the application(s)?
AS 8.12  Do application(s) mask SSN, Credit Card Number and Drivers License Number data when displayed on screen?
AS 8.13  Is there any type of data export feature for sensitive company data in the application(s)?
AS 8.14  If the application utilizes passwords stored in databases, are they stored as one-way encrypted hash values?
AS 8.15  Have Role Based Access Control mechanisms been incorporated to ensure that the Principle of Least Privilege is complied with?