PCI DSS and the Seven Domains
3
ISE 510 Security Risk Analysis & Plan
2-2 Jones & Bartlett Lecture Presentation and Assignment:
PCI DSS and the Seven Domains
Week 2 HW
30 points
<Last Name, First Name>
Due <DATE>
Submitted on <DATE>
If late let me know why:
=====================================
Delete these instructions in blue font before submission:
Change file name to HW#2_LAST_FIRST
A few comments up front: - The Jones and Bartlett Learning, TOPIC 2, does not contain enough information to complete this exercise. You'll need to research several topics related to a) PCI Data Security Standards; and b) NIST 800-53 and NIST 800-53A publications; and c) SANS Top 20 Critical Security Controls ( https://www.cisecurity.org/controls/ )
- Never copy-and-paste from any source. Use quotes and page/ paragraph numbers if you use quotes and rarely are quotes over 40 words.
-- The work you do here will be useful in the FINAL PROJECT!
- I encourage you to read through the HW problems below and if you have questions *about* the problem, please ask either through the Classroom or via email.
- A fully worked question is done for you as an example.
Example:
Find one control from NIST 800-53 (latest version) that pertains to this PCI Goal (GOAL 1: Build and maintain a secure network that is PCI DSS compliant).
b) How will the security control you selected mitigate risks identified in this goal?
c) What are the criteria for measuring the control you selected, to ensure it is properly implemented? In other words, how will the security control be evaluated? (Hint: See
NIST Special Publication 800-53A for how they assess the controls)
Example Solution:
a) Control “SC-7” Boundary Protection, is one control under the System and Communications Protection group in NIST 800-53. Boundary Protections refer to activities that secure the network at the interface between internal trusted network traffic and external network traffic. It’s like a fence around a building that protects the valuables inside the building by controlling the perimeter. The selected control chosen to support PCI Goal 1, is SC-7(3), “The organization limits the number of external network connections to the information system” (NIST 800-53, p. F-189). By limiting external network connections, organizations are better able to control and monitor inbound and outbound communications traffic (p. F-189).
b) By limiting the number of external network connections, a vendor will decrease the chances of unauthorized access to cardholder data and therefore reduce the risk. Control SC-7 complements the use of routers, and proper configuration of routers.
c) In NIST SP800-53A, p. F324, the test for compliance is to gather and review: system and communications protection policies and procedures; design documentation; network hardware; configuration documentation; network traffic monitoring/Audit logs. Interview System and network administrators, and test, by automated means for “mechanisms limiting the number of external network connections to the information system” (p. F-324)
1a) Find one control from NIST 800-53 (latest version) that pertains to this PCI Goal (GOAL 1: Build and maintain a secure network that is PCI DSS compliant).
b) How will the security control you selected mitigate risks identified in this goal?
c) What are the criteria for measuring the control you selected, to ensure it is properly implemented? In other words, how will the security control be evaluated? (Hint: See
NIST Special Publication 800-53A for how they assess the controls)
- Please use your own words to describe the control and the criteria for measuring the control.
Most importantly, describe why the control you selected pertains to this PCI Goal.
2a) Find one control from NIST 800-53 (latest version) that pertains to this PCI Goal (GOAL 2: Protect cardholder data).
b) How will the security control you selected mitigate risks identified in this goal?
c) What are the criteria for measuring the control you selected, to ensure it is properly implemented? In other words, how will the security control be evaluated? (Hint: See
NIST Special Publication 800-53A for how they assess the controls)
- Please use your own words to describe the control and the criteria for measuring the control.
Most importantly, describe why the control you selected pertains to this PCI Goal.
3a) Find one control from SANS Top 20 Critical Security Controls (https://www.cisecurity.org/controls/) that pertains to this PCI Goal (GOAL 3: Maintain a vulnerability management program).
b) How will the security control you selected mitigate risks identified in this goal?
c) What are the criteria for measuring the control you selected, to ensure it is properly implemented? In other words, how will the security control be evaluated?
- Please use your own words to describe the control and the criteria for measuring the control.
Most importantly, describe why the control you selected pertains to this PCI Goal.
4a) Find one control from NIST 800-53 (latest version) that pertains to this PCI Goal (GOAL 4: Implement strong access control measures).
b) How will the security control you selected mitigate risks identified in this goal?
c) What are the criteria for measuring the control you selected, to ensure it is properly implemented? In other words, how will the security control be evaluated? (Hint: See
NIST Special Publication 800-53A for how they assess the controls)
- Please use your own words to describe the control and the criteria for measuring the control.
Most importantly, describe why the control you selected pertains to this PCI Goal.
5a) Find one control from SANS Top 20 Critical Security Controls (https://www.cisecurity.org/controls/) that pertains to this PCI Goal (GOAL 5: Regularly monitor and test networks).
b) How will the security control you selected mitigate risks identified in this goal?
c) What are the criteria for measuring the control you selected, to ensure it is properly implemented? In other words, how will the security control be evaluated?
- Please use your own words to describe the control and the criteria for measuring the control.
Most importantly, describe why the control you selected pertains to this PCI Goal.
6a) Find one control from NIST 800-53 (latest version) that pertains to this PCI Goal (GOAL 6: Maintain an information security policy).
b) How will the security control you selected mitigate risks identified in this goal?
c) What are the criteria for measuring the control you selected, to ensure it is properly implemented? In other words, how will the security control be evaluated? (Hint: See
NIST Special Publication 800-53A for how they assess the controls)
- Please use your own words to describe the control and the criteria for measuring the control.
Most importantly, describe why the control you selected pertains to this PCI Goal.
Appendix - PCI DSS 6 Goals from Managing Risk in Information Systems - Maintaining Compliance (in Classroom)
GOAL 1: Build and maintain a secure network that is PCI DSS compliant
· All merchants must protect cardholder information by installing a firewall and a router system.
· Install, configure, and maintain a firewall system to maintain control over an organization’s network; use a router device to connect networks that will make you a PCI compliant merchant.
· Next, execute the following steps:
· Perform testing when configurations change.
· Identify all connections to cardholder information.
· Review configuration rules every six months.
· Change all default passwords. Default passwords are provided when software is installed; they are discernible and can be easily discovered by hackers.
GOAL 2: Protect cardholder data
· Cardholder data is any personal information about the cardholder that is found on the payment card and can never be saved by a merchant.
· Merchants can only display the maximum of the first six and last four digits of the primary account number.
· All information must be encrypted when transmitting data across public networks, such as the Internet, to prevent criminals from stealing the personal information during the process.
GOAL 3: Maintain a vulnerability management program
· Computer viruses make their way onto computers in many ways, but mainly through e-mail and other online activities.
· Viruses compromise the security of personal cardholder information on a merchant’s computer, and therefore antivirus software must be present on all computers associated with the network.
· In addition to antivirus software, computers are also susceptible to a breach in the applications and systems installed on the computer.
· Merchants must install vendor-provided security patches within a month of their release to avoid exposing cardholder data.
GOAL 4: Implement strong access control measures
· As a merchant, you must limit the accessibility of cardholder information.
· Install passwords and other security measurements to limit employee’s access to cardholder data.
· In order to trace employee’s activities when accessing sensitive information, assign each user an unreadable password used to access the cardholder data.
· Monitor the physical access to cardholder data; do not allow unauthorized persons the opportunity to retrieve the information by securing printed information as well as digital.
· Maintain a visitor log and save the log for at least three months.
GOAL 5: Regularly monitor and test networks
· Keep system activity logs that trace all activity; review the log daily for security breaches.
· The information stored in the logs is useful in the event of a security breach to trace employee activities and locate the source of the violation.
· Each quarter, use a wireless analyzer to check for wireless access points to prevent unauthorized access.
· Also, scan internal and external networks to identify any possible vulnerable areas in the system.
· Install software to recognize any modification by unauthorized personnel.
GOAL 6: Maintain an information security policy
· Establish a security policy that covers all PCI DSS compliance requirements and includes annual procedures to recognize any security breaches and day-to-day security policies.
· Perform background checks on potential employees and educate new and current employees about the compliance regulations.