Dan Lobb CRISC, Lisa Gable CISM, Katie Friebus · ISACA GEEK WEEK 2016 · PCI DSS...


Dan Lobb CRISC

Lisa Gable CISM

Katie Friebus

AGENDA

Meet the speakers

Compliance between QSA visits - Dan Lobb

Transitioning from PCI DSS 3.1-3.2 - Katie Friebus

Tips for Managing a PCI Compliance Program - Lisa Gable

Questions

ISACA GEEK WEEK 2016

MEET THE SPEAKERS

Dan Lobb

Dan is currently managing the Information Security Compliance Program for Macy’s Inc. He has been focused on Information Security Compliance for the past 10 years at several leading companies: Visa, Coca-Cola, Blue Cross Blue Shield, and AT&T.

Lisa Gable

Lisa is the PCI Compliance Manager for Macy’s Systems and Technology. Over the past 7 years at Macy’s, Lisa has led various PCI-related efforts, including Assessment Management, Vulnerability Scanning and Risk Management.

Katie Friebus

Katie is a Senior Compliance Analyst for Macy’s Systems and Technology division. Katie helps to manage the annual PCI Assessment for Macy’s as well as ongoing PCI compliance activities. Katie has over 6 years of information security experience both in the banking and credit card processing industries.


PCI COMPLIANCE BETWEEN QSA VISITS - DAN LOBB


OUR CHALLENGE

So many requirements…

So many systems…

So many owners…


KEYS TO SUCCESS

Rank your risks…

Focused activities…

Automate…

RANK YOUR RISKS

Concentrate on areas of concern…

Troublesome requirements

Feedback and comments from assessors

Control/process owner input

Changed systems in the CDE

New lines of business/acquisitions


FOCUSED ACTIVITIES

Divide to conquer

Leverage other compliance efforts

Other security framework activities

Policy and procedure management


AUTOMATE

Iterative approach

Fast and impactful

Reporting and dashboards

Make use of tools at your disposal

Move beyond spreadsheets

Policy and procedure management

Introduce workflows


TRANSITIONING FROM PCI DSS 3.1 TO 3.2 - KATIE FRIEBUS


COMMUNICATION OF CHANGE

o PCI Council Communications

Email

Website

Participating Organization

o Qualified Security Assessor (QSA)


WHAT CHANGED?

Defining PCI Security Council Change Types


Change Type: Definition

Clarification: Clarifies the intent of the requirement. Ensures that concise wording in the standard portrays the desired intent of requirements.

Additional Guidance: Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic.

Evolving Requirement: Changes to ensure that the standards are up to date with emerging threats and changes in the market.

KEY CHANGES

o 47 Clarifications, 3 Additional Guidance items, 8 Evolving Requirements

o Additional Requirements For Service Providers (Effective Feb 1, 2018):

Key Management / Cryptographic Architecture

Detect and report on failures of critical security control systems

Network Penetration Testing every 6 months

PCI DSS Compliance Program Charter

Quarterly Reviews: Personnel are following security policies and procedures

o SSL/Early TLS requirements and guidance moved to Appendix 2

June 30, 2018

TLS 1.1 or Higher

Document exceptions


KEY CHANGES

o 6.4.6: PCI Requirements in Change Control (Effective Feb 1, 2018)

Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.

1. Logging

2. Antivirus

3. File Integrity Monitoring

4. Vulnerability Scanning

5. Penetration Testing

6. Configurations

7. Diagram updates

Allows for additional visibility into new changes to the CDE and identifies PCI gaps early in the process.


KEY CHANGES

o 8.3, 8.3.1, 8.3.2 - Multi-Factor Authentication for Non-console Administrative Access and Remote Access within the CDE (Effective Feb 1, 2018)

Multi-factor authentication requires a minimum of two of the three authentication methods:

1. Something you know, such as a password or passphrase

2. Something you have, such as a token device or smart card

3. Something you are, such as a biometric.

Non-console administrative access: access via means without having the device in front of you.


NEXT STEPS

o Analysis: What do these changes/updates mean for my organization?


Example analysis entry (Section / Change Type / Impact / PCI DSS v3.1 / PCI DSS v3.2):

Section, PCI DSS v3.1: N/A

Section, PCI DSS v3.2: 6.4.6 - New requirement for change control processes to include verification of PCI DSS requirements impacted by a change. Effective February 1, 2018

Change Type: Evolving Requirement

Impact: This is a large impact. Multiple teams including Information Security, Change Management, development and Server management teams will be affected by these processes.

NEXT STEPS

o Communication: communicate key updates to stakeholders

What is the requirement?

How does it impact them?

What needs to happen to maintain compliance?

o Implementation: How does my organization prepare/implement these changes to processes?

Size of effort

Communication of process and procedure changes

Implementation and tracking


TIPS FOR MANAGING ONGOING PCI COMPLIANCE - LISA GABLE


ONGOING PCI COMPLIANCE

Whew – my assessment is over – now I can take a break?

Compliance program continues! – CONTINUOUS COMPLIANCE

Time bound requirements

• Defining and understanding the time bound requirements

• Development of a schedule for compliance review

Influences on your PCI Compliance Program


TIME BOUND REQUIREMENTS

What are time bound requirements?

Requirements that must be completed on a regular schedule or set frequency.

Frequency includes:

• Annually

• Quarterly

• Monthly

• Daily

• As defined by your Risk Assessment process

Why keep up with these requirements?

8/5/2016 ISACA GEEK WEEK 2016

CASE STUDY – VULNERABILITY SCANNING


PCI DSS Requirement 11.2

Description: All entities are required to run internal and external network vulnerability scans for the cardholder data environment at least quarterly.

Testing Procedures: Your assessor or internal audit group is required to ask for the last four tests you have completed.

If you are planning for this requirement only during audit checks or just before your PCI assessment kicks off, you are already too late!

CASE STUDY – VULNERABILITY SCANNING


PCI DSS Requirement 11.2.1 (Part 2)

Description: All entities are required to address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved.

Testing Procedures: Your assessor or internal audit group is required to verify that all high risk vulnerabilities are addressed.

Many requirements in the PCI DSS have multiple components. Scanning is just the first part – Part Two includes remediation and rescanning!
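As an added example (not from the slides), a small evidence check a compliance team could run ahead of the assessor: it takes a constructed scan history and reports whether the last four quarterly scans exist without a skipped quarter (part one of 11.2) and whether every "high risk" finding has a later clean rescan (part two). The 92-day gap threshold and the "absent from a later scan means resolved" rule are assumptions of this example, not definitions from the standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed thresholds, not from the slides or the standard: "quarterly" is read as
# at most 92 days between scans, and a high-risk finding counts as resolved once a
# later scan (quarterly or rescan) no longer reports it.
MAX_GAP_DAYS = 92
REQUIRED_SCANS = 4  # the "last four tests" an assessor asks for


@dataclass(frozen=True)
class Scan:
    when: date
    kind: str                  # "quarterly" or "rescan" (a rescan only verifies remediation)
    high_risk_open: frozenset  # ids of "high risk" findings this scan still reported


def check_requirement_11_2(scans, assessment_date):
    """Return the gaps an assessor would flag under 11.2; an empty list means both parts
    hold: four spaced quarterly scans, and every high-risk finding rescanned clean."""
    issues = []
    window_start = assessment_date - timedelta(days=365)
    quarterly = sorted((s for s in scans if s.kind == "quarterly"
                        and window_start <= s.when <= assessment_date), key=lambda s: s.when)
    # Part one: the last four scans exist and no quarter was skipped between them.
    if len(quarterly) < REQUIRED_SCANS:
        issues.append(f"only {len(quarterly)} quarterly scans in the last 12 months")
    for earlier, later in zip(quarterly, quarterly[1:]):
        gap = (later.when - earlier.when).days
        if gap > MAX_GAP_DAYS:
            issues.append(f"{gap}-day gap between scans on {earlier.when} and {later.when}")
    if quarterly and (assessment_date - quarterly[-1].when).days > MAX_GAP_DAYS:
        issues.append(f"latest scan on {quarterly[-1].when} is stale at assessment {assessment_date}")
    # Part two: a finding stays open until a later scan no longer reports it, so any
    # finding last seen in the most recent scan has no clean rescan behind it.
    ordered = sorted(scans, key=lambda s: s.when)
    last_seen = {f: i for i, s in enumerate(ordered) for f in s.high_risk_open}
    for finding, i in sorted(last_seen.items()):
        if i == len(ordered) - 1:
            issues.append(f"high-risk finding {finding} still open after {ordered[i].when}; no clean rescan")
    return issues


def demo():
    """Constructed scan history for an assessment kicking off on 2016-11-01."""
    history = [
        Scan(date(2015, 11, 10), "quarterly", frozenset({"HR-1"})),
        Scan(date(2015, 12, 1), "rescan", frozenset()),            # HR-1 verified fixed
        Scan(date(2016, 2, 5), "quarterly", frozenset()),
        Scan(date(2016, 5, 1), "quarterly", frozenset({"HR-2"})),
        Scan(date(2016, 9, 1), "quarterly", frozenset({"HR-2"})),  # 123-day gap; HR-2 never rescanned
    ]
    return check_requirement_11_2(history, date(2016, 11, 1))
```

The demo history produces two findings for the program owner: a skipped quarter between the May and September scans, and HR-2 with no clean rescan on record.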

ANNUAL REQUIREMENTS (OR AS CHANGED)

Diagrams: network and data flows

System configuration standards

Maintain inventory of in-scope systems

List of roles with access to PAN data

Training for system developers

Web facing application scanning

Device lists

Inventory of wireless access points

Security awareness training

Penetration testing

Security policies and operational procedures


QUARTERLY REQUIREMENTS (OR AS CHANGED)

• Remove data based on retention requirements

• Install any vendor-supplied patches (non-critical)

• Internal and external network vulnerability scans

• Perform risk assessment


MONTHLY REQUIREMENTS (OR AS CHANGED)

• Identify and review new security vulnerabilities; assign risk ranking

• Install any critical security patches

• Remove/disable inactive user accounts

• Change user passwords/passphrases including local accounts (every 60 days)


DAILY REQUIREMENTS (OR AS CHANGED)

• Evaluate malware threats

• Review security events

• Review logs of system components

• DLP to ensure no PAN exists in test systems

• Logs of all critical systems

• Wireless scans to verify authorized and unauthorized wireless access points


TIME BOUND REQUIREMENT PLANNING

Regularly Monitor and Test Networks - Requirement 11: Regularly test security systems and processes

Activity - PCI Rqmt - Schedule (QTR 1: Jan-Mar, QTR 2: Apr-Jun, QTR 3: Jul-Sep, QTR 4: Oct-Dec)

Perform wireless scans to verify authorized and unauthorized wireless access points are identified - 11.1.c - Ongoing, daily detection

Maintain an inventory/justification of authorized wireless access points - 11.1.1 - Access list maintained regularly

Run internal network vulnerability scans - 11.2.1 - Feb, May, Aug, Nov

Run external network vulnerability scans - 11.2.2 - Apr, Jul, Oct, Jan

Perform external penetration test - 11.3.1.a - July

Perform internal penetration test - 11.3.2.a - June

Perform penetration test of segmentation controls/methods - 11.3.4 - June

Security policies and operational procedures - 11.6 - As changed and once annually (November 2016)


INFLUENCES ON YOUR PCI PROGRAM

Other Influencers

• Opportunities from your last assessment

• Feedback from your assessor – supplemental findings

• Info Sec/IT Risk Management

• Control Owner Changes

• Change Management – how is your CDE changing and are you aware?


QUESTIONS
