GNB Security Plan

  ◦   Standards GNB Complies with:
      ▪ PCI-DSS 2.0
      ▪ Relevant NIST standards
      ▪ SANS 20 Critical Controls (guidelines)

1) Risk Assessment Plan:
   1. Gather necessary/relevant information on information assets and the risks/vulnerabilities
      that these assets are exposed to. This includes technical information as well as policies.
      1. (“The Federal Reserve includes six types of risk, which are credit, market, liquidity,
          operational, legal, and reputational. The OCC includes nine types of risk which are
          credit, interest rate, liquidity, price, foreign exchange, transaction, compliance,
          reputation, and strategic.”)
      2. Incorporate newly discovered vulnerabilities at a pace proportional to their severity
      3. PCI-DSS requires that cardholder data be protected at the organization's highest level of
          protection
   2. Analyze information systems, how we use information in daily operations. How is it
      accessed? Transmitted? Stored? Disposed of? What is the system architecture?
      1. Identify all access points to the network
      2. Map internal/external connectivity
   3. Evaluate the assets and the risks faced:
      1. Classify/rank assets based on importance/sensitivity
      2. Assess threats/vulnerabilities based on potential damage and probability. Anticipate
          future vulnerabilities.
      3. Evaluate control/mitigation effectiveness and efficiency
   4. Assign risk ratings based on probability and impact
   5. Regularly update risk assessment as new information affecting risks is identified. Overhaul
      risk management framework annually.
2) Network Design:
   1. Key concepts:
      1. Follow the “20 Critical Controls” identified by SANS
      2. Everywhere you have a network, secure it
      3. Think about every connection
      4. Security domains (restriction of access at the network/application layer):
          compartmentalizing business units' networks as much as possible, restricting
          connectivity between networks
      5. Least permissions/least privilege: restricting authorization to certain users
      6. Layers of security/defense in depth
   2. Network Architecture:
      1. Firewalls: front-side and back-side (application-level) firewalls for the website; firewalls
          on our dedicated connections or VPN tunnels to other companies that strictly enforce
          whitelisted port/IP rules, restricting communication with untrusted networks
          1. PCI-DSS calls for firewalls between the outside and the "DMZ", then between the "DMZ"
              and the internal network. These firewalls should obey port/IP whitelists (default deny).
          2. Secure router configuration files; do not use default passwords
      2. Active content filtering with deep packet inspection
      3. Email screening service
      4. IDS/IPS: wireless IDS as well; multiple passive listening devices throughout the network
      5. Anti-virus/anti-malware software and software firewalls on all computers, updated regularly
      6. Encryption: full-disk encryption on HDDs; stored data encrypted with AES-256
      7. "DMZ": intermediate, firewalled layer through which the most important data must travel
          1. Hide internal IP addresses and routing information from the external Internet
          2. DMZ systems never contain sensitive data
      8. Monitoring/restriction of outbound communication: web surfing, email, etc.
          1. Prohibit direct public access between the Internet and any system component in the
              cardholder data environment
          2. Analyze outbound traffic to look for exfiltration of data
      9. Quarantine, or deny network access to, devices that are noncompliant (e.g. missing
          up-to-date patches)
          1. Monitor all network devices through active configuration/patch management software
              to ensure configuration, patches and anti-malware software are all up to date and secure
      10. Weekly vulnerability scan with automated scanning software that checks for the latest
          known vulnerabilities
      11. Split DNS: one server publishing public domain information to the outside, a second for
          internal recursive queries
      12. File Integrity Monitoring (FIM): detect unauthorized changes to critical system and
          application files by comparing them against a known-good baseline and alerting on any
          modification, addition or removal
          1. Monitor operating system access by user, location and time
      13. Segmentation of the network: strict controls on business units talking to each other.
          Highly sensitive R&D and planning kept separate from advertising, kept separate from
          credit cards, etc.
          1. Focus perimeters on high-risk domains (e.g. wire transfer) to segregate them
          2. Cut wireless off from the cardholder data environment with a firewall
      14. Treat wireless networks as untrusted: use encryption, strong authentication, etc. Monitor
          for unauthorized wireless access.
      15. Ensure systems are configured in a secure manner
          1. Do not use default passwords for system components
      16. Require all customers to access the website, or otherwise communicate with us, using
          current browsers
      17. One primary function per server (including virtualized servers): e.g. only DNS, only
          email, etc.
      18. Back up systems regularly: once a day for the most important information, once a week
          for other information
          1. Secure backup media
          2. Test backup media once a quarter
      19. Regular audit of systems to make sure all components are configured the way we want them
          to be, at least once every six months
          1. Ensure all software is patched: verify critical patches monthly, non-critical patches
              every two months
   3) Policies and Procedures:
      1. Index all devices that connect to the network
      2. Index all authorized software (whitelist), prevent devices from using unauthorized software
      3. Keep cardholder data storage to a minimum:

Rev. August 2012                                 2
          1. Limit data retention time, delete all but the minimum data
          2. Do not store authentication information
          3. Require strong cryptographic keys to access cardholder data, control these keys
      4. Restrict access to cardholder information: the principle of least privilege
      5. Use strong cryptography and secure protocols (e.g. TLS; obsolete SSL versions must not be
          used) to protect all sensitive information, from cardholder data to passwords, during
          transmission over public networks
          1. Use the strongest available wireless standards (WPA2 with AES; never WEP)
      6. Specify organization, roles, and responsibilities of information security team
      7. Restriction of superuser access
          1. Carefully monitor use of privileged access, especially for operating system-level access
              or critical applications
      8. Clear delineation of responsibilities/privileges for users and administrators: only the
          minimum access required to perform required functions. Default: deny all. Unless it is
          specifically allowed it is forbidden.
          1. Periodic review of access rights
      9. Eliminate all unnecessary functions on machines, from USB to AutoRun to superfluous
          scripts, drivers, etc.
      10. Restricted website access (whitelisting) to avoid drive-by-downloads
      11. Two-factor authentication: use RSA tokens; use biometrics for access to the most
          sensitive information
          1. Strong passwords, changed at least once every 90 days
              1. Follow password best practices: lockout after multiple failed logins, no reuse of
                  previous passwords, no shared/group passwords, etc.
          2. Behavioral and device authentication
      12. Automatic log-out (timeout), prohibition of automatic log-in
      13. Clear, enforceable disciplinary process.
      14. Background checks and rigorous hiring process, including for contractors
      15. Account Controls:
          1. Monitor all account usage
          2. Onboarding/offboard: When people leave the company or move between positions,
              their access privileges are adjusted accordingly
          3. Including RSA add/delete
          4. Review accounts and access privileges at least once every 90 days
          5. This goes for vendors/etc.
      16. Multiple users' credentials required for access to the most secure data
      17. Follow software development best practices, including:
          1. Code review before code is released
          2. Separate development area from production environment (from rest of network)
          3. Security best practices: test your code against common attacks
      18. Branch offices:
          1. Same equipment and layout as much as possible
          2. Communicate with redundant ISP connections with VPN tunnels
          3. Do not put both hardware firewalls in same building
          4. Own servers- virtualized
      19. Carefully monitor outsourced service providers of all types
          1. Ensure PCI-DSS compliance
          2. Have an agreement acknowledging that service providers are responsible for protection
              of the cardholder data that they possess
      20. Remote Access:
          1. Forbid remote access unless a “compelling business justification exists.” Only for the
              most senior executives/etc. and then only on a case-by-case basis as is appropriate to
              job function

              1. Regularly review remote access privileges
          2. Secure remote access devices against malware: patch software, etc.
              1. Monitor with configuration monitoring software
              2. Restrict functionality to functions essential to performance of business mission
              3. Browsers and outward communication restricted by whitelist of sites
          3. Reject remote access unless communicating through secure channels and using
              secure configuration
          4. Use encryption and two-factor authentication
          5. Restrict remote access to only the network areas necessary to perform business
              functions
      21. Wireless Access:
          1. Only have wireless networks when a business case can be made
          2. Only whitelisted wireless devices are allowed to communicate to the wireless network
          3. Require wireless devices communicating to the network to have active
              configuration/patch management and to communicate securely
          4. Restrict wireless access to non-critical network segments
          5. Determine secure zones and designate by priority
              1. Ban mobile devices in most secure zones
              2. Restrict mobile device functionality in other secure zones
          6. Monitor wireless activity in all secure zones
      22. Physical security: Use zones to compartmentalize by priority and mission. Keep the
          principle of least privilege. Use biometrics to access most critical areas.
          1. Protect cardholder data at your maximum level of protection
          2. Protect network access points: jacks, wireless gateways
          3. Backups: don't put all of your resources in one building
          4. Follow best practices for data destruction
          5. Exceptionally high security for data centers: UPS, lasers, vibration detectors, CCTV,
              etc.
      23. Stay up to date on latest security developments and latest vulnerabilities
      24. Publish a security strategy, review the strategy once/year
          1. Derive security procedures from the security strategy
          2. Disseminate the security strategy
      25. Create an Incident Response Plan: test at least annually
      26. Create a Business Continuity Plan: test at least annually
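The password and account controls in items 11 and 15 above (strong passwords, change at least every 90 days, no reuse of previous passwords, lockout after repeated failures), as an added example that is not code from the GNB plan. The thresholds, the PBKDF2 parameters and the user names are assumptions; a production system would normally use bcrypt or Argon2 and keep the failure counters in the directory service rather than in memory.

```python
"""Password and lockout policy enforcement.

Added example (not code from the GNB plan): one Account class that enforces the
controls listed in items 11 and 15 above: minimum strength, 90-day maximum age,
no reuse of recent passwords, and lockout after repeated failed logins.
The thresholds, PBKDF2 parameters and sample users are assumptions.
"""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 12                         # assumed policy value
MAX_AGE = timedelta(days=90)            # "changed at least once every 90 days"
HISTORY_DEPTH = 5                       # current plus previous four may not be reused
LOCKOUT_THRESHOLD = 5                   # failed attempts within the window before lockout
LOCKOUT_WINDOW = timedelta(minutes=30)
PBKDF2_ROUNDS = 100_000                 # stdlib KDF; bcrypt/argon2 preferred in production


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_strength(password: str) -> list:
    """Return policy violations (an empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("needs three of: lower, upper, digit, symbol")
    return problems


class Account:
    def __init__(self, user: str, password: str, now: datetime):
        self.user = user
        self.history = []      # (salt, hash) pairs, newest last; never the plaintext
        self.failures = []     # timestamps of recent failed logins
        self.changed_at = now
        self._set_password(password, now)

    def _used_recently(self, password: str) -> bool:
        return any(hmac.compare_digest(_derive(password, s), h)
                   for s, h in self.history[-HISTORY_DEPTH:])

    def _set_password(self, password: str, now: datetime) -> None:
        problems = check_strength(password)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        if self._used_recently(password):
            raise ValueError("password matches one of the last %d" % HISTORY_DEPTH)
        salt = os.urandom(16)
        self.history.append((salt, _derive(password, salt)))
        self.changed_at = now

    def change_password(self, old: str, new: str, now: datetime) -> None:
        salt, h = self.history[-1]
        if not hmac.compare_digest(_derive(old, salt), h):
            raise PermissionError("current password incorrect")
        self._set_password(new, now)

    def is_locked(self, now: datetime) -> bool:
        # Only failures inside the window count; older ones age out.
        self.failures = [t for t in self.failures if now - t < LOCKOUT_WINDOW]
        return len(self.failures) >= LOCKOUT_THRESHOLD

    def login(self, password: str, now: datetime) -> str:
        """Return 'ok', 'expired', 'locked' or 'denied'."""
        if self.is_locked(now):
            return "locked"            # correct password still refused while locked
        salt, h = self.history[-1]
        if not hmac.compare_digest(_derive(password, salt), h):
            self.failures.append(now)
            return "locked" if self.is_locked(now) else "denied"
        self.failures.clear()
        return "expired" if now - self.changed_at >= MAX_AGE else "ok"


def demo() -> dict:
    """Constructed walk-through of each control; returns the observed outcomes."""
    t0 = datetime(2012, 8, 1, 9, 0, tzinfo=timezone.utc)
    acct = Account("jsmith", "Correct-Horse-42", t0)
    out = {"first_login": acct.login("Correct-Horse-42", t0)}
    for label, new in (("weak", "short1!"), ("reuse", "Correct-Horse-42")):
        try:
            acct.change_password("Correct-Horse-42", new, t0)
            out[label] = "accepted"
        except ValueError:
            out[label] = "rejected"
    acct.change_password("Correct-Horse-42", "Battery-Staple-77!", t0)
    attempts = [acct.login("wrong-guess-%d" % i, t0 + timedelta(minutes=1))
                for i in range(LOCKOUT_THRESHOLD)]
    out["fifth_failure"] = attempts[-1]
    out["during_lockout"] = acct.login("Battery-Staple-77!", t0 + timedelta(minutes=5))
    out["after_window"] = acct.login("Battery-Staple-77!", t0 + timedelta(minutes=40))
    out["after_90_days"] = acct.login("Battery-Staple-77!", t0 + timedelta(days=91))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-15s %s" % (k, v))
```

Note that a correct password presented during the lockout window is still refused, and that the comparison uses hmac.compare_digest so response timing does not leak how much of the hash matched.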
   4) Education
      1. Information Security will manage all security education for all employees, including
          managers, senior executives, and members of the board of directors
          1. Dedicated Chief Information Security Education Officer and staff
          2. On-boarding: initial education day dedicated to IT and security education
          3. Mandatory annual education updating on the latest security standards and policies
          4. Monthly briefings of board members and senior executives by CISO
      2. Enforce the acceptable-use policy: what you are and are not allowed to do, consequences
          1. Hold employees liable if they are not compliant
      3. Train users to prepare for and protect against social engineering attacks
      4. Take security seriously with a security awareness program
      5. Foster a culture of disclosure
      6. Obtain employee certification/affidavit that they have read and understood security policy
      7. ALL employees, including contractors, are required to follow standards
          1. Best practices for programming
   5) Logging:
      1. Continuous monitoring by three employees/contractors at all times

      2. Be able to attribute every action to an individual user (no shared accounts)
      3. Logs should have: user ID, event, time, identity of data and system resources involved
          1. Have redundant synchronized time sources
      4. Log all administrator access behavior
      5. Log access to operating system and critical information
          1. Including logging all access to cardholder data
      6. Log access to critical applications
      7. Log remote access
      8. Write logs to write-once (WORM) media or to a secured, centralized log server so they cannot
          be altered after the fact
      9. Monitor network behavior 24 hours a day with employees
      10. Daily report of log information for CISO, weekly/as requested for CIO, monthly/ad hoc for
          CEO and senior executives
      11. Aggregate logs on a consolidated log platform, secure per best practices
          1. Back up regularly (by importance: daily, weekly)
          2. Restrict access to logs per the principle of least privilege
          3. Watch the logs with File Integrity Monitoring
          4. Analyze reports biweekly to check for tampering
          5. Retain at least one year's worth of information, with three months easily accessible
      12. Follow best practices for incident response forensics:
          1. Capture most volatile data first
          2. Work on a sterile duplicate copy
          3. Keep forensics experts on retainer
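The log record fields required in item 3 above (user ID, event, time, data and system resources involved), together with the tamper check in item 11.4, as an added example that is not code from the GNB plan: each record carries a SHA-256 hash chained to the previous record, so editing, reordering or deleting an interior entry is detected at review time. Truncating the tail is not caught by the chain alone, which is why the latest hash (the "anchor") must be copied off-host, for instance to the write-once log server. Events, user names and host names are constructed.

```python
"""Tamper-evident audit log.

Added example (not code from the GNB plan): every record carries the fields
the plan requires (user ID, event, UTC time, data and system resource) plus a
SHA-256 hash that chains to the previous record. Editing, reordering or
deleting an interior record breaks the chain; an externally stored copy of the
latest hash (the "anchor") also exposes truncation of the tail. Events and
host names are constructed.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64      # "previous hash" of the first record


def _digest(body: dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    return hashlib.sha256(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.records = []

    def append(self, user, event, resource, system, when=None, **extra) -> dict:
        when = when or datetime.now(timezone.utc)
        body = {
            "seq": len(self.records),
            "time": when.isoformat(),
            "user": user,
            "event": event,
            "resource": resource,
            "system": system,
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
            **extra,
        }
        body["hash"] = _digest(body)
        self.records.append(body)
        return body

    def head(self) -> str:
        """Hash to store off-host after each batch; proves the log was not truncated."""
        return self.records[-1]["hash"] if self.records else GENESIS


def verify_chain(records, anchor=None) -> list:
    """Return a list of problems found; an empty list means the chain is intact."""
    problems = []
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hash"}
        expected = _digest(body)
        if rec.get("seq") != i:
            problems.append("record %d: sequence number %r out of order" % (i, rec.get("seq")))
        if body.get("prev") != prev:
            problems.append("record %d: prev hash does not match record %d" % (i, i - 1))
        if rec.get("hash") != expected:
            problems.append("record %d: stored hash does not match contents" % i)
        prev = expected
    if anchor is not None and prev != anchor:
        problems.append("head hash %s... does not match anchor (truncated or rewritten)" % prev[:12])
    return problems


def demo() -> dict:
    log = AuditLog()
    t = datetime(2012, 8, 1, 9, 0, tzinfo=timezone.utc)
    log.append("jsmith", "login", "workstation-12", "AD", when=t)
    log.append("jsmith", "read", "cardholder_db.pan", "CDE-DB01", when=t.replace(minute=5))
    log.append("root", "sudo", "/etc/shadow", "CDE-DB01", when=t.replace(minute=7))
    anchor = log.head()
    out = {"intact": verify_chain(log.records, anchor)}
    # Insider rewrites the PAN read to another user and recomputes that record's hash.
    edited = copy.deepcopy(log.records)
    edited[1]["user"] = "svc_backup"
    edited[1]["hash"] = _digest({k: v for k, v in edited[1].items() if k != "hash"})
    out["edited"] = verify_chain(edited, anchor)
    # Delete the interior record: the sudo record's prev pointer no longer matches.
    out["deleted"] = verify_chain([log.records[0], log.records[2]], anchor)
    # Truncate the tail: only the anchor catches this.
    out["truncated_no_anchor"] = verify_chain(log.records[:2])
    out["truncated_anchor"] = verify_chain(log.records[:2], anchor)
    return out


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "chain intact")
```

The timestamps are written in UTC from a synchronized clock, matching item 3.1; if hosts disagree on time, correlating these records across the consolidated platform becomes unreliable even when the chain verifies.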
   6) Testing:
      1. PCI-DSS 2.0 compliance proven through annual external penetration testing and quarterly
          external vulnerability scans by an Approved Scanning Vendor (ASV)
          1. Perform an internal penetration test once annually
      2. Annual FFIEC audit
      3. Testing of logging/forensics procedures by external retainers (annual)
      4. Test physical security/social engineering, e.g. the "pizza guy" sneaking in (annual)
      5. Internal scanning to ensure that security standards and policies are actually working
          1. Conduct this internal scan at least once/quarter
      6. Perform an internal and external scan after any significant change to network/etc.
      7. Test incident response plan and business continuity plan at least once annually
      8. Periodic reviews of policies to ensure they are up to date with best practices (semi-annual)