PCI Design Plan


      Scheduled Scans
          a. Create timeline for scans to occur
                  i. Schedule scans according to the PCI DSS
                          Req 1.1.8 Quarterly Review of Firewall and Router Rule Sets
                                a. Feb 4 All systems including PCI
                                b. May 12 PCI systems
                                c. Aug 4 All systems including PCI
                                d. Nov 3 PCI systems
                          Req 11.2 Quarterly Internal and External Vulnerability Scans
                                a. 1st of the month except in May and December
                          Req 11.3A Annual Penetration Testing
                                a. June 16
                          Req 12.1.2 Annual process to identify Vulnerabilities, resulting in a
                             Formal Risk Assessment
                                a. June 18
                          Req 12.1.3 Annual Review of Security Policy
                                a. October 20
                          Req 12.6.1 Annual Education of Employees about Security
                                a. November 17
                          Req 12.9.2 Annual Testing of Incident Response Plan
                                a. September 16
          b. Schedule scans appropriately for each department
                  i. Confirm that planned scan times will not conflict with each department’s
                     daily schedule
                 ii. Resolve conflicts by making scheduling changes when necessary
          c. Schedule scan times with regard to change management and freeze windows
                  i. Ensure that scans will not interfere with UTS freeze windows
                 ii. For any scan that may impact UTS systems operations, schedule scans
                     within a change management window
          d. Include scans in daily operations (EPMS)
                  i. Scans will become a new duty for each department participating in PCI
                     compliance and must be assigned to a task owner’s EPMS.
                 ii. When a scan is completed, the results of the scan will be interpreted by
                     the task owner
                iii. Recommendations will be made by the task owner to the appropriate
                     department on what changes, if any, should be made to comply with PCI

          e. Create a PCI DSS procedural template for UTS
                 i. Create a list of PCI Impacted Systems
                         This list will reside with other non-published procedural
              ii. Create a template for Managing Department Operations. This document
                  is intended to address those requirements of PCI that can apply to all
                  systems and should map back to ISO 27002.
                       Local Security Procedures
                       Organizational Structure
                       Asset Management
                       Human Resources Procedures
                       Physical and Environmental Security
                       Communications and Operations Management
                       Systems Acquisition, Development and Maintenance
                       Incident Management
                       Business Continuity Management
                       Compliance Handling
             iii. Create a PCI DSS procedural template for Managing PCI Impacted
                       This document is intended to address the systems included in the
                          list of PCI Impacted Systems. Due to resources and other
                          constraints, these procedures cannot be applied to all systems.
       f. Apply template to appropriate SAQs to create procedures
       g. Include process to update procedures as necessary

   Technical Changes
1. Host Intrusion Prevention System (HIPs) (6.5A, 6.5B, 6.5C, 6.6, 11.4A, 11.4B)
      a. HIPs requirements based on SAQs
               Scan web applications based on secure coding guidelines such as the
                  Open Web Application Security Project guidelines.
               Scan custom application code to identify coding vulnerabilities.
               Provide prevention of common coding vulnerabilities covered in software
                  development processes. Coding Vulnerabilities include Unvalidated input,
                  Broken access control (for example, malicious use of user IDs), Cross-site
                  scripting (XSS) attacks, Buffer overflows, Injection flaws (for example,
                  structured query language (SQL) injection), Improper error handling,
                  Insecure storage, Denial of service and Insecure configuration
               Scan web-facing applications against known attacks
               Provide network intrusion detection systems, host-based intrusion
                  detection systems, and intrusion prevention systems to monitor all
                  network traffic and alert personnel to suspected compromises.
               Keep all intrusion detection and prevention engines up to date.

       b. Procure HIPs solution
       c. Configure HIPs based on SAQs
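As an added illustration of the coding vulnerabilities listed above under requirement 6.5 (this is not code from the plan or from any HIPs product), the following Python snippet shows an injection flaw beside its hardened form: a lookup that concatenates caller input into SQL, the same lookup with a bound parameter, and an allow-list validation step for the input. The table, its rows, the allow-list pattern and the function names are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample table standing in for a customer lookup; no real
# cardholder data appears anywhere in this example.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

# Allow-list for the expected shape of a username (an assumption for the example).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, username):
    """Injection flaw: the caller's input becomes part of the SQL text, so a
    quote character in the input changes the meaning of the query."""
    query = "SELECT email FROM customers WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    """Hardened form: the input is bound as a parameter and can only ever be
    compared as a value, never interpreted as SQL."""
    query = "SELECT email FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def validate_username(username):
    """Unvalidated-input control: accept only the shape the application expects."""
    return bool(USERNAME_RE.match(username))


def lookup_hardened(conn, username):
    """Both controls together: validate first, then query with a bound parameter."""
    if not validate_username(username):
        raise ValueError("username fails allow-list validation")
    return lookup_parameterized(conn, username)


def demonstrate():
    """Run one malformed input through each variant and report what happened."""
    conn = make_db()
    malformed = "x' OR '1'='1"  # constructed input that breaks out of the quotes
    try:
        lookup_hardened(conn, malformed)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "unsafe_rows": len(lookup_unsafe(conn, malformed)),        # every row leaks
        "parameterized_rows": len(lookup_parameterized(conn, malformed)),  # no match
        "hardened_rejects": rejected,                              # stopped at validation
    }


if __name__ == "__main__":
    print(demonstrate())
```

A scanner of the kind the requirement describes looks for the first pattern (query text built from input); the fix is always the second pattern, with validation added in front of it rather than instead of it.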

2. File Integrity Checking System (FICs) (10.5A, 10.5.5, 11.5A, 11.5B)
       a. FICs requirements based on SAQs
              Secure audit trails that cannot be altered.
              Log data cannot be changed without generating alerts (although new
                 data being added should not cause an alert).
              Alert personnel to unauthorized modification of critical system or content
              Perform critical file comparisons at least weekly.
              Critical files are not necessarily only those containing cardholder data.
                 Critical files are usually those that do not regularly change, but the
                 modification of which could indicate a system compromise or risk of
              Other critical files, such as those for custom applications, must be
                 evaluated and defined by the entity (that is the merchant or service
       b. Procure FICs solution
       c. Configure FICs based on SAQs
                Test web-based console (Tripwire)
                Ensure that file comparisons occur at least weekly
               Software has to be configured to check log files
               Software should be installed on log aggregation server and PCI Impacted
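Added example, not part of the original plan and not Tripwire's or any vendor's code: a minimal file-comparison routine in Python that shows the two behaviours the FICs requirements above call for. A critical file that changes at all raises an alert, while a log file may grow without an alert but any rewrite or truncation of the content that existed at baseline time is reported. File names, contents and the temp-directory scenario in demo() are constructed; the weekly schedule and the off-host storage of the baseline are assumptions about deployment.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 65536


def _hash_bytes(path, limit=None):
    """SHA-256 of a whole file, or of its first `limit` bytes when given."""
    h = hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest and size of each critical file at a known-good point."""
    return {p: {"sha256": _hash_bytes(p), "size": os.path.getsize(p)} for p in paths}


def save_baseline(baseline, path):
    # The baseline is itself an audit artifact: keep it where the monitored host cannot rewrite it.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, append_only=()):
    """Return (path, reason) alerts. Ordinary critical files must match exactly;
    append-only files (logs) may grow, but any change to the bytes present at
    baseline time, or any shrink, is reported."""
    alerts = []
    for path, rec in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))
        elif path in append_only:
            if os.path.getsize(path) < rec["size"]:
                alerts.append((path, "truncated"))
            elif _hash_bytes(path, rec["size"]) != rec["sha256"]:
                alerts.append((path, "existing log content modified"))
        elif _hash_bytes(path) != rec["sha256"]:
            alerts.append((path, "modified"))
    return alerts


def demo():
    """Constructed scenario in a temp dir: one config file and one log file.
    Returns the alert reasons from three successive comparisons."""
    d = tempfile.mkdtemp()
    cfg, log, store = (os.path.join(d, n) for n in ("app.conf", "app.log", "baseline.json"))
    with open(cfg, "w") as f:
        f.write("listen=443\n")
    with open(log, "w") as f:
        f.write("2024-01-01 service start\n")
    save_baseline(build_baseline([cfg, log]), store)
    base = load_baseline(store)
    results = []

    with open(log, "a") as f:                 # legitimate append: no alert expected
        f.write("2024-01-02 login alice\n")
    results.append([r for _, r in compare(base, append_only={log})])

    with open(cfg, "w") as f:                 # unauthorized change to a critical file
        f.write("listen=80\n")
    with open(log, "r+") as f:                # first log line rewritten in place, same length
        f.seek(0)
        f.write("2024-01-01 service ABORT\n")
    results.append([r for _, r in compare(base, append_only={log})])

    with open(log, "w") as f:                 # log truncated below its baseline size
        f.write("2024-01-01\n")
    results.append([r for _, r in compare(base, append_only={log})])
    return results


if __name__ == "__main__":
    print(demo())
```

Run compare() from a scheduled job at least weekly against a baseline stored on the log aggregation server, and re-run build_baseline() only after an approved change so that the next comparison does not keep reporting it.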

3. Vulnerability Scanner (11.3.1, 11.3.2, 11.3A)
      a. Define scanner requirements based on SAQs
                Penetration tests include network-layer penetration tests
                Penetration tests include application-layer penetration tests
      b. Procure scanner solution
      c. Configure scanner based on SAQs
                    Penetration testing performed at least once a year and after any
                      significant infrastructure or application upgrade or modification (such
                      as an operating system upgrade, a subnetwork added to the
                      environment, or a web server added to the environment)

4. Log Aggregation Tool (LAT) (8.5.1, 8.5.4, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11,
   8.5.12, 8.5.13, 8.5.15, 8.5.16, 10.1, 10.2.1, 10.2.2, 10.6, 10.7)
       a. LAT requirements based on SAQs
                Proper user authentication and password management controls for:
                       Addition, deletion, and modification of user IDs, credentials, and
                          other identifier objects.
                       Access from any terminated users to be immediately revoked.
                       Accounts used by vendors for remote maintenance to be enabled
                          only during the time period needed.
                       Group, shared, or generic accounts and passwords are not
                       Passwords to be changed at least every 90 days, with a minimum
                          password length of at least seven characters containing both
                          numeric and alphabetic characters
                       An individual to submit a new password that is different from any
                          of the last four passwords he or she has used.
                       Repeated access attempts to be limited by locking out the user ID
                        after no more than six attempts
                      A session idle for more than 15 minutes will require the user to
                         re-enter the password to re-activate the terminal
                      All access to any database containing cardholder data to be
                         authenticated. (This includes access by applications,
                         administrators, and all other users.)
               Link all access to system components (especially access done with
                administrative privileges such as root) to each individual user.
               Automated audit trails are implemented for all system components to
                reconstruct all individual user accesses to cardholder data
               Automated audit trails are implemented for all system components to
                reconstruct all actions taken by any individual with root or administrative
               Logs for all system components, including those servers that perform
                security functions like intrusion detection system (IDS) and
                authentication, authorization, and accounting protocol (AAA) servers (for
                example, RADIUS).
               Audit trail history retained for at least one year

       b. Procure LAT solution
       c. Configure LAT based on SAQs
               Password procedures and policies must be communicated to all users who
                  have access to cardholder data
              Logs for all system components must be reviewed at least daily.
              Audit trail history must be retained for at least one year, with a minimum
                 of three months online availability.
              Enforce policies on Linux systems and on Windows systems not joined to
              Specific policy for PCI systems joined to AD.
              Configure an Event Management System.
              Require unique user ID
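Added example, not code from the plan or from any LAT product: a Python sketch of the 8.5.x account controls listed above, enforced in one place so they can be verified on systems that cannot inherit them from AD. It applies the minimum length of seven with both letters and digits, rejects any of the last four passwords, expires passwords after 90 days, locks the user ID after six failed attempts, and requires re-authentication after 15 idle minutes. The user name, dates and passwords in run_scenario() are constructed, and the PBKDF2 round count is an assumption for the example rather than a PCI figure.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Policy values taken from the requirements above.
MIN_LENGTH = 7                       # at least seven characters
PASSWORD_HISTORY = 4                 # must differ from the last four used
MAX_PASSWORD_AGE = timedelta(days=90)
MAX_FAILED_ATTEMPTS = 6              # lock the user ID after six failures
IDLE_TIMEOUT = timedelta(minutes=15)
PBKDF2_ROUNDS = 100_000              # assumption for the example, not a PCI figure


def meets_complexity(pw):
    """Length plus both-alphabetic-and-numeric check."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isdigit() for c in pw)
            and any(c.isalpha() for c in pw))


def hash_password(pw):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def check_password(pw, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Account:
    """One individual's unique user ID: never a group, shared or generic account."""

    def __init__(self, user_id, password, now):
        self.user_id = user_id
        self.history = []            # (salt, digest) pairs, oldest first
        self.password_set_at = now
        self.failed_attempts = 0
        self.locked = False
        self.last_activity = None
        self.set_password(password, now)

    def set_password(self, new_pw, now):
        if not meets_complexity(new_pw):
            raise ValueError("password needs 7+ characters with letters and digits")
        for salt, digest in self.history[-PASSWORD_HISTORY:]:
            if check_password(new_pw, salt, digest):
                raise ValueError("password matches one of the last four used")
        self.history.append(hash_password(new_pw))
        self.password_set_at = now

    def password_expired(self, now):
        return now - self.password_set_at > MAX_PASSWORD_AGE

    def login(self, pw, now):
        """Returns 'ok', 'denied', 'locked' or 'password_expired'."""
        if self.locked:
            return "locked"
        salt, digest = self.history[-1]
        if not check_password(pw, salt, digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "locked"
            return "denied"
        self.failed_attempts = 0
        if self.password_expired(now):
            return "password_expired"
        self.last_activity = now
        return "ok"

    def touch(self, now):
        """Per-request check: False means the session idled past 15 minutes
        and the user must re-enter the password."""
        if self.last_activity is None or now - self.last_activity > IDLE_TIMEOUT:
            self.last_activity = None
            return False
        self.last_activity = now
        return True


def run_scenario():
    """Constructed walk-through of the controls; returns the outcomes in order."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("jdoe", "winter2024", t0)
    out = [acct.login("winter2024", t0)]                            # ok
    for bad in ("short1", "winter2024"):                            # too short / reuse
        try:
            acct.set_password(bad, t0)
            out.append("accepted")
        except ValueError:
            out.append("rejected")
    acct.set_password("spring2024", t0)
    out.append(acct.login("spring2024", t0 + timedelta(days=91)))   # password_expired
    out.append(acct.login("spring2024", t0 + timedelta(days=10)))   # ok
    out.append(acct.touch(t0 + timedelta(days=10, minutes=16)))     # False: idle too long
    for _ in range(MAX_FAILED_ATTEMPTS):
        last = acct.login("wrong-pw1", t0)
    out.append(last)                                                # locked on 6th failure
    out.append(acct.login("spring2024", t0))                        # still locked
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Every state change here (failed attempt, lock-out, password change, expiry) is exactly the kind of event that should be forwarded to the log aggregation tool so the daily review can tie it back to the individual user ID.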

5. Security Camera (9.1.1A, 9.1.1B)
      a. Camera requirements based on SAQs
               Cameras must monitor sensitive areas.
               Data from video cameras is audited and correlated with other entries.
      b. Procure camera solution
      c. Set up cameras based on SAQs
              Video date/time stamping system should sync with log aggregation tool.
              Video files should be available to managers upon request.

6. DCO Administrative Tool (12.1.1, 12.1.2, 12.1.3)
      a. Administrative Console requirements based on SAQs
             A central administrative tool is needed to manage systems that are not
               within a domain environment, or that cannot be moved into AD because of
               legacy software requirements or configuration, so that policy can be
               managed centrally and PCI compliance standards ensured. Tools need to be
               brought in and tested to find out which works best for our needs.
         Define manual process to complete tasks
               Individually set policy standards on 200 servers that are not within
                  AD, having no method of ensuring that policy settings related to
                  compliance standards have not been altered, intentionally or
               To manually review the PCI systems individually would take
                 several days, whereas the review of the Server Farm would take
                 months to complete.
               PCI DSS indicates this to be an annual review process, unless
                 environmental changes dictate it to occur more often.
         Define automated process to complete tasks
               Procure an Administrative Console which would facilitate
                 compliance with the related PCI issues by automating the policy
                 standards management. Such issues would be drive shares, NTFS
                 File permissions, Local policy, audit settings, local user accounts,
                 local user account permissions, etc.
         Define the ROI for administrative tool purchase
               Man hours may cost more than the tool purchase (for one complete
                  cycle)
               Learning curve for software purchase is very low, quick return on
       b. Procure administrative tool solution
       c. Configure administrative tool based on SAQs
