Monthly Status Report
Project Name: PCI DSS
Project Manager: Frank Zobitz
Project Sponsor: Laura King
Project Owner: Tim Stoddard
ITS Manager: Bev Schuft
Reporting Period: April 2009
Est. Proj. End Date: Dec 2009
Project Description:
While payment via credit card is an advantage for the citizen and the institutions, it does increase the risk of a security breach from cyber criminals who are making concerted efforts to harvest personal identity information from Internet-based systems. For institutions, a breach would be expensive in terms of the unbudgeted cost to respond and remediate. In an effort to reduce the risk of data breach caused by such attacks, the credit card industry created the Payment Card Industry Data Security Standard (PCI DSS). The data security framework was created by the major credit card companies (American Express, Discover Financial Services, MasterCard Worldwide, and Visa International). Prior to 2004, each of the associations had a proprietary set of information security requirements which were often burdensome and repetitive for participants in multiple brand networks. The associations subsequently created a uniform set of information security requirements for all national card brands.
The PCI DSS project consists of two phases for each institution: a discovery phase and an external vulnerability assessment phase.
Phase I: Discovery
During the Discovery Phase, documentation is reviewed and interviews are performed in order to create a PCI DSS gap analysis. Utilizing the framework described (assess, remediate, and report), the data flow of payment through the network and servers will be documented in order to manage the PCI DSS compliance scope.
Phase II: External Vulnerability Assessment
The External Vulnerability Assessment is broken out into information gathering, vulnerability and port scanning, and vulnerability identification. PCI DSS requires that external vulnerability assessments be performed on a quarterly basis. The project team will coordinate these assessments with each institution following completion of Phase I.
Executive Summary
04/29/2009
Monthly Status Report
Page 1 of 3
Minnesota State Colleges and Universities
Status
Green (Controlled) Yellow (Caution) Red (Critical) Schedule Scope Budget
Description
Reason for Deviation
Quarter 1 scans have been completed and quarter 2 scans are in process. All campuses except one have had a site visit. The scope of the project is defined and at present is operating within its initial parameters. Projected campus expenditures might exceed initial projection. Extended work in trying to get the external scanning working has resulted in additional billable contractor time to determine why scanning is being blocked at the campus level.
Comments:
New/Updated Issues
Issues
Status (New, Newly Completed)
Mitigation Plan
Milestones / Deliverables
Milestones/Deliverables
Estimated Completion Date
Actual Completion Date
Status (On Schedule, Complete, At Risk)
For each campus:
Phase 1: Discovery Onsite Interviews and Info Gathering Draft SAQ and Rec Report Sent Final SAQ and Rec Report Sent
X 5/1/09 5/15/09 5/30/09
X
Completed At Risk
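Phase 2: External Vulnerability Assessment
Quarter 1 scan: Estimated Completion Date 3/31/09; Actual Completion Date 3/31/09; Status Completed
Quarter 2 scan: Estimated Completion Date 6/30/09; Status On Schedule
Quarter 3 scan: Estimated Completion Date 9/30/09; Status On Schedule
Quarter 4 scan: Estimated Completion Date 12/31/09; Status On Schedule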
Project Assumptions and Dependencies
Assumptions
Dependencies