PCI 3.1 Asset Management - Conexxus

Post on 06-Jul-2020


TRANSCRIPT

Agenda

• Housekeeping

• Presenters

• About Conexxus

• Presentation

• Q & A

2015 Conexxus Webinar Schedule*

Month/Date | Webinar Title | Speaker | Company
June 30, 2015 | Network Segmentation | Mark Carl | Echosat
July 31, 2015 | Mobile Payments | Wesley Burress; Don Friendman | ExxonMobil; P97
September 10, 2015 | Point 2 Point Encryption – P2PE | Rustin Miles | BlueFin
September 24, 2015 | Asset Tracking in PCI 3.0 | Olivia Rose Jenkins | ControlScan
October | The 411 of EMV | Kristi Kuehn | Heartland Payment Systems
November | Tokenization | TBD
December | Conexxus – Year end review | TBD

If you have a suggestion for a webinar, please contact Carl Bayer with Conexxus at cbayer@conexxus.org.

* Updated: September 23, 2015

Presenters

• Carl Bayer (cbayer@conexxus.org), Program Manager, Conexxus

• Kara Gunderson (kgunder@citgo.com), POS Manager, Citgo Petroleum Corporation

• Olivia Rose Jenkins (ojenkins@controlscan.com), Director, Senior Consulting Services, ControlScan

Future Events

2016 Conexxus Annual Conference
May 1 – 5, 2016, Loews Ventana Canyon Resort, Tucson, Arizona
www.conexxus.org/annualconference

The NACS Show
October 11-14, 2015, Las Vegas Convention Center, Las Vegas, Nevada

About Conexxus

• We are an independent, non-profit, member-driven technology organization

• We set standards…

– Data exchange

– Security

– Mobile commerce

• We provide vision

– Identify emerging tech/trends

• We advocate for our industry

– Technology is policy

Agenda

• What is an “asset”?

• What does Asset Management have to do with PCI?

• Key data points you should be tracking

• How to obtain the data needed for effective asset management

• When to turn to a third-party assessment management system

2 Conexxus: Presentation Title

• Specialize in improving security and preventing cyber-attacks

• Alliances with organizations in retail, healthcare, restaurant, petroleum, and technology services industries

• Offer security testing and compliance support for PCI DSS, HIPAA and EI3PA


Olivia Rose Jenkins, Director, Security Consulting Services

ojenkins@controlscan.com

11475 Great Oaks Way, Suite 300, Alpharetta, GA 30022

controlscan.com

• Qualified Security Assessor (QSA) for 10 years

• Security compliance assessments, gap analyses, IT risk assessments, penetration testing, social engineering, wireless assessments, and more!

• Feel free to reach out with questions!

Asset Management 

Security Rule #1

You can’t protect what you don’t know about

Security Rule #2

Find out what you have so you can protect it

Security Rule #3

Once you know what you have, figure out how best to protect it

Security Rule #4

Deploy the controls to protect what you have

Security Rule #5

Manage the controls you deployed to protect what you have so gaps don’t open

Introducing Asset Management

What you have (“Asset”): so you can figure out what you have, how best to protect it, how to deploy it, and how to manage it.

So, What is an “Asset”?


People


• The weakest link

• Their job and/or role = level of access they should have

• Remote HelpDesk

• Technicians

• Third-Parties/Service Providers

• Contractors/Temps

• Newly-hired and old-timers

• Tech-savvy or not

Process

Easy to define; hard to enforce

“How we do things” documented

All the knowledge for:

• Firewall management

• Change management

• Virus detection

• Security awareness training

• POS physical security

• …and many more

Lots of documentation!

Technology

Network Components (virtual or physical):

• Firewalls

• Switches

• Routers

• Wireless access points

• Network/security appliances

Server Components (virtual or physical):

• All types of servers

• Include, but are not limited to, Web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS)

Applications:

• All purchased and custom programs

• Deployed internally within the network or externally

POS:

• PIN Pads

• Card swipes

• Forecourt and inside POS

• Validation that payment applications are deployed correctly

Technology

Remember: Anything connected to anything that transmits, processes, or stores cardholder data is in scope for PCI!

So, to Recap:

Any technology connected to any technology that transmits, processes, or stores cardholder data

PLUS

The people who have access or possibly could get access to the above

AND

All of the knowledge for the above defined as process and documented

All of These are Assets!

Firewall between your POS/Fuel Controller and your processor

Remote HelpDesk who can log into the POS or Service Provider if it’s a managed firewall

Firewall security configurations and management documented as procedures

All of These are Assets!

Gilbarco Encore 700 S

Technicians who can log into the fuel dispenser

Encrypting PIN Pad (EPP) and Secure Card Reader (SCR) security configurations and management documented as procedures

Typical PCI-Related Assets at Motor Fueling Retailers

• Automated Fuel Dispenser (AFD)

• PIN Pads with card swipes

• Tank Monitoring Systems

• Point of Sale (POS) Systems

• Inside PIN pads

• Electronic Payment System (EPS)

• Back Office PCs

• Store Personnel/Administrators/Service Providers

• Remote HelpDesk

• Defined and documented processes for all of the above

Asset Management and ISO 27001/27002

http://www.iso.org/

ISO/IEC 27002 Information Security Framework

What Does ISO Say?

Section 8: Asset management

• 8.1 Responsibility for assets: All information assets should be inventoried and owners should be identified to be held accountable for their security. ‘Acceptable use’ policies should be defined, and assets should be returned when people leave the organization.

• 8.2 Information classification: Information should be classified and labeled by its owners according to the security protection needed, and handled appropriately.

• 8.3 Media handling: Information storage media should be managed, controlled, moved and disposed of in such a way that the information content is not compromised.

Asset Management and PCI Scoping

Remember Security Rules #1 and #2

You can’t protect what you don’t know about

Find out what you have so you can protect it

The Asset Management Requirement

PCI: Scope

Need to know what systems are being used to transmit, process and/or store CHD

PCI: Scope

Need to know what is in the CDE (people, processes, technologies, and locations) involved with transmitting, processing and/or storing CHD

PCI: Scope

Need to know what technical controls were used to segment off the environment used to transmit, process and/or store CHD.

Further breakdown is on next slide.

PCI: Network Diagram/s

Need to know what is in the CDE (people, processes, technologies, and locations) involved with transmitting, processing and/or storing CHD to validate the network diagram is accurate

PCI: Wireless Scope

Need to know what wireless networks/technologies are in use that can impact the environment used to transmit, process and/or store CHD.

PCI: CHD Storage

Need to know what CHD is stored, how long, where, and why

PCI: CHD Protection in Storage


Need to know what is used to safeguard CHD while being stored

PCI: Critical Hardware


Need to know what hardware is being used for all system components that transmit, process and/or store CHD

Unfortunately, this is not enough for req 2.4 for Asset Management

PCI: Critical Software

Need to know what software and applications are being used for all system components that transmit, process and/or store CHD

Unfortunately, this is not enough for req 2.4 for Asset Management

PCI: Payment Applications

Need to know what third‐party payment applications are being used

PCI: Sampling


Need to know what to sample

Asset Management and PCI Requirements

PCI: Network Diagram/s

Need to know what is in the CDE (people, processes, technologies, and locations) involved with transmitting, processing and/or storing CHD to validate the network diagram is accurate

PCI: Firewalls and Routers


Firewall, routers, and POS router standards are defined and documented

Details on the technical controls used to segment off the environment used to transmit, process and/or store CHD.

PCI: Personal Firewalls

Need to know which individuals have mobile and/or employee‐owned devices that connect to the Internet outside the network

PCI: Secure Configurations

Secure Configuration standards for all components in scope are defined and documented

Need to know what hardware and software is being used for all system components that transmit, process and/or store CHD

PCI: Anti Virus


Need to know what systems should have AV deployed

PCI: Vulnerability Management

Need to know what systems need patching to protect against introducing vulnerabilities

PCI: Secure Application Development


Need to know what applications are in use to transmit, process and/or store CHD (both internally‐developed or by a third‐party)

PCI: Access Management

Who has access and why to what systems and applications is defined, documented and deployed

PCI: Physical Access

Who has access to physical areas transmitting, processing and/or storing CHD and why is defined, documented and deployed

PCI: Physical Storage

How physical media containing CHD is safeguarded and defined, documented and deployed

PCI: POS Security


Need to know what AFD PIN pads and card swipes, POS terminals, Inside PIN pads are in use

POS Security

• Ask staff at the start of every shift to perform checks of the following:

– Tampered with or voided labels

– Credit card skimmers

– Pinhole cameras

PCI: Monitoring and Logging


Need to know what systems and applications are in use in order to monitor and log them

PCI: Unauthorized Wireless


Need to know what wireless access points are in use in order to detect unauthorized ones

PCI: Security Policy

Need to know what the scope is so you can identify if and when the environment changes to update the security policy

PCI: Risk Assessments

Need to know what the scope is so you can identify the critical assets for an annual risk assessment

PCI: People

Need to define who has actual or potential access to CHD so you can train them on best security practices, obtain their acknowledgement of your security policies, and perform background checks on them

PCI: Service Providers

Need to define which service providers have actual or potential access to CHD so you can ensure they comply with PCI and effectively safeguard your CHD

Asset Management – How to

Where to Start

• Create a plan on how you are going to obtain all this information (asset discovery)

– Interviews

– Location visits

– Review of IT and HR records

– Review of Accounting purchase records

• Define where you will enter it

– Use a spreadsheet or a database?

– Research third-party tools?

• How you plan to keep it up-to-date and ensure the integrity of the data

What to Capture & Track

Components (virtual or physical):

• Name

• Purpose

• Asset ID (use instead of serial number)

• Type (firewall, router, pump, POS, server, wireless access point, laptop, etc.)

• # of each system component

• Date of purchase

• Retirement date

• Vendor make and model

• Operating system name and version

• Location

• Latest patches applied/patch history

• Asset owner and contact info, backup owner and contact info

• Internal-only or external-only facing (or both)

• Physical or virtual

• Notes

What to Capture & Track

Locations:

• Location address

• Name of facility

• Purpose

• Other identifying info (location ID)

• # of individuals located there

• CHD storage?

• Location point of contact and contact info, backup owner and contact info

• Notes

People:

• All employees

• All contractors and service providers

• Date of hire

• Contract period (as applicable)

• Location

• Correlation to access control forms and IT access logs

Keeping the Data Current & Accurate

• Hardest part of asset management

• Need to communicate with IT, HR, and Accounting individual/groups and/or service providers regularly

• Review annually and update as needed

• Make sure to update whenever you have a change
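A worked example, added here and not part of the webinar deck or ControlScan's tooling: a small Python inventory using a subset of the fields listed under What to Capture & Track, the deck's scope rule (anything connected to anything that transmits, processes or stores CHD is in scope) computed as transitive connectivity, and a review check for the keep-it-current points above. All asset IDs, names, owners and dates are constructed sample data; it uses only the Python 3 standard library.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Component:
    asset_id: str
    name: str
    type: str                    # firewall, router, pump, POS, server, ...
    owner: str                   # asset owner; empty string = unassigned
    handles_chd: bool = False    # transmits, processes or stores CHD
    connected_to: set = field(default_factory=set)  # neighbour asset IDs
    last_reviewed: "date | None" = None             # last inventory review
    retired: "date | None" = None                   # retirement date, if any

def in_scope(components):
    """PCI scope per the deck's rule: CHD handlers plus everything reachable
    from them over (undirected) connectivity; retired assets are ignored."""
    live = {c.asset_id: c for c in components if c.retired is None}
    adj = {k: set() for k in live}
    for c in live.values():
        for other in c.connected_to & set(live):
            adj[c.asset_id].add(other)
            adj[other].add(c.asset_id)
    scope, stack = set(), [k for k, c in live.items() if c.handles_chd]
    while stack:
        cur = stack.pop()
        if cur not in scope:
            scope.add(cur)
            stack.extend(adj[cur] - scope)
    return scope

def review_findings(components, today, max_age_days=365):
    """Records failing the deck's 'keep it current and accurate' check."""
    findings = []
    for c in (c for c in components if c.retired is None):
        if not c.owner:
            findings.append((c.asset_id, "no asset owner"))
        if c.last_reviewed is None or (today - c.last_reviewed).days > max_age_days:
            findings.append((c.asset_id, "annual review overdue"))
    return findings

# Constructed sample site: AFD and POS reach the EPS behind the POS firewall; back-office PC is segmented off; one PIN pad is retired.
SAMPLE = [
    Component("A-001", "Forecourt AFD", "pump", "Site lead", True, {"A-003"}, date(2015, 6, 1)),
    Component("A-002", "Inside POS", "POS", "Site lead", True, {"A-003"}, date(2014, 5, 1)),
    Component("A-003", "EPS server", "server", "IT ops", True, {"A-004"}, date(2015, 6, 1)),
    Component("A-004", "POS firewall", "firewall", "", False, set(), date(2015, 6, 1)),
    Component("A-005", "Back office PC", "laptop", "Site lead", False, set(), date(2015, 6, 1)),
    Component("A-006", "Old PIN pad", "POS", "", True, {"A-002"}, None, date(2015, 1, 15)),
]
```

Running `in_scope(SAMPLE)` pulls the firewall into scope through the EPS even though it handles no CHD itself, which is the deck's "firewall between your POS and your processor" example; the retired PIN pad drops out of both checks.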


Do it myself or outsource?

Summary

• It’s not just to meet PCI compliance; it’s for best security practices overall!

You can’t protect what you don’t know about

Find out what you have so you can protect it

Contact Info

Olivia Rose Jenkins
Director, Security Consulting Services
Ojenkins@ControlScan.com
ControlScan, Inc.

Q & A

Asset Management and ISO 27001/27002

ISO/IEC 27002 Information Security Framework

Need to know what people, processes, and technologies to include in the documentation

ISO/IEC 27002

Need to know who has access to your systems, when, why, and how

ISO/IEC 27002

Need to know which systems and locations can be accessed and how

ISO/IEC 27002


Need to know where data is stored and how it is protected

ISO/IEC 27002

Need to know what locations transmit, process and/or store data and how

ISO/IEC 27002

Need to know which systems transmit, process and/or store data and how they are configured

ISO/IEC 27002

Need to know how data is transmitted and how networks are segmented

ISO/IEC 27002


Need to know how systems and applications that transmit, process and/or store data are developed and managed

ISO/IEC 27002


Need to know how service providers access your environment and safeguard it

ISO/IEC 27002

Need to know what steps to take if there is an incident or a breach

ISO/IEC 27002

Need to know what steps to take to ensure business continues in the event of an incident or breach

ISO/IEC 27002

