PCI 3.1 Asset Management - Conexxus · PCI DSS, HIPAA and EI3PA . 3 Conexxus: Presentation Title...

PCI 3.1 Asset Management Curbing Fraud and Data Loss with Asset Management September 24, 2015


Agenda

• Housekeeping

• Presenters

• About Conexxus

• Presentation

• Q & A


2015 Conexxus Webinar Schedule*

Month/Date         | Webinar Title                   | Speaker                       | Company
June 30, 2015      | Network Segmentation            | Mark Carl                     | Echosat
July 31, 2015      | Mobile Payments                 | Wesley Burress, Don Friendman | ExxonMobil, P97
September 10, 2015 | Point 2 Point Encryption – P2PE | Rustin Miles                  | BlueFin
September 24, 2015 | Asset Tracking in PCI 3.0       | Olivia Rose Jenkins           | ControlScan
October            | The 411 of EMV                  | Kristi Kuehn                  | Heartland Payment Systems
November           | Tokenization                    | TBD                           |
December           | Conexxus – Year end review      | TBD                           |

If you have a suggestion for a webinar, please contact Carl Bayer with Conexxus at [email protected].

* Updated: September 23, 2015


Presenters

• Carl Bayer ([email protected]), Program Manager, Conexxus

• Kara Gunderson ([email protected]), POS Manager, Citgo Petroleum Corporation

• Olivia Rose Jenkins ([email protected]), Director, Senior Consulting Services, ControlScan


Future Events

2016 Conexxus Annual Conference
May 1 – 5, 2016, Loews Ventana Canyon Resort
Tucson, Arizona
www.conexxus.org/annualconference

The NACS Show
October 11-14, 2015, Las Vegas Convention Center
Las Vegas, Nevada


About Conexxus

• We are an independent, non-profit, member-driven technology organization

• We set standards…

– Data exchange

– Security

– Mobile commerce

• We provide vision

– Identify emerging tech/trends

• We advocate for our industry

– Technology is policy


Agenda

• What is an “asset”?

• What does Asset Management have to do with PCI?

• Key data points you should be tracking

• How to obtain the data needed for effective asset management

• When to turn to a third-party assessment management system



2 Conexxus: Presentation Title

• Specialize in improving security and preventing cyber-attacks

• Alliances with organizations in retail, healthcare, restaurant, petroleum, and technology services industries

• Offer security testing and compliance support for PCI DSS, HIPAA and EI3PA


Olivia Rose Jenkins, Director, Security Consulting Services

[email protected]

11475 Great Oaks Way, Suite 300, Alpharetta, GA 30022

controlscan.com

• Qualified Security Assessor (QSA) for 10 years

• Security compliance assessments, gap analyses, IT risk assessments, penetration testing, social engineering, wireless assessments, and more!

• Feel free to reach out with questions!


Asset Management 


Security Rule #1

You can’t protect what you don’t know about


Security Rule #2

Find out what you have so you can protect it


Security Rule #3

Once you know what you have, figure out how best to protect it


Security Rule #4

Deploy the controls to protect what you have


Security Rule #5

Manage the controls you deployed to protect what you have so gaps don’t open


Introducing Asset Management

What you have (“Asset”)

So you can figure out what you have, how best to protect it, how to deploy it, and how to manage it.


So, What is an “Asset”?


People


• The weakest link

• Their job and/or role = level of access they should have

• Remote HelpDesk

• Technicians

• Third-Parties/Service Providers

• Contractors/Temps

• Newly-hired and old-timers

• Tech-savvy or not


Process


• Easy to define; hard to enforce

• “How we do things” documented

• All the knowledge for:

– Firewall management

– Change management

– Virus detection

– Security awareness training

– POS physical security

– …and many more

• Lots of documentation!


Technology


Network Components (virtual or physical):

• Firewalls

• Switches

• Routers

• Wireless access points

• Network/security appliances

Server Components (virtual or physical):

• All types of servers

• Include, but are not limited to, Web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS)

Applications:

• All purchased and custom programs

• Deployed internally within the network or externally

POS:

• PIN Pads

• Card swipes

• Forecourt and inside POS

• Validation that payment applications are deployed correctly


Technology


Remember: Anything connected to anything that transmits, processes, or stores cardholder data is in scope for PCI!


So, to Recap:


Any technology connected to any technology that transmits, processes, or stores cardholder data

PLUS

The people who have access or possibly could get access to the above

AND

All of the knowledge for the above defined as process and documented


All of These are Assets!


Firewall between your POS/Fuel Controller and your processor

Remote HelpDesk who can log into the POS or Service Provider if it’s a managed firewall

Firewall security configurations and management documented as procedures


All of These are Assets!


Gilbarco Encore 700 S

Technicians who can log into the fuel dispenser

Encrypting PIN Pad (EPP) and Secure Card Reader (SCR) security configurations and management documented as procedures


Typical PCI-Related Assets at Motor Fueling Retailers


• Automated Fuel Dispenser (AFD)

• PIN Pads with card swipes

• Tank Monitoring Systems

• Point of Sale (POS) Systems

• Inside PIN pads

• Electronic Payment System (EPS)

• Back Office PCs

• Remote HelpDesk

• Store Personnel/Administrators/Service Providers

• Defined and documented processes for all of the above


Asset Management and ISO 27001/27002

http://www.iso.org/


ISO/IEC 27002 Information Security Framework


What Does ISO Say?

Section 8: Asset management

• 8.1 Responsibility for assets

All information assets should be inventoried and owners should be identified to be held accountable for their security. ‘Acceptable use’ policies should be defined, and assets should be returned when people leave the organization.

• 8.2 Information classification

Information should be classified and labeled by its owners according to the security protection needed, and handled appropriately.

• 8.3 Media handling

Information storage media should be managed, controlled, moved and disposed of in such a way that the information content is not compromised.


Asset Management and PCI Scoping


Remember Security Rules #1 and #2

You can’t protect what you don’t know about

Find out what you have so you can protect it


The Asset Management Requirement


PCI: Scope


Need to know what systems are being used to transmit, process and/or store CHD


PCI: Scope


Need to know what is in the CDE (people, processes, technologies, and locations) involved with transmitting, processing and/or storing CHD


PCI: Scope


Need to know what technical controls were used to segment off the environment used to transmit, process and/or store CHD.

Further breakdown is on next slide.


PCI: Network Diagram/s


Need to know what is in the CDE (people, processes, technologies, and locations) involved with transmitting, processing and/or storing CHD to validate the network diagram is accurate


PCI: Wireless Scope


Need to know what wireless networks/technologies are in use that can impact the environment used to transmit, process and/or store CHD.


PCI: CHD Storage


Need to know what CHD is stored, how long, where, and why


PCI: CHD Protection in Storage


Need to know what is used to safeguard CHD while being stored


PCI: Critical Hardware


Need to know what hardware is being used for all system components that transmit, process and/or store CHD

Unfortunately, this is not enough for req 2.4 for Asset Management


PCI: Critical Software


Need to know what software and applications are being used for all system components that transmit, process and/or store CHD

Unfortunately, this is not enough for req 2.4 for Asset Management


PCI: Payment Applications


Need to know what third-party payment applications are being used


PCI: Sampling


Need to know what to sample


Asset Management and PCI Requirements


PCI: Network Diagram/s


Need to know what is in the CDE (people, processes, technologies, and locations) involved with transmitting, processing and/or storing CHD to validate the network diagram is accurate


PCI: Firewalls and Routers


Firewall, routers, and POS router standards are defined and documented

Details on the technical controls used to segment off the environment used to transmit, process and/or store CHD.


PCI: Personal Firewalls


Need to know which individuals have mobile and/or employee-owned devices that connect to the Internet outside the network


PCI: Secure Configurations


Secure Configuration standards for all components in scope are defined and documented

Need to know what hardware and software is being used for all system components that transmit, process and/or store CHD


PCI: Anti Virus


Need to know what systems should have AV deployed


PCI: Vulnerability Management


Need to know what systems need patching to protect against introducing vulnerabilities


PCI: Secure Application Development


Need to know what applications are in use to transmit, process and/or store CHD (both internally-developed or by a third-party)


PCI: Access Management


Who has access and why to what systems and applications is defined, documented and deployed


PCI: Physical Access


Who has access to physical areas transmitting, processing and/or storing CHD and why is defined, documented and deployed


PCI: Physical Storage


How physical media containing CHD is safeguarded and defined, documented and deployed


PCI: POS Security


Need to know what AFD PIN pads and card swipes, POS terminals, and inside PIN pads are in use


POS Security


• Ask staff at the start of every shift to perform checks of the following:

– Tampered with or voided labels

– Credit card skimmers

– Pinhole cameras


PCI: Monitoring and Logging


Need to know what systems and applications are in use in order to monitor and log them


PCI: Unauthorized Wireless


Need to know what wireless access points are in use in order to detect unauthorized ones


PCI: Security Policy


Need to know what the scope is so you can identify if and when the environment changes and update the security policy


PCI: Risk Assessments


Need to know what the scope is so you can identify the critical assets for an annual risk assessment


PCI: People


Need to define who has actual or potential access to CHD so you can train them on best security practices, obtain their acknowledgement of your security policies, and perform background checks on them


PCI: Service Providers


Need to define which service providers have actual or potential access to CHD so you can ensure they comply with PCI and effectively safeguard your CHD


Asset Management – How to


Where to Start

• Create a plan on how you are going to obtain all this information (asset discovery)

– Interviews

– Location visits

– Review of IT and HR records

– Review of Accounting purchase records

• Define how you will enter it

– Use a spreadsheet or a database?

– Research third-party tools?

• How you plan to keep it up-to-date and ensure the integrity of the data


What to Capture & Track

Components (virtual or physical):

• Name

• Purpose

• Asset ID (use instead of serial number)

• Type (firewall, router, pump, POS, server, wireless access point, laptop, etc.)

• # of each system component

• Date of purchase

• Retirement date

• Vendor make and model

• Operating system name and version

• Location

• Latest patches applied/patch history

• Asset owner and contact info, backup owner and contact info

• Internal-only or external-only facing (or both)

• Physical or virtual

• Notes


What to Capture & Track

Locations:

• Location address

• Name of facility

• Purpose

• Other identifying info (location ID)

• # of individuals located there

• CHD storage?

• Location point of contact and contact info, backup owner and contact info

• Notes

People:

• All employees

• All contractors and service providers

• Date of hire

• Contract period (as applicable)

• Location

• Correlation to access control forms and IT access logs


Keeping the Data Current & Accurate

• Hardest part of asset management

• Need to communicate with IT, HR, and Accounting individuals/groups and/or service providers regularly

• Review annually and update as needed

• Make sure to update whenever you have a change
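As an added illustration (not code from the webinar, Conexxus or ControlScan), the Python below records a subset of the "What to Capture & Track" fields for one constructed store, applies the scoping rule from the Technology slide (anything connected to anything that handles CHD is in scope), and runs the kind of currency and accuracy checks the last slide calls for. Asset IDs, owner names, dates, the 30-day patch threshold and the "stop at the segmentation firewall" rule are all assumptions.

```python
"""Asset inventory check built from the slides' 'What to Capture & Track' fields
and the scoping rule 'anything connected to anything that handles CHD is in scope'.
All data below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Asset:
    asset_id: str                      # internal Asset ID, used instead of the serial number
    name: str
    asset_type: str                    # firewall, router, pump, POS, server, wireless access point, ...
    location: str
    owner: str                         # asset owner (ISO 27002 8.1: owners are accountable)
    backup_owner: str
    last_patch: Optional[date]         # latest patch applied; None = no patch history recorded
    handles_chd: bool = False          # transmits, processes or stores cardholder data
    segments_cde: bool = False         # a technical control used to segment off the CDE
    retirement_date: Optional[date] = None
    connected_to: List[str] = field(default_factory=list)


def in_scope(inventory: Dict[str, Asset]) -> Set[str]:
    """Start from every CHD-handling asset and follow connections in both directions.
    Simplifying assumption: a segmentation control that is reached is itself in scope,
    but scope does not propagate through it to the segment on its far side.
    Links to asset IDs that are not in the inventory are not followed (see review_findings)."""
    scope = {a.asset_id for a in inventory.values() if a.handles_chd}
    frontier = list(scope)
    while frontier:
        current = inventory[frontier.pop()]
        if current.segments_cde:
            continue
        neighbours = set(current.connected_to)
        neighbours |= {o.asset_id for o in inventory.values() if current.asset_id in o.connected_to}
        for nid in neighbours:
            if nid in inventory and nid not in scope:
                scope.add(nid)
                frontier.append(nid)
    return scope


def review_findings(inventory: Dict[str, Asset], today: date,
                    max_patch_age_days: int = 30) -> List[Tuple[str, str]]:
    """Data-quality checks in the spirit of the 'Keeping the Data Current & Accurate' slide.
    max_patch_age_days is a constructed threshold, not a figure from the slides."""
    scope = in_scope(inventory)
    findings: List[Tuple[str, str]] = []
    for a in inventory.values():
        # Security Rule #1: a link to something not in the inventory is an asset you don't know about
        for peer in a.connected_to:
            if peer not in inventory:
                findings.append((a.asset_id, f"connected to {peer}, which is not in the inventory"))
        # A retired asset still recorded as connected means the inventory is stale or the retirement never happened
        if a.retirement_date and a.retirement_date <= today and a.connected_to:
            findings.append((a.asset_id, f"retired on {a.retirement_date} but still recorded as connected"))
        if a.asset_id not in scope:
            continue
        if not a.owner or not a.backup_owner:
            findings.append((a.asset_id, "in scope without both an owner and a backup owner"))
        if a.last_patch is None:
            findings.append((a.asset_id, "in scope with no patch history recorded"))
        elif (today - a.last_patch).days > max_patch_age_days:
            findings.append((a.asset_id, f"in scope, last patched {(today - a.last_patch).days} days ago"))
    return findings


TODAY = date(2015, 9, 24)   # review date; the date of the webinar

# Constructed sample inventory for one fuel retail site (not real devices or people).
# SCR-01 is deliberately referenced by POS-01 but never inventoried.
SAMPLE_INVENTORY = {a.asset_id: a for a in [
    Asset("AFD-01", "Forecourt dispenser 1", "pump", "Store 101", "store-mgr", "district-tech",
          date(2015, 6, 1), handles_chd=True, connected_to=["POS-01"]),
    Asset("POS-01", "Inside POS register", "POS", "Store 101", "store-mgr", "",
          date(2015, 9, 10), handles_chd=True, connected_to=["AFD-01", "EPS-01", "FW-01", "SCR-01"]),
    Asset("EPS-01", "Electronic payment server", "server", "Store 101", "pos-team", "msp-helpdesk",
          None, handles_chd=True, connected_to=["POS-01"]),
    Asset("FW-01", "Managed store firewall", "firewall", "Store 101", "msp-helpdesk", "pos-team",
          date(2015, 9, 1), segments_cde=True, connected_to=["POS-01", "BO-PC-01"]),
    Asset("BO-PC-01", "Back office PC", "laptop", "Store 101", "store-mgr", "district-tech",
          date(2015, 9, 20), connected_to=["FW-01", "TANK-01", "WAP-01"]),
    Asset("TANK-01", "Tank monitoring system", "server", "Store 101", "store-mgr", "district-tech",
          date(2014, 1, 15), connected_to=["BO-PC-01"]),
    Asset("WAP-01", "Old back-office access point", "wireless access point", "Store 101",
          "store-mgr", "district-tech", date(2014, 5, 5),
          retirement_date=date(2015, 3, 31), connected_to=["BO-PC-01"]),
]}

if __name__ == "__main__":
    print("In scope:", sorted(in_scope(SAMPLE_INVENTORY)))
    for asset_id, issue in review_findings(SAMPLE_INVENTORY, TODAY):
        print(f"{asset_id}: {issue}")
```

Note that TANK-01, patched in 2014, raises nothing because it sits behind the segmentation firewall; whether that is acceptable is exactly the question the "technical controls used to segment off the environment" slide asks you to be able to answer.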


Do it myself or outsource?


Summary

• It’s not just to meet PCI compliance; it’s for best security practices overall!

You can’t protect what you don’t know about

Find out what you have so you can protect it


Contact Info

Olivia Rose Jenkins
Director, Security Consulting Services
[email protected]
ControlScan, Inc.


Q & A


Asset Management and ISO 27001/27002


ISO/IEC 27002 Information Security Framework


Need to know what people, processes, and technologies to include in the documentation

ISO/IEC 27002


Need to know who has access to your systems, when, why, and how

ISO/IEC 27002


Need to know which systems and locations can be accessed and how

ISO/IEC 27002


Need to know where data is stored and how it is protected

ISO/IEC 27002


Need to know what locations transmit, process and/or store data and how

ISO/IEC 27002


Need to know which systems transmit, process and/or store data and how they are configured

ISO/IEC 27002


Need to know how data is transmitted and how networks are segmented

ISO/IEC 27002


Need to know how systems and applications that transmit, process and/or store data are developed and managed

ISO/IEC 27002


Need to know how service providers access your environment and safeguard it

ISO/IEC 27002


Need to know what steps to take if there is an incident or a breach

ISO/IEC 27002


Need to know what steps to take to ensure business continues in the event of an incident or breach

ISO/IEC 27002
