ABC Corporation
CONFIDENTIAL INFORMATION
This document is the property of ABC Corporation; it contains information that is proprietary, confidential, or otherwise restricted from disclosure. If you are not an authorized recipient, please return this document to the above-named owner. Dissemination, distribution, copying or use of this document in whole or in part by anyone other than the intended recipient is strictly prohibited without prior written permission of ABC Corporation.

Revision History
Changes: Initial Publication
Approving Manager:
Date:
Any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees) that are used to access the organization's network must have a local (personal) software firewall installed and active. This firewall must be configured to specific standards, and must not be alterable by mobile and/or employee-owned computer users. (PCI Requirement 1.4)
Requirement 2: Do not use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
Vendor Defaults
Vendor-supplied defaults must always be changed before installing a system on the network. Examples of vendor defaults that must be changed include passwords and SNMP community strings; unnecessary default accounts must be eliminated. (PCI Requirement 2.1)

Default settings for wireless systems must be changed before implementation. Wireless environment defaults include, but are not limited to:
- default encryption keys
- passwords
- SNMP community strings
- default passwords/passphrases on access points
- other security-related wireless vendor defaults as applicable
Firmware on wireless devices must be updated to support strong encryption for authentication and transmission of data over wireless networks. (PCI Requirement 2.1.1)

Unneeded Services and Protocols
Only necessary services, protocols, daemons, etc., as needed for the function of the system, may be enabled. All services and protocols not directly needed to perform the device's specified function must be disabled. (PCI Requirement 2.2.2)

Non-Console Administrative Access
Credentials for non-console administrative access must be encrypted using technologies such as SSH, VPN, or SSL/TLS. (PCI Requirement 2.3) Encryption technologies must include the following:
- Must use strong cryptography, and the encryption method must be invoked before the administrator's password is requested.
- System services and parameter files must be configured to prevent the use of telnet and other insecure remote login commands.
- Must include administrator access to web-based management interfaces.
Displaying PAN
ABC Corporation will mask the display of PANs (primary account numbers), and limit viewing of full PANs to only those employees and other parties with a legitimate need. A properly masked number will show only the first six and the last four digits of the PAN. (PCI Requirement 3.3)
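As an added illustration (not part of ABC Corporation's policy), the following Python applies the first-six/last-four masking rule and then checks application log lines for PANs that were written in the clear, the kind of review a policy owner would run to verify the rule is actually being applied. The log lines and the card number are constructed test data.

```python
import re

# Constructed sample log lines (not real transactions): one record leaks a
# full PAN, one is correctly masked, one is a 16-digit order id that is not a PAN.
SAMPLE_LOG = """\
2024-01-05 12:34:56 payment ok card=4111 1111 1111 1111 amount=19.99
2024-01-05 12:35:10 payment ok card=411111******1111 amount=5.00
2024-01-05 12:35:42 shipment created order_id=1234567890123456
"""

# Runs of 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check shared by the card brands; rejects most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN showing only the first six and last four digits (PCI 3.3)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str) -> list[str]:
    """Return Luhn-valid PAN candidates that appear unmasked in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))   # 411111******1111
    print(find_unmasked_pans(SAMPLE_LOG))   # ['4111111111111111']
```

Masked values never match because the asterisks break the digit run, and the order id is rejected by the Luhn check even though it has a PAN-like length.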
Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
Limit Access to Cardholder Data
Access to ABC Corporation's cardholder system components and data is limited to only those individuals whose jobs require such access. (PCI Requirement 7.1) Access limitations must include the following:
- Access rights for privileged user IDs must be restricted to the least privileges necessary to perform job responsibilities. (PCI Requirement 7.1.1)
- Privileges must be assigned to individuals based on job classification and function (also called "role-based access control"). (PCI Requirement 7.1.2)
Vulnerability Scanning
At least quarterly, and after any significant changes in the network (such as new system component installations, changes in network topology, firewall rule modifications, or product upgrades), ABC Corporation will perform vulnerability scanning on all in-scope systems. (PCI Requirement 11.2) Internal vulnerability scans must be repeated until passing results are obtained, or until all "high" vulnerabilities as defined in PCI Requirement 6.2 are resolved. (PCI Requirement 11.2.1, 11.2.3) Quarterly vulnerability scan results must satisfy the ASV Program Guide requirements (for example, no vulnerabilities rated higher than a 4.0 by the CVSS and no automatic failures). External vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC). (PCI Requirement 11.2.2, 11.2.3)
Requirement 12: Maintain a Policy that Addresses Information Security for Employees and Contractors
Security Policy
ABC Corporation shall establish, publish, maintain, and disseminate a security policy that addresses how the company will protect cardholder data. (PCI Requirement 12.1) This policy must be reviewed at least annually, and must be updated as needed to reflect changes to business objectives or the risk environment. (PCI Requirement 12.1.3)

Critical Technologies
ABC Corporation shall establish usage policies for critical technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), email, and internet usage). (PCI Requirement 12.3) These policies must include the following:
- Explicit approval by authorized parties to use the technologies (PCI Requirement 12.3.1)
- Authentication for use of the technology (PCI Requirement 12.3.2)
- A list of all such devices and personnel with access (PCI Requirement 12.3.3)
- Acceptable uses of the technologies (PCI Requirement 12.3.5)
- Acceptable network locations for the technologies (PCI Requirement 12.3.6)
- Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity (PCI Requirement 12.3.8)
- Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate de-activation after use (PCI Requirement 12.3.9)

Security Responsibilities
ABC Corporation's policies and procedures must clearly define information security responsibilities for all personnel. (PCI Requirement 12.4)

Incident Response Policy
The ____________ shall establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. (PCI Requirement 12.5.3)

Incident Identification
Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures.
All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of security incidents that an employee might recognize in their day-to-day activities include, but are not limited to:
- Theft, damage, or unauthorized access (e.g., papers missing from their desk, broken locks, missing log files, an alert from a security guard, video evidence of a break-in or unscheduled/unauthorized physical entry)
- Fraud: inaccurate information within databases, logs, files or paper records
Reporting an Incident
The __________ should be notified immediately of any suspected or real security incidents involving cardholder data:
- Contact the ________________ to report any suspected or actual incidents. The Internal Audit's phone number should be well known to all employees and should page someone during non-business hours.
- No one should communicate with anyone outside of their supervisor(s) or the ____________ about any details or generalities surrounding any suspected or actual incident. All communications with law enforcement or the public will be coordinated by the __________________.
- Document any information you know while waiting for the _______________ to respond to the incident. If known, this must include the date, time, and nature of the incident. Any information you can provide will aid in responding in an appropriate manner.

Incident Response
Responses can include or proceed through the following stages: identification, severity classification, containment, eradication, recovery, and root cause analysis resulting in improvement of security controls.

Contain, Eradicate, Recover and perform Root Cause Analysis
1. Notify applicable card associations.

Visa
Provide the compromised Visa accounts to the Visa Fraud Control Group within ten (10) business days. For assistance, contact 1-(650)-432-2978. Account numbers must be securely sent to Visa as instructed by the Visa Fraud Control Group. It is critical that all potentially compromised accounts are provided. Visa will distribute the compromised Visa account numbers to issuers and ensure the confidentiality of entity and non-public information. See Visa's "What to do if compromised" documentation for additional activities that must be performed. That documentation can be found at http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_what_to_do_if_compromised.pdf

MasterCard
Contact your merchant bank for specific details on what to do following a compromise. Details on the merchant bank (aka the acquirer) can be found in the Merchant Manual at http://www.mastercard.com/us/wce/PDF/12999_MERC_Entire_Manual.pdf. Your merchant bank will assist when you call MasterCard at 1-(636)-722-4100.

Discover Card
Contact your relationship manager or call the support line at 1-(800)-347-3083 for further guidance.

2. Alert all necessary parties. Be sure to notify:
3. Merchant bank
4. Local FBI Office
5. U.S. Secret Service (if Visa payment data is compromised)
6. Local authorities (if appropriate)
7. Perform an analysis of legal requirements for reporting compromises in every state where clients were affected. The following source of information must be used: http://www.ncsl.org/programs/lis/cip/priv/breach.htm
8. Collect and protect information associated with the intrusion. In the event that a forensic investigation is required, the ____________ will work with legal and management to identify appropriate forensic specialists.
9. Eliminate the intruder's means of access and any related vulnerabilities.
10. Research potential risks related to, or damage caused by, the intrusion method used.

Root Cause Analysis and Lessons Learned
Not more than one week following the incident, members of the ______________ and all affected parties will meet to review the results of any investigation to determine the root cause of the compromise and evaluate the effectiveness of the Incident Response Plan. Review other security controls to determine their appropriateness for the current risks. Any identified areas in which the plan, policy or security control can be made more effective or efficient must be updated accordingly.

Security Awareness
ABC Corporation shall establish and maintain a formal security awareness program to make all personnel aware of the importance of cardholder data security. (PCI Requirement 12.6)

Service Providers
ABC Corporation shall implement and maintain policies and procedures to manage service providers. (PCI Requirement 12.8) This process must include the following:
- Maintain a list of service providers (PCI Requirement 12.8.1)
- Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of the cardholder data the service providers possess (PCI Requirement 12.8.2)
- Implement a process to perform proper due diligence prior to engaging a service provider (PCI Requirement 12.8.3)
- Monitor service providers' PCI DSS compliance status (PCI Requirement 12.8.4)