![Page 1: PCI 3.1 Asset Management - Conexxus · PCI DSS, HIPAA and EI3PA . 3 Conexxus: Presentation Title ... database, authentication, mail, proxy, network time protocol (NTP), and domain](https://reader034.vdocument.in/reader034/viewer/2022042409/5f256c674cd48b72fc6b2532/html5/thumbnails/1.jpg)
PCI 3.1
Asset Management
Curbing Fraud and Data Loss with Asset Management
September 24, 2015
Agenda
• Housekeeping
• Presenters
• About Conexxus
• Presentation
• Q & A
2015 Conexxus Webinar Schedule*

| Month/Date | Webinar Title | Speaker | Company |
|---|---|---|---|
| June 30, 2015 | Network Segmentation | Mark Carl | Echosat |
| July 31, 2015 | Mobile Payments | Wesley Burress, Don Friendman | ExxonMobil, P97 |
| September 10, 2015 | Point 2 Point Encryption – P2PE | Rustin Miles | BlueFin |
| September 24, 2015 | Asset Tracking in PCI 3.0 | Olivia Rose Jenkins | ControlScan |
| October | The 411 of EMV | Kristi Kuehn | Heartland Payment Systems |
| November | Tokenization | TBD | |
| December | Conexxus – Year end review | TBD | |
If you have a suggestion for a webinar, please contact Carl Bayer with Conexxus at [email protected].
* Updated: September 23, 2015
Presenters
• Carl Bayer ([email protected]), Program Manager, Conexxus
• Kara Gunderson ([email protected]), POS Manager, Citgo Petroleum Corporation
• Olivia Rose Jenkins ([email protected]), Director, Senior Consulting Services, ControlScan
Future Events
2016 Conexxus Annual Conference
May 1 – 5, 2016, Loews Ventana Canyon Resort, Tucson, Arizona
www.conexxus.org/annualconference
The NACS Show
October 11-14, 2015, Las Vegas Convention Center, Las Vegas, Nevada
About Conexxus
• We are an independent, non-profit, member driven technology organization
• We set standards…
– Data exchange
– Security
– Mobile commerce
• We provide vision
– Identify emerging tech/trends
• We advocate for our industry
– Technology is policy
Agenda
• What is an “asset”?
• What does Asset Management have to do with PCI?
• Key data points you should be tracking
• How to obtain the data needed for effective asset management
• When to turn to a third-party assessment management system
2 Conexxus: Presentation Title
• Specialize in improving security and preventing cyber-attacks
• Alliances with organizations in retail, healthcare, restaurant, petroleum, and technology services industries
• Offer security testing and compliance support for PCI DSS, HIPAA and EI3PA
Olivia Rose Jenkins, Director, Security Consulting Services
11475 Great Oaks Way, Suite 300, Alpharetta, GA 30022
controlscan.com
• Qualified Security Assessor (QSA) for 10 years
• Security compliance assessments, gap analyses, IT risk assessments, penetration testing, social engineering, wireless assessments, and more!
• Feel free to reach out with questions!
Asset Management
Security Rule #1
You can’t protect
what you don’t know about
Security Rule #2
Find out what you have
so you can protect it
Security Rule #3
Once you know what you have, figure out
how best to protect it
Security Rule #4
Deploy the controls to protect what you have
Security Rule #5
Manage the controls you deployed to protect what you have
so gaps don’t open
Introducing Asset Management
What you have (“Asset”)
So you can figure out what you have, how best to protect it, how to deploy it, and how to manage it.
So, What is an “Asset”?
People
The weakest link
Their job and/or role = level of access they should have
• Remote HelpDesk
• Technicians
• Third-Parties/Service Providers
• Contractors/Temps
• Newly-hired and old-timers
• Tech-savvy or not
Process
Easy to define; hard to enforce
“How we do things” documented
All the knowledge for:
• Firewall management
• Change management
• Virus detection
• Security awareness training
• POS physical security
• …and many more
Lots of documentation!
Technology
Network Components (virtual or physical):
• Firewalls
• Switches
• Routers
• Wireless access points
• Network/security appliances
Server Components (virtual or physical):
• All types of servers
• Include, but are not limited to, Web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS)
Applications:
• All purchased and custom programs
• Deployed internally within the network or externally
POS:
• PIN Pads
• Card swipes
• Forecourt and inside POS
• Validation that payment applications are deployed correctly
Technology
Remember: Anything connected to anything that transmits, processes, or stores cardholder data is in scope for PCI!
So, to Recap:
Any technology connected to any technology that transmits, processes, or stores cardholder data
PLUS
The people who have access or possibly could get access to the above
AND
All of the knowledge for the above, defined as process and documented
All of These are Assets!
Firewall between your POS/Fuel Controller and your processor
Remote HelpDesk who can log into the POS or Service Provider if it’s a managed firewall
Firewall security configurations and management documented as procedures
All of These are Assets!
Gilbarco Encore 700 S
Technicians who can log into the fuel dispenser
Encrypting PIN Pad (EPP) / Secure Card Reader (SCR) security configurations and management documented as procedures
Typical PCI-Related Assets at Motor Fueling Retailers
• Automated Fuel Dispenser (AFD) PIN Pads with card swipes
• Tank Monitoring Systems
• Point of Sale (POS) Systems / Inside PIN pads
• Electronic Payment System (EPS)
• Store Personnel/Administrators/Service Providers
• Remote HelpDesk
• Back Office PCs
• Defined and documented processes for all of the above
Asset Management and ISO 27001/27002
http://www.iso.org/
ISO/IEC 27002 Information Security Framework
What Does ISO Say?
Section 8: Asset management
• 8.1 Responsibility for assets: All information assets should be inventoried and owners should be identified to be held accountable for their security. ‘Acceptable use’ policies should be defined, and assets should be returned when people leave the organization.
• 8.2 Information classification: Information should be classified and labeled by its owners according to the security protection needed, and handled appropriately.
• 8.3 Media handling: Information storage media should be managed, controlled, moved and disposed of in such a way that the information content is not compromised.
Asset Management and PCI Scoping
Remember Security Rules #1 and #2
You can’t protect
what you don’t know about
Find out what you have
so you can protect it
The Asset Management Requirement
PCI: Scope
Need to know what systems are being used to transmit, process and/or store CHD
PCI: Scope
Need to know what is in the CDE (people, processes, technologies, and locations) involved with transmitting, processing and/or storing CHD
PCI: Scope
Need to know what technical controls were used to segment off the environment used to transmit, process and/or store CHD.
Further breakdown is on next slide.
PCI: Network Diagram/s
Need to know what is in the CDE (people, processes, technologies, and locations) involved with transmitting, processing and/or storing CHD to validate the network diagram is accurate
PCI: Wireless Scope
Need to know what wireless networks/technologies are in use that can impact the environment used to transmit, process and/or store CHD.
PCI: CHD Storage
Need to know what CHD is stored, how long, where, and why
PCI: CHD Protection in Storage
Need to know what is used to safeguard CHD while being stored
PCI: Critical Hardware
Need to know what hardware is being used for all system components that transmit, process and/or store CHD
Unfortunately, this alone is not enough to satisfy Requirement 2.4 for Asset Management
PCI: Critical Software
Need to know what software and applications are being used for all system components that transmit, process and/or store CHD
Unfortunately, this alone is not enough to satisfy Requirement 2.4 for Asset Management
PCI: Payment Applications
Need to know what third‐party payment applications are being used
PCI: Sampling
Need to know what to sample
Asset Management and PCI Requirements
PCI: Network Diagram/s
Need to know what is in the CDE (people, processes, technologies, and locations) involved with transmitting, processing and/or storing CHD to validate the network diagram is accurate
PCI: Firewalls and Routers
Firewall, routers, and POS router standards are defined and documented
Details on the technical controls used to segment off the environment used to transmit, process and/or store CHD.
PCI: Personal Firewalls
Need to know which individuals have mobile and/or employee‐owned devices that connect to the Internet outside the network
PCI: Secure Configurations
Secure Configuration standards for all components in scope are defined and documented
Need to know what hardware and software is being used for all system components that transmit, process and/or store CHD
PCI: Anti Virus
Need to know what systems should have AV deployed
PCI: Vulnerability Management
Need to know what systems need patching to protect against introducing vulnerabilities
PCI: Secure Application Development
Need to know what applications are in use to transmit, process and/or store CHD (both internally‐developed or by a third‐party)
PCI: Access Management
Who has access to what systems and applications, and why, is defined, documented and deployed
PCI: Physical Access
Who has access to physical areas transmitting, processing and/or storing CHD, and why, is defined, documented and deployed
PCI: Physical Storage
How physical media containing CHD is safeguarded is defined, documented and deployed
PCI: POS Security
Need to know what AFD PIN pads and card swipes, POS terminals, Inside PIN pads are in use
POS Security
• Ask staff at the start of every shift to perform checks of the following:
– Tampered with or voided labels
POS Security
– Credit card skimmers
– Pinhole cameras
PCI: Monitoring and Logging
Need to know what systems and applications are in use in order to monitor and log them
PCI: Unauthorized Wireless
Need to know what wireless access points are in use in order to detect unauthorized ones
PCI: Security Policy
Need to know what the scope is so you can identify if and when the environment changes and update the security policy
PCI: Risk Assessments
Need to know what the scope is so you can identify the critical assets for an annual risk assessment
PCI: People
Need to define who has actual or potential access to CHD so you can train them on best security practices, obtain their acknowledgement of your security policies, and perform background checks on them
PCI: Service Providers
Need to define which service providers have actual or potential access to CHD so you can ensure they comply with PCI and effectively safeguard your CHD
Asset Management – How to
Where to Start
• Create a plan on how you are going to obtain all this information (asset discovery)
– Interviews
– Location visits
– Review of IT and HR records
– Review of Accounting purchase records
• Define how you will enter it
– Use a spreadsheet or a database?
– Research third-party tools?
• Define how you plan to keep it up-to-date and ensure the integrity of the data
What to Capture & Track
Components (virtual or physical):
• Name
• Purpose
• Asset ID (use instead of serial number)
• Type (firewall, router, pump, POS, server, wireless access point, laptop, etc.)
• # of each system component
• Date of purchase
• Retirement date
• Vendor make and model
• Operating system name and version
• Location
• Latest patches applied/patch history
• Asset owner and contact info, backup owner and contact info
• Internal-only or external-only facing (or both)
• Physical or virtual
• Notes
What to Capture & Track
Locations:
• Location address
• Name of facility
• Purpose
• Other identifying info (location ID)
• # of individuals located there
• CHD storage?
• Location point of contact and contact info, backup owner and contact info
• Notes
People:
• All employees
• All contractors and service providers
• Date of hire
• Contract period (as applicable)
• Location
• Correlation to access control forms and IT access logs
Keeping the Data Current & Accurate
• Hardest part of asset management
• Need to communicate with IT, HR, and Accounting individuals/groups and/or service providers regularly
• Review annually and update as needed
• Make sure to update whenever you have a change
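An added example, not from the deck, of the "spreadsheet or database" option: it loads a constructed inventory into an in-memory SQLite database with a table layout of my own design (an assumption, not a standard schema) and runs the integrity checks the last few slides call for: components with no owner, past their retirement date or with a stale patch history, and IT access log user IDs that do not correlate to a current person in the people inventory.

```python
import sqlite3
from datetime import date, timedelta

# Assumed table layout (not a standard schema); columns follow the slide's field lists.
SCHEMA = """
CREATE TABLE components (asset_id TEXT PRIMARY KEY, type TEXT, location TEXT,
    owner TEXT, retirement_date TEXT, last_patch TEXT);
CREATE TABLE people (user_id TEXT PRIMARY KEY, contract_end TEXT);
CREATE TABLE access_log (user_id TEXT, asset_id TEXT, ts TEXT);
"""
# Constructed sample rows: one component has no owner, one is past its retirement
# date, and the IT access log shows an expired contractor and an unknown user ID.
SAMPLE = {
    "components": [("A-001", "firewall", "Store 12", "j.doe", None, "2015-08-30"),
                   ("A-002", "POS", "Store 12", None, None, "2015-01-15"),
                   ("A-003", "server", "HQ", "m.lee", "2015-06-01", "2014-12-01")],
    "people": [("j.doe", None), ("m.lee", None), ("c.tmp", "2015-06-30")],
    "access_log": [("j.doe", "A-001", "2015-09-20"),
                   ("c.tmp", "A-002", "2015-09-21"),   # logged in after contract_end
                   ("ghost", "A-003", "2015-09-22")],  # no matching person record
}

def build_db(sample=SAMPLE):
    """Load the sample inventory into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO components VALUES (?,?,?,?,?,?)", sample["components"])
    con.executemany("INSERT INTO people VALUES (?,?)", sample["people"])
    con.executemany("INSERT INTO access_log VALUES (?,?,?)", sample["access_log"])
    return con

def inventory_findings(con, today=date(2015, 9, 24), max_patch_age_days=90):
    """Components missing an owner, past retirement, or with a stale patch history."""
    cutoff = (today - timedelta(days=max_patch_age_days)).isoformat()
    rows = con.execute("""
        SELECT asset_id, 'no owner' FROM components WHERE owner IS NULL
        UNION ALL SELECT asset_id, 'past retirement' FROM components WHERE retirement_date < ?
        UNION ALL SELECT asset_id, 'patch history stale' FROM components WHERE last_patch < ?
    """, (today.isoformat(), cutoff))
    return sorted(rows.fetchall())

def access_findings(con):
    """Access-log user IDs that do not correlate to a current person in the inventory."""
    rows = con.execute("""
        SELECT l.user_id, l.asset_id,
               CASE WHEN p.user_id IS NULL THEN 'unknown user' ELSE 'contract expired' END
        FROM access_log l LEFT JOIN people p ON p.user_id = l.user_id
        WHERE p.user_id IS NULL OR (p.contract_end IS NOT NULL AND p.contract_end < l.ts)
    """)
    return sorted(rows.fetchall())
```

Run the two checks after every IT, HR or Accounting change and at the annual review; each row returned is a record that is out of date or an access event the inventory cannot account for.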
Do it myself or outsource?
Summary
• It’s not just to meet PCI compliance; it’s for best security practices overall!
You can’t protect what you don’t know about. Find out what you have so you can protect it.
Q & A
Asset Management and ISO 27001/27002
ISO/IEC 27002 Information Security Framework
Need to know what people, processes, and technologies to include in the documentation
ISO/IEC 27002
Need to know who has access to your systems, when, why, and how
ISO/IEC 27002
Need to know which systems and locations can be accessed and how
ISO/IEC 27002
Need to know where data is stored and how it is protected
ISO/IEC 27002
Need to know what locations transmit, process and/or store data and how
ISO/IEC 27002
Need to know which systems transmit, process and/or store data and how they are configured
ISO/IEC 27002
Need to know how data is transmitted and how networks are segmented
ISO/IEC 27002
Need to know how systems and applications that transmit, process and/or store data are developed and managed
ISO/IEC 27002
Need to know how service providers access your environment and safeguard it
ISO/IEC 27002
Need to know what steps to take if there is an incident or a breach
ISO/IEC 27002
Need to know what steps to take to ensure business continues in the event of an incident or breach
ISO/IEC 27002
What does ISO say?
• Section 8: Asset management
• 8.1 Responsibility for assets
  – All information assets should be inventoried and owners should be identified to be held accountable for their security. ‘Acceptable use’ policies should be defined, and assets should be returned when people leave the organization.
• 8.2 Information classification
  – Information should be classified and labeled by its owners according to the security protection needed, and handled appropriately.
• 8.3 Media handling
  – Information storage media should be managed, controlled, moved and disposed of in such a way that the information content is not compromised.