Implementing PCI DSS v2.0 and v3.0 best practice

Implementing PCI DSS best practice – versions 2.0 & 3.0 Geraint Williams & Alastair Stewart IT Governance Ltd www.itgovernance.co.uk

description

Explains the importance of proper documentation for any PCI DSS implementation project, including details of tools to automate

Transcript of Implementing PCI DSS v2.0 and v3.0 best practice

Page 1: Implementing PCI DSS v2.0 and v3.0 best practice

Implementing PCI DSS best practice – versions 2.0 & 3.0

Geraint Williams & Alastair Stewart, IT Governance Ltd

www.itgovernance.co.uk

Page 2

Introduction

• Geraint Williams
  – QSA at IT Governance Ltd
  – CREST Registered Tester

• Alastair Stewart
  – PCI DSS Consultant at IT Governance Ltd
  – MSc Information Management
  – Associate of (ISC)2 for CISSP
  – Adapted and assembled the new v3.0 toolkit


© IT Governance Ltd 2014

Page 3

Agenda

• A QSA’s view of documentation and evidence
• Why is the Toolkit useful?
• PCI Documentation Requirements v2.0 & v3.0
• Changes to the toolkit
• Using the toolkit
• Q&A

Page 4

A QSA’s look at evidence

• Performing a PCI DSS audit requires observation and collection of evidence

• Evidence types:
  – Records, sign-off sheets, change control
  – Log files, configuration files, setup files

• Vulnerability scan and penetration test results (where applicable)

Page 5

The standard’s view on evidence

Page 6

Why all this evidence?

• Evidence is required for compliance, and it must be maintained continually between audits, not just produced for the assessment

• If you have a breach, your evidence is what demonstrates that you were compliant

• The forensic investigators will need that data (logs, configurations, change records) to carry out an investigation

Page 7

Why a Toolkit?

• IS policies & procedures are mandated in the standard and must cover all requirements

• Large number of requirements to track compliance against

• Results in a large number of documents to manage

• Construct an ISMS

Page 8

Why a Toolkit?

• Assessment/Audit is only a snapshot

• Compliance is a complicated and continual process

• Compliance should be treated as a ‘Business as Usual’ process

• Continuous monitoring and control are needed

[Cycle diagram: Assess/Reassess → Plan and Design → Implement → Evaluate → back to Assess/Reassess]

Page 9

Why a toolkit? Alternatives

• ISO 27001/27002
  – Can help as a framework
  – Based on risk assessment
  – Will need tailoring to fit all the PCI DSS requirements

• COBIT
  – High-level framework
  – Good for integrating with the rest of IT
  – Needs a more detailed ISMS to cover the PCI DSS

• Existing (custom) ISMS
  – Good starting point
  – Provides a template to fit the PCI documents into

Page 10

PCI DSS Documentation Requirements v2.0

• Requirement 12.1/12.1.1 – Establish, publish, maintain, and disseminate a security policy that addresses all PCI DSS requirements
  – Quite vague as to the details

• Further sub-requirements expand a little; the policy must include:
  – An annual risk assessment and review
  – Daily operational security procedures
  – Usage policies for critical technologies
  – Definitions of information security responsibilities for all personnel
  – Policies for managing service providers
  – An incident response plan

Page 11

PCI DSS Documentation Requirements v2.0

• Other requirements mention documentation:
  – Requirement 1.1.5: Documentation and justification for the use of services, protocols and ports allowed
  – Requirement 2.2: Develop configuration standards for all system components
  – Requirement 3.1.1: Implement a data retention and disposal policy

• It can be difficult to work out which policies and documentation are required, as this differs from one SAQ to another
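Requirement 1.1.5 is the one on this slide that can be checked mechanically between audits, because the evidence is a firewall ruleset on one side and a justification register on the other. The script below is an added example, not code from the presentation or from the IT Governance toolkit: it parses a constructed iptables-save style ruleset, compares every ACCEPT rule against a hypothetical justification register, and reports three kinds of gap a QSA would ask about: a port that is allowed but not documented, an allowed protocol the organisation treats as insecure but with no documented security features, and a register entry that no rule actually allows any more (stale documentation). The rule syntax, the register layout and the set of protocols treated as insecure are all assumptions made for the example.

```python
"""Check a firewall ruleset against a justification register (PCI DSS Req. 1.1.5).

Added example. The ruleset, the register and the "insecure" set below are
constructed sample data, not taken from the presentation or any real system.
"""
import re
from dataclasses import dataclass

# Constructed sample ruleset in iptables-save syntax (hypothetical).
SAMPLE_RULES = """\
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -s 10.0.0.5 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p udp --dport 123 -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
"""

# Constructed justification register keyed by (protocol, port).
# "features" holds the security features documented for a protocol the
# organisation considers insecure; None means nothing has been documented.
REGISTER = {
    ("tcp", 443): {"justification": "HTTPS to the payment web tier", "features": None},
    ("tcp", 22): {"justification": "SSH admin access from the jump host", "features": None},
    ("tcp", 21): {"justification": "Legacy FTP batch file transfer", "features": None},
    ("udp", 123): {"justification": "NTP so log timestamps can be correlated", "features": None},
    ("tcp", 3389): {"justification": "RDP to the settlement server", "features": None},
}

# Hypothetical set of protocols this organisation treats as insecure.
INSECURE = {("tcp", 21), ("tcp", 23)}

# Pulls protocol, destination port and target out of one iptables-save line.
RULE_RE = re.compile(r"-A\s+\S+.*?-p\s+(\w+).*?--dport\s+(\d+).*?-j\s+(\w+)")


@dataclass(frozen=True)
class Finding:
    proto: str
    port: int
    kind: str    # "undocumented", "insecure_no_features" or "stale_entry"
    detail: str


def parse_accept_rules(text):
    """Return the set of (proto, port) pairs the ruleset allows inbound."""
    allowed = set()
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m and m.group(3) == "ACCEPT":
            allowed.add((m.group(1), int(m.group(2))))
    return allowed


def audit_ruleset(text, register, insecure):
    """Compare allowed services with the register and return the gaps found."""
    allowed = parse_accept_rules(text)
    findings = []
    for proto, port in sorted(allowed):
        entry = register.get((proto, port))
        if entry is None:
            findings.append(Finding(proto, port, "undocumented",
                "allowed by the firewall but absent from the justification register"))
        elif (proto, port) in insecure and not entry["features"]:
            findings.append(Finding(proto, port, "insecure_no_features",
                "insecure protocol allowed without documented security features"))
    # Register entries with no matching ACCEPT rule are stale documentation.
    for proto, port in sorted(register.keys() - allowed):
        findings.append(Finding(proto, port, "stale_entry",
            "documented as justified but no rule allows it; review or retire the entry"))
    return findings


if __name__ == "__main__":
    for f in audit_ruleset(SAMPLE_RULES, REGISTER, INSECURE):
        print(f"{f.kind:22} {f.proto}/{f.port}: {f.detail}")
```

Run against the sample data this reports tcp/21 (insecure, justified, but no security features documented), tcp/8080 (allowed, undocumented) and tcp/3389 (documented but not allowed). The DROP rule for tcp/23 is ignored because only what is allowed needs a justification. Running this on a schedule and keeping the output alongside the ruleset export is the kind of continual evidence the earlier slides ask for.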

Page 12

PCI DSS Documentation Requirements v3.0

• Given more clarification

• All the previous requirements still apply, but the detail is clarified

• Replaces ‘addresses all PCI DSS requirements’ with separate IS policy and procedure sub-requirements for each requirement, e.g.:
  – Req. 1.5: ‘Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.’

Page 13

PCI DSS Documentation Requirements v3.0

• Much clearer as to which requirements need policies and procedures and which require documented evidence of their implementation

Page 14

Changes to the Toolkit – v2.0 Toolkit

• Basic documentation toolkit

• Provided all the necessary policies as templates

• Standardised documentation

• Compatible with ISO 27001/27002

Page 15

Changes to the Toolkit – v2.0 Toolkit

Page 16

v2.0 Toolkit - Issues

• Difficult to manage which documents to use and which to edit

• Roles & responsibilities not easy to manage

• Little support in performing risk assessments

• Only helps with documentation

Page 17

v2.0 Toolkit – Example

• Used with a service provider with no existing ISMS

• Created a compliant ISMS, but it required customisation based on the applicable requirements:
  – Some documents weren’t needed
  – Some clauses within documents weren’t needed

• Easy to fill out for those unfamiliar with policy writing

• Saved a lot of initial time in setting up a standardised documentation set

Page 18

Changes to the Toolkit- v3.0 Toolkit

• Updated all the documents to meet the new standard

• Added new documents for new requirements

• Added a new document to help with risk assessments

• Added a number of tools to help with the whole compliance process

Page 19

v3.0 Document Checker

• Easy-to-use tool which allows you to monitor progress towards completion of policies

• Maps each requirement to documents/clauses

• Shows which requirements apply to which SAQ

• Alternate document column for mapping existing documents

Page 20

v3.0 Gap Analysis Tool

Page 21

v3.0 Gap Analysis Tool

• Executive Summary

Page 22

v3.0 Toolkit other changes

• Included various guides on difficult topics such as scoping and encryption key management

• A simplified roles and responsibilities matrix for tracking ownership

• A risk treatment plan to assist in annual risk assessments

Page 23

IT Governance PCI v3.0 Services

• PCI QSA
• PCI DSS Consultancy
• PCI ASV Scanning Service
• Vulnerability & Penetration Testing
• Classroom-based PCI Courses
• Online Staff Awareness Training
• Custom Designed Training Courses
• PCI DSS Books
• PCI DSS Toolkit

Protect • Comply • Thrive

Page 24

Special Offer

Receive a 20% discount off our PCI DSS v3.0 Documentation Toolkit

Contact Adam Harrison at [email protected]

Or call on: 01353 771058

Page 25

Where to find us

• Visit our website: www.itgovernance.co.uk

• E-mail us: [email protected]

• Call us: 0845 070 1750

• Follow us on Twitter: https://twitter.com/#!/itgovernance

• Read our blog: http://blog.itgovernance.co.uk/

• Join us on LinkedIn www.linkedin.com/company/it-governance

• Join us on Facebook www.facebook.com/ITGovernanceLtd

Page 26

Other PCI DSS v3.0 Products and Services

• PCI DSS: A Pocket Guide, third edition – http://www.itgovernance.co.uk/shop/p-1010-pci-dss-a-pocket-guide-third-edition.aspx

• PCI Foundation – Overview & Introduction Training Course (1 day) – http://www.itgovernance.co.uk/shop/p-1017-pci-foundation-overview-introduction-training-course.aspx

• PCI Implementation & Maintenance Training Course (2 days) – http://www.itgovernance.co.uk/shop/p-1279-pci-implementation-maintenance-training-course.aspx

• PCI DSS Staff Awareness e-learning course – http://www.itgovernance.co.uk/shop/p-1014-pci-dss-security-e-learning-technical-edition-online-access.aspx

Page 27

Technical & Consultancy Services

• Penetration Testing Service – http://www.itgovernance.co.uk/shop/p-793-itg-penetration-testing-standard-package.aspx

• PCI QSA Services – http://www.itgovernance.co.uk/pci-qsa-services.aspx

• PCI DSS ASV Scanning Service – http://www.itgovernance.co.uk/pci-scanning.aspx

• PCI HackerGuardian – Standard/Enterprise Scanning Service – http://www.itgovernance.co.uk/shop/p-1007-pci-asv-hackerguardian-scanning-service.aspx

• PCI DSS Consultancy Services, aligned to either Version 2 or Version 3 – http://www.itgovernance.co.uk/pci-consultancy.aspx
  – PCI DSS Scoping
  – PCI DSS Gap Analysis
  – Remediation support
  – Consultancy by the Hour – IT Governance LiveOnline
