TRANSCRIPT
PCI 3.1
Asset Management
Curbing Fraud and Data Loss with Asset Management
September 24, 2015
Agenda
• Housekeeping
• Presenters
• About Conexxus
• Presentation
• Q & A
2015 Conexxus Webinar Schedule*
Month/Date          Webinar Title                     Speaker                        Company
June 30, 2015       Network Segmentation              Mark Carl                      Echosat
July 31, 2015       Mobile Payments                   Wesley Burress, Don Friendman  ExxonMobil, P97
September 10, 2015  Point 2 Point Encryption – P2PE   Rustin Miles                   BlueFin
September 24, 2015  Asset Tracking in PCI 3.0         Olivia Rose Jenkins            ControlScan
October             The 411 of EMV                    Kristi Kuehn                   Heartland Payment Systems
November            Tokenization                      TBD
December            Conexxus – Year end review        TBD
If you have a suggestion for a webinar, please contact Carl Bayer with Conexxus at [email protected].
* Updated: September 23, 2015
Presenters
• Carl Bayer ([email protected]), Program Manager, Conexxus
• Kara Gunderson ([email protected]), POS Manager, Citgo Petroleum Corporation
• Olivia Rose Jenkins ([email protected]), Director, Senior Consulting Services, ControlScan
Future Events
• 2016 Conexxus Annual Conference: May 1 – 5, 2016, Loews Ventana Canyon Resort, Tucson, Arizona (www.conexxus.org/annualconference)
• The NACS Show: October 11-14, 2015, Las Vegas Convention Center, Las Vegas, Nevada
About Conexxus
• We are an independent, non-profit, member
driven technology organization
• We set standards…
– Data exchange
– Security
– Mobile commerce
• We provide vision
– Identify emerging tech/trends
• We advocate for our industry
– Technology is policy
Agenda
• What is an “asset”?
• What does Asset Management have to do with PCI?
• Key data points you should be tracking
• How to obtain the data needed for effective asset management
• When to turn to a third-party asset management system
2 Conexxus: Presentation Title
• Specialize in improving security and preventing cyber-attacks
• Alliances with organizations in retail, healthcare, restaurant, petroleum, and technology services industries
• Offer security testing and compliance support for PCI DSS, HIPAA and EI3PA
Olivia Rose Jenkins, Director, Security Consulting Services
11475 Great Oaks Way, Suite 300, Alpharetta, GA 30022
controlscan.com
• Qualified Security Assessor (QSA) for 10 years
• Security compliance assessments, gap analyses, IT risk assessments, penetration testing, social engineering, wireless assessments, and more!
• Feel free to reach out with questions!
Asset Management
Security Rule #1
You can’t protect
what you don’t know about
Security Rule #2
Find out what you have
so you can protect it
Security Rule #3
Once you know what you have, figure out
how best to protect it
Security Rule #4
Deploy the controls to protect what you have
Security Rule #5
Manage the controls you deployed to protect what you have
so gaps don’t open
Introducing Asset Management
Know what you have (your “assets”) so you can figure out how best to protect it, how to deploy that protection, and how to manage it.
So, What is an “Asset”?
People
• The weakest link
• Their job and/or role = level of access they should have
• Remote HelpDesk
• Technicians
• Third-Parties/Service Providers
• Contractors/Temps
• Newly-hired and old-timers
• Tech-savvy or not
Process
• Easy to define; hard to enforce
• “How we do things”, documented
• All the knowledge for:
– Firewall management
– Change management
– Virus detection
– Security awareness training
– POS physical security
– …and many more
• Lots of documentation!
Technology
Network components (virtual or physical):
• Firewalls
• Switches
• Routers
• Wireless access points
• Network/security appliances
Server components (virtual or physical):
• All types of servers, including but not limited to web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS)
Applications:
• All purchased and custom programs
• Deployed internally within the network or externally
POS:
• PIN pads
• Card swipes
• Forecourt and inside POS
• Validation that payment applications are deployed correctly
Technology
Remember:Anything connected to anything that transmits, processes, or stores cardholder data is in scope for PCI!
So, to Recap:
Any technology connected to any technology that transmits, processes, or stores cardholder data
PLUS the people who have access, or could possibly get access, to the above
AND all of the knowledge for the above, defined as process and documented
All of These are Assets!
• Technology: the firewall between your POS/Fuel Controller and your processor
• People: the Remote HelpDesk who can log into the POS, or the Service Provider if it’s a managed firewall
• Process: the firewall security configurations and management, documented as procedures
All of These are Assets!
• Technology: the Gilbarco Encore 700 S
• People: the technicians who can log into the fuel dispenser
• Process: the Encrypting PIN Pad (EPP) and Secure Card Reader (SCR) security configurations and management, documented as procedures
Typical PCI-Related Assets at Motor Fueling Retailers
• Automated Fuel Dispenser (AFD)
• PIN pads with card swipes
• Tank Monitoring Systems
• Point of Sale (POS) Systems
• Inside PIN pads
• Electronic Payment System (EPS)
• Back Office PCs
• Store Personnel/Administrators/Service Providers
• Remote HelpDesk
• Defined and documented processes for all of the above
Asset Management and ISO 27001/27002
http://www.iso.org/
ISO/IEC 27002 Information Security Framework
What Does ISO Say? Section 8: Asset management
• 8.1 Responsibility for assets: All information assets should be inventoried and owners should be identified to be held accountable for their security. ‘Acceptable use’ policies should be defined, and assets should be returned when people leave the organization.
• 8.2 Information classification: Information should be classified and labeled by its owners according to the security protection needed, and handled appropriately.
• 8.3 Media handling: Information storage media should be managed, controlled, moved and disposed of in such a way that the information content is not compromised.
Asset Management and PCI Scoping
Remember Security Rules #1 and #2
You can’t protect
what you don’t know about
Find out what you have
so you can protect it
The Asset Management Requirement
PCI: Scope
• Need to know what systems are being used to transmit, process and/or store CHD
• Need to know what is in the CDE (people, processes, technologies, and locations) involved with transmitting, processing and/or storing CHD
• Need to know what technical controls were used to segment off the environment used to transmit, process and/or store CHD
Further breakdown is on the slides that follow.
PCI: Network Diagram/s
Need to know what is in the CDE (people, processes, technologies, and locations) involved with transmitting, processing and/or storing CHD to
validate the network diagram is accurate
PCI: Wireless Scope
Need to know what wireless networks/technologies are in use that can impact the environment used to transmit, process and/or store CHD.
PCI: CHD Storage
Need to know what CHD is stored, how long, where, and why
PCI: CHD Protection in Storage
Need to know what is used to safeguard CHD while being stored
PCI: Critical Hardware
Need to know what hardware is being used for all system components that transmit, process and/or store CHD
Unfortunately, this alone is not enough for Requirement 2.4 (maintain an inventory of system components that are in scope for PCI DSS)
PCI: Critical Software
Need to know what software and applications are being used for all system components that transmit, process and/or store CHD
Unfortunately, this alone is not enough for Requirement 2.4 either: the inventory has to list both the hardware and the software components, with a description of each one’s function/use
PCI: Payment Applications
Need to know what third‐party payment applications are being used
PCI: Sampling
Need to know what to sample: a representative sample of system components can only be chosen once the full population of in-scope components is known
Asset Management and PCI Requirements
PCI: Firewalls and Routers
Firewall, routers, and POS router standards are defined and documented
Details on the technical controls used to segment off the environment used to transmit, process and/or store CHD.
PCI: Personal Firewalls
Need to know which individuals have mobile and/or employee-owned devices that connect to the Internet when outside the network and are also used to access the network
PCI: Secure Configurations
Secure configuration standards for all components in scope are defined and documented
Need to know what hardware and software is being used for all system components that transmit, process and/or store CHD
PCI: Anti Virus
Need to know what systems should have AV deployed (those commonly affected by malicious software)
PCI: Vulnerability Management
Need to know what systems need patching so that known vulnerabilities are remediated rather than left in place
PCI: Secure Application Development
Need to know what applications are in use to transmit, process and/or store CHD (both internally‐developed or by a third‐party)
PCI: Access Management
Who has access to what systems and applications, and why, is defined, documented and deployed
PCI: Physical Access
Who has access to physical areas transmitting, processing and/or storing CHD, and why, is defined, documented and deployed
PCI: Physical Storage
How physical media containing CHD is safeguarded is defined, documented and deployed
PCI: POS Security
Need to know what AFD PIN pads and card swipes, POS terminals, and inside PIN pads are in use
POS Security
• Ask staff at the start of every shift to perform checks for the following:
– Tampered-with or voided labels
– Credit card skimmers
– Pinhole cameras
PCI: Monitoring and Logging
Need to know what systems and applications are in use in order to monitor and log them
PCI: Unauthorized Wireless
Need to know what wireless access points are in use in order to detect unauthorized ones
PCI: Security Policy
Need to know what the scope is so you can identify if and when the environment changes and update the security policy
PCI: Risk Assessments
Need to know what the scope is so you can identify the critical assets for an annual risk assessment
PCI: People
Need to define who has actual or potential access to CHD so you can train them on security best practices, obtain their acknowledgement of your security policies, and perform background checks on them
PCI: Service Providers
Need to define which service providers have actual or potential access to CHD so you can ensure they comply with PCI and effectively safeguard your CHD
Asset Management – How to
Where to Start
• Create a plan for how you are going to obtain all this information (asset discovery)
– Interviews
– Location visits
– Review of IT and HR records
– Review of Accounting purchase records
• Define how you will record it
– Use a spreadsheet or a database?
– Research third-party tools?
• Define how you plan to keep it up-to-date and ensure the integrity of the data
What to Capture & Track
Components (virtual or physical):
• Name
• Purpose
• Asset ID (use instead of serial number)
• Type (firewall, router, pump, POS, server, wireless access point, laptop, etc.)
• # of each system component
• Date of purchase
• Retirement date
• Vendor make and model
• Operating system name and version
• Location
• Latest patches applied/patch history
• Asset owner and contact info, backup owner and contact info
• Internal-only or external-only facing (or both)
• Physical or virtual
• Notes
Locations:
• Location address
• Name of facility
• Purpose
• Other identifying info (location ID)
• # of individuals located there
• CHD storage?
• Location point of contact and contact info, backup owner and contact info
• Notes
People:
• All employees
• All contractors and service providers
• Date of hire
• Contract period (as applicable)
• Location
• Correlation to access control forms and IT access logs
Keeping the Data Current & Accurate
• Hardest part of asset management
• Need to communicate with IT, HR, and Accounting individuals/groups and/or service providers regularly
• Review annually and update as needed
• Make sure to update whenever you have a change
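The two slides above (what to capture, and keeping it current) become routine once the inventory exists in a machine-readable form. The script below is an added example, not code from the webinar, Conexxus or ControlScan: it loads a small inventory export whose columns follow the "What to Capture & Track" list, flags in-scope records with gaps (no accountable owner, a retirement date that has passed, no patch activity), and then reconciles the inventory against what actually answered on the store network, which is the same comparison the Unauthorized Wireless slide asks for against a list of authorized access points. The store, hosts, owners, the ARP-style discovery format and the 90-day patch threshold are all constructed for illustration.

```python
"""Asset-inventory checks for a fuel retailer's PCI scope.

Added example; not code from the webinar, Conexxus or ControlScan.  Column
names follow the "What to Capture & Track" slide, the sample rows and the
discovered-host list are constructed, and the discovery format (one "ip mac"
pair per line, as you would get from an ARP table) is an assumption.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed inventory export for one store (hypothetical hosts and owners).
INVENTORY_CSV = """\
asset_id,name,type,ip,os_version,purpose,owner,retirement_date,last_patch,cde_connected,facing
A-1001,STORE12-FW,firewall,10.12.0.1,FirewallOS 4.1,Segments POS from store LAN,jdoe,,2015-09-01,yes,both
A-1002,STORE12-POS1,pos,10.12.1.10,Windows 7 Embedded,Inside POS,jdoe,,2015-06-15,yes,internal
A-1003,STORE12-AFD1,afd,10.12.1.21,Gilbarco Encore 700 S,Fuel dispenser,ksmith,,2015-03-02,yes,internal
A-1004,STORE12-EPS,eps,10.12.1.5,Linux,Electronic Payment Server,,2015-01-01,2015-09-10,yes,internal
A-1005,STORE12-BACKOFFICE,pc,10.12.2.50,Windows 7,Back office PC,jdoe,,2015-09-12,no,internal
"""

# Constructed ARP-style listing of what answered on the store network today.
DISCOVERED_HOSTS = """\
10.12.0.1 00:11:22:33:44:01
10.12.1.10 00:11:22:33:44:02
10.12.1.21 00:11:22:33:44:03
10.12.1.5 00:11:22:33:44:04
10.12.1.77 00:11:22:33:44:99
"""

# Date the checks are run against (the webinar date); fixed so results repeat.
AS_OF = date(2015, 9, 24)


@dataclass
class Asset:
    asset_id: str
    name: str
    type: str
    ip: str
    os_version: str
    purpose: str
    owner: str
    retirement_date: Optional[date]
    last_patch: Optional[date]
    cde_connected: bool
    facing: str


def _date(value: str) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def parse_inventory(text: str) -> list[Asset]:
    """Load the spreadsheet/database export into typed records."""
    assets = []
    for r in csv.DictReader(io.StringIO(text)):
        assets.append(Asset(
            asset_id=r["asset_id"], name=r["name"], type=r["type"], ip=r["ip"],
            os_version=r["os_version"], purpose=r["purpose"], owner=r["owner"],
            retirement_date=_date(r["retirement_date"]),
            last_patch=_date(r["last_patch"]),
            cde_connected=r["cde_connected"].strip().lower() == "yes",
            facing=r["facing"]))
    return assets


def in_scope(asset: Asset) -> bool:
    """Slide rule: anything connected to anything that transmits, processes
    or stores CHD is in scope for PCI."""
    return asset.cde_connected


def inventory_findings(assets, today=AS_OF, stale_days=90):
    """Gaps in in-scope records: no accountable owner (ISO 27002 8.1), a
    retirement date that has passed, or no patch activity within stale_days
    (the threshold is an assumption; PCI DSS 6.2 expects critical patches
    within a month of release, which needs release dates this export lacks)."""
    findings = []
    for a in assets:
        if not in_scope(a):
            continue
        if not a.owner.strip():
            findings.append((a.asset_id, "no accountable owner"))
        if a.retirement_date and a.retirement_date <= today:
            findings.append((a.asset_id, "past retirement date but still in scope"))
        if a.last_patch is None or (today - a.last_patch).days > stale_days:
            findings.append((a.asset_id, f"no patch recorded in {stale_days} days"))
    return findings


def reconcile(assets, discovered_text: str):
    """Security Rule #1 as a diff: hosts seen on the wire that no inventory
    row explains, and inventory rows that nothing answered for.  The same
    comparison against the list of authorized access points is the
    Unauthorized Wireless check."""
    seen = {line.split()[0] for line in discovered_text.splitlines() if line.strip()}
    known = {a.ip for a in assets}
    unknown = sorted(seen - known)
    not_seen = sorted(a.asset_id for a in assets if a.ip not in seen)
    return unknown, not_seen


if __name__ == "__main__":
    inv = parse_inventory(INVENTORY_CSV)
    for asset_id, issue in inventory_findings(inv):
        print(f"{asset_id}: {issue}")
    unknown, not_seen = reconcile(inv, DISCOVERED_HOSTS)
    print("not in inventory (investigate; in scope until proven otherwise):", unknown)
    print("in inventory but not seen (retired? powered off? wrong IP?):", not_seen)
```

Run as-is it reports the EPS with no owner and a past retirement date, the POS and dispenser with no patch activity in 90 days, one unexplained host on the POS segment, and the back-office PC that did not answer. An unexplained host on a CDE segment should be treated as in scope until someone can say what it is; an inventory row nothing answers for is either a retirement the inventory missed or a device that moved, and both are the "update whenever you have a change" failure the slide warns about.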
Do it myself or outsource?
Summary
• It’s not just to meet PCI compliance; it’s for best security practices overall!
• You can’t protect what you don’t know about
• Find out what you have so you can protect it
Q & A
Asset Management and ISO 27001/27002
ISO/IEC 27002 Information Security Framework
• Need to know what people, processes, and technologies to include in the documentation
• Need to know who has access to your systems, when, why, and how
• Need to know which systems and locations can be accessed and how
• Need to know where data is stored and how it is protected
• Need to know what locations transmit, process and/or store data and how
• Need to know which systems transmit, process and/or store data and how they are configured
• Need to know how data is transmitted and how networks are segmented
• Need to know how systems and applications that transmit, process and/or store data are developed and managed
• Need to know how service providers access your environment and safeguard it
• Need to know what steps to take if there is an incident or a breach
• Need to know what steps to take to ensure business continues in the event of an incident or breach