PCI-DSS EVIDENCE REFERENCE



Version | Reviewed/Changed By | Date          | Comments
1.0     | Stevie Heong        | 5 May 2016    | First Draft
1.1     | Anna Shah           | 2 August 2016 | Review Update

Note: This is a document for internal distribution within PKF Avant Edge Sdn. Bhd. Reproduction and distribution of this document outside of PKF Avant Edge Sdn. Bhd. is prohibited. This document is not endorsed by a QSA, and all evidence listed is based only on the experience of our consultants in PCI-DSS. The evidence a QSA requires from an organisation may change from time to time and from business to business, so these samples should be used as guidelines only and not as a definitive reference to what is actually required for an organisation to certify for PCI-DSS.

EXECUTIVE SUMMARY & REQUIREMENT 1

QUESTION 1
Please provide the list of office locations, cloud environments and data centres that store, process or transmit information covered under this certification.
NOTES
1. Expected Evidence: a complete list, with the detailed address of every in-scope location (physical or cloud), the business process tied to that location, and whether that process is card-present or card-not-present.
REFERENCE

QUESTION 2
Please provide a list of applications that are involved in storing, processing or transmitting information covered under this certification.
NOTES
1. Expected Evidence: a complete list of all payment applications that are in scope.
2. Payment applications are applications that store or process card information and are located in the CDE.
3. Off-the-shelf components such as databases and operating systems are excluded from this list (they belong in the asset inventory of Question 4).
4. Applications are generally divided as follows: if an application has different URLs and authentication systems, they are treated as separate applications; if one application has different roles but a single login page, it is one application; if an application has different modules (e.g. admin, supervisor, analyst) with their own independent login pages, it is counted as three applications.
REFERENCE

QUESTION 3
Please provide a high-level network diagram for the in-scope environment (see attached templates).
NOTES
Expected Evidence: a high-level network diagram that covers the following:
- All connections into and out of the network, including demarcation points between the cardholder data environment (CDE) and other networks/zones
- Connectivity type used for data transmission (IPsec tunnel, TLS/SSL, SFTP etc.)
- Internal, external and DMZ network zones, with the cardholder application and database systems in their respective zones, or PCI-scope-specific VLANs, as well as their locations and the boundaries between them
- All network devices (firewalls, IPS, routers, VPN devices, switches) as applicable
- Third-party connections with which cardholder data is shared
REFERENCE

QUESTION 4
Please provide your asset list: servers, databases, data storage locations etc.
NOTES
Expected Evidence: an inventory of servers, network devices, software and applications. It must include all network and server systems in the CDE and in the in-scope non-CDE.
CaaS customers: for Linux servers, ensure the hostname and IP address are unique to the project and that the same IP is not reused in a different project that also reports to CaaS, because the keys cannot be synchronised correctly when two Linux hosts share an IP.
REFERENCE


QUESTION 5
Provide a list of all your external IP addresses and their function.
NOTES
Expected Evidence: the complete list of ALL external IPs that will be scanned under the ASV scan, i.e. in scope. If the company has only one set of external IP addresses serving both PCI and non-PCI systems, all of them must be provided to the ASV for scanning. Ensure that the list of external IPs in Q5 matches the one in Q4.
REFERENCE

QUESTION 6
Provide 3 sample firewall and router change forms or tickets.
NOTES
Expected Evidence: change request forms specific to firewall and/or router changes, including sign-off from the head of IT. Each form should include:
1. Firewall name, brand and IP
2. Reason/description for the change
3. Requestor name, sign-off, date
4. Approver name, sign-off, date
5. Testing performed after the change
Forms can be tickets or electronic records as long as they fulfil the criteria above.
REFERENCE


QUESTION 7
Provide detailed network diagram(s).
NOTES
Expected Evidence: ensure the detailed network diagram covers the following:
- All boundaries of the in-scope environment
- Any network segmentation point
- Boundaries between trusted and untrusted networks
- Wireless (if present) and wired networks
- All other connection points applicable to the assessment
- Enough detail to understand clearly how each communication point functions and is secured:
  o The firewall interfaces the traffic passes through, and the servers behind them
  o The flow of cardholder data
REFERENCE

QUESTION 8
Provide data flow diagrams that explain storage, processing and transmission of covered information.
NOTES
Expected Evidence: identify the business processes of the entity that use card data. Processes that may involve CHD include:
- Card capture
- Card acquiring and authorisation
- Card issuing
- Chargeback
- Settlement
- Fraud management
- Reconciliation
- Recurring payments
- etc.
REFERENCE


QUESTION 9
Provide roles and responsibilities for management of firewalls and routers.
NOTES
Expected Evidence: an access matrix that lists each user ID, the person it belongs to, and the permissions granted on the firewall and/or router.
REFERENCE

QUESTION 10
Provide business justification for use of all services, protocols, and ports allowed through the firewall and router.
NOTES
Expected Evidence: a document containing the justification for ALL open ports and services on the firewall or router. The QSA may also accept a document that justifies only the insecure services; whether that is acceptable depends on the number of rules the company has. The justifications can be a separate document or merged into the firewall hardening / firewall policy document.
REFERENCE


QUESTION 11
Provide two compliant semi-annual firewall and router rule set review reports, along with evidence that the team performing the review has the necessary credentials and knowledge to perform the review.
NOTES
Expected Evidence: a report that documents the review of ALL firewall rules in scope of PCI (PCI DSS requires the review at least every six months). The report must also cover the changes made to the firewall that were recorded in the change request forms (Question 6). The review is intended to confirm that all rules are aligned with PCI DSS, in particular:
1. Only specific destinations, sources, ports and services are allowed
2. An explicit any-to-any deny (clean-up rule) is in place
3. There is no direct communication between the CDE zone and the Internet
4. Every rule is properly described or tagged with a description
REFERENCE
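The four review criteria above can be checked mechanically before the reviewer signs the report. The following is an added example, not part of the original reference and not a ControlCase or QSA tool: it models each rule as a small object, uses the assumed zone names cde-app, cde-db, dmz-web and internet, flags every rule that fails one of the criteria, and also flags rules shadowed by the clean-up deny. A real review would parse the vendor export from Question 12 into the same structure.

```python
"""Firewall rule-set review helper for the four criteria in Question 11.

Added example, not part of the original evidence reference. The rule
representation, the zone names and the sample rule set are constructed
assumptions; a real review would parse the vendor export from Question 12
into the same Rule objects.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed zone names: which zones hold CDE systems and which are untrusted.
CDE_ZONES = {"cde-app", "cde-db"}
UNTRUSTED_ZONES = {"internet"}
ANY = "any"


@dataclass
class Rule:
    name: str
    src: str          # zone or address object; "any" is the wildcard
    dst: str
    service: str      # e.g. "tcp/443"; "any" is the wildcard
    action: str       # "allow" or "deny"
    description: str = ""


def review_rule(rule: Rule) -> List[str]:
    """Findings for one rule; an empty list means the rule passes."""
    findings = []
    if rule.action == "allow":
        if ANY in (rule.src, rule.dst):
            findings.append("allow rule uses 'any' as source or destination")
        if rule.service == ANY:
            findings.append("allow rule permits any service/port")
        crosses_cde = (rule.src in UNTRUSTED_ZONES and rule.dst in CDE_ZONES) or \
                      (rule.src in CDE_ZONES and rule.dst in UNTRUSTED_ZONES)
        if crosses_cde:
            findings.append("direct traffic between CDE and Internet")
    if not rule.description.strip():
        findings.append("rule has no description")
    return findings


def review_ruleset(rules: List[Rule]) -> Dict[str, object]:
    """Review an ordered rule set (first match wins, as on most firewalls).

    Returns {"rules": {rule name: [findings]}, "findings": [rule-set level findings]}.
    """
    report = {"rules": {}, "findings": []}
    cleanup_seen = False
    for rule in rules:
        if cleanup_seen:
            report["findings"].append(
                f"rule '{rule.name}' is unreachable: it follows the any-to-any deny")
        findings = review_rule(rule)
        if findings:
            report["rules"][rule.name] = findings
        if rule.action == "deny" and rule.src == rule.dst == rule.service == ANY:
            cleanup_seen = True
    if not cleanup_seen:
        report["findings"].append("rule set has no explicit any-to-any deny")
    return report


# Constructed sample rule set; 'db-updates' and 'temp-any' are the deliberate violations.
SAMPLE_RULES = [
    Rule("web-in", "internet", "dmz-web", "tcp/443", "allow", "Customer HTTPS to DMZ web tier"),
    Rule("web-to-app", "dmz-web", "cde-app", "tcp/8443", "allow", "DMZ web tier to payment API"),
    Rule("app-to-db", "cde-app", "cde-db", "tcp/1521", "allow", "Payment app to Oracle listener"),
    Rule("db-updates", "cde-db", "internet", "tcp/443", "allow", "DB server fetches vendor updates"),
    Rule("temp-any", "any", "cde-app", "any", "allow"),
    Rule("cleanup", "any", "any", "any", "deny", "Default deny, logged"),
]

if __name__ == "__main__":
    result = review_ruleset(SAMPLE_RULES)
    for name, findings in result["rules"].items():
        print(name, "->", "; ".join(findings))
    for finding in result["findings"]:
        print("rule set ->", finding)
```

Running it on the sample lists db-updates (CDE database talking straight to the Internet) and temp-any (any source, any service, no description); the same findings, with the rule names and the change tickets that introduced them, are what the review report should record.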


QUESTION 12
Provide system-generated configuration showing the inbound and outbound access lists for all firewall(s)/router(s) in scope.
NOTES
Expected Evidence:
1. The raw, system-generated configuration file exported from each firewall/router, containing the complete device configuration
2. A screenshot of every interface of the firewall/router showing all inbound and outbound rules
REFERENCE


QUESTION 13
Provide a written explanation of how a full firewall/router configuration backup is done and how the backups are secured.
NOTES
Expected Evidence:
1. A document that outlines the process for backing up the firewall configuration, containing:
   a. The frequency of backup
   b. The destination of the backup
   c. A screenshot showing that the backup is stored in the designated place
   d. A test report of a recovery performed from the backup, showing that the backup can be restored successfully
REFERENCE


QUESTION 14
For in-scope wireless networks, provide system-generated configuration showing the inbound and outbound access lists between the wireless and wired networks.
NOTES
Expected Evidence:
1. If wireless is in scope, provide a firewall screenshot showing the ACL between the wired and wireless networks
2. If wireless is not in scope, this is considered Not Applicable; however, a wireless scan is still needed to confirm that no wireless access point is present (see Question 72)
REFERENCE

QUESTION 15
Provide explanation/justification for any scenarios where there is a direct connection from the Internet to the internal network or vice versa.
NOTES
Expected Evidence:
1. A justification of why the internal network needs to go directly out to the Internet
2. Only in-scope non-CDE systems may have such a connection; CDE systems must not connect directly to or from the Internet
3. Traffic must traverse the DMZ
REFERENCE

QUESTION 16
Provide screenshots of the anti-spoofing access list or equivalent settings on the external firewall and/or router.
NOTES
Expected Evidence:
1. A firewall screenshot showing that anti-spoofing is enabled, so that packets arriving on the external interface with an internal (private) source address are detected and dropped
2. Evidence that all outbound traffic to the Internet is NATed, so that internal addresses are not disclosed
REFERENCE


QUESTION 17
Provide a screenshot showing that stateful inspection is enabled on the in-scope external firewalls.
NOTES
Expected Evidence:
1. A firewall screenshot showing that the firewall maintains connection state and permits only established connections back into the network
2. In some cases the firewall is stateful by default; in that case obtain vendor documentation (newsletter or whitepaper) that shows the firewall is stateful by default
REFERENCE


QUESTION 18
For a sample of 5 laptops provide the following:
- Evidence of a personal firewall running appropriately
- Evidence that the personal firewall cannot be disabled by the user
NOTES
Expected Evidence:
1. Screenshots from laptops that connect to the PCI environment showing that they are protected by a personal firewall which cannot be disabled except by an administrator
REFERENCE


QUESTION 19
If a wireless access point is used, provide screenshots that show the following:
- firmware version is the latest
- strong encryption has been implemented
- vendor defaults have been changed
NOTES
Expected Evidence:
1. If the wireless AP is in scope: screenshots from the wireless AP showing the firmware version, the encryption in use (WPA2), and that the default passwords have been changed
2. If the wireless AP is not in scope, this is Not Applicable; however, a wireless scan still needs to be conducted
REFERENCE

REQUIREMENT 2

QUESTION 20
Provide hardening (secure configuration) documents for all system components identified in the asset inventory.
NOTES
Expected Evidence:
1. A document that contains AT LEAST the basic hardening configuration for all components in scope, especially:
   a. Servers
   b. Firewalls
   c. Routers/switches
   d. Databases
   e. Applications
2. The basic hardening may contain the following:
   a. Removal of default usernames and passwords supplied by vendors
   b. Password policy
   c. Audit log policy
   d. Removal of unused and insecure services, and justification for the services that are needed
   e. Etc.
REFERENCE


QUESTION 21
Provide configuration scan (i.e. authenticated vulnerability scan) results that evidence the list of ports/services running on in-scope systems (servers and network devices). In the absence of a configuration scan, you may provide the results of running the ControlCase scripts on in-scope systems.
NOTES
Expected Evidence:
1. Internal Vulnerability Assessment (IVA) scan report
REFERENCE


QUESTION 22
For insecure services (such as HTTP, FTP, Telnet, SSL), provide details of what additional controls have been implemented to mitigate the risk of running that insecure service.
NOTES
Expected Evidence:
1. A list justifying the services running on the servers, especially insecure services such as HTTP, FTP, Telnet etc., and the compensating controls applied to each
REFERENCE

QUESTION 23
(Same request as Question 21.) Provide configuration scan (i.e. authenticated vulnerability scan) results that evidence the list of ports/services running on in-scope systems (servers and network devices), or the results of running the ControlCase scripts on in-scope systems.
NOTES
Expected Evidence:
1. Internal Vulnerability Assessment (IVA) scan report, as for Question 21
REFERENCE


QUESTION 24
For POS devices, provide evidence that strong cryptography is implemented. You must use the attached template to provide the data.
NOTES
Expected Evidence:
1. If POS devices are in scope: screenshots showing that the POS uses strong cryptography
2. If the POS device is already PCI PTS certified, provide a screenshot showing that the model is listed as approved
REFERENCE


REQUIREMENT 3

QUESTION 25
Provide the following for covered information:
- defined retention period
- process for secure data deletion once the retention period has expired
- records that evidence the process was followed
NOTES
Expected Evidence:
1. Data retention and deletion policy document
2. CHD matrix
REFERENCE


QUESTION 26
Provide results showing that card data was searched for on all applicable assets. These can be a combination of process interviews, manual reviews of logs/transaction files and automated scans, as long as they cover PAN, track data, CVV and PIN in all locations within the cardholder data environment (CDE) and outside the CDE.
NOTES
Expected Evidence:
1. Clean card data discovery scan results
REFERENCE

QUESTION 27
Provide the following for all physical media and applications:
- All screenshots where cardholder data is displayed
- Business justification where the full PAN is displayed
NOTES
Expected Evidence:
1. Screenshots of every place where card data is displayed in clear text
2. Justification for displaying the card data (PCI DSS 3.3 allows at most the first six and last four digits to be displayed without a documented business need)
REFERENCE
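The following added example (not from the original document) shows the core of the card data discovery scan asked for in Question 26 and the masking rule behind Question 27: it finds Luhn-valid 13 to 19 digit candidates in text and reports them already masked to first six/last four, so the scan output does not itself become cardholder data. The sample text is constructed, and the card numbers in it are the public test PANs used in payment documentation, not real cards.

```python
"""Card-data discovery and PAN masking helper for Questions 26 and 27.

Added example, not part of the original evidence reference. It scans text
(log lines, transaction files, database exports) for Luhn-valid PANs and
reports them already masked, so the scan report itself does not become new
cardholder data. The sample text is constructed; the card numbers in it are
the public test numbers used in payment documentation, not real cards.
"""
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run. Runs of 20+ digits are deliberately not matched.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: filters out most order numbers, trace IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four: the most PCI DSS 3.3 permits on a display
    without a documented business need."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid candidate."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((line_no, mask_pan(digits)))
    return hits


# Constructed sample: two lines that leak a PAN and one 13-digit trace ID
# that looks like a card number but fails the Luhn check.
SAMPLE_TEXT = """\
2016-08-02 10:14:55 order=8000012345 pan=4111 1111 1111 1111 amount=120.00
2016-08-02 10:15:01 order=8000012346 pan=5500-0000-0000-0004 amount=45.50
2016-08-02 10:15:09 trace=1234567890123 status=approved
"""

if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_TEXT):
        print(f"line {line_no}: {masked}")
```

The Luhn filter is what keeps the report usable: without it every 13 to 19 digit order or trace number is a false positive. For a clean-scan result the function must return nothing across every file system, database export and log location in scope, which is why the report should list the paths scanned and not only the hits.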


QUESTION 28
Provide the following for all filesystems, databases and any backup media:
- Details of the method (encryption, hashing, truncation, tokenization) used to protect covered information in storage
- Evidence (screenshots or settings) showing that covered information is protected
NOTES
Expected Evidence:
1. The methodology by which the client implements encryption, truncation or tokenization
2. Screenshots showing that the numbers have been encrypted, truncated or tokenized
3. Screenshots showing the algorithm in use (e.g. AES, 3DES, RSA) and the key strength (e.g. 128/256 bits for symmetric keys, 2048 bits for RSA). Also describe the process (e.g. program, HSM) used to generate the key
4. If keys are distributed, describe how key distribution is done
5. Describe how secure cryptographic key storage is done and provide screenshots of the locations where the key-encrypting key (KEK) and data-encrypting key (DEK) are stored
6. Screenshots showing who has access to the data-encrypting key (DEK) and the key-encrypting key (KEK)
REFERENCE


REQUIREMENT 4

QUESTION 29
Provide evidence of encryption being used for transmission of in-scope data over any open or public communication channel (i.e. Internet, wireless network, GSM, GPRS, VSAT technology etc.). Encryption must conform to strong industry standards.
NOTES
Expected Evidence:
1. If data is sent via the Internet: show that strong cryptography is used, such as HTTPS or a VPN. Note that PCI DSS 3.1 and later no longer treat SSL and early TLS as strong cryptography, so the evidence should show TLS 1.2 (at minimum TLS 1.1) rather than SSL
2. If no data is sent via the Internet: Not Applicable
REFERENCE


QUESTION 30
Provide evidence of encryption being used for transmission of in-scope data over messaging technologies such as e-mail, chat and SMS. Encryption must conform to strong industry standards.
NOTES
Expected Evidence:
1. If data is sent via e-mail, SMS or a messaging app: show that a secure method such as encrypted e-mail is used
2. If no data is sent via e-mail or SMS: Not Applicable
REFERENCE (no client has this at the moment)

REQUIREMENT 5

QUESTION 31
For the selected sample, provide evidence of antivirus software, showing the following:
- Running in active mode
- Antivirus version
- Signature version
- Evidence that the user cannot disable or alter the antivirus settings
NOTES
Expected Evidence:
1. Screenshots from the antivirus agent on ALL sampled servers satisfying the points above
REFERENCE


QUESTION 32
Provide Antivirus Server Management Console screenshots that show the following:
- Signature update frequency
- Periodic scan frequency
- Signature version
- Log storage for 3 months online and a further 9 months offline
- Three summary scan run reports from the year
NOTES
Expected Evidence:
1. Screenshots from the antivirus server console satisfying the points above
REFERENCE


REQUIREMENT 6

QUESTION 33
Provide evidence that any security alerts or threat notifications are analysed against the asset/application inventory and that a risk-ranking process is applied to the alerts.
NOTES
Expected Evidence:
1. A documented risk methodology showing that ANY incident or alert found is mapped against the asset/application inventory and ranked according to the methodology, which should be based on industry practice
REFERENCE

QUESTION 34
Provide evidence of:
- Current patch levels
- Patches being deployed in a timely manner
NOTES
Expected Evidence:
1. Screenshots from the firewall, IDS, switches, servers, AV, databases and applications showing that patch levels are kept current (critical security patches are expected within one month of release)
2. The patching process: schedule, frequency, etc.
REFERENCE

QUESTION 35
Provide the secure software development process document, in accordance with industry best practices.
NOTES
Expected Evidence:
1. A document describing the client's SDLC procedures
REFERENCE


QUESTION 36
Provide a system-generated list of users on all applications that store, process or transmit covered information.
NOTES
Expected Evidence:
1. A screenshot from the application showing the application user IDs
REFERENCE


QUESTION 37
Provide a recent secure code review report for an application that stores, processes or transmits covered information.
NOTES
Expected Evidence:
1. A yearly code review report confirming that the application is free from web application vulnerabilities, especially the OWASP Top 10
REFERENCE

QUESTION 38
Provide evidence showing that higher environments (i.e. production) are logically separated from lower environments (such as test/development).
NOTES
Expected Evidence:
1. A document or screenshot showing that the development and test environments are logically separated from production
REFERENCE

QUESTION 39
Provide evidence that there is segregation of duties between users having access to higher (production) and lower (test/development) environments.
NOTES
Expected Evidence:
1. A document or screenshot showing segregation of duties between developers/testers and production staff
2. If a user holds both roles, ensure that the usernames used to access development and production are unique to the respective environment, e.g. teo_dev is used only in development and teo_prod or teo_dba only in production
REFERENCE


QUESTION 40
Provide a document that outlines:
- the process for generating test data to be used in lower (test/development) environments
- the process for removing test data and test accounts before moving the system to the higher (production) environment
NOTES
Expected Evidence:
1. A process document describing how the client generates test card data and how the test data is removed before the system goes to production
REFERENCE

QUESTION 41
Provide 4 sample change requests (2 for software modification and 2 for security patch implementation) from the last 6 months.
NOTES
Expected Evidence:
1. Sample change request forms for the following:
   a. Software modification, 2x
   b. Patch implementation / changes to the servers, 2x
REFERENCE


QUESTION 42
Provide the following from a secure code training perspective:
- Material used for training
- Attendee list showing that all developers are covered
NOTES
Expected Evidence:
1. The secure coding training module that was most recently delivered
2. The secure coding training attendance list
REFERENCE

QUESTION 43
(Optional) Provide evidence that a web application firewall is in place to protect against well-known web-based vulnerabilities (such as the OWASP Top 10).
NOTES
Expected Evidence:
1. A screenshot showing that a Web Application Firewall (WAF) is implemented in front of the web application
2. A web application penetration test report. Even when a WAF is in place, a web application PT still needs to be conducted to verify that the WAF actually protects the application from external attacks
REFERENCE

REQUIREMENT 7 & 8

QUESTION 44
Provide the organisational access control policy.
NOTES
Expected Evidence:
1. A document that outlines the policy for user access and privileges. The document must be signed off by management
REFERENCE (Access Control Policy)

QUESTION 45
Please provide:
- List of users
- Access permissions for those users
- Business justification for the level of access permission
NOTES
Expected Evidence:
1. A list of users from the servers / Active Directory and the privileges given to each user
2. Ensure that privileges are granted on a need-to-know, least-privilege basis, unless there is a documented business justification for higher privileges
REFERENCE


QUESTION 46
Provide two forms/tickets per platform (one for a general user and one for an administrative user) from the last 6 months for:
- User access creation
- User access deletion
- User access modification
NOTES
Expected Evidence:
1. Sample user forms for user creation, deletion and modification. Each scenario needs around 2-3 samples. If there were no deletions or modifications, then 5 samples of creation are needed
REFERENCE


QUESTION 47
Provide three sample user termination forms/tickets that evidence timely removal of logical and physical access upon termination of an employee or contractor.
NOTES
Expected Evidence:
1. Sample user termination forms and screenshots showing that each terminated user has been removed from the environment
REFERENCE

QUESTION 48
Provide procedures that outline the process for monitoring inactive users for 90 days on all platforms in scope. In addition, provide reports showing inactive users being either disabled or removed.
NOTES
Expected Evidence:
1. Based on the last successful login of each UID, show that users inactive for more than 90 days are removed or disabled (PCI DSS 8.1.4)
2. On Windows, AD stores a user's last logon time in the lastLogon attribute of the user object. Note that lastLogon is not replicated between domain controllers, so either query every DC or use the replicated lastLogonTimestamp attribute, which can lag the true last logon by up to 14 days
3. On Linux, run lastlog (which reads /var/log/lastlog and shows the most recent login of every account) or last (which reads /var/log/wtmp). Do not rely on lastb: it reads /var/log/btmp, which contains only the failed login attempts
4. If AD is present, capture the users from AD and also any local users present on each server
5. If there is no AD, capture all users allowed to access each server
REFERENCE
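An added example (not part of the original reference) for Question 48, showing how the last-login data from both sources is turned into the inactive-user list that the report must contain: it parses lastlog output and converts the FILETIME value from AD's lastLogonTimestamp, then reports every account idle for more than 90 days. The lastlog output, the AD records, the account names and the review date are constructed.

```python
"""Inactive-account check for Question 48 (PCI DSS 8.1.4: remove or disable
accounts inactive for more than 90 days).

Added example, not part of the original evidence reference. It parses the
output of `lastlog` on Linux and converts the Windows FILETIME value stored in
the AD lastLogonTimestamp/lastLogon attributes, then lists the accounts that
breach the 90-day limit. The lastlog output, the AD records and the review
date are constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

INACTIVE_AFTER = timedelta(days=90)
REVIEW_DATE = datetime(2016, 8, 2, tzinfo=timezone.utc)   # assumed date of the review

# 100-nanosecond ticks between 1601-01-01 (FILETIME epoch) and 1970-01-01.
FILETIME_EPOCH_DIFF = 116_444_736_000_000_000
LASTLOG_DATE = "%a %b %d %H:%M:%S %z %Y"
NEVER = "**Never logged in**"
DATE_RE = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d [+-]\d{4} \d{4}$")


def parse_lastlog(text: str) -> Dict[str, Optional[datetime]]:
    """Map username -> last login time (None for accounts that never logged in).

    lastlog reads /var/log/lastlog, which records the most recent successful
    login per account; lastb would only show failed attempts from /var/log/btmp.
    """
    result = {}
    for line in text.splitlines()[1:]:            # first line is the column header
        line = re.sub(r"\s+", " ", line).strip()  # Port/From columns may be empty
        if not line:
            continue
        user, rest = line.split(" ", 1)
        if rest.endswith(NEVER):
            result[user] = None
        else:
            result[user] = datetime.strptime(DATE_RE.search(rest).group(), LASTLOG_DATE)
    return result


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """AD lastLogon/lastLogonTimestamp (FILETIME, UTC) -> datetime; 0 means never set."""
    if filetime == 0:
        return None
    return datetime.fromtimestamp((filetime - FILETIME_EPOCH_DIFF) / 10_000_000, tz=timezone.utc)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the constructed AD sample."""
    return int(dt.timestamp()) * 10_000_000 + FILETIME_EPOCH_DIFF


def inactive_accounts(last_logins: Dict[str, Optional[datetime]],
                      as_of: datetime = REVIEW_DATE,
                      limit: timedelta = INACTIVE_AFTER) -> List[str]:
    """Accounts whose last login is older than `limit` or missing altogether.

    lastLogonTimestamp is only replicated when it is more than about 14 days
    stale, so an AD value can understate recency by up to 14 days; an account
    that never logged in but was created inside the window should be checked
    against its creation date before it is reported.
    """
    return sorted(user for user, last in last_logins.items()
                  if last is None or as_of - last > limit)


# Constructed `lastlog` output (columns: Username Port From Latest).
SAMPLE_LASTLOG = """\
Username         Port     From             Latest
root             pts/0    10.10.1.15       Mon Aug  1 09:12:44 +0000 2016
appsvc                                     **Never logged in**
teo_prod         pts/1    10.10.1.20       Tue Apr 12 18:03:10 +0000 2016
backup           tty1                      Fri Jul 29 02:00:01 +0000 2016
"""

# Constructed AD export: sAMAccountName -> lastLogonTimestamp (FILETIME).
SAMPLE_AD = {
    "j.lim": datetime_to_filetime(datetime(2016, 7, 30, 8, 0, tzinfo=timezone.utc)),
    "k.tan": datetime_to_filetime(datetime(2016, 3, 1, 9, 30, tzinfo=timezone.utc)),
    "svc_legacy": 0,
}

if __name__ == "__main__":
    print("Linux:", inactive_accounts(parse_lastlog(SAMPLE_LASTLOG)))
    print("AD:", inactive_accounts({u: filetime_to_datetime(v) for u, v in SAMPLE_AD.items()}))
```

The report the QSA expects is this list together with the screenshot showing each listed account disabled or deleted; accounts that have never logged in (appsvc, svc_legacy above) are the ones most often missed because they do not appear in login-based reviews at all.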


QUESTION 49
Provide an inventory of vendors that are given remote access to your organisation. For each vendor please provide:
- Procedure for providing access only when needed
- Access activity monitoring reports
NOTES
Expected Evidence:
1. An inventory of all third parties that are involved in the PCI environment
REFERENCE

QUESTION 50
For all assets identified in the sample, provide evidence of logical access account and password features, including:
- Account lockout policy
- Account lockout duration
- Session timeout policy
- Password length
- Password complexity
- Password history
- Password expiry
NOTES
Expected Evidence:
1. If AD is present: a screenshot of the GPO, screenshots showing that all servers follow the GPO, and evidence that all network devices authenticate against AD via RADIUS (or equivalent)
2. If there is no AD: screenshots of the password policy from ALL servers and network devices
REFERENCE


QUESTION 51
Provide evidence that passwords (for platform and/or consumer applications) are rendered unreadable during transmission and storage.
NOTES
Expected Evidence:
1. Screenshots showing that passwords for all components are encrypted in transit and stored using strong cryptography (for application passwords, a salted one-way hash rather than reversible encryption)
REFERENCE

QUESTION 52
Provide one sample per platform of recent password reset requests/forms for users.
NOTES
Expected Evidence:
1. Sample password reset forms for user access to:
   a. Server, 1x
   b. Database, 1x
   c. Firewall, 1x
REFERENCE

QUESTION 53
Provide documented procedures for password change on new user creation or on password reset, for all platforms in scope.
NOTES
Expected Evidence:
1. Documentation of how the password change is performed
2. Screenshots showing that the password must be changed at first login and after a password reset
REFERENCE

QUESTION 54
Provide the following related to remote access:
- Procedure that outlines the process of granting remote access, as well as a description of the two-factor authentication technology used
- List of internal and external users with remote access
NOTES
Expected Evidence:
1. The process by which users are granted remote access
2. How the two-factor authentication is provisioned to them
3. The list of users that have been granted remote access
REFERENCE


QUESTION 55
This is applicable only to service providers with remote access to multiple customers. Provide the user list for up to (but not exceeding) 3 customers to prove that unique credentials are used per customer.
NOTES
Expected Evidence:
1. If the client has access to its merchants' environments, provide the list of merchants the client connects to and show that a unique ID is used for every customer
REFERENCE (we have never encountered a case where a service provider accesses the environment)

QUESTION 56
If other authentication mechanisms are used apart from normal passwords (for example physical or logical security tokens, smart cards, certificates etc.), provide the list of users and the authentication method assigned to each individual account.
NOTES
Expected Evidence:
1. Screenshots or other evidence of the users that have more than one authentication mechanism, such as OTP for MFA
REFERENCE

QUESTION 57
Provide a screenshot of the current active connections.
NOTES
Expected Evidence: for each sampled database, provide a screenshot of the following (make sure the screenshot clearly shows the IP address/hostname and the command used to display the current sessions):
- On Oracle, from the SQL*Plus prompt, run: select * from gv$session
- On Microsoft SQL Server, from Query Analyzer / Management Studio, run: sp_who 'active'
- On Sybase, from the SQL prompt, run: sp_who
- For any other type of database, check the vendor documentation and provide the equivalent screenshot
REFERENCE

REQUIREMENT 9

QUESTION 58
Provide the following for all physical locations in scope:
- Sample records from the physical access control system (such as a badge system) and/or video cameras showing 90 days of retention
- List of users created on the access control system (such as a badge system) with administrative access
NOTES
1. Provide the access card badge log, latest 3 months
2. CCTV log screenshot at the DC; make sure each row in the DC is covered by CCTV
3. Screenshot of the users in the access badge control system, including the system version
4. Make sure there is no username ADMIN or ADMINISTRATOR; usernames must be unique
REFERENCE


QUESTION 59
Please provide two samples of user access creation and deletion forms/tickets from the last 6 months that evidence:
- physical access allocation to the sensitive area is authorised and as per the individual's job function
- timely removal of physical access upon termination of the user
NOTES
1. Samples of user access creation to physical areas
2. Samples of user deletion
REFERENCE

QUESTION 60
Provide sample records or scanned copies of the visitor log (for a 90-day period) for the facility / network rooms / data centres that contains:
- The visitor's name
- The date and time
- The firm represented, and
- The onsite personnel authorising physical access
NOTES
1. Either hard copy or soft copy
2. Make sure it covers the latest 3 months
REFERENCE

QUESTION 61
Provide a policy that outlines the following:
- visitors can be distinguished from onsite personnel (employees)
- visitors are escorted during access to sensitive areas
- visitor badges are returned upon departure
NOTES
Physical access control policy or physical security policy; make sure the points below are included in the document:
- visitors can be distinguished from onsite personnel (employees)
- visitors are escorted during access to sensitive areas
- visitor badges are returned upon departure

QUESTION 62
This question is applicable only if physical media is used for backups of covered information and is stored offsite. Provide evidence that a physical security review of the backup facility has been performed.
NOTES
1. Please provide the backup log
2. Annual physical review of the media storage location
REFERENCE


(Sample report)

QUESTION 63
This question is applicable only if physical media is used to store covered information. Provide the following:
- Full media inventory
- Sample of 5 inbound and outbound media movement records (including information such as date/time of movement, approver name, delivery method) from the last 6 months
NOTES
1. Please provide the tape movement in and out records

(Sample template)

QUESTION 64
Provide the physical media destruction procedure and a sample of media destruction records from within the last year.
NOTES
1. Please provide the data retention and disposal policy
REFERENCE (full report can be reviewed in the shared folder)


QUESTION 65
Provide an up-to-date list of point-of-sale devices (card-reading devices and terminals) with information that includes:
- Make and model of the device
- Location of the device (for example, the address of the site or facility where the device is located)
- Device serial number or other method of unique identification
NOTES
REFERENCE

QUESTION 66
For POS devices, provide:
- documented procedures that outline the process for inspecting devices for tampering
- material used for training personnel to perform the inspection
- records showing that personnel have been trained
- a sample of 3 records from different retail locations showing the inspection schedule
NOTES
1. Q66.Sample_POS_inspection_training_material
REFERENCE


REQUIREMENT 10

QUESTION 67
Please wait to provide this information until the assessor gives you a sample after Phase I. For the sample, provide the audit log policy settings. You may use the attached template or provide the required information in an alternative format.
NOTES
Please ensure that the audit log settings send all logs required by PCI DSS for all servers, network devices, applications and databases.
REFERENCE (screenshots: Linux, Windows)

Sample audit log policy settings (screenshots in the original):
Sample 1: AIX
Sample 2: Check Point firewall
Sample 3: Cisco ACS
Sample 4: Cisco devices
Sample 5: FortiGate firewall
Sample 6: Juniper firewall
Sample 7: Linux (Red Hat)
Sample 8: Oracle
Sample 9: Sophos firewall
Sample 10: Windows

QUESTION 68
Please wait to provide this information until the assessor gives you a sample after Phase I. Provide actual event logs for each of the platforms identified in the sample.
NOTES
All of the following scenarios require a screenshot (these are the PCI DSS 10.2 event types):
- All individual access to cardholder data
- All actions taken by any individual with root or administrative privileges
- Access to all audit trails
- Invalid logical access attempts
- Use of identification and authentication mechanisms
- All elevation of privileges
- All changes, additions, or deletions to any account with root or administrative privileges
- Initialisation of audit logs
- Stopping or pausing of audit logs
- Creation and deletion of system-level objects
Note: the sample audit logs should show the PCI DSS 10.3 fields: user ID, date and time, type of event, success or failure indication, origination of the event, and the identity of the affected system (source and target IP and hostname).
REFERENCE
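The checks above can be run over the actual log extracts before they are screenshotted. The following added example (not from the original document) classifies syslog lines into the 10.2 event types and reports which 10.3 fields each record lacks. The log lines, the host name cde-app01 and the user names are constructed; the patterns follow the standard message formats of sshd, sudo, auditd and usermod. Lines that do not carry the acting user (the auditd and usermod messages) are flagged, because on their own they do not satisfy 10.3.1 and the evidence must include the correlated sudo record.

```python
"""Audit-log evidence checker for Question 68: classifies syslog lines into
the PCI DSS 10.2 event types listed above and checks that each record carries
the 10.3 fields (user, date/time, event type, outcome, origin, affected resource).

Added example, not part of the original evidence reference. The log lines,
hostnames and usernames are constructed; the patterns follow the standard
message formats of sshd, sudo, auditd and usermod.
"""
import re
from typing import Dict, List, Tuple

SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?:\s*(?P<msg>.*)$")

# (10.2 event type, pattern over the message part, outcome). Named groups:
# user = acting user, src = origin address, account/group = affected resource.
RULES = [
    ("use of identification and authentication mechanisms",
     re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"), "success"),
    ("use of identification and authentication mechanisms",
     re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"), "failure"),
    ("action taken with root or administrative privileges",
     re.compile(r"^(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=\S+ ; COMMAND="), "success"),
    ("action taken with root or administrative privileges",
     re.compile(r"^(?P<user>\S+) : (?:\d+ incorrect password attempts|command not allowed)"), "failure"),
    ("stopping or pausing of audit logs",
     re.compile(r"COMMAND=\S*(?:systemctl|service) stop (?:auditd|rsyslog)|COMMAND=\S*auditctl -e 0"), "success"),
    ("stopping or pausing of audit logs",
     re.compile(r"audit daemon is exiting"), "success"),
    ("change to an account with root or administrative privileges",
     re.compile(r"^add '(?P<account>[^']+)' to group '(?P<group>wheel|sudo|root)'"), "success"),
]
PCI_10_3_FIELDS = ["user", "timestamp", "events", "outcome", "origin", "target"]


def classify(line: str) -> Dict[str, object]:
    """Parse one syslog line into a record with the 10.3 fields and 10.2 event types."""
    m = SYSLOG.match(line)
    if not m:
        return {}
    rec = {"timestamp": m["ts"], "user": None, "events": [], "outcome": None,
           "origin": m["host"], "target": m["host"]}
    for event, pattern, outcome in RULES:
        hit = pattern.search(m["msg"])
        if not hit:
            continue
        rec["events"].append(event)
        rec["outcome"] = outcome
        g = hit.groupdict()
        rec["user"] = g.get("user") or rec["user"]
        rec["origin"] = g.get("src") or rec["origin"]
        if g.get("account"):
            rec["target"] = f"{g['account']} -> group {g['group']} on {m['host']}"
    return rec


def missing_fields(rec: Dict[str, object]) -> List[str]:
    """10.3 fields a record does not carry; 'user' is missing for daemon-generated
    lines (auditd stopping, usermod) whose actor must come from a correlated sudo line."""
    return [f for f in PCI_10_3_FIELDS if not rec.get(f)]


def audit(text: str) -> List[Tuple[int, List[str], List[str]]]:
    """(line number, 10.2 event types, missing 10.3 fields) for each line."""
    rows = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        rec = classify(line)
        rows.append((line_no, rec.get("events", []),
                     missing_fields(rec) if rec else list(PCI_10_3_FIELDS)))
    return rows


# Constructed sample from a host called cde-app01.
SAMPLE_LOG = """\
Aug  1 09:12:44 cde-app01 sshd[2211]: Accepted publickey for teo_prod from 10.10.1.20 port 51022 ssh2
Aug  1 09:13:02 cde-app01 sudo:   teo_prod : TTY=pts/0 ; PWD=/home/teo_prod ; USER=root ; COMMAND=/bin/systemctl stop auditd
Aug  1 09:13:02 cde-app01 auditd[1020]: The audit daemon is exiting.
Aug  1 09:15:40 cde-app01 sshd[2290]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Aug  1 09:20:11 cde-app01 usermod[2302]: add 'svc_new' to group 'wheel'
"""

if __name__ == "__main__":
    for line_no, events, missing in audit(SAMPLE_LOG):
        print(line_no, events or "-", "missing:", missing or "none")
```

On the sample, the sudo line alone satisfies two event types (administrative action and stopping of audit logs) with every 10.3 field present, while the auditd and usermod lines are flagged for a missing user: that is the signal to screenshot the pair of lines together rather than the daemon message by itself.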


QUESTION 69
Provide the following NTP evidence to show that all devices have a common timestamp within logs:
- Device being used as the central NTP server along with the NTP version number
- Setting/screenshot showing sync between the NTP server and an external time source
- Access control list for the NTP server
You must use the attached template to provide us the data.
NOTES
1. The version of NTP used (use the current version, which is version 4)
2. The setting up of the primary NTP server
3. The setting up of the secondary NTP server
4. Ensure that all servers are taking the time from the secondary NTP server
5. Ensure that the time uses a standard time zone, either GMT or UTC
Central NTP:
1. Central NTP configuration. <Paste screenshot here>
2. Central NTP version. <Paste screenshot here>
3. List of users created on the central NTP server. <Paste screenshot here>
Provide the NTP configuration for all flavours of the following servers or network devices:
1. Firewall (Cisco, Juniper, Nokia, Check Point, SonicWALL, F-Secure etc.)
2. Server (Linux, Windows, Solaris, AIX, Red Hat etc.)
3. Switch
4. Router
5. IDS/IPS
6. Load Balancer
7. Desktops (if applicable)
REFERENCE
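The screenshots requested above are easier to collect if the NTP chain is verified first. The script below is an added example, not part of the evidence reference: it reads the `ntpq -p` peer billboard (ntpd version 4) captured from each in-scope host and checks that the central NTP server synchronises to an external time source, that every other host synchronises to a central NTP server, and that the selected peer is reachable with a small offset. The hostnames, addresses and captured outputs are constructed for the example.

```python
"""Added example (not from the evidence reference): reads 'ntpq -p' output captured from
each in-scope host and checks the Question 69 expectations: the central NTP server
synchronises to an external time source, every other host synchronises to a central
NTP server, and the selected peer is actually reachable with a small offset.
Hostnames, addresses and the captured outputs below are constructed."""
import re

# Constructed fleet definition: central NTP servers and the external sources they may use.
CENTRAL_SERVERS = {"ntp1.corp.local", "ntp2.corp.local"}
EXTERNAL_SOURCES = {"time.example.net", "time2.example.net"}

# One peer row of 'ntpq -p' (ntpd v4 billboard): tally code, remote, refid, stratum, type,
# when, poll, reach (octal), delay, offset, jitter. The header rows do not match.
PEER_LINE = re.compile(
    r"^(?P<tally>[ *+#x.o-])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+\S\s+"
    r"\S+\s+\d+\s+(?P<reach>[0-7]+)\s+-?[\d.]+\s+(?P<offset>-?[\d.]+)\s+[\d.]+\s*$")


def parse_ntpq(output):
    """Return the peer rows of one 'ntpq -p' capture as dicts."""
    peers = []
    for line in output.splitlines():
        m = PEER_LINE.match(line)
        if m:
            peers.append({
                "tally": m["tally"], "remote": m["remote"], "refid": m["refid"],
                "stratum": int(m["st"]), "reach": int(m["reach"], 8),
                "offset_ms": float(m["offset"]),
            })
    return peers


def assess_host(peers, approved, max_offset_ms=100.0):
    """Deviations for one host; an empty list means the capture supports the evidence."""
    selected = [p for p in peers if p["tally"] == "*"]  # '*' marks the sys.peer in use
    if not selected:
        return ["no selected (sys.peer) time source: host is not synchronised"]
    peer = selected[0]
    deviations = []
    if peer["remote"] not in approved:
        deviations.append(f"synchronised to {peer['remote']}, which is not an approved source")
    if peer["reach"] != 0o377:  # 377 octal: all of the last eight polls succeeded
        deviations.append(f"reach {peer['reach']:o}: recent polls of {peer['remote']} failed")
    if abs(peer["offset_ms"]) > max_offset_ms:
        deviations.append(f"offset {peer['offset_ms']} ms exceeds {max_offset_ms} ms")
    if peer["stratum"] >= 16:
        deviations.append("selected peer reports stratum 16 (unsynchronised)")
    return deviations


def assess_fleet(evidence):
    """evidence: {hostname: 'ntpq -p' output}. Central servers must use an external source;
    every other host must use a central server. Returns {hostname: [deviations]}."""
    report = {}
    for host, output in evidence.items():
        approved = EXTERNAL_SOURCES if host in CENTRAL_SERVERS else CENTRAL_SERVERS
        report[host] = assess_host(parse_ntpq(output), approved)
    return report


HEADER = ("     remote           refid      st t when poll reach   delay   offset  jitter\n"
          "==============================================================================\n")

# Constructed captures: two compliant hosts, one syncing outside the approved chain, and one
# whose only peer never answered (stratum 16, reach 0).
SAMPLE_EVIDENCE = {
    "ntp1.corp.local": HEADER
        + "*time.example.net .GPS.            1 u  210  256  377   12.301    0.812   0.401\n"
        + "+time2.example.net .PPS.           1 u  180  256  377   14.008   -1.102   0.388\n",
    "pay-db-01": HEADER
        + "*ntp1.corp.local 203.0.113.20     2 u   55   64  377    0.412    0.123   0.045\n"
        + "+ntp2.corp.local 203.0.113.21     2 u   12   64  377    0.501   -0.210   0.051\n",
    "pay-app-01": HEADER
        + "*203.0.113.50    .GPS.            1 u   40   64  377   18.220    2.310   0.712\n"
        + " ntp1.corp.local 203.0.113.20     2 u   50   64  377    0.410   -0.020   0.040\n",
    "fw-01": HEADER
        + " ntp1.corp.local .INIT.          16 u    -   64    0    0.000    0.000   0.000\n",
}

if __name__ == "__main__":
    for host, deviations in assess_fleet(SAMPLE_EVIDENCE).items():
        print(host, "OK" if not deviations else "; ".join(deviations))
```

Network devices that print a different sync status format need their own parser; only the `assess_host` rules carry over.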

QUESTION 70
Provide evidence of the following on the central syslog server:
- Access list of users with permission type (i.e. read only/modify) and business justification
- Evidence of archived logs being protected by FIM
NOTES
CAAS
REFERENCE
RSA:

QUESTION 71
Provide:
- One daily log review report/email for every sample
- Evidence of follow-up to the event
- Evidence of log retention for 12 months
You must use the attached template to provide us the data.
NOTES
1. At least 3 sample reports/emails of daily log review
2. Email / follow-up to events
3. Screenshot showing logs stored for 12 months with the DATE clearly visible.
REFERENCE

- Full report can be reviewed in the shared folder -

REQUIREMENT 11
QUESTION 72
Provide quarterly wireless analyzer reports along with details of the authorized/unauthorized nature of each access point. The attached template is provided as a sample.
NOTES
Wireless scan report every quarter
REFERENCE

QUESTION 73
Provide one sample incident response report in response to a rogue access point detection.
REFERENCE

QUESTION 74
Provide quarterly internal vulnerability/configuration assessment reports for the last 4 quarters.
NOTES
Each quarter's report should contain at least the following:
1. List of IPs scanned in each quarterly scan.
2. Date the scan started.
3. Tester's name.
4. Methodology used for testing.
REFERENCE
Internal vulnerability scan report
QUESTION 75
Provide quarterly external vulnerability/ASV scan reports for the last 4 quarters. You must use the attached template to provide us the data.
NOTES
Reports should contain at least the following:
1. List of IPs scanned in each quarterly scan.
2. Date the scan started.
3. Tester's name.
4. Methodology used for testing.
REFERENCE
ASV report

QUESTION 76
Provide the documented methodology being used for penetration testing. You must use the attached template to provide us the data.
REFERENCE

QUESTION 77
Provide the external penetration test report. You must use the attached template to provide us the data.
NOTES
Reports should contain at least the following:
1. List of IPs scanned.
2. Date the scan started.
3. Tester's name.
4. Methodology used for testing.
REFERENCE
External PT report

QUESTION 78
Provide the internal penetration test report. You must use the attached template to provide us the data.
NOTES
Reports should contain at least the following:
1. List of IPs scanned.
2. Date the scan started.
3. Tester's name.
4. Methodology used for testing.
REFERENCE
Internal PT report
QUESTION 79
Provide segmentation test results.
NOTES
Reports should contain at least the following:
1. List of IPs/VLANs not in scope.
2. List of IPs/VLANs in scope and scanned.
3. Date the scan started.
4. Tester's name.
5. Methodology used for testing.
REFERENCE
Refer to the Segmentation PT report
QUESTION 80
Provide evidence of the following from all IDS/IPS implemented:
- Location on network
- Version number
- Signatures
- Alerting emails
- Follow-up to alerts
NOTES
Provide evidence of the following from all IDS/IPS implemented:
- Location on network (must monitor the external as well as the internal network)
- Version number
- Signatures
- Alerting emails (at least 3 samples)
- Follow-up to alerts (at least 3 samples)
REFERENCE

QUESTION 81
Provide the following evidence for the sample:
- FIM version installed
- Files being monitored by FIM
- Alerting emails
- Follow-up to alerts
You must use the attached template to provide us the data.
NOTES
- FIM version installed
- Files being monitored by FIM
- Alerting emails (at least 3 samples/reports)
- Follow-up to alerts (at least 3 samples/reports)
REFERENCE

REQUIREMENT 12
QUESTION 82
Provide annual user information security policy acknowledgement records for:
- Existing employees (5 sample records)
- Recent new joiners (5 sample records)
- Vendors, contractors (at least 1 sample record)
NOTES
1. Make sure it is signed by existing employees and new joiners annually
REFERENCE

QUESTION 83
Provide:
- All organizational information security policies and procedures
- Evidence showing that these are reviewed and updated on an annual basis
The attached template is provided as a sample.
NOTES
1. Policy must be updated
2. Approval/sign-off
REFERENCE
Information security policy
QUESTION 84
Provide your risk assessment methodology, risk acceptance criteria, formalized risk assessment report, risk treatment plan and a statement of applicability (these can be based on OCTAVE, ISO and NIST SP guidelines).
REFERENCE
Risk management policy
Risk report details

QUESTION 85
If remote access to the organization's network is allowed, provide a configuration screenshot for the remote access technology (such as a remote VPN) showing the session time-out defined after a specific period of inactivity.
REFERENCE
Palo Alto
Juniper
Cisco ASDM

QUESTION 86
Provide a policy which requires the following for users accessing covered information remotely:
- Prohibit copying, moving, or storing of covered information onto local hard drives and removable electronic media unless a valid business justification exists
- In case of a business justification, provide evidence that the target hard drives or electronic media are adequately protected
NOTES
1. Remote access policy
QUESTION 87
Provide an organization chart (or equivalent documentation) which clearly outlines the information security roles and responsibilities for all personnel. In addition, provide the following records in support of assigned security responsibilities:
- Recent information security policy review/approval record
- Information security policy communication to all users
- Any security alert communication to affected parties
REFERENCE

QUESTION 88
Provide the information security awareness material used for user training. In addition, provide 5 sample training attendance records from the last one-year period for:
- Existing employees
- Recent hires
- Contractors
The attached template is provided as a sample.
NOTES
1. Security awareness training, i.e. PCI training, ISO training
2. Attendance list for new joiners and existing staff; must be signed
3. Conducted yearly
REFERENCE
PPT slides
Awareness email received status

QUESTION 89
Provide a sample of 10 employee background check records from the last year. The attached template is provided as a sample.
NOTES
1. Background check must be conducted, i.e. check with the previous employer
REFERENCE

QUESTION 90
Provide the list of third party service providers as per the following criteria:
- All third party service providers used by the assessed entity to store, process, or transmit covered information on its behalf for business purposes
- All third party service providers used by the assessed entity to manage components such as routers, firewalls, databases, physical security, and/or servers
NOTES
REFERENCE
Non-Disclosure Agreement
PCI DSS COC expiry
Declaration - Third Party Management

QUESTION 91
For all identified in-scope third party service providers, provide the following:
- Current service agreement which covers the third party's security responsibilities for handling covered information
- Current compliance status against applicable regulations/data security standards
- List of security requirements which are managed by each third party service provider on your behalf
REFERENCE
Service Agreement and Certificate of Compliance

QUESTION 92
Provide the documented process followed to perform due diligence before a new third party service provider engagement. In addition, provide a sample due diligence report for any recently contracted third party service provider.
REFERENCE
Declaration - Third Party Management
Non-Disclosure Agreement
Q92. Sample Due Diligence for Service Providers
Q92. Sample Third Party Management Policy
QUESTION 93
This question applies only to service providers. Provide a sample written acknowledgement that outlines that you are responsible for the security of your customers' data.
REFERENCE
Non-Disclosure Agreement
PCI DSS compliance
Declaration - Third Party Management

QUESTION 94
Provide the organization's Incident Response Plan. In addition, provide one of the following as evidence to confirm that the documented incident response procedure was followed:
1. Annual Incident Response Plan test report, OR
2. Sample report for one recently reported security incident
NOTES
1. Training agenda
2. Incident response plan
3. Incident response plan test
4. Incident plan training attendance list
REFERENCE
IncidentResponse
InfoSecurity_incident_rpt
Security Incident Report Form (fields):
- Ticket Number
- Date of Report
- Incident Detector's Information: Date and Time Detected; Employee ID; Employee Name; Business Unit; Phone Number
- Involved Staff's Information: Involved Staff Name 1; Involved Staff Name 2
- Security Incident Information: Security Incident Description; Security Incident Detail
- Impact Assessment: Type of Incident; Security Impact Information
- Resolution Information: Identify the corrective action, action owner, and next action; Resolution By; Resolution Date; Resolution Detail
- Root Cause and Lessons Learnt: Root Cause; Lessons Learnt / Preventive Actions
- Manager's signature with date
- CISO signature with date

QUESTION 95
Provide incident handling training records for the team with security breach response responsibilities.
REFERENCE
Sample Training Records: Incident Handling Training Records

Sr No.  Name of the Employee  Date of Training  Signature    Comment
1       Ram                   March 31st 2016   <Signature>
2       Shyam                 March 31st 2016   <Signature>
3       Krishna               March 31st 2016   <Signature>
4


More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Merchants with Payment Application Systems Connected to the Internet No Electronic Cardholder

More information

NOTICE TO ALL PROSPECTIVE RESPONDENTS RFP 18-ITSS/CY. Addendum No. 1 issued September 7, RFI responses are in red bold print

NOTICE TO ALL PROSPECTIVE RESPONDENTS RFP 18-ITSS/CY. Addendum No. 1 issued September 7, RFI responses are in red bold print DEDICATED TO THE HEALTH OF OUR COMMUNITY www.hcdpbc.org NOTICE TO ALL PROSPECTIVE RESPONDENTS RFP 18-ITSS/CY Addendum No. 1 issued September 7, 2018 RFI responses are in red bold print How many public

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants For use PCI DSS Version 3.2 Revision 1.1

More information

ISO27001 Preparing your business with Snare

ISO27001 Preparing your business with Snare WHITEPAPER Complying with ISO27001 Preparing your business with Snare T he technical controls imposed by ISO (International Organisation for Standardization) Standard 27001 cover a wide range of security

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

CASE STUDY - Preparing for a PCI-DSS Audit using Cryptosense Analyzer

CASE STUDY - Preparing for a PCI-DSS Audit using Cryptosense Analyzer CASE STUDY - Preparing for a PCI-DSS Audit using Cryptosense Analyzer v1.0 December 2017 pci-dss@cryptosense.com 1 Contents 1. Introduction 3 2. Technical and Procedural Requirements 3 3. Requirements

More information

PCI PA-DSS Implementation Guide Onslip PAYAPP V2.1.x for Onslip S80, Onslip S90

PCI PA-DSS Implementation Guide Onslip PAYAPP V2.1.x for Onslip S80, Onslip S90 PCI PA-DSS Implementation Guide Onslip PAYAPP V2.1.x for Onslip S80, Onslip S90 Revision history Revision Date Author Comments 0.1 2013-10-04 Robert Hansson Created 1.0 2014-01-14 Robert Hansson Review

More information

Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR)

Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR) Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR) Implementation Instructions Version 4.0 March 2018 Document Changes Date Version Description August 2012 1.0 Original Publication November

More information

Projectplace: A Secure Project Collaboration Solution

Projectplace: A Secure Project Collaboration Solution Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the

More information

Point PA-DSS. Implementation Guide. Banksys Yomani VeriFone & PAX VPFIPA0201

Point PA-DSS. Implementation Guide. Banksys Yomani VeriFone & PAX VPFIPA0201 Point PA-DSS Implementation Guide Banksys Yomani 1.04 VeriFone & PAX VPFIPA0201 Implementation Guide Contents 1 Revision history 1 2 Introduction 2 3 Document use 2 3.1 Important notes 2 4 Summary of requirements

More information

Easy-to-Use PCI Kit to Enable PCI Compliance Audits

Easy-to-Use PCI Kit to Enable PCI Compliance Audits Easy-to-Use PCI Kit to Enable PCI Compliance Audits Version 2.0 and Above Table of Contents Executive Summary... 3 About This Guide... 3 What Is PCI?... 3 ForeScout CounterACT... 3 PCI Requirements Addressed

More information

PA-DSS Implementation Guide For

PA-DSS Implementation Guide For PA-DSS Implementation Guide For, CAGE (Card Authorization Gateway Engine), Version 4.0 PCI PADSS Certification 2.0 December 10, 2013. Table of Contents 1. Purpose... 4 2. Delete sensitive authentication

More information

Addressing PCI DSS 3.2

Addressing PCI DSS 3.2 Organizational Challenges Securing the evergrowing landscape of devices while keeping pace with regulations Enforcing appropriate access for compliant and non-compliant endpoints Requiring tools that provide

More information

PA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite

PA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite for Sage MAS 90 and 200 ERP Versions 4.30.0.18 and 4.40.0.1 and Sage MAS 90 and 200 Extended Enterprise Suite Versions 1.3 with Sage MAS 90 and 200 ERP 4.30.0.18 and 1.4 with Sage MAS 90 and 200 ERP 4.40.0.1

More information

Stripe Terminal Implementation Guide

Stripe Terminal Implementation Guide Stripe Terminal Implementation Guide 12/27/2018 This document details how to install the Stripe Terminal application in compliance with PCI 1 PA-DSS Version 3.2. This guide applies to the Stripe Terminal

More information

PCI DSS REQUIREMENTS v3.2

PCI DSS REQUIREMENTS v3.2 Requirement 1: Install and maintain a firewall configuration to protect cardholder data 1.1 Establish and implement firewall and router configuration standards that include the following: 1.1.1 A formal

More information

FairWarning Mapping to PCI DSS 3.0, Requirement 10

FairWarning Mapping to PCI DSS 3.0, Requirement 10 FairWarning Mapping to PCI DSS 3.0, Requirement 10 Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are

More information

01.0 Policy Responsibilities and Oversight

01.0 Policy Responsibilities and Oversight Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities

More information

Education Network Security

Education Network Security Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or

More information

Voltage SecureData Mobile PCI DSS Technical Assessment

Voltage SecureData Mobile PCI DSS Technical Assessment White Paper Security Voltage SecureData Mobile PCI DSS Technical Assessment Prepared for Micro Focus Data Security by Tim Winston, PCI/P2PE Practice Director, Coalfire Systems, Inc., June 2016 Table of

More information

AUTHORITY FOR ELECTRICITY REGULATION

AUTHORITY FOR ELECTRICITY REGULATION SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2.1 June 2018 Section 1: Assessment Information Instructions for Submission

More information

RAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures

RAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures RAPID7 INFORMATION SECURITY An Overview of Rapid7 s Internal Security Practices and Procedures 060418 TABLE OF CONTENTS Overview...3 Compliance...4 Organizational...6 Infrastructure & Endpoint Security...8

More information

PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS

PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS CONFIDENCE: SECURED WHITE PAPER PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS TRIPWIRE ENTERPRISE TRIPWIRE LOG CENTER TRIPWIRE IP360 TRIPWIRE PURECLOUD A UL TRANSACTION SECURITY (QSA) AND TRIPWIRE WHITE

More information

Rural Computer Consultants

Rural Computer Consultants Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Rural Computer Consultants PCI 2-12-15 All other Merchants Version : 2.0 page 1 Part

More information

Application Control Review. August 4, 2012

Application Control Review. August 4, 2012 Application Control Review August 4, 2012 Application Controls Review - Scope Web security Access Controls Password Controls Service Level Agreement Database Access Controls Perimeter Security Controls

More information

PCI DSS 3.2 Responsibility Summary

PCI DSS 3.2 Responsibility Summary PCI DSS 3.2 Responsibility Summary July 2018 BACKGROUND & PURPOSE The security of cardholder data and how it is displayed, transmitted, stored or otherwise used by Neto and Merchants is of utmost importance.

More information

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC

More information

Section 1: Assessment Information

Section 1: Assessment Information Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant s self-assessment with the Payment Card Industry Data Security

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update

More information

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES 002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission

More information

COMPLIANCE BRIEF: HOW VARONIS HELPS WITH PCI DSS 3.1

COMPLIANCE BRIEF: HOW VARONIS HELPS WITH PCI DSS 3.1 COMPLIANCE BRIEF: HOW VARONIS HELPS WITH OVERVIEW The Payment Card Industry Data Security Standard (PCI-DSS) 3.1 is a set of regulations that govern how firms that process credit card and other similar

More information