Dan Lobb CRISC Lisa Gable CISM Katie Friebus

Transcription

1 Dan Lobb CRISC Lisa Gable CISM Katie Friebus

2 AGENDA Meet the speakers Compliance between QSA visits - Dan Lobb Transitioning from PCI DSS Katie Friebus Tips for Managing a PCI Compliance Program - Lisa Gable Questions I S A C A G E E K W E E K

3 MEET THE SPEAKERS Dan Lobb Dan is currently managing the Information Security Compliance Program for Macy s Inc. He has been focused on Information Security Compliance for the past 10 years at several leading companies; Visa, Coca-Cola, Blue Cross Blue Shield, and AT&T. Lisa Gable Lisa is the PCI Compliance Manager for Macy s Systems and Technology. Over the past 7 years at Macy s, Lisa has led efforts for various PCI related efforts including Assessment Management, Vulnerability Scanning and Risk Management Katie Friebus Katie is a Senior Compliance Analyst for Macy s Systems and Technology division. Katie helps to manage the annual PCI Assessment for Macy s as well as ongoing PCI compliance activities. Katie has over 6 years of information security experience both in the banking and credit card processing industries. I S A C A G E E K W E E K

4 PCI COMPLIANCE BETWEEN QSA VISITS DAN LOBB I S A C A GEEK W E E K

5 OUR CHALLENGE So many requirements So many systems So many owners KEYS TO SUCCESS Rank your risks Focused activities Automate I S A C A G E E K W E E K

6 RANK YOUR RISKS Concentrate on areas of concern Troublesome requirements Feedback and comments from assessors Control/process owner input Changed systems in the CDE New lines of business/acquisitions I S A C A G E E K W E E K

7 FOCUSED ACTIVITIES Divide to conquer Leverage other compliance efforts Other security framework activities Policy and procedure management I S A C A G E E K W E E K

8 AUTOMATE Iterative approach Fast and impactful Reporting and dashboards Make use of tools at your disposal Move beyond spreadsheets Policy and procedure management Introduce workflows I S A C A G E E K W E E K

9 TRANSITIONING FROM PCI DSS 3.1. TO 3.2 KATIE FRIEBUS I S A C A G E E K W E E K

10 COMMUNICATION OF CHANGE o PCI Council Communications Website Participating Organization o Qualified Security Assessor (QSA) I S A C A G E E K W E E K

11 WHAT CHANGED? Defining PCI Security Council Change Types Change Type Clarification Additional Guidance Evolving Requirement Definition Clarifies the intent of the requirement. Ensures that concise wording in the standard portrays the desired intent of requirements. Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic. Changes to ensure that the standards are up to date with emerging threats and changes in the market. I S A C A G E E K W E E K

12 KEY CHANGES o 47 Clarification, 3 Additional Guidance, 8 Evolving Requirements o Additional Requirements For Service Providers (Effective Feb 1, 2018): Key Management/ Cryptographic Architecture Detect and report on failures of critical security control systems Network Penetration Testing every 6 months PCI DSS Compliance Program Charter Quarterly Reviews: Personnel are following security policies and procedures o SSL /Early TLS Requirements and guidance moved to Appendix 2 June 30, 2018 TLS 1.1 or Higher Document exceptions I S A C A G E E K W E E K

13 KEY CHANGES o 6.4.6: PCI Requirements in Change Control (Effective Feb 1, 2018) Upon Completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable. 1. Logging 2. Antivirus 3. File Integrity Monitoring 4. Vulnerability Scanning 5. Penetration Testing 6. Configurations 7. Diagram updates Allows for additional visibility within new changes to the CDE and identifying PCI gaps early in the process. I S A C A G E E K W E E K

14 KEY CHANGES o 8.3, 8.3.1, Multi-Factor Authentication for Non-console Administrative Access and Remote access within the CDE (Effective Feb 1, 2018) Multi-factor authentication requires that a minimum of two of the three authentication methods: 1.Something you know, such as a password or passphrase 2.Something you have, such as a token device or smart card 3.Something you are, such as a biometric. Non-console administrative access: access via means without having the device in front of you. I S A C A G E E K W E E K

15 NEXT STEPS o Analysis: What do these changes/updates mean for my organization? Section PCI DSS v3.1 PCI DSS v3.2 Change Type Impact N/A New requirement for change control processes to include verification of PCI DSS requirements impacted by a change. Effective February 1, 2018 Evolving Requirement This is a large impact. Multiple teams including Information Security, Change Management, development and Server management teams will be affected by these processes. I S A C A GEEK W E E K

16 NEXT STEPS o Communication: communicate key updates to stakeholders What is the requirement? How does it impact them? What needs to happen to maintain compliance? o Implementation: How does my organization prepare/implement these changes to processes? Size of effort Communication of process and procedure changes Implementation and tracking I S A C A GEEK W E E K

17 TIPS FOR MANAGING ONGOING PCI COMPLIANCE LISA GABLE I S A C A G E E K W E E K

18 ONGOING PCI COMPLIANCE Whew my assessment is over now I can take a break? Compliance program continues! CONTINUOUS COMPLIANCE Time bound requirements Defining and understanding the time bound requirements Development of a schedule for compliance review Influences on your PCI Compliance Program I S A C A G E E K W E E K

19 TIME BOUND REQUIREMENTS What are time bound requirements? Requirements that must be completed on a regular schedule or set frequency Frequency includes Annually Quarterly Monthly Daily As defined by your Risk Assessment process Why keep up with these requirements? 8/5/2016 I S A C A G E E K W E E K

20 CASE STUDY VULNERABILITY SCANNING Description All entities are required to run internal and external network vulnerability scans for the card holder data environment at least quarterly. PCI DSS Requirement 11.2 Testing Procedures Your assessor or internal audit group is required to ask for the last four tests you have completed. If you are planning for this requirement only during audit checks or just before your PCI assessment kicks off you are already too late! 8/5/2016 I S A C A G E E K W E E K

21 CASE STUDY VULNERABILITY SCANNING PCI DSS Requirement (Part 2) Description All entities are required to address vulnerabilities and perform rescans to verify all high risk vulnerabilities are resolved. Testing Procedures Your assessor or internal audit group is required to verify that all high risk vulnerabilities are addressed. Many requirements in the PCI-DSS have multiple components. Scanning is just the first part Part Two includes remediation and rescanning! 8/5/2016 I S A C A G E E K W E E K

22 ANNUAL REQUIREMENTS (OR AS CHANGED) Diagrams: network and data flows System configuration standards Maintain inventory of in-scope systems List of roles with access to PAN data Training for system developers Web facing application scanning Device lists Inventory of wireless access points Security awareness training Penetration testing Security policies and operational procedures 8/5/2016 I S A C A G E E K W E E K

23 QUARTERLY REQUIREMENTS (OR AS CHANGED) Remove data based on retention requirements Install any vendor-supplied patches (non critical) Internal and external network vulnerability scans Perform risk assessment 8/5/2016 I S A C A G E E K W E E K

24 MONTHLY REQUIREMENTS (OR AS CHANGED) Identify and review new security vulnerabilities; assign risk ranking Install any critical security patches Remove/disable inactive user accounts Change user passwords/passphrases including local accounts (every 60 days) 8/5/2016 I S A C A G E E K W E E K

25 DAILY REQUIREMENTS (OR AS CHANGED) Evaluate malware threats Review security events Review logs of system components DLP to ensure no PAN exists in test systems Logs of all critical systems Wireless scans to verify authorized and unauthorized wireless access points 8/5/2016 I S A C A G E E K W E E K

26 TIME BOUND REQUIREMENT PLANNING QTR 1 QTR 2 QTR 3 QTR 4 Regularly Monitor and Test Networks PCI Rqmt Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Requirement 11 - Regularly test security systems and processes Perform wireless scans to verify authorized and unauthorized wireless access points are identified 11.1.c Ongoing-Daily detection Maintain an inventory/justification of authorized wireless access points Access list maintained regularly Run internal network vulnerability scans Feb May Aug Nov Run external network vulnerability Apr Jul Oct Jan scans Perform external penetration test a July Perform internal penetration test a June Perform penetration test of segmentation controls/methods Security policies and operational procedures June 11.6 As changed and once annually (November 2016) 8/5/2016 I S A C A G E E K W E E K

27 INFLUENCES ON YOUR PCI PROGRAM Other Influencers Opportunities from your last assessment Feedback from your assessor supplemental findings Info Sec/IT Risk Management Control Owner Changes Change Management how is your CDE changing and are you aware? 8/5/2016 I S A C A G E E K W E E K

28 QUESTIONS I S A C A G E E K W E E K