discussion and lab work

Description

Your lesson this week discussed several compliance laws, standards, and best practices (see the Lesson 2 activities, under the Rationale tab). The Department of Health and Human Services (the agency responsible for managing HIPAA compliance among healthcare providers) lists recent breaches at https://ocrportal.hhs.gov/ocr/breach/breach_report... - think of it as their "Wall of Shame." Find an article online that discusses a breach or violation of a regulation, such as HIPAA, or of a standard such as PCI-DSS, GLBA, or FERPA. You can also look at Federal Agencies and discuss those that have not had sufficient controls in place (think of the breach that the Office of Personnel Management had). Summarize the article in your own words and address the controls that the organization should have had in place, but didn't, that facilitated the breach. What were the ramifications to the organization and the individuals involved? Do NOT post the article - post only your summary discussion and a link to the article. Remember to respond appropriately to another learner for full points. Remember, if your discussion copies from that article, you receive 0 points. Summarize it in your own words!! Thanks!




Unformatted Attachment Preview

1. Make certain you have reviewed the Lab Lecture and PCI DSS handout posted in the Course.
2. Visit ISACA's site to learn more about COBIT at http://www.isaca.org/KnowledgeCenter/cobit/Documents/CobiT-4.1-Brochure.pdf. Think about the following questions:
   a. What is the purpose of COBIT?
   b. How does a company benefit from implementing COBIT?
   c. On what areas of IT governance does COBIT focus?
3. Visit NIST's site to learn more about NIST SP 800-37, "Guide to Applying the Federal Risk Management Framework for Federal Information Systems", at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf
   a. Read the Abstract on page iii and pages 1–4 to understand the purpose of this guideline.
   b. What are the six steps that comprise the Risk Management Framework? (We'll learn more about these later.)
   c. What are the benefits to an agency of implementing RMF?
4. Read the supplemental information provided by NIST on Ongoing Authorization at http://csrc.nist.gov/publications/nistpubs/800-37-rev1/nist_oa_guidance.pdf
   a. Note that former Federal agency risk management processes advocated a program in which managers implemented IT security controls to manage IT security risks, but most then did a relatively poor job of following up to ensure that these controls stayed in place. A couple of years ago, the focus changed from requiring a compliance assessment every three years to one where controls are assessed for effectiveness on an ongoing basis. That is the purpose of this document. 😊
   b. Read Section 2.1 for additional information on the six RMF steps.
   c. Read Section 2.2 to learn about federal systems' Security Authorization steps.
   d. Read Section 2.3 to learn how to create a Continuous Monitoring Plan.

When finished, take the Lab Quiz posted in the Course.

Main Goals of Payment Card Industry Data Security Standard (PCI DSS)

Main Goals of PCI DSS
▪ Build and maintain a secure network that is PCI compliant.
▪ Protect cardholder data.
▪ Maintain a vulnerability management program.
▪ Implement strong access control measures.
▪ Regularly monitor and test networks.
▪ Maintain an information security policy.

GOAL 1: Build and maintain a secure network that is PCI DSS compliant
All merchants must protect cardholder information by installing a firewall and a router system.
▪ Install, configure, and maintain a firewall system to maintain control over an organization's network; use a router device to connect networks. This is what makes you a PCI compliant merchant.
▪ Next, execute the following steps:
   ▪ Perform testing when configurations change.
   ▪ Identify all connections to cardholder information.
   ▪ Review configuration rules every six months.
▪ Change all default passwords. Default passwords are provided when software is installed; they are discernible and can be easily discovered by hackers.

GOAL 2: Protect cardholder data
▪ Cardholder data is any personal information about the cardholder that is found on the payment card and can never be saved by a merchant.
▪ Merchants can display at most the first six and last four digits of the primary account number.
▪ All information must be encrypted when transmitting data across public networks, such as the Internet, to prevent criminals from stealing personal information while it is in transit.

GOAL 3: Maintain a vulnerability management program
▪ Computer viruses make their way onto computers in many ways, but mainly through e-mail and other online activities.
▪ Viruses compromise the security of personal cardholder information on a merchant's computer, so antivirus software must be present on all computers associated with the network.
▪ In addition to viruses, computers are also susceptible to breaches through the applications and systems installed on them.
▪ Merchants must install vendor-provided security patches within a month of their release to avoid exposing cardholder data.

GOAL 4: Implement strong access control measures
▪ As a merchant, you must limit the accessibility of cardholder information.
▪ Use passwords and other security measures to limit employees' access to cardholder data.
▪ To trace employees' activities when they access sensitive information, assign each user an unreadable password used to access the cardholder data.
▪ Monitor physical access to cardholder data; do not give unauthorized persons the opportunity to retrieve the information, by securing printed information as well as digital.
▪ Maintain a visitor log and retain it for at least three months.

GOAL 5: Regularly monitor and test networks
▪ Keep system activity logs that trace all activity; review the logs daily for security breaches.
▪ The information stored in the logs is useful in the event of a security breach to trace employee activities and locate the source of the violation.
▪ Each quarter, use a wireless analyzer to check for wireless access points to prevent unauthorized access.
▪ Also, scan internal and external networks to identify any possible vulnerable areas in the system.
▪ Install software to recognize any modification by unauthorized personnel.

GOAL 6: Maintain an information security policy
▪ Establish a security policy that covers all PCI DSS compliance requirements and includes annual procedures to recognize any security breaches, as well as day-to-day security policies.
▪ Perform background checks on potential employees and educate new and current employees about the compliance regulations.

Additional Information
▪ To become PCI compliant, you need to complete a questionnaire. This questionnaire consists of yes-or-no questions about your current processing service practices.
▪ Ensure all of your personal identification number (PIN) entry devices are PCI compliant.
▪ Merchants must install certified PCI compliant payment software on their terminals.

Reference: http://www.pcifree.com/pci-dss.html (URL last verified 2014-06-18)

© 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com

Explanation & Answer

Attached.

Running Head: DISCUSSION ON COMPLIANCE LAWS

Discussion on Compliance Laws

On June 23, 2017, a security breach involving 13,000 patient records occurred at a Mission hospital in Oklahoma. One of the employees stole personal health records and a laptop and fraudulently obtained credit cards by using the patients' information. By the time the management of the Mission hospital discovered the security breach, the personal information of ten patients was being used by an impostor and the patients' credit score ratings were under imminent threat of being negatively affected. The hospital notified the patients immediately, though the HIPAA requirement is within 60 ...

