Explains the importance of proper documentation for any PCI DSS implementation project, including details of tools to automate
Implementing PCI DSS best practice – versions 2.0 & 3.0
Geraint Williams & Alastair Stewart, IT Governance Ltd
www.itgovernance.co.uk
Introduction
• Geraint Williams
  – QSA at IT Governance Ltd
  – CREST Registered Tester
• Alastair Stewart
  – PCI DSS Consultant at IT Governance Ltd
  – MSc Information Management
  – Associate of (ISC)2 for CISSP
  – Adapted and assembled the new v3.0 toolkit
© IT Governance Ltd 2014
Agenda
• A QSA’s view of documentation and evidence
• Why is the Toolkit useful?
• PCI Documentation Requirements v2.0 & v3.0
• Changes to the toolkit
• Using the toolkit
• Q&A
A QSA’s look at evidence
• Performing a PCI DSS audit requires observation and collection of evidence
• Evidence types:
  – Records, sign-off sheets, change control
  – Log files, configuration files, setup files
• Vulnerability scan and penetration test results (where applicable)
The standard’s view on evidence
Why all this evidence?
• Evidence is required for compliance, and it must be continual between audits
• If you have a breach, your evidence will prove your compliance
• The forensics teams will need the data to carry out an investigation
Why a Toolkit?
• IS policies & procedures are mandated in the standard and must cover all requirements
• Large number of requirements to track compliance against
• Results in a large amount of documents to manage
• Construct an ISMS
Why a Toolkit?
• Assessment/Audit is only a snapshot
• Compliance is a complicated and continual process
• Compliance should be treated as a ‘Business as Usual’ process
• Continuous monitoring and control is needed
[Figure: compliance cycle – Assess/Reassess → Plan and Design → Implement → Evaluate]
Why a toolkit? Alternatives
• ISO 27001/27002
  – Can help as a framework
  – Based on risk assessment
  – Will need tailoring to fit all the PCI DSS requirements
• COBIT
  – High level framework
  – Good for integrating with the rest of the IT
  – Need a more detailed ISMS to cover the PCI DSS
• Existing (custom) ISMS
  – Good starting point
  – Provides a template to fit PCI documents into
PCI DSS Documentation Requirements v2.0
• Requirement 12.1/12.1.1 – Establish, publish, maintain, and disseminate a security policy that addresses all PCI DSS requirements.
  – Quite vague as to the details
• Further sub-requirements expand a little; the policy must include:
  – An annual risk assessment and review
  – Daily operational security procedures
  – Usage policies for critical technologies
  – Definitions of IS responsibilities for all personnel
  – Policies for managing service providers
  – An Incident Response plan
PCI DSS Documentation Requirements v2.0
• Other requirements mention documentation
  – Requirement 1.1.5: Documentation and justification for use of services, protocols and ports allowed.
  – Requirement 2.2: Develop configuration standards for all system components.
  – Requirement 3.1.1: Implement a data retention and disposal policy.
• It can be difficult to work out which policies and documentation are required, as this differs from one SAQ to another
PCI DSS Documentation Requirements v3.0
• Given more clarification
• All the previous requirements still apply but the detail is clarified
• Replaces ‘addresses all PCI DSS requirements’ with separate IS policy and procedure sub-requirements for each requirement, e.g.:
  – Req. 1.5 – ‘Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.’
PCI DSS Documentation Requirements v3.0
• Much clearer as to which requirements need policies and procedures and which require documented evidence of their implementation
Changes to the Toolkit – v2.0 Toolkit
• Basic documentation toolkit
• Provided all the necessary policies as templates
• Standardised documentation
• Compatible with ISO 27001/27002
v2.0 Toolkit - Issues
• Difficult to manage which documents to use and which to edit
• Roles & Responsibilities not easy to manage
• Little support in performing risk assessments
• Only helps with documentation
v2.0 Toolkit – Example
• Used with a service provider with no existing ISMS
• Created a compliant ISMS but required customisation, based on applicable requirements
  – Some documents weren’t needed
  – Some clauses within documents weren’t needed
• Easy to fill out for those unfamiliar with policy writing
• Saved a lot of initial time in setting up a standardised documentation set
Changes to the Toolkit – v3.0 Toolkit
• Updated all the documents to meet the new standard
• Added new documents for new requirements
• Added a new document to help with risk assessments
• Added a number of tools to help with the whole compliance process
v3.0 Document Checker
• Easy to use tool which allows you to monitor progress towards completion of policies
• Maps requirements to documents/clauses
• Shows which requirements apply to which SAQ
• Alternate document column for existing documents
v3.0 Gap Analysis Tool
• Executive Summary
v3.0 Toolkit other changes
• Included various guides on difficult topics such as scoping and encryption key management
• A simplified roles and responsibilities matrix for tracking ownership
• A risk treatment plan to assist in annual risk assessments
IT Governance PCI v3.0 Services
• PCI QSA
• PCI DSS Consultancy
• PCI ASV Scanning Service
• Vulnerability & Penetration Testing
• Classroom based PCI Courses
• Online Staff Awareness Training
• Custom Designed Training Courses
• PCI DSS Books
• PCI DSS Toolkit
Special Offer
Receive 20% discount off our PCI DSS v3.0 Documentation Toolkit
Contact Adam Harrison at [email protected]
Or call on: 01353 771058
Where to find us
• Visit our website: www.itgovernance.co.uk
• E-mail us: [email protected]
• Call us: 0845 070 1750
• Follow us on Twitter: https://twitter.com/#!/itgovernance
• Read our blog: http://blog.itgovernance.co.uk/
• Join us on LinkedIn www.linkedin.com/company/it-governance
• Join us on Facebook www.facebook.com/ITGovernanceLtd
Other PCI DSS v3.0 Products and Services
• PCI DSS A Pocket Guide, third edition – http://www.itgovernance.co.uk/shop/p-1010-pci-dss-a-pocket-guide-third-edition.aspx
• PCI Foundation – Overview & Introduction Training Course (1 day) – http://www.itgovernance.co.uk/shop/p-1017-pci-foundation-overview-introduction-training-course.aspx
• PCI Implementation & Maintenance Training Course (2 days) – http://www.itgovernance.co.uk/shop/p-1279-pci-implementation-maintenance-training-course.aspx
• PCI DSS Staff Awareness e-learning course – http://www.itgovernance.co.uk/shop/p-1014-pci-dss-security-e-learning-technical-edition-online-access.aspx
Technical & Consultancy Services
• Penetration Testing Service – http://www.itgovernance.co.uk/shop/p-793-itg-penetration-testing-standard-package.aspx
• PCI QSA Services – http://www.itgovernance.co.uk/pci-qsa-services.aspx
• PCI DSS ASV Scanning Service – http://www.itgovernance.co.uk/pci-scanning.aspx
• PCI Hacker Guardian – Standard/Enterprise Scanning Service – http://www.itgovernance.co.uk/shop/p-1007-pci-asv-hackerguardian-scanning-service.aspx
• PCI DSS Consultancy Services – aligned to either Version 2 or Version 3 – http://www.itgovernance.co.uk/pci-consultancy.aspx
  – PCI DSS Scoping
  – PCI DSS Gap Analysis
  – Remediation support
  – Consultancy by the Hour – IT Governance LiveOnline