
Compass Environment PCI Assessment Proposal for San Diego MTS

October 20, 2014

© 2014 AppliedTrust, All rights reserved. Confidential and Proprietary. Page 1

Contract: G1500.2-13

Work Order Number: 2014-001

Work Order Title: Compass Environment PCI Assessment

Work Order Date: October 20, 2014

Statement of Work

This proposal is presented in response to discussions with San Diego Metropolitan Transit System (MTS) regarding the need to ensure that the organization's newly acquired Compass environment meets the requirements of the Payment Card Industry Data Security Standard (PCI-DSS). MTS seeks assistance with assessing the organization's PCI-DSS compliance and developing an understanding of any compliance gaps. AppliedTrust is well suited for this project because of our deep expertise with IT infrastructure and security, and in particular our status as a PCI Qualified Security Assessor (QSA).

AppliedTrust will:

Deliverable

Phase I: Compass Environment PCI Assessment

- Conduct a face-to-face or virtual kickoff meeting with MTS to review the overall project goals and details.

- Develop a project plan, complete with regular milestones, detailing schedule, tasks, and dependencies.

- Collect and evaluate evidence of control design effectiveness in meeting PCI-DSS for the Compass environment. Activities include:

  - Reviewing the cardholder data environment description to validate test samples. This will include all systems that collect, store, process, or transmit cardholder data.

  - Reviewing each PCI-DSS requirement through interviews and observations. A limited set of re-performance tests may be conducted to validate controls that cannot be verified through interviews or prior testing.

- Perform an OS-level examination of existing servers, including configuration, patch compliance, paths of trust, and vulnerabilities.

- Conduct a manual assessment of a representative sample of ticket kiosk systems.

- Review the current network design in the context of PCI-DSS.

- Review data center physical security (physical access, monitoring, etc.).

- Review the roles and access rights/permissions used to share information between systems.

- Capture and analyze network traffic samples, specifically examining the protocols and applications in use and their configuration.

- Compare the current Compass environment software, protocol, and system deployment against PCI-DSS recommended best practices.

- Examine all external connectivity, including modems, wide area network (WAN) connections such as T1 circuits, upstream ISPs, and connections to remote offices.

- Review remote access policy, architecture, and configuration, including levels of access for remote users.

- Evaluate database security architecture and controls.

- Perform comprehensive validation of network and remote access configurations, including firewalls, routers and switches, remote access servers, and other network devices; identify misconfigurations and security vulnerabilities.


- Interview key system/network administration staff and users; analyze existing practices and procedures to identify security weaknesses and necessary operational security improvements.

- Examine firewall configuration, administration, and security (including proxy configuration).

- Evaluate the effectiveness of the Compass environment's overall network architecture.

- Review and analyze current IT security policies to ensure alignment with PCI-DSS requirements.

- MTS must provide all requested documentation at the time of kickoff.

- Document PCI-DSS compliance gaps for MTS, including prioritized recommendations for achieving compliance. The deliverable will consist of a written assessment of the Compass environment's PCI-DSS compliance profile (12–20 pages), identifying prioritized recommendations for bridging the identified gaps. An appendix containing the relevant PCI Self-Assessment Questionnaire (SAQ) will also be included, dependent upon the SAQ validation type determined for MTS during the assessment.

- Conduct a presentation of assessment findings and discussion of recommendations with MTS.

Phase II: Optional Mitigation Assistance

- Assist MTS with mitigating the security issues discovered during the Phase I assessment, at whatever level of involvement is desired by MTS IT staff (e.g., phone Q&A, collaborative work, project outsourcing). Work will be billed hourly, with all hours approved by MTS in advance.

Pricing and Payment Terms

Work for this effort will be billed monthly under the terms of the Master Services Agreement between AppliedTrust and MTS under contract G1500.2-13 dated July 11, 2014, as follows:

Deliverable                           Price
------------------------------------  ----------------------------------------
Compass Environment PCI Assessment    Estimated cost based on MSA rates:
                                      Estimated Hours: 100
                                      Estimated Amount: $16,000.00
                                      Not to Exceed: $20,000.00*
Optional Mitigation Assistance        MSA rates:
                                      Senior Engineer: $165.00/hour
                                      Engineer: $155.00/hour
                                      Technical Writer: $120.00/hour

*This figure includes reimbursement for the actual cost of travel, lodging, and meals at reasonable local rates for AppliedTrust engineers performing on-site work at MTS, as defined in Travel Guidelines Applicable to MTS Contractors No. 44-C.