pci_dss_v1-2 (Articles, standards, specifications), page 10
Text of page 10 of the PDF
[Two or three central timeservers within the organization receive external time signals (directly from a special radio, GPS satellites, or other external sources based on International Atomic Time and UTC (formerly GMT)), peer with each other to keep accurate time, and share the time with other internal servers.]

10.4.c Verify that specific external hosts are designated from which the timeservers will accept NTP time updates (to prevent a malicious individual from changing the clock). Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the NTP service (to prevent unauthorized use of internal time servers). See www.ntp.org for more information.

Columns of the assessment table: PCI DSS Requirements | Testing Procedures | In Place | Not in Place | Target Date/Comments

10.5 Secure audit trails so they cannot be altered.
  Testing: 10.5 Interview system administrator and examine permissions to verify that audit trails are secured so that they cannot be altered as follows:

PCI DSS Requirements and Security Assessment Procedures, v1.2
Copyright 2008 PCI Security Standards Council LLC
October 2008
Page 47

10.5.1 Limit viewing of audit trails to those with a job-related need.
  Testing: 10.5.1 Verify that only individuals who have a job-related need can view audit trail files.

10.5.2 Protect audit trail files from unauthorized modifications.
  Testing: 10.5.2 Verify that current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation.

10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
  Testing: 10.5.3 Verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.

10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN.
  Testing: 10.5.4 Verify that logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are offloaded or copied onto a secure centralized internal log server or media.

10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
  Testing: 10.5.5 Verify the use of file-integrity monitoring or change-detection software for logs by examining system settings and monitored files and results from monitoring activities.

10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).
  Note: Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6.
  Testing: 10.6.a Obtain and examine security policies and procedures to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required.
  Testing: 10.6.b Through observation and interviews, verify that regular log reviews are performed for all system components.

10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).
  Testing: 10.7.a Obtain and examine security policies and procedures and verify that they include audit log retention policies and require audit log retention for at least one year.
  Testing: 10.7.b Verify that audit logs are available for at least one year and processes are in place to restore at least the last three months' logs for immediate analysis.

Requirement 11: Regularly test security systems and processes.

Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.

11.1 Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.
  Testing: 11.1.a Verify that a wireless analyzer is used at least quarterly, or that a wireless IDS/IPS is implemented and configured to identify all wireless devices.
  Testing: 11.1.b If a wireless IDS/IPS is implemented, verify the configuration will generate alerts to personnel.
  Testing: 11.1.c Verify the organization's Incident Response Plan (Requirement 12.9) includes a response in the event unauthorized wireless devices are detected.

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
  Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by the company's internal staff.
  Testing: 11.2.a Inspect output from the most recent four quarters of internal network, host, and application vulnerability scans to verify that periodic security testing of the devices within the cardholder data environment occurs. Verify that the scan process includes rescans until passing results are obtained.
  Note: External scans conducted after network changes, and internal scans, may be performed by the company's qualified internal personnel or third parties.
  Testing: 11.2.b Verify that external scanning is occurring on a quarterly basis in accordance with the PCI Security Scanning Procedures, by inspecting output from the four most recent quarters of external vulnerability scans to verify that:
    - Four quarterly scans occurred in the most recent 12-month period;
    - The results of each scan satisfy the PCI Security Scanning Procedures (for example, no urgent, critical, or high vulnerabilities);
    - The scans were completed by an Approved Scanning Vendor (ASV) qualified by PCI SSC.
  Note: It is not required that four passing quarterly scans must be completed for initial PCI DSS compliance if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan. For subsequent years after the initial PCI DSS review, four passing quarterly scans must have occurred.
  Testing: 11.2.c Verify that internal and/or external scanning is performed after any significant change in the network, by inspecting scan results for the last year. Verify that the scan process includes rescans until passing results are obtained.

11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
  Testing: 11.3.a Obtain and examine the results from the most recent penetration test to verify that penetration testing is performed at least annually and after any significant changes to the environment. Verify that noted vulnerabilities were corrected and testing repeated.
  Testing: 11.3.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).

11.3.1 Network-layer penetration tests
  Testing: 11.3.1 Verify that the penetration test includes network-layer penetration tests. These tests should include components that support network functions as well as operating systems.

11.3.2 Application-layer penetration tests
  Testing: 11.3.2 Verify that the penetration test includes application-layer penetration tests. For web applications, the tests should include, at a minimum, the vulnerabilities listed in Requirement 6.5.

11.4 Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines up-to-date.
  Testing: 11.4.a Verify the use of intrusion-detection systems and/or intrusion-prevention systems and that all traffic in the cardholder data environment is monitored.
  Testing: 11.4.b Confirm IDS and/or IPS are configured to alert personnel of suspected compromises.
  Testing: 11.4.c Examine IDS/IPS configurations and confirm IDS/IPS devices are configured, maintained, and updated per vendor instructions to ensure optimal protection.

11.5 Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
  Note: For file-integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).
  Testing: 11.5 Verify the use of file-integrity monitoring products within the cardholder data environment by observing system settings and monitored files, as well as reviewing results from monitoring activities. Examples of files that should be monitored:
    - System executables
    - Application executables
    - Configuration and parameter files
    - Centrally stored, historical or archived, log and audit files

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for employees and contractors.

A strong security policy sets the security tone for the whole company and informs employees what is expected of them.
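Requirement 10.5.5 above asks for change detection on logs that alerts when existing log data is altered but stays quiet when new records are appended. A plain whole-file hash cannot tell those two cases apart, so the check below (an added example, not code from the PCI SSC or from any FIM product) records the file's length and the hash of its contents at baseline time, then on each check hashes only the first baseline-length bytes: an intact prefix with extra bytes after it is an append, a shorter file is a truncation, and a prefix whose hash no longer matches is a modification. The log lines, file names and paths are constructed for the demonstration.

```python
"""Append-aware integrity check for log files (PCI DSS 10.5.5 style).

Baseline = (size, SHA-256 of the whole file). A later check hashes only the
first `size` bytes, so appended records are tolerated while any change to
data that already existed at baseline time raises an alert.
"""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024


def snapshot(path):
    """Record the file's current length and the SHA-256 of all its bytes."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
            size += len(block)
    return {"size": size, "sha256": digest.hexdigest()}


def check(path, baseline):
    """Compare the file with its baseline.

    Returns "unchanged", "appended", "truncated" or "modified". Only the
    first baseline["size"] bytes are hashed, so data added after the
    baseline never affects the comparison.
    """
    digest = hashlib.sha256()
    remaining = baseline["size"]
    with open(path, "rb") as fh:
        while remaining > 0:
            block = fh.read(min(CHUNK, remaining))
            if not block:                      # file is shorter than at baseline
                return "truncated"
            digest.update(block)
            remaining -= len(block)
        extra = fh.read(1)                     # anything beyond the old end?
    if digest.hexdigest() != baseline["sha256"]:
        return "modified"
    return "appended" if extra else "unchanged"


def needs_alert(verdict):
    """10.5.5 semantics: alert on altered or lost data, not on new data."""
    return verdict in ("modified", "truncated")


def demo():
    """Exercise the check on a constructed log file; returns the verdicts."""
    # Constructed sample records (not real log data).
    lines = [
        b"Oct 12 03:14:07 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10\n",
        b"Oct 12 03:14:09 radius1 radiusd: Login OK: [alice] (from client pos-01)\n",
    ]
    verdicts = {}
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "auth.log")   # hypothetical file name
        with open(path, "wb") as fh:
            fh.writelines(lines)
        baseline = snapshot(path)
        verdicts["after_snapshot"] = check(path, baseline)

        # Normal operation: a new record is appended -> no alert expected.
        with open(path, "ab") as fh:
            fh.write(b"Oct 12 03:15:00 radius1 radiusd: Login incorrect: [bob]\n")
        verdicts["after_append"] = check(path, baseline)

        # Tampering: bytes inside the original second record are overwritten.
        with open(path, "r+b") as fh:
            fh.seek(len(lines[0]) + 30)
            fh.write(b"XX")
        verdicts["after_modify"] = check(path, baseline)

        # Tampering: the file is cut back to its first record only.
        with open(path, "r+b") as fh:
            fh.truncate(len(lines[0]))
        verdicts["after_truncate"] = check(path, baseline)
    return verdicts


if __name__ == "__main__":
    for stage, verdict in demo().items():
        print(f"{stage:16s} {verdict:10s} alert={needs_alert(verdict)}")
```

The baseline should live on the central log server from 10.5.3, not beside the file it protects, and a production tool also has to recognise log rotation (a new file under the old name) so that rotation is not reported as truncation; this example deliberately shows only the prefix-hash comparison.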