pci_dss_v1-2 (Статьи, стандарты, спецификации), страница 9
Описание файла
Файл "pci_dss_v1-2" внутри архива находится в следующих папках: Статьи, стандарты, спецификации, PCI DSS. PDF-файл из архива "Статьи, стандарты, спецификации", который расположен в категории "". Всё это находится в предмете "информационное обеспечение разработок" из 11 семестр (3 семестр магистратуры), которые можно найти в файловом архиве МГТУ им. Н.Э.Баумана. Не смотря на прямую связь этого архива с МГТУ им. Н.Э.Баумана, его также можно найти и в других разделах. Архив можно найти в разделе "остальное", в предмете "информационное обеспечение разработок и исследований" в общих файлах.
Просмотр PDF-файла онлайн
Текст 9 страницы из PDF
Review collected data andcorrelate with other entries. Store for atleast three months, unless otherwiserestricted by law.Note: “Sensitive areas” refers to any datacenter, server room or any area thathouses systems that store, process, ortransmit cardholder data. This excludesthe areas where only point-of-saleterminals are present, such as thecashier areas in a retail store.In PlaceNot inPlaceTarget Date/Comments9.1.1 Verify that video cameras or other access controlmechanisms are in place to monitor the entry/exit pointsto sensitive areas. Video cameras or other mechanismsshould be protected from tampering or disabling.
Verifythat video cameras or other mechanisms are monitoredand that data from cameras or other mechanisms isstored for at least three months.9.1.2 Restrict physical access topublicly accessible network jacks.9.1.2 Verify by interviewing network administrators andby observation that network jacks are enabled only whenneeded by authorized employees. For example,conference rooms used to host visitors should not havenetwork ports enabled with DHCP.
Alternatively, verifythat visitors are escorted at all times in areas with activenetwork jacks.9.1.3 Restrict physical access towireless access points, gateways, andhandheld devices.9.1.3 Verify that physical access to wireless accesspoints, gateways, and handheld devices is appropriatelyrestricted.PCI DSS Requirements and Security Assessment Procedures, v1.2Copyright 2008 PCI Security Standards Council LLCOctober 2008Page 42PCI DSS Requirements9.2Develop procedures to help allpersonnel easily distinguish betweenemployees and visitors, especially inareas where cardholder data isaccessible.For purposes of this requirement,“employee” refers to full-time and parttime employees, temporary employeesand personnel, and contractors andconsultants who are “resident” on theentity’s site. A “visitor” is defined as avendor, guest of an employee, servicepersonnel, or anyone who needs to enterthe facility for a short duration, usually notmore than one day.9.3Make sure all visitors are handledas follows:Testing ProceduresNot inPlaceTarget Date/Comments9.2.a Review processes and procedures for assigningbadges to employees, and visitors, and verify theseprocesses include the following:Granting new badges, changing accessrequirements, and revoking terminated employeeand expired visitor badgesLimited access to badge system9.2.b Observe people within the facility to verify that it iseasy to distinguish between employees and visitors.9.3Verify that employee/visitor controls are in place asfollows:9.3.1 Authorized before enteringareas where cardholder data isprocessed or maintained9.3.1 Observe visitors to verify the use of visitor IDbadges.
Attempt to gain access to the data center toverify that a visitor ID badge does not permit unescortedaccess to physical areas that store cardholder data.9.3.2 Given a physical token (forexample, a badge or access device)that expires and that identifies thevisitors as non-employee9.3.2 Examine employee and visitor badges to verifythat ID badges clearly distinguish employees fromvisitors/outsiders and that visitor badges expire.9.3.3 Asked to surrender the physicaltoken before leaving the facility or at thedate of expiration9.3.3 Observe visitors leaving the facility to verifyvisitors are asked to surrender their ID badge upondeparture or expiration.9.4Use a visitor log to maintain aphysical audit trail of visitor activity.Document the visitor’s name, the firmrepresented, and the employeeauthorizing physical access on the log.Retain this log for a minimum of threemonths, unless otherwise restricted bylaw.In Place9.4.a Verify that a visitor log is in use to record physicalaccess to the facility as well as for computer rooms anddata centers where cardholder data is stored ortransmitted.9.4.b Verify that the log contains the visitor’s name, thefirm represented, and the employee authorizing physicalaccess, and is retained for at least three months.PCI DSS Requirements and Security Assessment Procedures, v1.2Copyright 2008 PCI Security Standards Council LLCOctober 2008Page 43PCI DSS RequirementsTesting Procedures9.5Store media back-ups in a securelocation, preferably an off-site facility,such as an alternate or back-up site, or acommercial storage facility.
Review thelocation’s security at least annually.9.5Verify that the storage location is reviewed at leastannually to determine that back-up media storage issecure.9.6Physically secure all paper andelectronic media that contain cardholderdata.9.6Verify that procedures for protecting cardholderdata include controls for physically securing paper andelectronic media (including computers, removableelectronic media, networking, and communicationshardware, telecommunication lines, paper receipts, paperreports, and faxes).9.7Maintain strict control over theinternal or external distribution of any kindof media that contains cardholder data,including the following:9.7Verify that a policy exists to control distribution ofmedia containing cardholder data, and that the policycovers all distributed media including that distributed toindividuals.9.7.1 Classify the media so it can beidentified as confidential.9.7.1 Verify that all media is classified so that it can beidentified as “confidential.”9.7.2 Send the media by securedcourier or other delivery method thatcan be accurately tracked.9.7.2 Verify that all media sent outside the facility islogged and authorized by management and sent viasecured courier or other delivery method that can betracked.9.8Ensure management approvesany and all media containing cardholderdata that is moved from a secured area(especially when media is distributed toindividuals).9.8Select a recent sample of several days of offsitetracking logs for all media containing cardholder data, andverify the presence in the logs of tracking details andproper management authorization.9.9Maintain strict control over thestorage and accessibility of media thatcontains cardholder data.9.9Obtain and examine the policy for controllingstorage and maintenance of hardcopy and electronic mediaand verify that the policy requires periodic mediainventories.9.9.1 Properly maintain inventory logsof all media and conduct mediainventories at least annually.In PlaceNot inPlaceTarget Date/Comments9.9.1 Obtain and review the media inventory log to verifythat periodic media inventories are performed at leastannually.PCI DSS Requirements and Security Assessment Procedures, v1.2Copyright 2008 PCI Security Standards Council LLCOctober 2008Page 44PCI DSS RequirementsTesting Procedures9.10Destroy media containingcardholder data when it is no longerneeded for business or legal reasons asfollows:9.10Obtain and examine the periodic media destructionpolicy and verify that it covers all media containingcardholder data and confirm the following:9.10.1 Shred, incinerate, or pulphardcopy materials so that cardholderdata cannot be reconstructed.9.10.1.a Verify that hard-copy materials are cross-cutshredded, incinerated, or pulped such that there isreasonable assurance the hard-copy materials cannot bereconstructed.In PlaceNot inPlaceTarget Date/Comments9.10.1.b Examine storage containers used forinformation to be destroyed to verify that the containersare secured.
For example, verify that a “to-be-shredded”container has a lock preventing access to its contents.9.10.2 Render cardholder data onelectronic media unrecoverable so thatcardholder data cannot bereconstructed.9.10.2 Verify that cardholder data on electronic media isrendered unrecoverable via a secure wipe program inaccordance with industry-accepted standards for securedeletion, or otherwise physically destroying the media (forexample, degaussing).PCI DSS Requirements and Security Assessment Procedures, v1.2Copyright 2008 PCI Security Standards Council LLCOctober 2008Page 45Regularly Monitor and Test NetworksRequirement 10: Track and monitor all access to network resources and cardholder data.Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise.
Thepresence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of acompromise is very difficult without system activity logs.PCI DSS RequirementsTesting Procedures10.1Establish a process for linking allaccess to system components (especiallyaccess done with administrative privilegessuch as root) to each individual user.10.1Verify through observation and interviewing thesystem administrator, that audit trails are enabled andactive for system components.10.2Implement automated audit trailsfor all system components to reconstructthe following events:10.2Through interviews, examination of audit logs, andexamination of audit log settings, perform the following:10.2.1 All individual accesses tocardholder data10.2.1 Verify all individual access to cardholder data islogged.10.2.2 All actions taken by anyindividual with root or administrativeprivileges10.2.2 Verify actions taken by any individual with root oradministrative privileges is logged.10.2.3 Access to all audit trails10.2.3 Verify access to all audit trails is logged.10.2.4 Invalid logical access attempts10.2.4 Verify invalid logical access attempts are logged.10.2 5 Use of identification andauthentication mechanisms10.2.5 Verify use of identification and authenticationmechanisms is logged.10.2.6 Initialization of the audit logs10.2.6 Verify initialization of audit logs is logged.10.2.7 Creation and deletion ofsystem-level objects10.2.7 Verify creation and deletion of system levelobjects are logged.10.3Record at least the following audittrail entries for all system components foreach event:In PlaceNot inPlaceTarget Date/Comments10.3 Through interviews and observation, for eachauditable event (from 10.2), perform the following:10.3.1 User identification10.3.1 Verify user identification is included in log entries.10.3.2 Type of event10.3.2 Verify type of event is included in log entries.10.3.3 Date and time10.3.3 Verify date and time stamp is included in logentries.PCI DSS Requirements and Security Assessment Procedures, v1.2Copyright 2008 PCI Security Standards Council LLCOctober 2008Page 46PCI DSS RequirementsTesting Procedures10.3.4 Success or failure indication10.3.4 Verify success or failure indication is included inlog entries.10.3.5 Origination of event10.3.5 Verify origination of event is included in logentries.10.3.6 Identity or name of affecteddata, system component, or resource10.3.6 Verify identity or name of affected data, systemcomponent, or resources is included in log entries.10.4Synchronize all critical systemclocks and times.In PlaceNot inPlaceTarget Date/Comments10.4Obtain and review the process for acquiring anddistributing the correct time within the organization, as wellas the time-related system-parameter settings for a sampleof system components.
Verify the following is included inthe process and implemented:10.4.a Verify that a known, stable version of NTP(Network Time Protocol) or similar technology, kept currentper PCI DSS Requirements 6.1 and 6.2, is used for timesynchronization.10.4.b Verify that internal servers are not all receiving timesignals from external sources.
