
IT Assessment Procedures for Maxistar Medical Supplies Company


Compliance Assessment Procedures for PCI standards as applicable to the Maxistar Medical Supplies Company’s IT operations. This paper was created as part of a case study for CYBS 6355 in the spring 2015 semester at the University of Dallas.

James Konderla 3/18/2015


Table of Contents

Overview and Purpose of This Document ... 1
Compliance Assessment Procedures ... 2
References ... 5


Overview and Purpose of This Document

As Maxistar Medical Supplies Company grows and expands its operations, it becomes increasingly important to keep IT operations secure while also enabling the business to meet customer needs quickly and effectively. During a recent assessment Maxistar identified several changes that needed to be made to its IT operations to secure the business, the key change being Payment Card Industry (PCI) compliance. Specifically, Maxistar has decided to seek PCI Data Security Standard (DSS) compliance for its payment card-based systems and has asked that eight requirements from the DSS be identified as priorities for this effort. Though the DSS contains far more than eight requirements, we have identified the following eight as immediate priorities for Maxistar Medical Supplies Company’s PCI DSS compliance program:

• Requirement 1.2.1 (Pertaining to Firewalls and Routers)

• Requirement 2.2.1 (Function limits on IT components)

• Requirement 3.2.1 (Card track data storage)

• Requirement 9.1.2 (Physical Network Security for Network Jacks)

• Requirement 10.5.5 (File-Integrity monitoring for Logs)

• Requirement 11.2.1 (Quarterly Vulnerability Scans)

• Requirement 12.5.2 (Security Alert Monitoring and Reporting)

• Requirement 12.6.1 (Training of Personnel)

In the following pages we have outlined the assessment objectives for the requirements above, as well as potential assessment methods and objects for each, to enable Maxistar to administer these assessments as quickly and easily as possible.


Compliance Assessment Procedures

The following eight PCI DSS requirements have been identified as priorities for compliance. These requirements are outlined below and shown with their required assessment procedures. Though these specific requirements were identified as priorities for Maxistar Medical Supplies Company they are only a sample of the PCI DSS requirements and should be treated as a guide while pursuing full PCI DSS Compliance.

Assessment Procedure

PCI-DSS 1.2.1

ASSESSMENT OBJECTIVE: Pertaining to firewalls and routers: restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: examine firewall configurations to verify that all inbound and outbound traffic necessary for the cardholder data environment is identified, that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that all non-necessary inbound and outbound traffic is specifically denied, either by an explicit "deny all" rule or by an implicit deny after the allow statements]
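The firewall-configuration check described above can be partly automated. The following is an added example, not part of the original paper: it parses a constructed iptables-save style ruleset and reports, per chain, whether traffic not explicitly allowed ends up denied either by an explicit "deny all" rule or by the chain's default policy, and flags any unqualified ACCEPT rule.

```python
import shlex

DENY_TARGETS = {"DROP", "REJECT"}

# Constructed sample in iptables-save format (not from the paper): INPUT ends in
# an explicit deny-all, FORWARD and OUTPUT do not.
SAMPLE_RULES = """*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.10.20.0/24 -p tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 10.10.0.0/16 -d 10.10.30.0/24 -p tcp --dport 1433 -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
COMMIT"""

def parse_ruleset(text):
    """Return ({chain: default policy}, [(chain, match_tokens, target)])."""
    policies, rules = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(":"):              # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):          # "-A CHAIN <matches> -j TARGET"
            tokens = shlex.split(line)
            j = tokens.index("-j")
            rules.append((tokens[1], tokens[2:j] + tokens[j + 2:], tokens[j + 1]))
    return policies, rules

def assess_default_deny(text):
    """Findings per chain; an empty list means unlisted traffic is denied."""
    policies, rules = parse_ruleset(text)
    findings = {chain: [] for chain in policies}
    for chain, policy in policies.items():
        chain_rules = [r for r in rules if r[0] == chain]
        # A DROP/REJECT rule with no match tokens is an explicit "deny all";
        # a DROP/REJECT chain policy is the implicit deny after the allow rules.
        explicit_deny = any(not m and t in DENY_TARGETS for _, m, t in chain_rules)
        if policy not in DENY_TARGETS and not explicit_deny:
            findings[chain].append("no explicit or implicit deny-all")
        for _, m, t in chain_rules:
            if t == "ACCEPT" and not m:
                findings[chain].append("unqualified ACCEPT permits all traffic")
    return findings
```

Running `assess_default_deny(SAMPLE_RULES)` reports INPUT as clean and FORWARD and OUTPUT as lacking a deny-all; the assessor still has to confirm that each remaining allow rule is actually necessary for the cardholder data environment.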

PCI-DSS 2.2.1

ASSESSMENT OBJECTIVE: Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (Where virtualization technologies are used, implement only one primary function per virtual system component.)

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: inspect system configurations of a sample of system components to verify that only one primary function is implemented per virtual system component or device]

Test: [SELECT FROM: using a sample of system components, inspect enabled services to determine whether only one primary function is enabled on each system component]

PCI-DSS 3.2.1

ASSESSMENT OBJECTIVE: Verify that the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, etc.) are not stored.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: using a sample of system components, examine data sources (including but not limited to incoming transaction data, logs, history files, trace files, database schemas and database contents) and verify that the full contents of any track from the magnetic stripe on the back of a card, or equivalent data on a chip, are not stored after authorization.]

PCI-DSS 9.1.2

ASSESSMENT OBJECTIVE: Verify the implementation of physical and/or logical controls to restrict access to publicly accessible network jacks.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Interview: [SELECT FROM: security personnel, LAN administrators, any other parties responsible for restricting access to publicly accessible areas.]

Examine: [SELECT FROM: observe physical locations where publicly accessible network jacks are located; review camera footage to verify jacks have not been accessed in public areas; review network logs to verify jacks in public areas have been unable to access restricted/secured network segments]
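The data-source examination for Requirement 3.2.1 above (logs, trace files, database contents) is usually done with a scanner rather than by eye. The following is an added example, not from the original paper: it searches constructed sample sources for the Track 1 (`%B<PAN>^<NAME>^<expiry>`) and Track 2 (`;<PAN>=<expiry>`) layouts, applies a Luhn check to drop digit runs that merely resemble a card number, and reports each finding with the PAN masked so the report itself does not store cardholder data.

```python
import re

# Constructed sample data sources (not from the paper). The PAN is the standard
# Visa test number 4111111111111111; names, dates and amounts are fabricated.
SAMPLE_SOURCES = {
    "pos_trace.log": (
        "2015-03-18 09:12:01 AUTH req terminal=T01 amount=42.10\n"
        "2015-03-18 09:12:01 RAW %B4111111111111111^DOE/JANE^2512101000000000?\n"
        "2015-03-18 09:12:02 AUTH resp code=00 token=tk_8f3a\n"
    ),
    "orders_dump.sql": (
        "INSERT INTO orders VALUES (1001, '411111******1111', 42.10);\n"
        "INSERT INTO orders VALUES (1002, ';4111111111111111=2512101?', 9.99);\n"
    ),
    "app.log": "order 1003 settled pan_last4=1111 ref=0000123456789012\n",
}

# Track 1: %B<PAN>^<NAME>^<YYMM...>   Track 2: ;<PAN>=<YYMM...>
TRACK_PATTERNS = (
    ("track1", re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")),
    ("track2", re.compile(r";(\d{13,19})=\d{4}")),
)

def luhn_valid(pan):
    """Luhn check digit test; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan):
    """Keep first six and last four digits so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_sources(sources):
    """Return [(source, line_no, track_type, masked_pan)] for each stored full track."""
    hits = []
    for name, text in sources.items():
        for n, line in enumerate(text.splitlines(), 1):
            for track, rx in TRACK_PATTERNS:
                for m in rx.finditer(line):
                    if luhn_valid(m.group(1)):
                        hits.append((name, n, track, mask(m.group(1))))
    return hits
```

On the sample, the masked PAN in the first SQL row and the last-four reference in `app.log` produce no findings, while the raw trace line and the second SQL row are reported as stored Track 1 and Track 2 data respectively.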

PCI-DSS 10.5.5

ASSESSMENT OBJECTIVE: Verify that file-integrity monitoring or change-detection software has been implemented on system logs to ensure that existing log data cannot be changed without generating alerts.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: system settings, monitored files, results from file monitoring/change-detection activities/applications]
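The point of Requirement 10.5.5 is that change detection on logs must distinguish normal growth (new entries appended) from alteration of entries that already exist. The following is an added example, not from the original paper, showing the minimal comparison a log-integrity check needs: a baseline of length plus SHA-256, and a check that hashes only the baseline-length prefix of the current file.

```python
import hashlib

def snapshot(data: bytes):
    """Baseline for an append-only log: its length plus the SHA-256 of that content.
    Keep the baseline off the monitored host so whoever alters the log cannot adjust it."""
    return {"length": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def check_log(baseline, current: bytes):
    """Classify the current log content against its baseline.
    Growth at the end is normal for a log file; any change to bytes that existed
    at baseline time, or a shorter file, means existing entries were altered."""
    n = baseline["length"]
    if len(current) < n:
        return "TAMPERED: truncated"
    if hashlib.sha256(current[:n]).hexdigest() != baseline["sha256"]:
        return "TAMPERED: existing entries modified"
    return "appended" if len(current) > n else "unchanged"

# Constructed sample log content (not from the paper).
LOG_V1 = (b"2015-03-18T09:00:01 login user=alice result=ok\n"
          b"2015-03-18T09:05:44 login user=bob result=fail\n")
LOG_APPENDED = LOG_V1 + b"2015-03-18T09:07:10 login user=carol result=ok\n"
LOG_EDITED = LOG_V1.replace(b"result=fail", b"result=ok  ")   # same length, altered
LOG_TRUNCATED = LOG_V1.splitlines(keepends=True)[0]            # failed login removed
```

In an assessment, the "results from file monitoring/change-detection activities" to examine are exactly the TAMPERED outcomes and the alerts they generated; a tool that only re-hashes the whole file would raise an alert on every legitimate append and is likely to be ignored.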

PCI-DSS 11.2.1

ASSESSMENT OBJECTIVE: Verify that quarterly internal vulnerability scans have been performed by qualified personnel. This includes rescans


POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT ALL: review scan reports and verify that four quarterly internal scans occurred in the most recent 12-month period; review scan reports and verify that the scan process includes rescans until all "high-risk" vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.]

PCI-DSS 12.5.2

ASSESSMENT OBJECTIVE: Verify that security alerts and information are monitored, analyzed and distributed to appropriate personnel.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: verify that responsibility for monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel is formally assigned.]

PCI-DSS 12.6.1

ASSESSMENT OBJECTIVE: Verify that all personnel are trained in a security awareness program upon hire and at least once annually.

POTENTIAL ASSESSMENT METHODS AND OBJECTS: Examine: [SELECT FROM: Verify that the program provides multiple methods of communicating awareness and educating personnel; verify that personnel attend security awareness training upon hire and at least once annually]

Interview: [SELECT FROM: randomly sample personnel to verify they have completed awareness training and are aware of the importance of


References

Data Security Standard - Requirements and Security Assessment Procedures. (2013, November 1). Retrieved March 19, 2015, from https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

Guide for Assessing the Security Controls in Federal Information Systems and Organizations. (2010, June 1). Retrieved March 19, 2015, from
