
ISACA January 8, 2013

IT Auditor at Cintas Corporation


Internal Audit Department
Internal Security Assessor (ISA) Certification, September 2010
Annual re-certification
Currently responsible for SOX IT and PCI testing as well as various Corporate audits
Board of Governors, IIA Cincinnati Chapter
The PCI DSS represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.
The standard provides an actionable framework for developing a robust account data security process, including preventing, detecting and reacting to security incidents.
Applies to any entity that stores, processes and/or transmits CHD.
PCI is not government legislation. It is an industry regulation.
The major Card Brands (Visa, MC, Discover, Amex) decided to create regulations, which were initially agreed upon by the Card Brands in 2004.
PCI DSS version 1 is dated December 2004.
On June 30, 2005, the regulations took effect.
The PCI Security Standards Council came into existence in 2006.
The Council became responsible for the development, management, education and awareness of the PCI Data Security Standards.
Each of the Card Brands (Visa, MC, Discover, Amex, JCB) has its own compliance program in accordance with its own security risk management policies, as well as its own definitions of the levels and its own penalizing/fining procedures for companies that have a breach.
Merchant levels (as defined by the Card Brands):

Level 4
  Little credit card business
  Some Card Brands do not have this level
  Annual Compliance Validation
Level 3
  Less than a million credit card transactions
  Some Card Brands do not have this level
  Annual Self-Assessment
Level 2
  Millions (1+ to <6) credit card transactions
  All Card Brands have this level
  Must internally audit with a PCI certified Internal Security Assessor (ISA) using PCI DSS
Level 1
  Many millions (2.5+ to 6+) credit card transactions
  All Card Brands have this level
  Must audit either using a PCI certified external Qualified Security Assessor (QSA) OR Internal Audit with ISA certification using PCI DSS
The PCI SSC Sponsor Company Internal Security Assessor Program is a PCI DSS training and qualification program for eligible internal audit security professionals. The course helps participants improve their organization's understanding of PCI DSS and validate and maintain ongoing compliance through:
  Enhancing the quality, reliability, and consistency of internal PCI DSS self-assessments
  Supporting the consistent and proper application of PCI DSS measures and controls
  Effectively facilitating interactions with QSAs
https://www.pcisecuritystandards.org/index.php
Version 2.0 as of October 2010
New versions are released on a three-year cycle
The PCI documentation (end result) has changed every year
Build and Maintain a Secure Network
Protect Card Holder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
1) Install and maintain a firewall configuration to protect Card Holder Data (CHD)
  Firewall and Router configuration standards
  Review Network Diagram
  Firewall and Router connections are restricted (inbound/outbound traffic)
  No direct internet connection to CHD (DMZ)
2) Do not use vendor supplied defaults
  Attempt to sign on with defaults
  Hardening standards and system configuration
  Non-console admin access is encrypted
3) Protect stored CHD
  Retention Policy and Procedures
  Quarterly process for deleting stored CHD
  Sample incoming transactions, logs, history files, trace files, database schemas and content
  Do not store full track, CVV or PIN
  Render PAN unreadable (mask/truncate)
  Encryption and key management
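As an added example (not from the presentation), this is the kind of check the requirement 3 sampling step calls for: scanning log, history or trace file lines for unmasked PANs, using a Luhn check to cut false positives, and showing the first-six/last-four masking. The log lines are constructed and contain only test-style numbers.

```python
import re

# Constructed sample log lines (not real card data). The 16-digit values on
# lines 1 and 3 are Luhn-valid test-style numbers; line 2 is already masked;
# line 4 is a 16-digit trace id that fails the Luhn check and is not a PAN.
SAMPLE_LOG = """\
2013-01-08 10:02:11 POS-17 auth ok pan=4111111111111111 amt=42.10
2013-01-08 10:02:15 POS-17 auth ok pan=411111******1111 amt=19.99
2013-01-08 10:03:40 WEB-02 order card 5555 5555 5555 4444 exp=0914
2013-01-08 10:04:01 WEB-02 trace id=1234567890123456 status=ok
"""

# 13 to 19 digits, optionally separated by spaces or dashes (the PAN layouts
# seen in receipts, trace files and order forms).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Mask to first six / last four, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_unmasked_pans(text: str) -> list:
    """Return (line number, masked PAN) for each Luhn-valid PAN found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings

def redact(text: str) -> str:
    """Rewrite the text with every Luhn-valid PAN replaced by its masked form."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(_sub, text)

if __name__ == "__main__":
    for lineno, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN found, e.g. {masked}")
```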
4) Encrypt transmission of CHD
  Verify encryption and encryption strength
  Verify wireless is industry best practice (no WEP)
5) Use and regularly update Antivirus software
  All systems have AV
  AV is current, actively running and logging
6) Develop and maintain secure systems and applications
  Patch management current within one month
  Identify new security vulnerabilities with a risk rating
  Custom code is reviewed prior to release
  Change management process
  Developers are trained in secure coding techniques
7) Restrict access to CHD by need-to-know
  Review access policies
  Confirm access rights for privileged users
  Confirm access controls are in place
  Confirm access controls default to deny-all
8) Assign a unique ID to each user
  Verify all users have a unique ID
  Verify authentication with ID/PW combination
  Verify two-factor authentication for remote access
  Verify terminated users are deleted
  Inspect configurations for PW controls
9) Restrict physical access to CHD
  Access to computer rooms and data centers
  Video cameras are in place and video is secure
  Network jacks are secure and not in visitor areas
  Process for assigning badges
  Storage locations are secure (offsite media)
10) Track and monitor all access to network resources
  Review audit trails: actions, time, date, user, etc.
  Time server updates and distribution
  Process to review security logs
11) Regularly test security systems
  Test for wireless access points
  Internal and external network vulnerability scans
  Internal and external penetration testing annually
  File integrity monitoring tools are used
12) Maintain security policies
  Policies are reviewed at least annually
  Explicit approval is required for access
  Auto disconnect for inactivity (internal and remote)
  Security awareness program is in place
  Incident Response Plan
~260 tests
PCI DSS gives both the requirement and the test
Every test has to have an answer
Every bullet within each test must have an answer
If the requirement is not in place, a target date and comments must be made
If there are compensating controls, a Compensating Control Worksheet must be completed
Attestation of Compliance
Executive Summary Score Report on Compliance
Test Procedures Score Sheet Report on Compliance
This is the document that is submitted to the appropriate companies:
  Scanning vendor
  Merchant (i.e. Bank)
  Card Brand Company (e.g. Amex)
Signed by ISA/QSA and Officers of the Company
Brief overview of Company and Cardholder Data Environment
  Not a website copy/paste
  My summation of the company (business, DC, locs)
Brief overview of how the company stores, processes and/or transmits cardholder data
  Terminals
  Applications
  Third parties
State if we are compliant
All 12 Requirements are listed, stating in place or not in place, with a special column for items like N/A
At the bottom, explain any special N/A (e.g. not applicable because we are not a service provider)
Within the Attestation of Compliance, the special column is where to state if it is a compensating control
NOTE: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance
Ex: cannot enforce a 7 character pw on the mainframe
Detailed overview of CHDE: explain the flow from swipe
  Phone orders
  Online orders
  Monthly charges
  Any other way CHD is processed
Network diagram prepared by ISA/QSA
Validate and explain scope (flat vs. segmented)
Validate myself
Explain the environment
  Personnel
  Payment channels
  IT Environment
  Locations
Explain sampling method
Exclusions and why they were excluded
Wholly-owned Entities
International locations
Wireless Environment
Service providers
Third-party applications
Individuals interviewed with titles
List of documentation reviewed
My contact information
Quarterly scan information
Findings and observations
How each control was tested
  Observation of configuration or process
  Sampling
  Interview (with whom)
  Document reviews
Give yourself enough time to complete the final reports
Answer all of the points in each test
Know your scope
Inventory the environment
Use a firewall to segment
If you are getting your QSA/ISA, complete the training and study
Users/coworkers/employees do not understand IT security (e.g. email)
IT Auditor
Cintas Corporation
beckerc@cintas.com
