Time
3 hours 7 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
Welcome to the Cybrary Demystifying PCI DSS Compliance course.
00:06
This module focuses on the goals of the PCI DSS and the requirements associated with them.
00:13
This video introduces you to Requirement 7.
00:16
We will talk about the requirements associated with restricting access to sensitive information within the CDE.
00:23
The learning objective of this video is to discuss some of the ins and outs of each of the mandates associated with restricting access to sensitive information within the cardholder data environment.
00:36
Requirement 7 is really all about the concept of role-based access control.
00:41
Each individual in your organization should be assigned a role.
00:44
That role defines their job function and highlights all the things that person and role needs to do to perform that job function.
00:52
Roles that need access to the card data should be explicitly defined.
00:56
They have a need to know.
00:58
Everyone else that does not have a need to know should not be granted access.
01:03
Requirement 7.1.1 states that
01:07
a defined and up-to-date list of the roles with access to the cardholder data environment should be in place.
01:14
On this list you should include each role,
01:17
the definition of each role.
01:19
access to data resources,
01:22
current privilege level,
01:23
and what privilege level is necessary for each person to perform normal business responsibilities.
01:30
Users must fit into one of the roles you outline.
01:34
In Requirement 7.1.2 the auditor will be looking at accounts that have more elevated rights to ensure that those rights are limited
01:44
to only the administrative functions that they need.
01:47
So a database administrator is not a systems administrator.
01:49
The backup administrator is not the firewall administrator,
01:53
unless as a merchant, you have a documented need that this person needs to perform these roles to do their job.
02:01
7.1.3 is a reflection of 7.1.2, except it's for non-admin job functions.
02:07
For 7.1.4 you need to have an approval process in place for access to the CDE and authorization to perform a role.
02:15
The auditor will be looking for documented proof that explicitly states that each person has a role to perform that function for their job.
02:27
With the 7.2 requirement grouping, the approach is the same as network traffic in the firewall requirements:
02:34
if it's not explicitly accounted for and defined as a business need, access should be denied by default.
02:40
This concept is applied to all of the components within the CDE and all of the individual user accounts.
02:50
And the last requirement is that all of the policies and procedures are documented and disseminated.
02:54
Auditors will ask personnel how they're trained and where they can find documentation about how you are restricting access.
03:02
We'll also look to verify that the procedures are being followed.
03:07
The more documentation or artifacts you have to prove that you do what you say you do as a merchant, the better for the audit.
03:14
It eases the audit process.
03:19
So in summary, we discussed all of the mandates associated with PCI Requirement 7.
03:23
PCI Requirement 7 is all about making sure you restrict access to your CDE.
03:29
If your personnel do not have an explicitly stated reason for operating in the environment, they should not have access.
03:38
Now for a quick quiz.
03:40
In instances where a systems administrator needs to elevate his privileges to do database administrative work temporarily,
03:47
she could just add herself to the DB admins group.
03:55
There needs to be a formalized process to grant the systems admin additional privileges.
04:00
This process could be as simple as sending an email to ask for written authorization to do so, but there needs to be something in place, so the answer is false.
04:12
When granting permission to a new user to perform a job function:
04:15
A. Permit full access.
04:18
B. Deny all access until the role is defined.
04:23
C. Create two accounts, one for full access and another with minimal access.
04:28
Or D. Permit access once a user has verified identification.
04:36
This one's B.
04:39
You deny all access until the role is defined.


Instructed By

Timothy McLaurin
Director of Information Security at Wildcard Corp
Instructor