Welcome to the Cybrary Demystifying PCI DSS Compliance course.
This module focuses on the goals of the PCI DSS and the requirements associated with them.
This video introduces you to Requirement 7.
We will talk about the requirements associated with restricting access to sensitive information within the CDE.
The learning objective of this video is to discuss some of the ins and outs of each of the mandates associated with restricting access to sensitive information within the cardholder data environment.
Requirement 7 is really all about the concept of role-based access control.
Each individual in your organization should be assigned a role.
That role defines their job function and highlights all the things that person in that role needs to do to perform that job function.
Roles that need access to the card data should be explicitly defined.
They have a need to know;
everyone else that does not have a need to know should not be granted access.
Requirement 7.1.1 states that
a defined and up-to-date list of the roles with access to the cardholder data environment should be in place.
On this list, you should include each role,
the definition of each role,
access to data resources,
current privilege level,
and what privilege level is necessary for each person to perform normal business responsibilities.
Users must fit into one of the roles you outline.
In Requirement 7.1.2 the auditor will be looking at accounts that have more elevated rights to ensure that those rights are limited
to only the administrative functions that they need.
So a database administrator is not a systems administrator.
The backup administrator is not the firewall administrator,
unless as a merchant, you have a documented need that this person needs to perform these roles to do their job.
7.1.3 is a reflection of 7.1.2, except it's for non-admin job functions.
For 7.1.4 you need to have an approval process in place for access to the CDE and authorization to perform a role.
The auditor will be looking for documented proof that explicitly states that each person has a role to perform that function for their job.
With the 7.2 requirement, the approach is the same as for network traffic in the firewall requirements:
if it's not explicitly accounted for and defined as a business need, access should be denied by default.
This concept is applied to all of the components within the CDE and all of the individual user accounts,
and the last requirement is that all of the policies and procedures are documented and disseminated.
Auditors will ask personnel how they're trained and where they can find documentation about how you are restricting access.
They'll also look to verify that the procedures are being followed.
The more documentation or artifacts you have to prove that you do what you say you do as a merchant, the better for the audit.
It eases the audit process.
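The role-based, deny-by-default model the video describes, as an added example that is not part of the Cybrary course: a documented roles list in the shape of 7.1.1 (role, definition, data resources, privilege level needed), admin rights limited to the role's own functions unless a business need is documented, a recorded approval for each assignment, and denial of anything not explicitly defined. Role names, resource names and users are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PRIV_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class Role:
    name: str
    definition: str
    resources: Dict[str, str]  # data resource -> privilege level the role needs


# 7.1.1: the current, documented list of roles with access to the CDE (constructed values)
ROLES = {
    "dba": Role("dba", "Database administrator", {"card_db": "admin"}),
    "sysadmin": Role("sysadmin", "Systems administrator", {"pos_server": "admin"}),
    "backup_admin": Role("backup_admin", "Backup administrator",
                         {"card_db": "read", "backup_vault": "write"}),
    "cashier": Role("cashier", "Point-of-sale operator", {"pos_server": "write"}),
}


@dataclass
class User:
    name: str
    roles: List[str]
    approved_by: Optional[str] = None              # 7.1.4: who approved the role assignment
    multi_role_justification: Optional[str] = None  # documented need to hold several admin roles


def is_authorized(user: User, resource: str, privilege: str) -> Tuple[bool, str]:
    """Decide one access request. Anything not explicitly granted is denied (7.2)."""
    if user.approved_by is None:
        return False, "no documented approval for the role assignment"
    unknown = [r for r in user.roles if r not in ROLES]
    if unknown:
        return False, f"role(s) not on the documented list: {unknown}"
    # 7.1.2: a DBA is not a sysadmin unless the merchant documented that need
    admin_roles = [r for r in user.roles
                   if "admin" in ROLES[r].resources.values()]
    if len(admin_roles) > 1 and not user.multi_role_justification:
        return False, f"holds several admin roles {admin_roles} without documented business need"
    for r in user.roles:
        needed = ROLES[r].resources.get(resource, "none")
        if PRIV_RANK[needed] >= PRIV_RANK[privilege]:
            return True, f"granted via role {r}"
    return False, "not defined for any assigned role; denied by default"
```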
So in summary, we discussed all of the mandates associated with PCI Requirement 7.
PCI Requirement 7 is all about making sure you restrict access to your CDE:
if your personnel do not have an explicitly stated reason for operating in the environment, they should not have access.
Now for a quick quiz.
In instances where a systems administrator needs to elevate their privileges to do database administrative work temporarily,
they could just add themselves to the DB admins group.
There needs to be a formalized process to grant the systems admin additional privileges.
This process could be as simple as sending an email to ask for written authorization to do so, but there needs to be something in place, so the answer is false.
When granting permission to a new user to perform a job function:
A. Permit full access.
B. Deny all access until the role is defined.
C. Create two accounts, one for full access and another with minimal access.
Or D. Permit access once a user has verified identification.
B: deny all access until the role is defined.