3.12 Requirement 9
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
3 hours 37 minutes
welcome to the cyber ery demystifying PC idea says compliance course,
this model will focus on the goals of the P. C. I. D. S s and the requirements associated with it.
This video introduces you to requirement night.
We'll talk about the requirement and the nuances associated with how do you handle physical security within the CD?
The learning objective of this video is to discuss how to implement physical security controls of the CD.
The requirement nine Group is all about physical security.
There's an old adage when it comes to protecting systems.
If the adversary has physical access to your device, the adversary has total access to your device,
and that is pretty much true.
Most security controls air rendered ineffective If the bad guy can physically control your system.
So the P C I s S C has come up with a number of standards for merchants to implement physical barriers to protect systems.
So requirement 911 is a little ambiguous.
What's considered to be a sensitive area
PC? I defined sensitive areas as any data center, server room or any area that houses systems that store process or transmit cardholder data.
Note that This excludes areas where only point of sale terminals are present, such as the cashier areas of a retail store.
This exclusion was included to recognize that set controls may not be practical or permitted in public basing areas where cardholders air using their own payment cards.
The purpose of the 911 requirement is to ensure that all entry and exit points the sensitive areas are controlled and monitored,
and that all individuals who physically access the area are identified.
So the access control mechanism needs to be one where you contract who is entering the identified sensitive areas.
Typically, this is in the form of a badge reader of some type.
If you have physical network Jax that can be accessed by the public, you need to take measures to disable them.
This could be at the switch port layer or just unplugging the jacket. The network closets.
You do not want to allow an attacker. Thio have potential unfettered access to the CD.
The same logic applies to 93 or 913
If an attacker could just plug into your network devices or the wireless access points, you could circumvent a lot of lot of your security controls.
Access points should be physically protected from someone potentially plugging directly into it.
Just put your access point in places that is not easily accessible to an attacker.
Physically protecting your environment relies heavily on proper training and procedures.
Training will have a recurring theme throughout. Requirement not,
it begins by putting in place, processes toe, identify personnel and outsiders and then training your staff to be able to quickly differentiate them.
Then you will be able to quickly tell if someone is doing things in your environment that they shouldn't be doing.
An auditor will just be looking to see that you have these processes in place. But crack best practice dictates that you have these badges in such a way that it will be difficult to copy or circumvent.
Relocation of access is important.
A terminate employees should not be able to maintain his or her batch.
An employee should not be able to quickly to turn or should be able to quickly determine if the visitor has overstayed the welcome or is in a place that they shouldn't be.
Much like the requirements in the identity management section, each employee must be explicitly greater access to sensitive areas based on job functions.
The auditor will be reviewing your processes and then validate that you are following them.
A lot of merchants failed the relocation portion of access rights because the system's tied to user account often aren't attached to physical access systems,
so organizations often forget to do both.
In all sensitive areas, visitors need to be escorted
as mentioned earlier. Visitors need to be given some identification that quickly identifies them as a visitor and has some method of expiration.
You need to collect the temporary badges, given the visitors before they leave or at the time of expiration,
and you must maintain a visitor log that is maintained for at least three months.
You must have in place processes and procedures around the security of your physical media's and backup
sensitive data could reside on your media and need to be protected as such.
Offsite storage of backups is not required, but preferred.
As long as you're able to physically protect your systems,
protect your backups, then it's fine.
Make sure you document that you have reviewed your policy every year.
The maintaining of the distribution of media requirements is relatively straightforward.
You need to classify your media so that the nature of the data can be determined, and it is not access by anyone who does not have explicit authorization.
If your ship your media, it needs to be tracked.
Also, any distribution of media needs to be explicitly approved.
Maybe you need to be able to track all of your media so that you can provide adequate protection for it all.
Also, if media has lost, that could be accounted for more quickly, and you'll be able to put in place a process to protect yourself from its potential disclosure.
You also need to be able to securely destroy media that could potentially hold cardholder data.
You need to be able to use means of destruction that make it infeasible to put the information back together.
So for a shredder, it needs to be a cross cut at a minimum.
For digital data, secure wiping software de grousing sufficient destruction of the media is acceptable.
The 99 grouping is to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution
You can't physically protect something if you can't account for.
You can't protect it physically or otherwise. If you don't know where it or what it ISS,
you need to be able to account for all of the devices in your environment.
PC I mandates that you at least track the make model location and serial number or unique identifying of each of these devices.
Auditors will be taken a sample of devices in the environment to verify that you're tracking them in inventory.
Auditors will interview personnel to verify the list of devices is updated when devices are added, relocated, decommissioned et cetera.
Many breaches occur because adversary was able to compromise the physical devices, scanners, card readers, etcetera.
You should have in place processes to regularly check for tampering of your devices.
The 993 requirement is again about training.
Your staff needs to know what to do in all types of scenarios where an attacker may be trying to exploit the people.
The training typically happens annually, and that is enough for the requirement. But really to be ongoing,
they should be able to identify suspicious behavior and know what to do. In response to that
and the final requirement of this group is document document document.
All of your policies and procedures need to be put in writing and deliver to all those that are impacted.
So in summary, we discussed all of the mandates associated with PC I. Requirement nine
Requirement nine is all about how to physically secure your CD and training your personnel on howto handle adversaries who may be trying to infiltrate in the environment.
Okay, quick quiz.
How long should you store recorded footage from video cameras?
A. Three months
Be two months
C 12 months
D six months.
Video footage needs to be stored for atleast three months according to P. C. I. D. S s standards.
When shredding cardholder data, the shredder should at minimum be a strip cut.
Be cross cut
Si diamond cut,
cross cut shredding is the minimum necessary for shredding documents.
It's your false
visitors only need to be escorted to the confirmed destination.
This is false.
Visitors need to be escorted at all times