3.12 Requirement 9

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
3 hours 37 minutes
Difficulty
Beginner
CEU/CPE
4
Video Transcription
00:00
welcome to the cyber ery demystifying PC idea says compliance course,
00:06
this model will focus on the goals of the P. C. I. D. S s and the requirements associated with it.
00:13
This video introduces you to requirement night.
00:16
We'll talk about the requirement and the nuances associated with how do you handle physical security within the CD?
00:24
The learning objective of this video is to discuss how to implement physical security controls of the CD.
00:32
The requirement nine Group is all about physical security.
00:36
There's an old adage when it comes to protecting systems.
00:39
If the adversary has physical access to your device, the adversary has total access to your device,
00:45
and that is pretty much true.
00:47
Most security controls air rendered ineffective If the bad guy can physically control your system.
00:53
So the P C I s S C has come up with a number of standards for merchants to implement physical barriers to protect systems.
01:03
So requirement 911 is a little ambiguous.
01:07
What's considered to be a sensitive area
01:10
PC? I defined sensitive areas as any data center, server room or any area that houses systems that store process or transmit cardholder data.
01:19
Note that This excludes areas where only point of sale terminals are present, such as the cashier areas of a retail store.
01:27
This exclusion was included to recognize that set controls may not be practical or permitted in public basing areas where cardholders air using their own payment cards.
01:38
The purpose of the 911 requirement is to ensure that all entry and exit points the sensitive areas are controlled and monitored,
01:46
and that all individuals who physically access the area are identified.
01:52
So the access control mechanism needs to be one where you contract who is entering the identified sensitive areas.
01:57
Typically, this is in the form of a badge reader of some type.
02:05
If you have physical network Jax that can be accessed by the public, you need to take measures to disable them.
02:10
This could be at the switch port layer or just unplugging the jacket. The network closets.
02:15
You do not want to allow an attacker. Thio have potential unfettered access to the CD.
02:23
The same logic applies to 93 or 913
02:27
If an attacker could just plug into your network devices or the wireless access points, you could circumvent a lot of lot of your security controls.
02:36
Access points should be physically protected from someone potentially plugging directly into it.
02:40
Just put your access point in places that is not easily accessible to an attacker.
02:49
Physically protecting your environment relies heavily on proper training and procedures.
02:53
Training will have a recurring theme throughout. Requirement not,
02:58
it begins by putting in place, processes toe, identify personnel and outsiders and then training your staff to be able to quickly differentiate them.
03:07
Then you will be able to quickly tell if someone is doing things in your environment that they shouldn't be doing.
03:12
An auditor will just be looking to see that you have these processes in place. But crack best practice dictates that you have these badges in such a way that it will be difficult to copy or circumvent.
03:23
Relocation of access is important.
03:25
A terminate employees should not be able to maintain his or her batch.
03:30
An employee should not be able to quickly to turn or should be able to quickly determine if the visitor has overstayed the welcome or is in a place that they shouldn't be.
03:40
Much like the requirements in the identity management section, each employee must be explicitly greater access to sensitive areas based on job functions.
03:51
The auditor will be reviewing your processes and then validate that you are following them.
03:55
A lot of merchants failed the relocation portion of access rights because the system's tied to user account often aren't attached to physical access systems,
04:05
so organizations often forget to do both.
04:12
In all sensitive areas, visitors need to be escorted
04:15
as mentioned earlier. Visitors need to be given some identification that quickly identifies them as a visitor and has some method of expiration.
04:25
You need to collect the temporary badges, given the visitors before they leave or at the time of expiration,
04:30
and you must maintain a visitor log that is maintained for at least three months.
04:39
You must have in place processes and procedures around the security of your physical media's and backup
04:45
sensitive data could reside on your media and need to be protected as such.
04:48
Offsite storage of backups is not required, but preferred.
04:53
As long as you're able to physically protect your systems,
04:57
protect your backups, then it's fine.
05:00
Make sure you document that you have reviewed your policy every year.
05:06
The maintaining of the distribution of media requirements is relatively straightforward.
05:13
You need to classify your media so that the nature of the data can be determined, and it is not access by anyone who does not have explicit authorization.
05:20
If your ship your media, it needs to be tracked.
05:24
Also, any distribution of media needs to be explicitly approved.
05:31
Maybe you need to be able to track all of your media so that you can provide adequate protection for it all.
05:39
Also, if media has lost, that could be accounted for more quickly, and you'll be able to put in place a process to protect yourself from its potential disclosure.
05:50
You also need to be able to securely destroy media that could potentially hold cardholder data.
05:57
You need to be able to use means of destruction that make it infeasible to put the information back together.
06:02
So for a shredder, it needs to be a cross cut at a minimum.
06:06
For digital data, secure wiping software de grousing sufficient destruction of the media is acceptable.
06:18
The 99 grouping is to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution
06:28
requirement 991
06:30
You can't physically protect something if you can't account for.
06:33
You can't protect it physically or otherwise. If you don't know where it or what it ISS,
06:39
you need to be able to account for all of the devices in your environment.
06:44
PC I mandates that you at least track the make model location and serial number or unique identifying of each of these devices.
06:53
Auditors will be taken a sample of devices in the environment to verify that you're tracking them in inventory.
07:00
Auditors will interview personnel to verify the list of devices is updated when devices are added, relocated, decommissioned et cetera.
07:11
Many breaches occur because adversary was able to compromise the physical devices, scanners, card readers, etcetera.
07:18
You should have in place processes to regularly check for tampering of your devices.
07:26
The 993 requirement is again about training.
07:30
Your staff needs to know what to do in all types of scenarios where an attacker may be trying to exploit the people.
07:36
The training typically happens annually, and that is enough for the requirement. But really to be ongoing,
07:44
they should be able to identify suspicious behavior and know what to do. In response to that
07:51
and the final requirement of this group is document document document.
07:55
All of your policies and procedures need to be put in writing and deliver to all those that are impacted.
08:03
So in summary, we discussed all of the mandates associated with PC I. Requirement nine
08:07
Requirement nine is all about how to physically secure your CD and training your personnel on howto handle adversaries who may be trying to infiltrate in the environment.
08:18
Okay, quick quiz.
08:20
How long should you store recorded footage from video cameras?
08:24
A. Three months
08:26
Be two months
08:28
C 12 months
08:30
D six months.
08:35
Video footage needs to be stored for atleast three months according to P. C. I. D. S s standards.
08:46
When shredding cardholder data, the shredder should at minimum be a strip cut.
08:52
Be cross cut
08:54
Si diamond cut,
08:54
de shred
09:01
cross cut shredding is the minimum necessary for shredding documents.
09:07
It's your false
09:09
visitors only need to be escorted to the confirmed destination.
09:16
This is false.
09:18
Visitors need to be escorted at all times
Up Next