3.16 Requirement 12 Part 2

00:00

Welcome to the cyber demons to find PC Idea, says Compliance Course.

00:04

This module will focus on the goals of the P. C. I. D. Assessing the requirements associated with

00:11

this video introduces you to requirement 12 Daddy eight through 12 11.

00:17

In this video, we'll talk about what is the requirements needed for the management of service providers. And we'll go over some of the requirements around how you handle incident Response.

00:31

Requirement 12 is directed at the establishment in maintenance of security policies that direct the operation of your environment.

00:39

Every individual requirement group ends with you needing to create policies and procedures.

00:44

So a lot of those mandates

00:47

of the book this Requirement group are satisfied by those.

00:51

This requirement group is a formalization of a lot of the procedures that you should have in place to protect your CD.

00:57

This group also has things you should do to maintain your policy and mandates that you disseminate the policies to your step.

01:06

The 12 8 grouping is around managing your service providers.

01:10

Service providers are commonly a potential attack vector that the bad guys can leverage to steal your data.

01:17

So it is important that you have controls even around the vendors that you trust.

01:22

12 81 is just that. You should have a list of your service providers in a detailed description of the service's they provide.

01:30

This will also help your auditors and determining the scope of the audit.

01:34

They'll be able to see where your environment ends and where the service provider begins.

01:38

So network diagrams air very helpful here

01:42

for 12 8 to you need to maintain a written agreement of the service is that they will be providing an understanding of how they're able to secure the data that they're responsible for.

01:53

This can take the form of a service level agreement

01:57

whenever you engage with a service for a writer, you need to do a risk assessment to determine how their involvement in your environment could impact the security posture of your environment.

02:07

You need to have a written, established process for how you will bet your service providers and how you will continually assess their PC. I compliance at least annually.

02:17

Proper due diligence is a vague term that varies based on the merchant,

02:22

but you should at least

02:23

have be able to demonstrate something tangible that you do to evaluate any of the past breaches or interview some customers to evaluate their security.

02:34

12 85 is to document any outsource PC I requirements that are managed by the service provider.

02:39

For example, if someone else is handling your firewalls, this needs to be documented and explain that the PC I requirements associated with fireballs are outsourced to your provider.

02:53

12 9 Just says that any service provider needs the document and demonstrate to its customers that they're responsible for the security of cardholder data that they process

03:07

12

03:07

53 states that you need to have an incident response plan

03:12

12 10 says that you need to implement it and gives guidance as to what should be in it

03:17

now. This one is a really in depth requirement.

03:21

It is to make sure you have an incident response policy that everyone is trained on.

03:27

An incident response policy is an in depth topic

03:30

that is beyond the scope of this course.

03:34

I say that to say that a lot of thought needs to go into your incident response, and it's another portion of the section that could benefit from a tabletop exercise to test its effectiveness.

03:45

You have to identify. When an incident, it rises to the level of meeting escalation.

03:50

And when the contact credit card providers to initiate forensic activities,

03:54

you're auditor will be looking to see the depth of your incident response policies and to see who was aware of their roles in the process.

04:02

Here's an image of some of the high level phases that are associated with the incident response process.

04:09

If you're looking at building out of incident response program from scratch, looking through how to implement these faces would be a good start.

04:18

Here's a quick look at the list of minimum details that need to be involved in your incident response plan.

04:26

Clear roles and responsibilities are essential to an effective incident response plan.

04:36

Tabletop exercises or live fire incident Testing's are great ways to test your plan.

04:43

Also, if you're able to incorporate your penetration testing assessments into the testing of your incident response, it will be a great Rhea World example of how your incidents should be hand.

04:57

Now, the 12 10 3 requirement does not mean you need to have a 24 by seven staff.

05:03

You just need to have someone on call and readily available to respond to an incident.

05:10

If whoever you should have this person be, it needs to be documented to be able to show the auditors

05:16

that's that should also be trained on what they need to do in the event of an incident.

05:25

Now I think this requirement is worded a little oddly. But what they're saying is that

05:30

in an incident you should be leveraging your tools to determine what to do to detect and respond to that incident.

05:38

These alerts could be a bill alarms that you need to launch your incident response process

05:46

when following best practices in developing your incident response plan.

05:49

The last stage is lessons learned.

05:54

You should be able to grow from incidents to find out what controls failed and how you can respond better.

06:00

Your incident response plans should have a step that shows you how you're evolving in terms of dealing with incidents.

06:09

12 11 Requirement Group is for service providers, but it is not a bad idea to apply across all merchants.

06:16

Regular reviews. To confirm that your people are operating as you have mandated can only helps improve your security,

06:24

constantly assessing your procedures and how well your staffer. Performing the procedures will help you determine gaps in your security posture.

06:35

Okay, so this video went over the mandates associative requirements. 12 8 through 12 11

06:41

we went over how to handle service providers and incidents within the city.

06:48

Enough were quick quiz

06:50

window personnel need to be available to respond toe alerts

06:55

during business hours.

06:57

Jury off business hours

07:00

during our specified in policy

07:02

or 24 hours a day.

07:08

There needs to be someone available to respond to an alert 24 hours a day.

07:13

This does not mean they have to be on site. They could just be available via phone call or some other method.

07:20

When dealing with service providers, Merchant should

07:24

perform a risk assessment,

07:27

get the best price for the service, is

07:30

get references

07:31

or maintain a list of all the service's they offer to customers.

07:40

Technically, getting references could be a part of performing a risk assessment,

07:44

and all of these options could be true. But from a PC, I perspective, a risk assessment must be done regularly when using service providers.

07:56

Your incident response process should be evaluated

07:59

every year,

08:01

every quarter,

08:03

every six months,

08:03

her after every incident.