3.8 Requirement 5


Time
3 hours 37 minutes
Difficulty
Beginner
CEU/CPE
4
Video Transcription
00:00
Welcome to the Cybrary Demystifying PCI DSS Compliance course.
00:06
This module will focus on the goals of the PCI DSS and the requirements associated with them.
00:12
This video introduces you to requirement five.
00:16
We will talk about the requirements associated with maintaining antivirus and anti-malware within the CDE.
00:24
The learning objective of this video is to explore how to satisfy requirements around maintaining an antivirus program for your cardholder data environment.
00:35
Requirements 5 and 6 are part of what merchants must do to maintain a vulnerability management program.
00:41
Requirement 5 focuses on the merchant's ability to implement and maintain an antivirus solution in the CDE.
00:48
Antivirus is meant to combat malware that could attempt to run in the network that is typically injected via many business-approved activities, including employee email and the use of Internet, mobile computers and storage devices,
01:02
resulting in the exploitation of the system vulnerabilities.
01:06
PCI mandates that antivirus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats.
01:15
Additional anti-malware solutions may be considered as a supplement to antivirus software, but they do not replace the need for antivirus software to be in place.
01:27
Antivirus software, which can also be known as anti-malware, is a computer program used to detect, prevent and remove malware software.
01:38
Antivirus software was originally developed to detect and remove computer viruses, hence the name.
01:44
However, with the expansion and development of other kinds of malware,
01:47
antivirus software started to provide protection from various kinds of threats to systems.
01:55
Requirement 5.1 states that antivirus must be on systems commonly affected by malicious software.
02:00
Easy question here is: which systems are commonly affected, and which systems are not?
02:07
As an auditor, my guidance is if there's an antivirus solution on the market that supports the operating system in question in the CDE,
02:15
it should probably have antivirus on it.
02:17
A common question
02:20
is: are Linux or macOS systems commonly affected by malware?
02:23
The answer is yes.
02:25
If you do a quick Google search, you'll see some chatter about how some folks didn't have to have antivirus on their systems and passed the audit.
02:32
Well, maybe that was true,
02:35
but maybe they had some mitigating circumstances.
02:38
But I can tell you a lot of auditors don't feel that way.
02:42
I would recommend having a conversation with your QSA before the audit about the matter, to see their position.
02:49
An auditor will be taking a sample size of the systems in the CDE to determine if antivirus is installed.
02:55
The auditor will also interview the administrators to understand how they're keeping up with the evolving threat landscape, to determine if systems that used to not require antivirus will now require
03:07
Requirement 5.1.1 is just a validation that the antivirus solution you have in place does what it says it does.
03:15
It is not sufficient to just detect malware;
03:17
the solution must detect, remove and actively protect against known malware samples.
03:23
The auditor's job is not to test the solution by injecting malware and seeing how well it performs.
03:29
The auditor will just review vendor-provided documentation to understand its capabilities.
03:35
If you're using some well-known antivirus solution and you have an experienced auditor, they would already be familiar with the capabilities.
03:45
As I mentioned earlier, an auditor will look to see how well you are keeping apprised of your current threat landscape.
03:51
In order to protect your environment, you have to keep up to date on what's going on.
03:55
Requirement 5.1.2 reflects this by mandating that there be some process to continually monitor the threats to your environment.
04:03
The auditor will evaluate or validate this by interviewing personnel to understand the measures that are being taken.
04:11
Again, it is helpful to have this documented with artifacts that reflect that you are doing this by regularly taking steps to evaluate
04:18
antivirus solutions.
04:24
For Requirement 5.2,
04:26
the merchant must make sure that the antivirus solutions have their signatures kept up to date,
04:31
perform regular scans
04:33
and generate logs.
04:35
Something to consider in deploying your entire solution is:
04:40
are you going to allow each of your endpoints to reach out to the Internet to update the signatures?
04:46
In order to do this, you will have to explicitly allow this traffic out of the CDE and document it, as noted in the firewall requirements,
04:54
or you're going to have a central repository for each of the clients to pull updated signatures from and only allow outbound traffic from that centralized source.
05:02
These are design decisions that you have to make, and make sure it's fully documented for the auditor.
05:10
As you can see, some requirements have impacts on others, and you have to continually consider the implications one requirement may have on another.
05:18
The auditor will make sure that scans are run regularly and that the logs are maintained.
05:27
But this requirement is pretty self explanatory.
05:30
Regular users should not be able to disable antivirus protection mechanisms.
05:35
This includes firewalls and prayers.
05:40
There may be instances where something needs to be disabled for a short period of time, but there needs to be an explicit, defined process that must be followed, and it should only be temporary.
05:49
An auditor will look to see that this plan exists and how it is followed.
05:55
The auditor will also validate that normal user accounts cannot impact antivirus configurations.
06:02
And once again, the last requirement is that all of the policies and procedures are documented and disseminated.
06:08
Auditors will ask personnel how they're trained and where they will find documentation about antivirus solutions.
06:15
Also, we will look to verify that the procedures are being followed,
06:18
The more documentation or artifacts you have to prove that you do what you say you do as a merchant, the better
06:25
it'll ease the audit process.
06:29
In summary, we discussed all of the mandates associated with PCI Requirement 5.
06:34
Requirement five is all about making sure you have protections in place against
06:40
viruses.
06:42
You not only need to make sure you have protections in place for antivirus, but you have to make sure they're being maintained and updated.
06:48
A lot of current operating systems have this built in now, or it is quickly attainable. But for legacy systems, you have to make sure something is in place.
06:59
Very quick quiz.
07:00
True or false?
07:02
Linux operating systems do not require antivirus because viruses are mainly targeted at Windows systems.
07:13
Viruses and malware are constantly being developed for all of the major operating systems, including Linux and macOS.
07:23
True or false?
07:24
Antivirus email filters are a valid substitution for antivirus on endpoints.
07:32
There are no substitutions allowed for antivirus. You may have solutions to supplement antivirus at the endpoint, but not replace.
07:44
True or false?
07:45
End users should be allowed to disable antivirus to execute a needed program.
07:55
End users shouldn't ever be allowed to disable antivirus.
07:59
If something needs to run that is tripping antivirus, the administrator should be putting in an exception for.