All right, so we've talked about PCI DSS at an overview level. What we really want to do now is get into a little bit more detail.
And so, of course, we've already said it's a framework that provides a set of guidelines, if you will. Specifically, there are 12 individual requirements that must be met to be in compliance with PCI DSS. And ultimately I have these categorized based on the goals.
So if you'll take a look at this chart, it's a pretty good chart. This comes from pcisecuritystandards.org, which is where a lot of my information comes from. For anything that you want to get more information on, or further validation of, there are a couple of good sites that are usually referenced here, and they're referenced at the end of the document.
So when we look at providing security and privacy for this information, one of the first goals is we have to build and maintain a secure network. We're in an interconnected world, and information is being transmitted across the office as well as across the globe.
So we need to make sure that our network configuration is secure. A couple of ways that we're going to do that: we need a firewall, we need routers, we need security mechanisms in place, and we need to avoid using vendor-supplied default settings. And this is something I see over and over.
Things out of the box are designed to be easy, not secure. And if you want to make them secure, usually there are additional configuration options. And by the way, we'll talk about each of these rules in more depth; I'm just giving you a quick overview now. All right, then. So we've got a secure network. Now we have to take specific steps to secure the cardholder data,
so we're going to protect it while it's in storage, and we're going to encrypt it while it's transmitted. So we can use encryption to protect stored data, but we also need to make sure that when it's transmitted, specifically across open or public networks, it is protected from a cryptography standpoint.
We've got to maintain a vulnerability management program. We've got to take an honest look, an assessment of our organization: what vulnerabilities actually exist, and what mitigating strategies can we put in place? So here, one of the ways that we protect ourselves from some of the common vulnerabilities is with antivirus software on our client systems, on our servers, and so on. And we need to make sure that if we're developing applications, when we're developing systems, that those are secure inherently.
For so long we've asked ourselves, does it work? And is it secure? We now have to focus on the idea that if it doesn't work securely, then it doesn't work at all. Well, that has to start at the design level, when we first have the beginning ideation of a project.
We have to start thinking about it from a secure perspective. And we have to manage security and keep that at the forefront of our concerns all the way out through the system development life cycle.
All right, then we want to look at access control measures. And when we do talk about access control, it's all about how a subject can, or what a subject can do with, an object. So whether it's a user accessing a file or record, you know, the user would be the subject, but we also have other subjects, like processes, systems, and other elements that are active entities. So any time a subject accesses an object, we have to have a means of limiting that interaction. We can do that by making sure we implement the principles of least privilege and need to know.
We can also make sure that every subject has a unique identifier, and that's for the purpose of accountability. You know, years and years ago, I remember in a lot of small offices everybody shared the same user account, and sadly, usually that user account was administrator. There's no way to track actions to individuals if we do that.
So every subject needs a unique identifier. And then, on top of that, we need to make sure that physical access is protected as well. Sometimes we overlook just the very basics of physical access. If I can gain access into your building or organization, that's half my battle, whether I want an electronic attack or a physical attack, if I want to do shoulder surfing or social engineering. So you want to limit access from a physical perspective.
All right, next goal. We want to monitor networks, and we want to test them. So we've got to monitor access to the network, who accesses cardholder data, and a lot of these are related. So, you know, going back to being able to identify individuals by a unique ID number, that's important there. And we also want to conduct regular tests on our systems and their processes. And then, last but not least, we need an information security policy. And, you know, we accomplish that by developing a policy and making sure its core focus is security.