Requirement 12 – Resources

Requirement 12: Maintain a policy that addresses information security for all personnel

IT Security Policies
– www.sans.org/security-resources/policies/
– http://www.princeton.edu/oit/it-policies/it-security-policy/

IT Risk Assessment
– http://www.isaca.org/
– http://www.isaca.org/chapters2/Pittsburgh/events/Documents/Event_Archive_2010_2011/10OctPresentationHandouts.pdf

PCI DSS Roadmap
– https://www.pcisecuritystandards.org/documents/Prioritized_Approach_V2.0.pdf

Service Provider Due Diligence
– https://www.pcisecuritystandards.org/documents/PCI_DSS_V3.0_Third_Party_Security_Assurance.pdf
– http://www.itduediligenceguide.com/free-checklist-download/
– https://vendorrisk.com/

Security Awareness Training
– http://www.securingthehuman.org/
– http://phishme.com/security-awareness-engaging/

Many freely available PowerPoint training slide decks can be used as a starting point, such as:
– www.cs.uwp.edu/Classes/Cs490/project/UserSecurityAwareness.ppt
– http://legacy.wlu.ca/docsnpubs_detail.php?grp_id=47&doc_id=20476
– www.pi.ac.th/up_news/c6f798Security_Awareness_Training.ppt
– https://ifap.ed.gov/presentations/attachments/04EACSession46.ppt
– http://www.isqworld.com/free-ppt-for-security-awareness-training-for-top-management/

Requirement 11 – Resources

Requirement 11: Regularly test security systems and processes

Wireless testing
– Kismet, airmon, airodump
– www.visiwave.com

Wireless IDS / IPS
– http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/secwlandg20/wireless_ips.html
– http://www.sans.org/reading-room/whitepapers/detection/inexpensive-wireless-ids-kismet-openwrt-33103
– http://www.arubanetworks.com/

Sample Incident Response Plan
– https://cio.unm.edu/standards/docs/unm-pci-incident-response-plan-1306.pdf

Vulnerability scanning tools
– Nessus (www.tenable.com/)
– Qualys (www.qualys.com/)
– Nexpose (www.rapid7.com/products/nexpose/)

List of Approved Scanning Vendors (ASVs)
– https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php

Penetration testing methodology
– NIST SP800-115 – csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
– SANS – http://www.sans.org/reading-room/whitepapers/auditing/conducting-penetration-test-organization-67

Requirement 10 – Resources

Requirement 10: Track and monitor all access to network resources and cardholder data

Audit log settings best practice
– http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
– http://www.sans.org/security-resources/idfaq/logging-windows.php
– http://www.govhealthit.com/sites/govhealthit.com/files/resource-media/pdf/elm_ _compliance_best_practices_govt_-_healthcare.pdf
– http://www.sans.org/reading-room/whitepapers/detection/logging-monitoring-detect-network-intrusions-compliance-violations-environment-33985
– http://www.linuxjournal.com/article/5476?page=0,0
– http://www.bhconsulting.ie/Best%20Practises%20for%20Log%20Management.pdf

Security information and event management system (SIEM)
– https://code.google.com/p/security-onion/
– https://www.splunk.com
– https://www.alienvault.com
– https://australia.emc.com/security/rsa-envision.htm
– https://logrhythm.com/
– https://www.mcafee.com/au/products/siem/index.aspx

Review log checklist
– http://zeltser.com/log-management/security-incident-log-review-checklist.html

Setting up an NTP server
– Linux: http://ubuntuforums.org/showthread.php?t=862620
– Windows: support.microsoft.com/kb/816042

Sample security log policy
– http://www.dpc.sa.gov.au/sites/default/files/pubimages/documents/ocio/ISMFguideline23%28monitoring%29.pdf

File integrity monitoring
– www.tripwire.com/it-security-software/scm/file-integrity-monitoring/
– https://www3.trustwave.com/file-integrity-monitoring.php
– https://www.alienvault.com/solutions/pci-dss-file-integrity-monitoring

Requirement 9 – Resources

Requirement 9: Restrict physical access to cardholder data

Visitor management
– Visitor management (http://www.visitormanagementsystem.com.au/)
– idbadges (http://www.idbadges.com/)
– Visitor Book (http://www.swipedon.com/visitor-registration-app/)
– VisitLog (http://www.visitlog.se/en/)
– Reception for iPad (http://furio.co/portfolio/reception-for-ipad/)

Secure deletion software
– Eraser (eraser.heidi.ie/)
– Secure eraser (http://www.secure-eraser.com/)

Data classification
– Varonis (http://www.varonis.com/go/multimedia/varonis-idu-classification-framework.html)
– Banyan solutions (http://www.banyansolutions.com/solutions)

Requirement 8 – Resources

Requirement 8: Assign a unique ID to each person with computer access

Identification / Authentication
– Active Directory
– Free radius server (http://freeradius.org/)
– Open LDAP (www.openldap.org/)

Two factor authentication
Free
– Toopher Authentication (https://www.toopher.com/)
– Google Authenticator (code.google.com/p/google-authenticator/)
– Pin Grid Authentication (http://pingrid.org/downloads.html)
– Transakt Authentication (http://gettransakt.com/transakt/)
– Microsoft Authenticator App (http://www.windowsphone.com/en-us/store/app/authenticator)
– Duo Security Authentication (https://www.duosecurity.com/editions)

Commercial
– RSA SecurID (www.tokenguard.com/)
– Vasco DIGIPASS (https://www.vasco.com/)
– Yubikey (http://www.yubico.com)
– Gridsure (http://gridsure-security.co.uk)

Requirement 7 – Resources

Requirement 7: Restrict access to cardholder data by business need to know

User rights review
– Active Directory – manual review
– Controlcase compliance software

Requirement 6 – Resources

Requirement 6: Develop and maintain secure systems and applications

Patching
– Microsoft System Center Configuration Manager (SCCM) (www.microsoft.com)
– Shavlik Patch for Microsoft System Center (http://www.shavlik.com)
– Secunia PSI (http://secunia.com/)
– GFI LanGuard (www.gfi.com/LanGuard_2014)
– Kaseya (www.kaseya.com/features/security-management/patch-management)
– Lumension (https://www.lumension.com/…/patch-management-software.aspx)

Vulnerability research
– www.rapid7.com/db/
– nvd.nist.gov/
– www.cvedetails.com/
– www.exploit-db.com/
– https://cve.mitre.org/
– www.securityfocus.com/vulnerabilities
– secunia.com (Community section)

Software development best practices
– https://www.owasp.org/index.php/Secure_SDLC_Cheat_Sheet
– https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
– www.microsoft.com/security/sdl/
– http://www.mcafee.com/au/resources/data-sheets/foundstone/ds-secure-software-dev-life-cycle.pdf
– http://www.cert.org/secure-coding/research/secure-coding-standards.cfm?
– http://resources.infosecinstitute.com/intro-secure-software-development-life-cycle/
– https://www.isc2.org/uploadedFiles/%28ISC%292_Public_Content/Certification_Programs/CSSLP/ISC2_WPIV.pdf

Change control
– https://files.sans.org/summit/scada09/PDFs/Sample%20IT%20Change%20Management%20Policies%20and%20Procedures%20Guide%20%283%29.pdf

Security testing of web applications
– BURP (portswigger.net/burp)
– Acunetix (https://www.acunetix.com)
– WebInspect (http://www8.hp.com/au/en/software-solutions/software.html?compURI=1341991#.VCqrKBbggf4)
– Appscan (www.ibm.com/software/products/en/appscan)

Requirement 5 – Resources

Requirement 5: Use and regularly update anti-virus software or programs

Anti-virus
As per Requirement 1, deploy anti-virus across the environment. Many options are available (http://www.thetoptens.com/best-antivirus-software/).
Consider also deploying anti-malware software, such as Malwarebytes (www.malwarebytes.org/).

Requirement 4 – Resources

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Buy server certificates
– www.thawte.com/
– www.verisign.com.au
– www.digicert.com/

Configure web servers to only use strong encryption
– http://httpd.apache.org/docs/current/ssl/ssl_howto.html
– http://technet.microsoft.com/en-us/library/cc962039.aspx
– https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

Ensure that your servers are not vulnerable to Heartbleed
– https://lastpass.com/heartbleed/
– tif.mcafee.com/heartbleedtest
– safeweb.norton.com/heartbleed

Do not use cleartext protocols
– Remove the use of Telnet and FTP. Use SSH and SFTP instead.

Wireless security
– Do not use WEP. Use WPA2 with a strong passphrase. Consider also using MAC filtering.

Requirement 3 – Resources

Requirement 3: Protect stored cardholder data

Card data stored on the network
As per the scoping exercise, use tools to find credit card data stored on the network.

Data Retention Policy for PCI
– http://vpf.mit.edu/site/content/download/11924/50757/file/MITPCISecurityPolicy.pdf

Cryptography and key management – HSM information
– https://wiki.opendnssec.org/display/DOCREF/HSM+Buyers%27+Guide
– https://www.thales-esecurity.com/products-and-services/products-and-services/hardware-security-modules/general-purpose-hsms/nshield-solo
– http://security.stackexchange.com/questions/36664/criteria-for-selecting-an-hsm

PKI design for PCI compliance
– http://social.technet.microsoft.com/Forums/windowsserver/en-US/0dfd74c7-5b18-4939-b147-350250f92ee2/pki-design-for-pci-compliancy?forum=winserversecurity

Secure USB
Many vendors offer hardware-encrypted USB drives, e.g. http://secureusb.com.au/