Saturday, November 2, 2013

Study material - Chronology of Required Events

Lots of dates and times were presented.  In trying to organize my thoughts, I've extracted all timing requirements and consolidated them below:

Immediately - respond to security breaches (Req 12)

15 minutes - Timeouts should be set to 15 minutes of inactivity (Req 8)

1 day - Vendors or guests temporary access to enter secure facility suggested at one day (Req 9)
1 day - Review network and data center access logs - can be done programatically (Req 10)

Weekly - Look for changes to critical files ( Req 11)
Weekly - Look for unusual changes to dates on system or application executable files (Req 11)

Monthly - Install vendor-supplied security patches within one month of release (Req 6.1)
Monthly - Address critical vulnerabilities within one month (Req 6)

90 days - Remove inactive user accounts (Req 8.5.5)
90 days - Change passwords (password obsolescence) (Req 8.5.9)

Quarterly - Identify purge candidates in database (Req 3.1.1)
Quarterly - Keep usage logs readily available with 12 months accessible (Req 5)
Quarterly - Address non-critical vulnerabilities within three months (Req 6)
Quarterly - (minimum) Storage of video captured from secure-room access (Req 9.1.1)
Quarterly - Run a wireless access scan (Req 11.1)
Quarterly - Run network vulnerability scans (Req 11.2)

Six months - Review firewall and router rule sets (Req 1.1.6)
Six months - Sample terminated users to ensure deactivation (Req 8.5.4)

Annual - Keep usage logs accessible one year with three months readily available (Req 5)
Annual - Conduct a vulnerability assessment for public facing web apps (Req 6.6)
Annual - Review security for offsite backup storage (Req 9.5)
Annual - Inventory media (req 9.9.1)
Annual - Retain network and data center logs (Req 10)
Annual - Run penetration tests (Req 11)
Annual - Conduct Risk Assessment (Req 12.1.2)
Annual - Educate personnel (Req 12.6.1)
Annual - All personnel acknowledge that they have read and understood policy&procedures (Req 12.6.2)
Annual - Monitor Service providers PCI DSS compliance (Req 12.8.4)
Annual - Test Incident Response Plan (Req 12.9.2)
Annual - Review, document and validate Compensating Controls (Appendix B)


  1. very helpful - keep posting!

    did you take exam?

  2. Thanks so much. May i request you to keep sharing these valuable stuff from the exam perspective. I am planning to sit for PCIP next month ( Feb 2017) Thank you very much. Appreciate it!