Monday, November 11, 2013

The Exam - I Passed

Well, that's finally done!

Some notes on the process ...

Testing Center

I arrived 1 hour early.  I did a last minute review of some notes.
You need to show two pieces of I.D.
You have to basically empty your pockets before entry.  No wallet, keys, pencils, etc.  They put all my personal stuff in a basket and locked it up in a cabinet.
Use the restroom before going in.
For the exam, I received a mylar sheet and a marker to use.  I did a "brain dump" of a couple last minute memorizations.

The Test.

Overall, the testing program is pretty intuitive, how to flag questions, how to go back, etc.
The clock starts ticking when you click on the [begin] button.
You have 90 minutes for 60 questions.
In the upper right side of the screen is the question number and the remaining time.
All questions are multiple choice.
You can "flag" questions to come back to later, so your answers aren't final until you hit the final submit.
I went through my flagged questions (about 20) a second time.
There were 3-4 that I was pretty uncertain of, but was able to eliminate a couple completely wrong answers to increase my odds.
I went through the entire exam a second time to review my answers.
I finished in 59 minutes.  I was not at all rushed.
When I hit the final [complete] button the results were near instantaneous.
I received a "Congratulations - pass" display with some other text and a printout.
No score was shown.

Observations / Advice.

The bulk of my time, perhaps 90%+, was spent on PCI DSS.  This worked, but next time I'll invest some energy in P2PE and PA-DSS.
I hadn't expected questions that referenced the requirement numbers only, so next time I would memorize those.  For example (there is no Requirement 13.2) a question may ask:
According to Requirement 13.2, which of the following is true:  A  B  C  or D
Expect more than one correct answer.  You'll need to pick the "best right" answer.  Be sure that your best answer directly answers the question.

An electronic certificate was mailed in approximately 24 hours - No hardcopy is provided.


Sunday, November 10, 2013

EXAM - Pre-exam Thoughts

This certification has not been out for very long.

There are only about 1000 PCIPs in the world.

A couple things that I'm used to finding for exam prep are not evident with this new certification:

1)  I can't seem to find a clear detailed scope of what material the exam will cover.  I've extracted some objectives from a training class and am assuming that this will be fairly accurate.  Rumor is that you need a 75% passing grade.

2)  Since this is still pretty new, there are not a lot of posts/emails to be found on experiences with the exam.

3)  I have not been able to locate any practice exams or sample questions.  I will try to create some myself within this blog.

4)  I have been seeing cases where expert opinion regarding PCI varies according to who you talk to.  Many items appear to be open to interpretation.  This is not really what you want going into a multiple choice exam.

Not bitchin' / Just sayin'

Minor issues (I hope).  We will forge ahead.

Saturday, November 9, 2013

EXAM - How the heck can I take it?

Doing an internet search will not help you get this thing moving.

You'll need to access this page directly   [HERE]

Yeow!  Here are the costs:


Fee Category:  Non-Participating Organization / Participating Organization

PCIP Application Administration Fee - includes first two years of qualification, account maintenance and listing:  $995 / $395
Account Maintenance Renewal Fee - assessed after the first two year period and every two years thereafter:  $99 / $99
PCIP Training/eLearning Course - includes access to eLearning course and ability to take the exam once:  $1250 / $995
PCIP Exam Fee:  $395 / $395
PCIP Exam Retake Fee:  $395 / $395


Here is a breakdown of the steps you need to take:

1) Pre-Register. 

Go to this site [HERE], and enter your demographic information. You will need to know if your company is a Participating Organization (PO) and if they are, enter the reference code.

This takes all of 2 minutes.

Upon submitting my info, I received an email confirmation almost immediately stating that they've received my registration.

2)  Registration is reviewed.

You have no additional actions yet.  My review and reply to this pre-registration took just about 4 hours.  I wonder if this would take longer on the weekend with nobody in the office?

Here is a copy of the email I received:

PCI Security Standards Council

7/24/2013 10:50:01 AM
Dear Dan Whatsyername,

Thank you for showing interest in the PCIP Program. You will receive two invoices in the next couple of days. One for the application fee and one for the training and/or exam fee. Once the invoices are paid you will receive credentials to log into the portal to submit your PCIP Professional Application.

If you have any questions please contact pcip@pcisecuritystandards.org

Thank You,

Dawn Perna
PCIP Program Manager

T: +1 (781) 876-6222
pcip@pcisecuritystandards.org

Please do not reply directly to this email.


So now I wait for the invoices and will update this post when I do.

3)  Invoice

Well that didn't take long.

Approx. 4 more hours later and I have the first .pdf invoice by email.

Dear PCIP Candidate,

Thank you for your interest in the PCIP Program. Attached is an invoice for your PCIP Application fee.
                       
Please note that until payment is received, we are unable to issue login credentials for the PCIP Application.  All application fees are NON-TRANSFERABLE and NON-REFUNDABLE.

Best regards,
Lynsey

Lynsey Chaplik, Sr. Staff Accountant
Accounts Receivable
PCI Security Standards Council, LLC
401 Edgewater Pl., Ste. 600
Wakefield, MA 01880 USA


Options for payment include:

          1)  Mail invoice and a personal check.
          2)  Mail invoice and include your credit card number, exp date, security code
          3)  Wire transfer the loot
          4)  Fax invoice with a credit card number.

Funny.  They shouldn't have to tell an exam candidate "do not email credit card info", but they do.  I would suggest that if you do email your credit card info that they automatically fail you on the exam giving you a score of "LOL".

They won't take phone orders either.

Now I just need to come up with some cash and get the second invoice.

This isn't going to be cheap.

4)  Second Invoice.

The second invoice for the exam came 24 hours later.  They've processed these pretty fast.

But, man, this sure isn't cheap (have I said this before?).

I need to work on some funding before I can progress.

5)  OK, Work paid

Here's the latest email:

PCIP Registration

We have received payment for your application fee. Thank you.

You now need to login to the website portal to complete the second part of your PCIP application.

To login to the PCI SSC portal please visit https://programs.pcissc.org and choose the 'PCIP Application' area.

Your username to access the portal is below
Username: xxxxxxxxxxx

You can retrieve your password using the 'Forgot Password' feature located here.

https://programs.pcissc.org



Please do not reply directly to this email.


6)  Complete the second part of the Application

Click on the link indicated in the email above
https://programs.pcissc.org

Then there are three parts:

          A)  Download and sign the "ATTESTATION" document at 
               https://programs.pcissc.org/user/pcipreg/PCIP%20Application%20Attestation.pdf 

          B)  Upload a copy of your resume

          C)  Upload your signed copy of the "ATTESTATION" document from step A above and click on the check box if you agree to "advocate, adhere to, and support the Code of Professional Responsibility".

7)  OK, I did some of this stuff. 

And received the following email from the testing center:



On Tuesday, October 15, 2013 11:57 AM, "PearsonVUEConfirmation@pearson.com" <PearsonVUEConfirmation@pearson.com> wrote:
 
**PLEASE DO NOT REPLY TO THIS E-MAIL**

PCI Security Standards Council has requested a Pearson VUE Web Account be created to allow you to schedule and manage your exam appointments at www.pearsonvue.com. Below are your username and temporary password.

Username:
myname123
Temporary Password:
NotGonnaHappen

When you first sign in, as a security measure for your protection, you will be required to select a new password. We recommend choosing your new password carefully to make it hard for anyone else to guess.

We recommend choosing a new password that is both easy to type and easy to remember so that you do not have to record it where someone else might see it. Your new password must contain at least seven characters and may not contain your username. Use both uppercase and lowercase letters as well as numbers and/or symbols, preferably in unexpected ways. Avoid names and words that would be easy to guess.

THE PCI SECURITY STANDARDS COUNCIL STRONGLY RECOMMENDS THAT YOU SCHEDULE YOUR EXAM IMMEDIATELY AS NEARBY TEST SITES MAY NOT HAVE AVAILABILITY TOWARDS THE END OF YOUR SCHEDULED TESTING WINDOW. NO EXTENSIONS WILL BE GRANTED DUE TO NEARBY TEST SITE AVAILABILITY.

If you have any questions, please visit our website at pearsonvue.com/pci/contact to find the contact information for your testing program.

Thank you for choosing Pearson VUE!
 
8)  Now to set up a testing date.

I'm not ready for this, but having the date set will get me to move in a more focused manner.

IMPORTANT NOTE:  It looks like there is a ~30 day window to select the date.  I didn't complete this process in a timely manner and was left with a very small window.

Friday, November 8, 2013

EXAM - PCIP Exam Objectives

The only scope/objectives I could really determine for the exam were extracted from a PCIP training course description.

They include:

1.    Principles of PCI DSS, PA-DSS, PTS, P2PE, and PIN Security

2.    Understanding PCI DSS v2.0 requirements and intent (two documents below)

       Payment Card Industry (PCI) Data Security Standard
       Navigating PCI Requirements

3.    Overview of basic payment industry terminology
      

       How Credit Card Payments Work - authorize.net video 
       PCI Security Standards Glossary

4.    Appropriate uses of compensating controls

       Refer to Appendices B & C in the following document:
       Payment Card Industry (PCI) Data Security Standard

5.    How and when to use Self-Assessment Questionnaires (SAQs)
       SAQ Info

6.    Recognizing how new technologies affect the PCI (P2PE, tokenization, mobile, cloud)
      Note:  at the seminar I attended we were informed that guidelines and supplemental documents
      were not included in the exam.

       Point to Point Encryption (P2PE) FAQ's
       https://www.pcisecuritystandards.org/documents/Tokenization_Guidelines_Info_Supplement.pdf
       PCI DSS Cloud Computing Guidelines

      
7.    PCI Code of Professional Responsibility
       Link to Code of Professional Responsibility

8.   Case study application

Thursday, November 7, 2013

Study Material - Code of Professional Responsibility


Located at https://programs.pcissc.org/user/pcipreg/PCIP%20Code%20of%20Professional%20Responsibility.pdf

Copyright 2012 PCI Security Standards Council, LLC

Appendix B

Code of Professional Responsibility

The PCI Security Standards Council (PCI SSC) is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. PCI SSC’s mission is to enhance payment account data security by driving education and awareness of the PCI SSC security standards (the “PCI Standards”). To help achieve this goal, PCI has adopted this Code of Professional Responsibility to help ensure information security professionals adhere to the highest standards of ethical and professional conduct. Adherence with this Code will help ensure the safe handling of cardholder information and enhance payment card data security.

All PCI SSC qualified individuals and all PCI SSC qualification candidates must advocate, adhere to, and support the following Code of Professional Responsibility. PCI SSC qualified individuals who intentionally or knowingly violate any principle of this Code will be subject to revocation of qualification and/or other disciplinary action by PCI SSC.

Principles

Professional Competence and Due Care

Perform each aspect of your work honorably, responsibly, and legally

Act in the best interests of all entities that you provide services or support to, while maintaining high standards of conduct and being consistent with the PCI Standards and guidance

Deliver diligent and competent services in accordance with the PCI Standards and applicable laws

Render only those services for which you are fully competent and qualified

Promptly advise all entities that you provide services or support to on changes in PCI Standards and guidance

Participate in learning throughout your career to maintain the knowledge, skills and expertise needed in the payment security industry

Promote current information security best practices and standards

Security and Confidentiality

Respect and safeguard confidential, proprietary, or otherwise sensitive information with which you come into contact in the course of professional activities, unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties

Take affirmative steps to comply with the PCI Standards to assure that confidential information is maintained securely

Immediately notify the appropriate authorities and proper industry personnel should you suspect a compromise or breach in security

Integrity

Refrain from conduct which would damage or reflect poorly on the reputation of PCI SSC, its standards, the profession, or the practice of colleagues, clients, and employers

Report ethical violations to PCI SSC in a timely manner

Refrain from any activities which might constitute a conflict of interest

Perform all duties with objectivity

Compliance with Industry Laws and Standards

Perform duties in accordance with the PCI Standards

Comply with existing laws and regulations, with local laws taking precedence over PCI Standards

Cooperate with law enforcement agencies

Violation and Enforcement

Depending on the severity of the violation, disciplinary action could include:

Warning

A written warning could be issued that specifies the consequences if the situation occurs again, or if there is another violation.

Suspension

PCI SSC qualification could be suspended for all programs in which the individual participates.

Revocation

PCI SSC qualification could be revoked for all programs in which the individual actively participates.

PCI SSC is committed to enforcing its Code of Professional Responsibility, and has adopted a procedure that allows fair and objective review of allegations of violations of the Code.



Monday, November 4, 2013

Exam Prep - Online Security Quizzes

Here's a list of some free online security quizzes.
There are many more available, but at the time of this post, these have no sign-up requirements, there are no necessary downloads and no personal information is required.

These do not directly relate to the PCIP exam since, well, none exist at this time.
But since PCIP has strong hooks into IT Security, these may be of value.  
Obviously anything noted in the PCI DSS has precedence over what's in these quizzes.

-  A multiple guess quiz that I made up from the PCI DSS documentation.
   This is contained within the blog.

 http://pcip-study.blogspot.com/2013/05/study-questions.html

-  A short answer/definition quiz that I also made up using the PCI glossary.
   You can also find this within this blog.

http://pcip-study.blogspot.com/2013/05/study-questions-short-answer.html

-  An "Internet Safe Shopping" quiz from McAfee
   10 questions.  Rather basic.

http://home.mcafee.com/SafetyQuiz/QuizShopping.aspx?culture=en-US&

-  About.com "Computer Security 101" quiz
   10 questions.  Also pretty basic.

http://netsecurity.about.com/library/blquiz1-1q.htm

- ProProfs.com "Internet Security Quiz" by Brian Leng
  10 questions.  Click on the "Start" button for the online version.

http://www.proprofs.com/quiz-school/story.php?title=internet-security-quiz-brian-leng

-  A COMPTIA Security+ practice exam from GoCertify.com.
   15 questions.  I like this one best.

http://www.gocertify.com/quizzes/comptia/security-plus-sy0301.html

-  CNN.com technology poll.
   8 Questions - A public poll that will show you results

http://www.cnn.com/2009/TECH/09/28/online.safety.quiz/

-  And finally, here is a whole list of security quizzes from whatis.com.
   These are also very good and detailed.

http://whatis.techtarget.com/reference/Security-Quizzes


Saturday, November 2, 2013

VIDEO - Fundamentals of PCI


A quick Cisco video

https://www.youtube.com/watch?v=EKa8L45RLQ8

And a one hour Cisco video

Episode 99: PCI Compliance Made Simple

 

Study material - Chronology of Required Events

Lots of dates and times were presented.  In trying to organize my thoughts, I've extracted all timing requirements and consolidated them below:

Immediately - respond to security breaches (Req 12)

15 minutes - Timeouts should be set to 15 minutes of inactivity (Req 8)

1 day - Vendors or guests temporary access to enter secure facility suggested at one day (Req 9)
1 day - Review network and data center access logs - can be done programmatically (Req 10)

Weekly - Look for changes to critical files ( Req 11)
Weekly - Look for unusual changes to dates on system or application executable files (Req 11)

Monthly - Install vendor-supplied security patches within one month of release (Req 6.1)
Monthly - Address critical vulnerabilities within one month (Req 6)

90 days - Remove inactive user accounts (Req 8.5.5)
90 days - Change passwords (password obsolescence) (Req 8.5.9)

Quarterly - Identify purge candidates in database (Req 3.1.1)
Quarterly - Keep usage logs readily available with 12 months accessible (Req 5)
Quarterly - Address non-critical vulnerabilities within three months (Req 6)
Quarterly - (minimum) Storage of video captured from secure-room access (Req 9.1.1)
Quarterly - Run a wireless access scan (Req 11.1)
Quarterly - Run network vulnerability scans (Req 11.2)

Six months - Review firewall and router rule sets (Req 1.1.6)
Six months - Sample terminated users to ensure deactivation (Req 8.5.4)

Annual - Keep usage logs accessible one year with three months readily available (Req 5)
Annual - Conduct a vulnerability assessment for public facing web apps (Req 6.6)
Annual - Review security for offsite backup storage (Req 9.5)
Annual - Inventory media (Req 9.9.1)
Annual - Retain network and data center logs (Req 10)
Annual - Run penetration tests (Req 11)
Annual - Conduct Risk Assessment (Req 12.1.2)
Annual - Educate personnel (Req 12.6.1)
Annual - All personnel acknowledge that they have read and understood policy & procedures (Req 12.6.2)
Annual - Monitor Service providers PCI DSS compliance (Req 12.8.4)
Annual - Test Incident Response Plan (Req 12.9.2)
Annual - Review, document and validate Compensating Controls (Appendix B)