Friday, May 17, 2013

Seminar Notes - Requirements 9 and 10

This information was presented by Emma Sutcliffe, Director of Standards Coordination, PCI Security Standards Council

Req 9 - Restrict Physical Access to Data

"Media" = all paper and electronic resources
"Onsite personnel" = FTE's, part-time, temp employees, contractors and consultants
"Visitor" = vendor or huest of any on-site personnel, service workers and anyone that needs to enter the facility, usually less than one day.

Limit and monitor access
Use visitor logs with physical audits
Store backups in a secure location
Develop procedures to easily distinguish between on-site personnel and visitors
Physically secure all media
Get management approval of all removed media
Destroy media when no longer needed
Use video cameras and/or access controls to monitor physical access -
      Review and store at least three months

Visitors:
1)  Authorize
2)  Use a physical token such as a badge
3)  Surrender the physical token when leaving or expired.

Req 10 - Track and monitor all access to network and data.

Track activities
Establish a process linking all access to specific users
Implement audit trails (automated) [link - definition]
Synchronize all system clocks
Secure audit trails so they cannot be altered
Review audit trails at least daily
Retain audit trails one year
Track all actions by admin or root accounts
Track all access to cardholder data
Monitor log deletes and unusual shrinkage or growth
Harvesting and parsing tools may be used

No comments:

Post a Comment