8/18/2019 Cyber Security Unit 5
UNIT 5
Security Assurance Approaches
Today's world requires that digital data be accessible, dependable and protected from misuse. Unfortunately, this need for accessible data also exposes organisations to a variety of new threats that can affect their information. Organisations often invest huge resources in protecting their IT infrastructure without assessing the risks to their critical information, failing to realise that the primary objective is to protect mission-critical information rather than the IT infrastructure itself.
Organisations deploy established information security control frameworks as business needs and regulatory requirements become pressing. Most of these frameworks have evolved from industry best practices and recommend, as one of their control objectives, an information security risk assessment aligned to the organisation's risk management framework. The challenge enterprises face today is adopting a robust, process-oriented information security risk assessment framework to comply with that control objective.
1. The Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
The OCTAVE approach is one such framework. It enables organisations to understand, assess and address their information security risks from the organisation's own perspective. OCTAVE is not a product; it is a process-driven methodology to identify, prioritise and manage information security risks. It is intended to help organisations:
• Develop qualitative risk evaluation criteria based on operational risk tolerances
• Identify assets that are critical to the mission of the organisation
• Identify vulnerabilities and threats to the critical assets
• Determine and evaluate potential consequences to the organisation if threats are realised
• Initiate corrective actions to mitigate risks and create a practice-based protection strategy
The OCTAVE approach was developed by the Software Engineering Institute (SEI) at Carnegie Mellon University to address the information security compliance challenges faced by the US Department of Defense (DoD). SEI is a US federally funded research and development centre sponsored by the DoD.
The OCTAVE Method
The OCTAVE Method has been designed for large organisations that have a multi-layered hierarchy and maintain their own computing infrastructure. The organisational, technological and analysis aspects of an information security risk evaluation are undertaken in a three-phased approach with eight processes (figure 3).
• Phase 1: Build asset-based threat profiles (organisational evaluation). The analysis team determines the critical assets and what is currently being done to protect them. The security requirements for each critical asset are then identified. Finally, the organisational vulnerabilities in the existing practices and the threat profile for each critical asset are established.
• Phase 2: Identify infrastructure vulnerabilities (technological evaluation). The analysis team identifies network access paths and the classes of IT components related to each critical asset. The team then determines the extent to which each class of component is resistant to network attacks and establishes the technological vulnerabilities that expose the critical assets.
• Phase 3: Develop security strategy and mitigation plans (strategy and plan development). The analysis team establishes the risks to the organisation's critical assets based on analysis of the information gathered and decides what to do about them. The team creates a protection strategy for the organisation and mitigation plans to address the identified risks. The team also determines the 'next steps' required for implementation and gains senior management's approval of the outcome of the whole process.
2. COBIT (Control Objectives for Information and related Technologies)
COBIT is a methodology for evaluating a company's IT department, first published in 1996 by the IT Governance Institute and ISACA (Information Systems Audit and Control Association), represented in France by the AFAI (French Association of Audit and IT Advice).
The approach is based on a process benchmark, key goal indicators (KGIs) and key performance indicators (KPIs), which are used to monitor the processes in order to collect data that the company can use to reach its goals.
The COBIT approach puts forward 34 processes organised in 4 larger functional areas (domains) that cover 318 goals:
• Planning & Organisation
• Acquire & Implement
• Deliver & Support
• Monitor
SECURITY OF IT SYSTEMS
Used in computer security, intrusion detection refers to the process of monitoring computer and network activities and analyzing those events to look for signs of intrusion into your systems. The point of looking for unauthorized intrusions is to alert IT professionals and system administrators within your organization to potential system or network security threats and weaknesses.
IDS — A Passive Security Solution
An intrusion detection system (IDS) is designed to monitor all inbound and outbound network activity and identify any suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. An IDS is considered a passive monitoring system, since the main function of an IDS product is to warn you of suspicious activity taking place, not to prevent it. An IDS essentially reviews your network traffic and data and will identify probes, attacks, exploits and other suspicious events. An IDS can respond to such an event in one of several ways, including displaying an alert, logging the event or paging an administrator. In some cases the IDS may be prompted to reconfigure the network to reduce the effects of the suspected intrusion.
An IDS specifically looks for suspicious activity and events that might be the result of a virus, worm or hacker. This is done by looking for known intrusion signatures or attack signatures that characterize different worms or viruses, and by tracking general variances which differ from regular system activity. Signature matching can only give notification of known attacks; detecting a new attack requires the second, anomaly-based approach described below.
The term IDS actually covers a large variety of products, all of which produce the end result of detecting intrusions. An IDS solution can range from cheaper shareware or freely distributed open source programs to much more expensive commercial vendor solutions. Additionally, some IDSs consist of both software applications and hardware appliances and sensor devices which are installed at different points along your network.
Misuse Detection vs. Anomaly Detection
In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, detection software is only as good as the database of intrusion signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and looks for anomalies.
Passive Vs. Reactive Systems
In a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.
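The two detection strategies (misuse and anomaly) and the two response modes (passive and reactive) described above, as an added example that is not part of the original notes or of any IDS product: a small Python detector run over a constructed connection log. The log lines, the signature database, the list of "normal" request sizes and the set of allowed services are all made up for the illustration; a real deployment would learn the baseline from captured traffic and take its signatures from a maintained rule set.

```python
import re
import statistics
from dataclasses import dataclass

# Constructed sample log (not captured traffic). One record per line:
# "<src_ip> <proto> <dst_port> <bytes> <payload>".
SAMPLE_LOG = """\
10.0.0.5 tcp 80 512 GET /index.html HTTP/1.1
10.0.0.5 tcp 80 498 GET /about.html HTTP/1.1
198.51.100.4 udp 53 64 A example.org
203.0.113.9 tcp 80 620 GET /item.php?id=1%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1
203.0.113.9 tcp 80 700 GET /../../etc/passwd HTTP/1.1
192.0.2.77 tcp 80 65000 POST /upload HTTP/1.1
192.0.2.77 tcp 4444 120 id;uname -a
"""

# Constructed "known good" tcp/80 request sizes and services, i.e. the
# baseline an administrator would record for anomaly detection.
NORMAL_SIZES = [480, 512, 498, 530, 505, 470, 515, 490, 700, 650, 720, 610]
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53)}


@dataclass
class Event:
    src: str
    proto: str
    dport: int
    size: int
    payload: str


def parse_log(text):
    """Turn the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        src, proto, dport, size, payload = line.split(" ", 4)
        events.append(Event(src, proto, int(dport), int(size), payload))
    return events


# Misuse detection: a hypothetical signature database. Only attacks that
# someone has already written a pattern for can be found this way.
SIGNATURES = {
    "sqli-union": re.compile(r"union(\s|%20)+select", re.I),
    "path-traversal": re.compile(r"\.\./"),
}


def misuse_detect(ev):
    """Names of the signatures that match this event's payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(ev.payload)]


class Baseline:
    """Anomaly detection: flag services never seen before and tcp/80
    requests whose size is more than z_limit standard deviations away
    from the learned mean."""

    def __init__(self, sizes, services, z_limit=3.0):
        self.mean = statistics.mean(sizes)
        self.stdev = statistics.pstdev(sizes)
        self.services = set(services)
        self.z_limit = z_limit

    def anomalies(self, ev):
        found = []
        if (ev.proto, ev.dport) not in self.services:
            found.append("unexpected-service")
        elif (ev.proto, ev.dport) == ("tcp", 80):
            if abs(ev.size - self.mean) / self.stdev > self.z_limit:
                found.append("size-outlier")
        return found


def run_ids(events, baseline, reactive=False):
    """Passive mode only records alerts. Reactive mode additionally
    'reprograms the firewall' by adding the offending source to a block
    list, which is the step that turns an IDS into an IPS."""
    alerts, blocked = [], set()
    for ev in events:
        reasons = misuse_detect(ev) + baseline.anomalies(ev)
        if reasons:
            alerts.append((ev.src, reasons))
            if reactive:
                blocked.add(ev.src)
    return alerts, blocked


if __name__ == "__main__":
    base = Baseline(NORMAL_SIZES, ALLOWED_SERVICES)
    for mode in (False, True):
        alerts, blocked = run_ids(parse_log(SAMPLE_LOG), base, reactive=mode)
        print("reactive" if mode else "passive", alerts, sorted(blocked))
```

Note which events each strategy catches: the two requests from 203.0.113.9 are found only by the signatures, the 65000-byte upload and the connection to port 4444 only by the baseline, and the harmless requests by neither. In reactive mode both offending sources end up on the block list, which is exactly the place where a false positive starts to cost availability.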
Network-based vs. Host-based IDS
Intrusion detection systems are network- or host-based solutions. Network-based IDS systems (NIDS) are often standalone hardware appliances that include network intrusion detection capabilities. A NIDS usually consists of hardware sensors located at various points along the network, or of software installed on computers connected to your network, which analyzes the data packets entering and leaving the network. Host-based IDS systems (HIDS) run on the monitored host itself and examine its logs, file integrity and system activity; because they mostly work from records the host has already written, they do not offer true real-time detection, but if configured correctly they are close to real-time.
IPS — AN ACTIVE SECURITY SOLUTION
An IPS, or intrusion prevention system, is the next level of security technology, with the capability to provide security at all system levels, from the operating system kernel to network data packets. It provides policies and rules for network traffic along with an IDS for alerting system or network administrators to suspicious traffic, but allows the administrator to define the action to be taken upon an alert. Where an IDS informs of a potential attack, an IPS attempts to stop it. Another big step over an IDS is that an IPS can not only block known intrusion signatures but also some unknown attacks, thanks to its database of generic attack behaviors. Thought of as a combination of an IDS and an application-layer firewall, an IPS is generally considered the 'next generation' of IDS. The price of sitting inline is that a false positive no longer just raises an alert but blocks legitimate traffic, so IPS rules need much tighter tuning than IDS alerts.
Currently, there are two types of IPS, mirroring the IDS types: host-based intrusion prevention systems (HIPS) and network-based intrusion prevention systems (NIPS).
Network-based vs. Host-based IPS
@ost"based intrusion prevention systems are used to protect both servers and wor stations through software
that runs between your system0s applications and O* ernel. The software is preconfigured to determine the
protection rules based on intrusion and attac signatures. The @I6* will catch suspicious activity on the system
and then, depending on the predefined rules, it will either bloc or allow the event to happen. @I6* monitors
activities such as application or data requests, networ connection attempts, and read or write attempts to name
a few.
Network-based intrusion prevention systems (often called inline prevention systems) are a solution for network-based security. A NIPS will intercept all network traffic and monitor it for suspicious activity and events, either blocking the requests or passing them along should they be deemed legitimate traffic. Network-based IPSs work in several ways. Usually package- or software-specific features determine how a specific NIPS solution works, but generally you can expect it to scan for intrusion signatures, search for protocol anomalies, detect commands not normally executed on the network, and more.
FIREWALLS
A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or as a combination of both.
How are Firewalls Used?
Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Hardware and Software Firewalls
Firewalls can be either hardware or software, but the ideal firewall configuration will consist of both. In addition to limiting access to your computer and network, a firewall is also useful for allowing remote access to a private network through secure authentication certificates and logins.
Hardware firewalls can be purchased as a stand-alone product but are also typically found in broadband routers, and should be considered an important part of your system and network set-up. Most hardware firewalls will have a minimum of four network ports to connect other computers, but for larger networks, business networking firewall solutions are available.
Software firewalls are installed on your computer (like any software) and you can customize them, allowing you some control over their function and protection features. A software firewall will protect your computer from outside attempts to control or gain access to your computer.
COMMON FIREWALL TECHNIQUES
Firewalls are used to protect both home and corporate networks. A typical firewall program or hardware device filters all information coming through the Internet to your network or computer system. There are several types of firewall techniques that will prevent potentially harmful information from getting through:
Packet Filter
Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing: a stateless filter believes the source address written in the packet header, so an attacker who forges an internal source address can match an 'allow' rule meant for internal hosts unless the filter also drops packets that arrive on the external interface with an internal source (an anti-spoofing rule).
A%%"i,atio' 4ate a+
%pplies security mechanisms to specific applications, such as T6 and Telnet servers. This is very effective,
but can impose a performance degradation.
Circuit-level Gateway
Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
Proxy Server
Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
In practice, many firewalls use two or more of these techniques in concert. A firewall is considered a first line of defense in protecting private information. For greater security, data can additionally be encrypted.
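The packet filter and the circuit-level gateway described above, as an added example that is not part of the original notes or of any firewall product: a Python model of a stateless filter (ordered rules, first match wins, default deny, with an anti-spoofing rule in front) next to a circuit-level gateway that consults the same rules only at connection set-up and then lets the established circuit pass in both directions. The addresses, the rule set and the packets are constructed for the illustration; the point is to see the same packets judged differently by the two techniques.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
WEB_SERVER = ipaddress.ip_network("10.0.1.10/32")
DNS_SERVER = ipaddress.ip_network("10.0.0.53/32")


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "ext" (Internet) or "int"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


# Packet filter rules (hypothetical policy): first match wins, default deny.
# Fields: action, arriving interface, source net, destination net, proto,
# destination port; None means "any".
RULES = [
    # anti-spoofing: a packet from the Internet claiming an internal source
    # address is forged and must be dropped before any "allow" rule sees it
    ("deny", "ext", INTERNAL_NET, None, None, None),
    ("allow", "ext", None, WEB_SERVER, "tcp", 443),
    ("allow", "int", INTERNAL_NET, None, "tcp", 80),
    ("allow", "int", INTERNAL_NET, None, "tcp", 443),
    ("allow", "int", INTERNAL_NET, DNS_SERVER, "udp", 53),
]


def packet_filter(pkt, rules=RULES):
    """Stateless packet filter: judges every packet on its own header."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, iface, snet, dnet, proto, dport in rules:
        if iface is not None and iface != pkt.iface:
            continue
        if snet is not None and src not in snet:
            continue
        if dnet is not None and dst not in dnet:
            continue
        if proto is not None and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


class CircuitGateway:
    """Circuit-level gateway: consults the rules only when a connection is
    set up; later packets of an established circuit (in either direction)
    pass without further checking."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.circuits = set()   # (proto, client, client_port, server, server_port)

    def decide(self, pkt):
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.circuits or reverse in self.circuits:
            return "allow"
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"   # mid-stream TCP segment with no known circuit
        if packet_filter(pkt, self.rules) == "allow":
            self.circuits.add(forward)
            return "allow"
        return "deny"


# Constructed packets, in arrival order.
SAMPLE_PACKETS = [
    Packet("int", "10.0.5.20", 51000, "198.51.100.10", 443, "tcp", syn=True),  # outbound HTTPS
    Packet("ext", "198.51.100.10", 443, "10.0.5.20", 51000, "tcp"),           # its reply
    Packet("ext", "10.0.5.20", 40000, "10.0.1.10", 443, "tcp", syn=True),      # spoofed internal source
    Packet("ext", "203.0.113.7", 40001, "10.0.1.10", 443, "tcp", syn=True),    # legitimate inbound HTTPS
    Packet("ext", "203.0.113.7", 40002, "10.0.1.10", 22, "tcp", syn=True),     # SSH from the Internet
    Packet("ext", "203.0.113.7", 40003, "10.0.1.10", 443, "tcp"),              # ACK with no handshake
]


def evaluate(packets):
    """Decision of the stateless filter and of the circuit gateway, per packet."""
    gw = CircuitGateway()
    return [(packet_filter(p), gw.decide(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (stateless, circuit) in zip(SAMPLE_PACKETS, evaluate(SAMPLE_PACKETS)):
        print(f"{pkt.iface:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"filter={stateless} gateway={circuit}")
```

Two packets show why the techniques are usually combined. The reply to the outbound HTTPS connection is dropped by the stateless filter (no rule admits it, and a rule broad enough to admit all replies would admit a lot more), while the gateway recognises it as part of an established circuit. Conversely, a bare ACK aimed at the web server matches the filter's "allow tcp/443" rule, but the gateway rejects it because no handshake created a circuit. The spoofed packet is stopped by both, but only because the anti-spoofing rule sits before the allow rules.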
WORLD-WIDE WEB SECURITY
There are many security issues related to the WWW. Within the scope of this section, we only discuss the communications security aspect, both at the network and the application level, and the payment security aspect.
1. COMMUNICATIONS SECURITY
The communication between a web browser and a web server is secured by the SSL/TLS protocol. Historically, Secure Sockets Layer (SSL) was an initiative of Netscape Communications. SSL 2.0 contains a number of security flaws which are solved in SSL 3.0. SSL 3.0 was adopted by the IETF Transport Layer Security (TLS) working group, which made some small improvements and published the TLS 1.0 standard [9].
'SSL/TLS' is used here, as 'SSL' is an acronym everyone is quite familiar with; however, the use of TLS in applications is certainly preferred to the use of the SSL protocols. Today SSL 2.0 and SSL 3.0 are prohibited outright (RFC 6176 and RFC 7568), TLS 1.0 and 1.1 are deprecated (RFC 8996), and new deployments should require TLS 1.2 or 1.3. Within the protocol stack, SSL/TLS is situated underneath the application layer. It can in principle be used to secure the communication of any application, and not only between a web browser and server. SSL/TLS provides entity authentication, data authentication, and data confidentiality. In short, SSL/TLS works as follows: public-key cryptography is used to authenticate the participating entities and to establish cryptographic keys; symmetric-key cryptography is used for encrypting the communication and for adding Message Authentication Codes (MACs), to provide data confidentiality and data authentication respectively. Thus, SSL/TLS depends on a Public Key Infrastructure. Participating entities (usually only the server) should have a public/private key pair and a certificate. Root certificates (the certification authorities' certificates that are needed to verify the entities' certificates) should be securely distributed in advance (e.g., they are shipped with the browsers). Private keys should be properly protected. Note that these two elements, i.e., the distribution of root certificates in browsers and the protection of private keys, are among the weak and exploited points of WWW security: a client that skips chain verification, or a server whose private key leaks, gets no protection from the protocol at all. More detailed information on SSL/TLS, the security flaws in SSL 2.0, and the differences between SSL 3.0 and TLS 1.0, can be found in Rescorla.
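The client-side requirements just listed (verify the server's certificate against securely distributed roots, match the name, refuse the SSL and early TLS versions), as an added example that is not from the original notes or from Rescorla: the weak configuration that much application code still ships with, next to the hardened one, using only Python's standard `ssl` module (3.7 or later for `ssl.TLSVersion`). The `audit_context` check and the `open_tls` helper are written for this illustration; `open_tls` needs a network and is not run by the checks.

```python
import socket
import ssl


def insecure_context():
    """The configuration a lot of application code still ships with: the
    peer's certificate is never checked against a root store, the hostname
    is not compared with the certificate, and any protocol version the
    server offers (down to the oldest the library supports) is accepted.
    Such a client is trivially intercepted by anyone on the path."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context(cafile=None):
    """Verify the server's chain against trusted roots (the system store,
    or a CA bundle the application ships, which is the 'securely distributed
    in advance' part), require the presented name to match, and refuse
    SSL 2.0/3.0 and TLS 1.0/1.1."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Findings a reviewer would raise against a client SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-cert-verification")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("weak-min-version")
    return findings


def open_tls(host, port=443, ctx=None, timeout=5.0):
    """Connect with the hardened context. ssl.SSLCertVerificationError is
    raised if the chain does not lead to a trusted root or the name does
    not match; the handshake fails if the server only offers old versions."""
    ctx = ctx or hardened_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
```

On the server side the counterpart is `SSLContext.load_cert_chain(certfile, keyfile)`; the key file it reads is the "private key that should be properly protected", so it belongs outside the web root, readable only by the service account, and ideally in an HSM or OS key store rather than a plain file.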
2. PAYMENT SECURITY
Although numerous different electronic payment systems have been proposed that can be or are used on the WWW, including micro-payment systems and cash-like systems, most transactions on the web are paid using credit cards. Mostly, customers just have to send their credit card number to the merchant's web server. This is normally done 'securely' over SSL/TLS, but some serious problems can still be identified. Users have to disclose their credit card number to each merchant. This is quite contradictory to the fact that the credit card number is actually the secret on which the whole payment system is based (note that there is no electronic equivalent of the additional security mechanisms present in real-world credit card transactions, such as face-to-face interaction, physical cards and handwritten signatures). Even if the merchant is trusted and honest this is risky, as one can obtain huge lists of credit card numbers by hacking into (trustworthy, but less protected) merchants' web servers. Moreover, it is possible to generate fake but valid credit card numbers, which is of great concern for on-line merchants: the only self-check a card number carries is its final Luhn check digit, a public formula that catches typing errors, not forgeries. Thus, merchants bear the risk in card-not-present transactions.
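The 'fake but valid' remark above, as an added example that is not part of the original notes: the Luhn check used by payment card numbers (ISO/IEC 7812), written out so it is clear that validity is a checksum anyone can compute, and a masking helper for what a merchant may keep or display (first six and last four digits, the PCI DSS 3.x display rule). The card numbers in the test are published test values, not real accounts.

```python
def luhn_valid(number):
    """True if the digits of `number` (spaces or dashes allowed) satisfy the
    Luhn checksum. The rightmost digit is the check digit; every second
    digit moving left is doubled, with 9 subtracted when the result exceeds 9."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):   # i == 0 is the check digit
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial):
    """The digit that makes `partial` + digit pass luhn_valid(). Anyone can
    compute it, which is why a number that 'validates' proves nothing about
    whether an account exists or whether the sender is its holder."""
    digits = [int(c) for c in partial if c.isdigit()]
    total = 0
    # With the check digit appended, the rightmost digit of `partial` sits
    # in a doubled position, so doubling starts at i == 0 here.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def mask_pan(pan):
    """Truncated form a merchant may show or log: first six and last four
    digits, everything in between replaced by '*'."""
    digits = "".join(c for c in pan if c.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("a card number has 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


if __name__ == "__main__":
    print(luhn_valid("4111 1111 1111 1111"), luhn_check_digit("7992739871"))
    print(mask_pan("4111111111111111"))
```

The practical consequence for a merchant is the one the paragraph draws: since the number itself is the secret and its checksum is public, the merchant should never store the full PAN after authorisation, and should pass it to the payment processor over TLS and keep only the masked form for its own records.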
WIRELESS SECURITY
GSM and WAP are currently probably the two most popular and widely used wireless technologies. They are briefly presented in the following paragraphs. Thereafter, some other systems and initiatives in the wireless world are discussed.
GSM
GSM, the Global System for Mobile communications, is the currently very popular digital cellular telecommunications system specified by the European Telecommunications Standards Institute (ETSI). In short, GSM intends to provide three security services: temporary identities, for the confidentiality of the user identity; entity authentication, that is, verifying the identity of the user; and encryption, for the confidentiality of user-related data (note that data can be carried in a traffic channel, e.g., voice, or in a signalling channel, e.g., SMS messages). The authentication is one-way: the network authenticates the subscriber through the SIM, but the subscriber has no way to authenticate the network, which is what false base station attacks exploit.
WAP
The Wireless Application Protocol (WAP) is a protocol stack for wireless communication networks. WAP is bearer independent; the most common bearer is currently GSM.
INFORMATION SECURITY AUDIT
An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of the obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, an internal audit, or another form of attestation engagement.
IT audits are also known as 'automated data processing (ADP) audits' and 'computer audits'. They were formerly called 'electronic data processing (EDP) audits'.
An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purposes of an IT audit are to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. Installing controls is necessary but not sufficient to provide adequate security. People responsible for security must consider whether the controls are installed as intended, whether they are effective, whether any breach of security has occurred and, if so, what actions can be taken to prevent future breaches. These inquiries must be answered by independent and unbiased observers. These observers are performing the task of information systems auditing. In an Information Systems (IS) environment, an audit is an examination of information systems, their inputs, outputs, and processing.
The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its information assets and to properly dispense information to authorized parties. The IT audit aims to evaluate the following:
Types of IT audits
Various authorities have created differing taxonomies to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carry out an IT audit:
• Technological innovation process audit. This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product, organization and industry structure.
• Innovative comparison audit. This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.
• Technological position audit. This audit reviews the technologies that the business currently has and those that it needs to add. Technologies are characterized as being either 'base', 'key', 'pacing' or 'emerging'.
IT AUDIT PROCESS
The following are the basic steps in performing the Information Technology Audit Process: [4]
1. Planning
2. Studying and Evaluating Controls
3. Testing and Evaluating Controls
4. Reporting
5. Follow-up
6. Reports
OVERVIEW OF SECURITY STANDARDS: ISO 17799 STANDARD
ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:
• security policy;
• organization of information security;
• asset management;
• human resources security;
• physical and environmental security;
• communications and operations management;
• access control;
• information systems acquisition, development and maintenance;
• information security incident management;
• business continuity management;
• compliance.
The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.
The standard contains 12 sections: risk assessment and treatment; security policy; organization of information security; asset management; access control; information security incident management; human resources security; physical and environmental security; communications and operations management; information systems acquisition, development and maintenance; business continuity management; and compliance.
Within each section, information security control objectives are specified and a range of controls is outlined that are generally regarded as best practices. For each control, implementation guidance is provided. Each organization is expected to perform an information security risk assessment prior to implementing controls. Note that ISO/IEC 17799:2005 was renumbered ISO/IEC 27002 in 2007 and has been revised since (2013 and 2022 editions); the control areas listed above are those of the 2005 text.
Introduction and PCI Data Security Standard Overview
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks. Below is a high-level overview of the 12 PCI DSS requirements.
PCI DSS originally began as five different programs: Visa's Cardholder Information Security Program, MasterCard's Site Data Protection, American Express' Data Security Operating Policy, Discover's Information Security and Compliance, and JCB's Data Security Program. Each company's intentions were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. On December 15, 2004, these companies aligned their individual policies and released version 1.0 of the Payment Card Industry Data Security Standard (PCI DSS); the Payment Card Industry Security Standards Council (PCI SSC) was formed in 2006 to maintain it.
In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0.
Version 1.2 was released on October 1, 2008, and version 1.1 'sunsetted' on December 31, 2008. Version 1.2 did not change the requirements; it only enhanced clarity, improved flexibility, and addressed evolving risks and threats. In August 2009 the PCI SSC announced the move from version 1.2 to version 1.2.1 for the purpose of making minor corrections designed to create more clarity and consistency among the standards and supporting documents.
Version 2.0 was released in October 2010 and was active for merchants and service providers from January 1, 2011 to December 31, 2014.
Version 3.0 was released in November 2013 and took effect on January 1, 2014; it was retired on June 30, 2015, once version 3.1 was available.
Version 3.1 was released in April 2015. It has since been superseded by versions 3.2 (April 2016), 3.2.1 (May 2018) and 4.0 (March 2022).