Web AuditNet

Dan's Internal Audit Corner

Auditing security using the PCI standard and related guidance - (Because personal information must be protected)

Each month Dan Swanson, a senior security and internal audit professional will provide his list of recommended resources for AuditNet readers. If you have questions about this page or the links, you can reach Dan at www.securitybenchmark.com and dswanson_2005@yahoo.com.


We need to protect personal information more than ever before, and extensive help is available from the PCI Security Standards Council and numerous other organizations.

Read on…

Canadian CIOs lash out at compliance pressures, i.e. they're sick and tired of being needled by auditors and forced to adopt inefficient policies, and they're not afraid to talk about it. Read exclusive excerpts from a roundtable where the frustrations came to the forefront.

Various significant incidents regarding breaches in personal data continue to occur way too regularly. Rather than blame the auditors for indicating compliance and regulatory requirements need to be met, perhaps the CIO community should promote the required changes as the opportunity it truly presents – that is, for the CIO to establish a secure environment for the organization’s information assets.

Provided below are extensive resources regarding the PCI data standard and its related guidance, plus leading resources supporting information security and the auditing of information security.

Have you assessed your information security and privacy efforts lately? (It is a management responsibility to do so regularly.)

Have another great month.

Dan Swanson


PCI Related Resources

1. PCI Security Standards Council

2. The PCI Data Security Standard (PCI DSS)

a) The Specification

b) The core of the PCI DSS (a one-page summary of principles and requirements)

c) The actual PCI Data Security Standard (PCI DSS)

d) Other supporting documents

Glossary
This document defines terms used in DSS v 1.1 and the other resources available to approved scanning vendors and qualified security assessors.

Payment Card Industry Self-Assessment Questionnaire (pdf)
PCI DSS Payment Card Industry Self-Assessment Questionnaire (locked word)
The PCI Self-Assessment Questionnaire (SAQ) is an important validation tool that is primarily used by smaller merchants and service providers to demonstrate compliance with the PCI DSS. The currently posted version of the SAQ is based on the Payment Card Industry (PCI) Data Security Standard (DSS) v. January 2005, and it will be valid until version 1.1 of the SAQ is released.

PCI DSS Security Audit Procedures (pdf)
PCI DSS Security Audit Procedures (locked word)
This document is designed for use by assessors conducting onsite reviews for merchants and service providers required to validate compliance with Payment Card Industry (PCI) Data Security Standard (DSS) requirements. The requirements and audit procedures presented in this document are based on the PCI DSS.

PCI DSS Security Scanning Procedures
This document explains the purpose and scope of the Payment Card Industry (PCI) Security Scan for merchants and service providers who undergo PCI Security Scans to help validate compliance with the PCI Data Security Standard (DSS). Approved Scanning Vendors (ASVs) also use this document to assist merchants and service providers in determining the scope of the PCI Security Scan.

PCI DSS Summary of Changes
The Payment Card Industry Data Security Standard (DSS) v 1.1 has replaced the DSS v. January 2005, and the PCI Security Standards Council will no longer recognize DSS v. 2005 after December 31, 2006. This Summary of Changes document provides an overview of the significant differences between the two versions.

PCI DSS Validation Requirements for Qualified Security Assessors (QSAs) v 1.1.
To be recognized as a QSA by PCI SSC, QSAs must meet or exceed the requirements described in this document and execute the QSA Agreement with PCI SSC attached to this document as Appendix A (the “Agreement”).
PCI Qualified Security Assessor (QSA) Agreement
Sample QSA Feedback Form

PCI DSS Validation Requirements for Approved Scanning Vendors (ASVs) v 1.1
To be recognized as an ASV by PCI SSC, the ASV, ASV employees, and the ASV's scanning solution must meet or exceed the requirements described in this document and execute the “PCI ASV Compliance Test Agreement” attached as Appendix A (the “Agreement”) with PCI SSC. The companies that qualify are identified on PCI SSC’s ASV list on PCI SSC’s web site in accordance with the Agreement.
PCI ASV Compliance Test Agreement
Sample ASV Feedback Form

PCI DSS Technical and Operational Requirements for Approved Scanning Vendors (ASVs) v 1.1
This document provides guidance and requirements applicable to ASVs in the framework of the PCI DSS and associated payment brand data protection programs. Security scanning companies interested in providing scan services in conjunction with the PCI program must comply with the requirements set forth in this document and must successfully complete the PCI Security Scanning Vendor Testing and Approval Process.

3. MasterCard Site Data Protection Program

http://www.mastercard.com/us/sdp/index.html

4. PCI Security Standards Council Statement on Recent Data Breaches (January 2007)

5. The Tripwire Prescriptive Guide: Expert Advice on IT Governance, Security, Compliance & Operations. (Note: it has a chapter on PCI.)

6. New IT Audit Checklist: Payment Card Industry (PCI)

Information Security Resources

1. National Association of Corporate Directors (NACD), “Information Security Oversight: Essential Board Practices”:

2. The Computer Emergency Response Team (CERT), part of the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University:

3. National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC):

4. Corporate Information Security Working Group (CISWG) (documents archived by the American Institute of Certified Public Accountants (AICPA), under Security Standards, Frameworks and Guidelines):

5. ISO 27001

6. US General Accounting Office, “Executive Guide: Information Security Management: Learning from Leading Organizations”:

7. Microsoft Security Risk Management Guide:

8. The International Systems Security Engineering Association (ISSEA)

9. The Center for Internet Security (CIS)

10. The Information Systems Security Association (ISSA)

Information Security Auditing Resources

1. The Institute of Internal Auditors, IT Security

2. US General Accounting Office (GAO), “Management Planning Guide for Information Systems Security Auditing” (PDF):

3. Information Systems Audit and Control Association (ISACA), “Control Objectives for Information and related Technology (COBIT)”

4. Who is Responsible for Information Security?

5. Treasury Board of Canada, Internal Audit:

6. The Center for Education and Research in Information Assurance and Security (CERIAS)

7. U.S. Security Awareness, Information Security Auditing page

8. Open Compliance and Ethics Group (OCEG), “Internal Audit Guide (IAG)”

9. IT Audit Checklist: Information Security

10. Other Security Management resources (MASSIVE).

The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®