Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

ISO20000-1 mapping to PCI

77 vues

Publié le

Iso20000 1

Publié dans : Technologie
  • Soyez le premier à commenter

  • Soyez le premier à aimer ceci

ISO20000-1 mapping to PCI

  1. 1. Updated by JS on Sep. 26, 2020 PCI DSS version 3.2.1 Relevant Requirements 4 4.1 The organizastion shall determine external and internal issues that are relevant to its purpose and that affect its ability to acheive the intended outcome(s) of its SMS. 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment. 12.2 Implement a risk assessment process, that: •Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), •Identifies critical assets, threats, and vulnerabilities, and •Results in a formal, documented analysis of risk. Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30. 4.2 a) The organization shall determine: the interested parties that are releant to the SMS and services; b) the relevant requirements of these interested parties. 4.3 the organization shall determine the boundaries and applicability of the SMS to establish its scope. (※1. DOCUMENT※) When determining the scope, the organization shall consider 12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: a) the external and internal issues referred to in 4.1(Understanding the orgamization and its context) - b) the requirements referred to in 4.2 (Understanding the needs and expectations of interested parties) - c) the services delivered by the organization 12.4.1 Overall accountability for maintaining PCI DSS compliance 4.4 Mapping ISO20000(Service Mamagement System) to PCI DSS v3.2.1 ISO20000-1: 2018 Clauses modified adjusting to PCI DSS Context of the organization Understanding the orgamization and its context 12.9 Additional testing procedure for service provider assessments only: Review service provider’s policies and procedures and observe templates used for written agreement to confirm the service provider acknowledges in writing to customers that the service provider will maintain all applicable PCI DSS requirements to the extent the service provider possesses or otherwise stores, processes, or transmits cardholder data on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. Determing the scope of the SM system SM System (Including each SM Process) Understanding the needs and expectations of interested parties
  2. 2. The orgaization shall establish, implement, maintain and countinually improve an SMS. Including the pcesses needed and their interactions, in accordance with the - 5 5.1 Top management shall demonstrate leadership and commitment with respect to the - a) ensuring that the SM policy and SM objectives are established and are compatible with the strategic direction of the organization; 【General management practice in ITIL 4】 12.4.1 Additional requirement for service providers only: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include: •Overall accountability for maintaining PCI DSS compliance •Defining a charter for a PCI DSS compliance program and communication to executive management A3.1.1 Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include: ・ Overall accountability for maintaining PCI DSS compliance ・ Defining a charter for a PCI DSS compliance program ・ Providing updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least annually b) ensuring the integration of the SM Plan is created (※2. DOCUMENT※), implemented and maintained in order to support the SM policy, and the achievement of the SM objectives and service requirements; - c) ensuring that apprpriate levels of authority are assigned for making decisions related to the SMS and the services; d) enduring that what constitues value for the organization and its customers is determined;e) ensuring there is control of other parties involved in the service lifecycle; f) ensuring the integration of the SMS requirements into the organization's business processes;e) ensuring there is control of other parties involved in the service lifecycle; f) ensuring the integration of the SMS requirements into the organization's business processes;g) ensuring that the resources needed for the SMS and the services are available; h) communicating the importance of effective service management; achieving the sercice management objectives, delivering value and conforming to the SMS requirements;i) ensuring that the SMS achieves its intended outcomes; j) directing and supporting persons to contribute to the effectiveness of the SMS and the services;k) promoting continual improvement of the SMS and the services; l) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. 5.2 Leadership 12.4.a Verify that Infosecurity policy and procedures clearly define Infosecurity responsibilities for all personnel. 12.5.1 Verify that responsibility for establishing, documenting and distributing security policies and procedures is formally assigned. Policy Leadership and commitment
  3. 3. 5.2.1 Establishing the SM policy top management shall establish a SM policy that a) is appropriate to the purpose of the organiation b) provides a framework for setting SM objectives 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry- accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to: •Center for Internet Security (CIS) •International organization for Standardization (ISO) •SysAdmin Audit Network Security (SANS) Institute •National Institute of Standards Technology (NIST) 6.5 Address common coding vulnerabilities in software-development processes as follows: •Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities. •Develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these c) includes a commitment to satisfy applicable requirements d) includes a commitment to Continual Improvement of the SMS and the services. 5.2.2 Communicating the SM policy - The SM policy shall - 12.4.1 Additional requirement for service providers only: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include: •Overall accountability for maintaining PCI DSS compliance •Defining a charter for a PCI DSS compliance program and communication to executive management 12.4.1 Additional requirement for service providers only: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include: •Overall accountability for maintaining PCI DSS compliance •Defining a charter for a PCI DSS compliance program and communication to executive management
  4. 4. a) be available as documented information(※3. DOCUMENT※) 1.5 Ensure that security policies and operational procedures for managing firewalls are documented 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented 3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented 4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented 5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented 6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented 7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented 8.8 Ensure that security policies and operational procedures for identification and authentication are documented 9.10 Ensure that security policies and operational procedures for restricting physical access b) be communicated within the organization c) be avaibale to interested parties, as appropriate. 5.3 12.1 Examine the information security policy and verify that the policy is published and disseminated to all relevant personnel (including vendors and business partners) 12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures. Oranizational roles, responsibilities, and authorities(※4. DOCUMENT※)【ITIL2011: N/A】 【ITIL4: Organizational Change Management practice; General management practice】
  5. 5. top management shall ensure that the responsibilities and authorities for roles relevant to the SMS and the service are assigned and communicated within the organization. Top management shall assign the responsibility and authority for: 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. 6.4.5.a Examine documented change-control procedures and verify procedures are defined for: •Documentation of impact. •Documented change approval by authorized parties. 7.1.a Examine written policy for access control, and verify that the policy incorporates 7.1.1 through 7.1.4 as follows: •Defining access needs and privilege assignments for each role. •Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities. •Assignment of access based on individual personnel’s job classification and function. •Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved. 8.1.2 For a sample of privileged user IDs and general user IDs, examine associated authorizations and observe system settings to verify each user ID and privileged user ID has been implemented with only the privileges specified on the documented approval. 12.3.1 Verify that the usage policies include processes for explicit approval from authorized parties to use the technologies. 12.4.1 Defining a charter for a PCI DSS compliance program and communication to executive management 12.5 Examine information security policies and procedures to verify: •The formal assignment of information security to a Chief Security Officer or other security- knowledgeable member of management. •The following information security responsibilities are specifically and formally assigned: 12.5.1 Verify that responsibility for establishing, documenting and distributing security policies and procedures is formally assigned. 12.5.2 Verify that responsibility for monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel is formally assigned. 12.5.3 Verify that responsibility for establishing, documenting, and distributing security incident response and escalation procedures is formally assigned. 12.5.4 Verify that responsibility for administering (adding, deleting, and modifying) usera) ensuring that the SMS conforms to the requirements of this doc b) reporting on the performance of the SMS and the services to top management. 12.5 Examine information security policies and procedures to verify: •The formal assignment of information security to a Chief Security Officer or other security- knowledgeable member of management. •The following information security responsibilities are specifically and formally assigned: 6 6.1 Actions to address risks and oppourtunities Planning
  6. 6. 6.1.1 When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to - a) give assurance that the SMS can achieve its intended outcomes - b) prevent, or reduce, undesired effects - c) achieve Continual Improvement of the SMS and the services. - 6.1.2 The organization shall determine and document (※5. DOCUMENT※) - a) risks related to 1) the organization 2) not meeting the service requirements 3) the involvement of other parties in the service lifecycle; b) the impact on customers of risks and opportunities for the SMS and the services c) risk acceptance "Criteria" d) approach to be taken for the management of risks. 6.1.3 The organization shall plan - a) actions to address these risks and opportunities and their priorities; - b) how to - 1) integrate and implement the actions into its SMS processes; - 2) evaluate the effectiveness of these actions - 6.2 SM objectives and planning to achieve them - 6.2.1 Establish SM objectives (※6. DOCUMENT※) - The orgaization shall establish SM objectives at relevant functions and levels. The SM objectives shall - a) be consistent with the SM Policy - b) be measurable - 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high”, “medium”, or “low”) to newly discovered security vulnerabilities. 10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment. 10.8.1 Additional requirement for service providers only: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include: •Performing a risk assessment to determine whether further actions are required as a result of the security failure 12.2 Implement a risk assessment process, that: •Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), •Identifies critical assets, threats, and vulnerabilities, and •Results in a formal, documented analysis of risk. Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30. A2.2 Review the documented Risk Mitigation and Migration Plan to verify it includes: •Description of usage, including what data is being transmitted, types and number of
  7. 7. c) take into account applicable requirements 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry- accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to: •Center for Internet Security (CIS) •International organization for Standardization (ISO) •SysAdmin Audit Network Security (SANS) Institute •National Institute of Standards Technology (NIST) 6.5 Address common coding vulnerabilities in software-development processes as follows: •Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities. •Develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements. d) be monitored - e) be communicated - f) be updated as appropriate 6.4.6 For a sample of significant changes, examine change records, interview personnel, and observe the affected systems/networks to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change. 11.3.4.1 & A.3.2.1 Validation of PCI DSS scope should be performed as frequently as possible to ensure PCI DSS scope remains up to date and aligned with changing business objectives. 12.1.1 Verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. 12.2 Implement a risk assessment process, that: •Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)6.2.2 When planning how to achieve the SM objective management shall determine; a) what will be done b) what resource will be required c) who will be responsible d) what it will be completed e) how the results will be evaluated Plan to achieve objectives (※7. DOCUMENT※) 12.5 Assign to an individual or team the following information security management responsibilities: 12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures. 12.8.2 Observe written agreements and confirm they include an acknowledgement by service providers that they are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer,
  8. 8. 6.3 Plan the SMS - the organization shall create (※8. DOCUMENT※), implement and maintain a SM plan. Planning shall take into consideration the SM policy, SM objectives, risks and oppportunities, service requirements and requirements specified in this docs. - a) list of services; - b) known limitations that can impact the SMS and the services. - c) obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services 12.8.2 Observe written agreements and confirm they include an acknowledgement by service providers that they are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement. 12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.10.1.a Verify that the incident response plan includes:   Analysis of legal requirements for reporting compromises (for example, California Bill d) authorities and responsibilities for the SMS and the services 12.4.a Verify that Infosecurity policy and procedures clearly define Infosecurity responsibilities for all personnel. 12.5.1 Verify that responsibility for establishing, documenting and distributing security policies and procedures is formally assigned. e) human, technical, informatwion and financial resources necessary to operate the SMS and the services N/A f) approach to be taken for working with other parties involved in the service lifecycle 12.8.2 Observe written agreements and confirm they include an acknowledgement by service providers that they are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, g) technology used to support the SMS -
  9. 9. h) how the effectiveness of the SMS and the services will be measured, audited, reported and improved. 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 11.2.3.b Review scan reports and verify that the scan process includes rescans until:   For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.   For internal scans, all “high risk” vulnerabilities Other planning activities shall maintain alignment with the SM plan. - 7 7.1 The organization shall determine and provide the human, technical, information and financial resources needed for the establishment, implementation, maintenance and continual improvement of the SMS and the operation of the services to meet the service requirements and achieve the SM objectives. 12.5 Examine information security policies and procedures to verify:   The formal assignment of information security to a Chief Security Officer or other security-knowledgeable member of management.   The following information security responsibilities are specifically and formally assigned: 7.2 the organization shall - a) determine the Necessary Competence of person doing work under its control that afffects the performance and effectiveness of the SMS and the services b) ensure that these persons are competent on the basis of approproate education, training, or experience c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken 12.6.1.b Verify that personnel attend security awareness training upon hire and at least annually. d) retain Appropriate Documented Info as Evidence of competence(※10. DOCUMENT※) 12.6.2 Verify that the security awareness program requires personnel to acknowledge, in writing or electronically, at least annually that they have read and understand the information security policy. Note applicable actions can include, for example, the provision of training to, the mentoring of, or the re-assignment of currently employed persons; or the hiring or contracting of competent persons. - 7.3 ES1.1# List all other assessors involved in the assessment. If there were none, mark as Not Applicable. (add rows as needed) Assessor name:Assessor PCI credentials: (QSA, PA-QSA, etc.) 2.2.4.a Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components. 6.3.2.b Code changes are reviewed by individuals who are knowledgeable in code-review techniques and secure coding practices. 11.2.1 Scans must be performed by qualified personnel. 11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). 11.3.1.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV). 12.6 Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures. 12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures. Resources(※9. DOCUMENT※) Competence 【ITIL2011: N/A】【ITIL4: Workforce & Talent Management practice; General management practice】 Awareness(※11.DOCUMENT※) Support of the SMS
  10. 10. Persons doing work under the organization's control shall be aware of - a) the SM policy - b) the SM objectives - c) the services releavant to their work - d) their contribution to the effectiveness of the SMS, including the benefits of improved performance - e) the implications of NC with the SMS requirements. 12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.10.1.a Verify that the incident response plan includes:   Analysis of legal requirements for reporting compromises (for example, California Bill 1386, which requires notification of affected consumers in the event of an actual or suspected7.4 The organization shall determine the internal and external communications relevant to the SMS and the services (※12. DOCUMENT※) including a) on what it will communicate b) when to communicate c) with whom to communicate d) how to communicate e) who will be responsible for the communication. 7.5 7.5.1 The organiation's SMS shall include a) documented Info requiremed by this doc b) documented Info determined by the organization as being necessary for the effectiveness of the SMS. Notes the extent of documented info for an SMS can differ from one organization to another the size of organization and its type of activities, processes, products and services, and resources the complexity of processes and their interactions the competence of persons 7.5.2 Creating and updating - General Documented Information (※DOCUMENT※) Communications - 12.10.1.a •Communication strategies. Verify that the incident response plan includes: ・Roles, responsibilities, and communication strategies in the event of a compromise including notification of the payment brands, at a minimum. Provide the name of the assessor who attests that the incident response plan was verified to include: •Roles and responsibilities. •Communication strategies. •Requirement for notification of the payment brands. •Specific incident response procedures. •Business recovery and continuity procedures. •Data back-up processes. •Analysis of legal requirements for reporting compromises. •Coverage for all critical system components. •Responses for all critical system components. •Reference or inclusion of incident response procedures from the payment brands.
  11. 11. When creating and updating documented Info the organization shall ensure - a) identification and description(e.g. a title, date, author, or reference number) (※ 13. DOCUMENT※) ES#4.9 documentation reviewed b) format(e.g. language, software version, graphics or diagrams)and media(e,g, hardcopy or paper, electronic) - c) review and approval for suitability and adequacy. - 7.5.3 Control of documented information - 7.5.3.1 documented info required by the SMS and by this doc shall be controlled to ensure - a) it is available and suitable for use, where and when it is needed 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties. 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. 3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. 4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. 5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. 6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. 7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. 8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. b) it is adequetely protected (e,g, from loss of confidentiality, improper use, or loss of - 7.5.3.2 For the control of documented info, the organization shall address the following activities, as applicable - a) distribution, access, retreival and use b) storage and preservation, including preservation of readability c) control of changes(e.g.version control) 1.1.3 Current diagram that shows all cardholder data flows across systems and networks. 6.4.6 Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable. d) retention and disposition - documented info of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified, as appropriate, and - Note access can imply a decision regarding the permission to view the documented Info only, or the permission and authority to view and change the documented info. - 7.5.4 SMS documented information (※DOCUMENT※) - the documented information for the SMS shall include - a) scope of the SMS in 4.3 (Determing the scope of the SM system); - 9.10 Ensure that security policies and operational procedures for restricting physical access
  12. 12. b) policy and objectives for service management c) SM Plan d) change management policy, information security policy and service continuity plans e) processes of the organization's SMS f) service requirements g) service catalogues h) service level agreements(SLA) i) contracts with external suppliers j) agreements with internal suppliers or customers acting as asupplier k) procedures that are required by this doc - 12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations. 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties. 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. 3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. 4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. 5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. 6.4.5.a Examine documented change control procedures and verify procedures are defined for:   Documentation of impact   Documented change approval by authorized parties   Functionality testing to verify that the change does not adversely impact the security of the system   Back-out procedures 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system. 6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. 7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. 8.8 Ensure that security policies and operational procedures for identification and
  13. 13. l) records required to demonstrate evidence (※14. DOCUMENT) of conformity to the requirements of this doc and the organization's SMS. 1.1.1.a Examine documented procedures to verify there is a formal process for testing and approval of all:   Network connections and   Changes to firewall and router configurations 3.1.c For a sample of system components that store cardholder data:   Examine files and system records to verify that the data stored does not exceed the requirements defined in the data retention policy   Observe the deletion mechanism to verify data is deleted securely. 6.4.5.a Examine documented change control procedures and verify procedures are defined for:   Documentation of impact   Documented change approval by authorized parties 7.1 Examine written policy for access control, and verify that the policy incorporates 7.1.1 through 7.1.4 as follows:   Defining access needs and privilege assignments for each role   Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities   Assignment of access based on individual personnel’s job classification and function   Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved. 8.1.2 For a sample of privileged user IDs and general user IDs, examine associated authorizations and observe system settings to verify each user ID and privileged user ID has been implemented with only the privileges specified on the documented approval. 12.3.1 Verify that the usage policies include processes for explicit approval from authorized parties to use the technologies.7.6 The organization shall determine (※15. DOCUMENT※) and maintain the knowledge necessary to support the operation of the SMS and the services. The knowledge is specific to the organization, its SMS, services and interested parties. Knowledge is used and shared to support the achivement of the intended outcome and the operation of the SMS and the services. 2.2.4.a Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components. 6.3.2.a Examine written software-development procedures and interview responsible personnel to verify that all custom application code changes must be reviewed (using either manual or automated processes) as follows:   Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code-review techniques and secure coding practices. 8 8.1 the organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1(Actions to address Risks and Opportunities) by - a) establishing performance "Criteria" for the processes based on requirements; - Knowledge 【ITIL2011: Knowledge Management process】 【ITIL4: Knowledge Management : General management practice】 Operation planning and control Operation
  14. 14. b) implementing control of the processes in accordance with performance "Criteria" 10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment. 10.8.1 Additional requirement for service providers only: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include: •Performing a risk assessment to determine whether further actions are required as a result of the security failure 12.2 Implement a risk assessment process, that: •Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), •Identifies critical assets, threats, and vulnerabilities, and •Results in a formal, documented analysis of risk. Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30. A2.2 Review the documented Risk Mitigation and Migration Plan to verify it includes: •Description of usage, including what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment;c) keeping documented info to the extent necessary to have confidence that the processes have been carried out as planned (※16.DOCUMENT※) - the organiation shall control planned changed to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. 6.4.5.a Examine documented change-control procedures and verify procedures are defined for: •Documentation of impact. •Documented change approval by authorized parties. •Functionality testing to verify that the change does not adversely impact the security of the system. •Back-out procedures. The organization shall ensure that outsourced processed are controlled. 12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: 12.8.1 Maintain a list of service providers including a description of the service provided. 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually. 8.2 8.2.1 Service delivery - The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. - 8.2.2 Plan and services - Service portfolio 【ITIL2011: Service Portfolio Management Process】【ITIL4: Portfolio Management Practice: General management practic】
  15. 15. The service requirements for existing services, new services and changes to services shall be determined and documented.(※17. DOCUMENT※) The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. The organization shall propose changes where needed to align the services with the SM Policy, SM objectives and service requirements, taking into consideration known limitations and risks. The organization shall prioritize requests for change and proposals for new or changed services to align with business needs and SM objectives, taking into consideration N/A 8.2.3 Control of parties involved in the service lifecycle 8.2.3.1 The organization shall retain accountability for the requirements specified in this doc and the delivery of the services regardless of which party is involved in performinng activities to support the service lifecycle. The organization shall determine and apply "Criteria" or the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an externail supplier, and internal supplier or a customer acting as a supplies. Other parties shall not provide or operate all services, service components or processes within the scope of the SMS. The organiztion shall determine and document (※18. DOCUMENT※) a) services that are provided or operated by other parties b) service components that are provided or operated by other parties c) processes, or parts of processes, in the organization's SMS that are operated by other parties. The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service lifecycle including the planning, design, transition, delivery and improvement of services. 8.2.3.2 The organization shall define and apply relevant controls for other parties from the following - a) measurement and evaluation of process performance 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 11.2.3.b Review scan reports and verify that the scan process includes rescans until:   For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.   For internal scans, all “high risk” vulnerabilities b) measurement and evaluation of the effectiveness of services and service components in meeting the service requirements. - 8.2.4 12.8.1 Verify that a list of service providers is maintained and includes a description of the service provided. on what it will communicate
  16. 16. The organization shall create (※19.DOCUMENT※)and maintain one or more service catalogues. The service catalogue shall include information for the organization, customers, users and other interesed parties to describe the services, their intended ourcomes and dependencies between the serices. The orgaization shall provde access to appropriate parts of the service catalogue to its cusomers, users and other interested parties. 12.8.1 Verify that a list of service providers is maintained and includes a description of the service provided. 8.2.5 The organization shall ensure that assets used to deliver services are managed to meet the service requirements and the obligations in 6.3 c (Plan the SMS obligations). 8.2.6 Configuration management 【ITIL2011: Service Asset Management & Configuration Management process 】  【ITIL4: Configuration Management practice: Service management practice】 The types of CI shall be defined. Services shall be classified as CIs. Configuration information shall be recorded (※21.DOCUMENT※) to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuraiton information recorded for each CI shall a) unique indetification b) type of CI c) description of the CI - d) relationship with other CIs - e) status - CI shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. Configuration information shall be made available for other SM activities as - 8.3 8.3.1 General The organization may use suppliers to a) provide or operate services. b) provide or operate service components 12.8.2 Observe written agreements and confirm they include an acknowledgement by service providers that they are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.8.1 Verify that a list of service providers is maintained and includes a description of the service provided. 12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement. 12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. Relationship and agreement Asses management (※20.DOCUMENT※) 【ITIL2011: Service Asset Management & Configuration Management process】 【ITIL4: IT Asset Management; Service management practice】 2.4 Maintain an inventory of system components that are in scope for PCI DSS. 9.9.1 Maintain an up-to-date list of devices. The list should include the following:   Make, model of device   Location of device (for example, the address of the site or facility where the device is located)   Device serial number or other method of unique identification. 12.3 Develop usage policies for critical technologies and define proper use of these technologies. 12.3.3 A list of all such devices and personnel with access
  17. 17. c) operate processes, or parts of processes, that are in the organization's SMS. Figure 2 illustrate the usage, agreements and relationships between business relationship management, service level management and supplier management. 8.3.2 The costomers, users and other interested parties of the services shall be idenfified and documented. (※22.DOCUMENT※)The organization shall have one or more designated individuals responsible for managing customer relationships and maintainning custmer satisfaction. The organization shall establish arrangements for communicating with its customers and other interested parties. The coomunitation shall promote understanding of the evolving business enviroment in which the services operates and shall enable the organization to respond to new or changed service requirements. At planned intervals, the organization shall review the performance trends and the outcomes of the services. At planned intervals, the organization shall measure satisfaction with the service based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved thru the normal channels, a method of escalation shall be provided, 12.8.1 Verify that a list of service providers is maintained and includes a description of the service provided. 8.3.3 The organization and the customer shall agree the services to be delivered. For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements(※23.DOCUMENT※). The SLAs shall include service level targes, workload limits and exceptions. At planned intervals, the organization shall monitor, review and report (※ 24..DOCUMENT※)on 12.8.2 Observe written agreements and confirm they include an acknowledgement by service providers that they are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts. a) performance against service level targets N/A b) actual and periodic changes in workload compared to workload limits in the N/A 8.3.4 8.3.4.1 Management of external suppliers - The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to - environment. 12.10.1.a Verify that the incident response plan includes:   Analysis of legal requirements for reporting compromises (for example, California Bill 1386, Supplier management 【Supplier management process】【ITIL4: Supplier management practice; General management practice】 SLM 【ITIL2011: SLM process】 【ITIL4: SLM practice; Service management practice】 Business relationship management 【ITIL2011: Business relationship management process】 【ITIL4: Relationship Management; General management practice】 【ITIL4: Business Analysis Practice; Service management practice】
  18. 18. a) scope of the serviecs, service components, processes or parts of processes to be provided or operated by the external supplier 12.8.1 Verify that a list of service providers is maintained and includes a description of the service provided. b) requirements to be met by the external supplier c) service level targets or other contractual obligations d) authorities and responsibilities of the organization and the external supplier. The organiazation shall assess the alignment of service level targets or other contractual obligations ofr the external supplier against SLAs with customers, and manage identified risks. The orgaization shall define and manage the interfaces with the external supplier. At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual obligations are not met, the organization shall ensure that opportunities for improvement are identified. At planned intervals, the organization shall review the contract against current service requirements. Changes indetified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. Disputes between the organization and the external supplier shall be recorded and 8.3.4.2 Manamgenet of internal suppliers and customers acting as a supplier For each internal supplier or custmer actinng as a supplier, the organization shall develop, agree and maintain a documented agreement(※25.DOCUMENT※) to define the service level targets, other commitments, activities and interfaces between the parties. At plannned intervals, the organization shall monitor the performance of the internal supplier or the customer acting as a supplier. Where service level targets or other 8.4 8.4.1 Budgeting and accounting for services The organization shall budget and account for services or groups of services in accordance with its financial management policies and proecsses. Costs shall be budgeted to enable effective financial control and decision-making for services. At planned intervals, the organization shall monitor and report (※ 26.DOCUMENT※)on atual costs agaist the budget, review the financial 8.4.2 At planned intervals, the organization shall a) determine current demand and forecast future demand for services b) monitor and report (※27.DOCUMENT※)on demand and consumption of services.8.4.3 The capacity requirements for human, technical, information and financial resources shall be determined(※28.DOCUMENT※), documented and maintained taking into consideration the service and performance requirements. The organization shall plan capacity to include Capacity managementt 【ITIL2011: Capacity Management Process】 【ITIL4: Capacity management practice; Service management practice】 Demand management 【ITIL2011: Demand Management Process】【ITIL4: N/A】 12.4.a Verify that Infosecurity policy and procedures clearly define Infosecurity responsibilities for all personnel. 12.5 Assign to an individual or team the following information security management responsibilities: 12.5.1 Verify that responsibility for establishing, documenting and distributing security policies and procedures is formally assigned. 12.8.2 Observe written agreements and confirm they include an acknowledgement by service providers that they are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement. 12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts. Supply and demand 【ITIL2011: Demand Management Process】【ITIL4: N/A】 9.1.1 Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from 12.1.1 Verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. 11.3.4.1 & A.3.2.1 Validation of PCI DSS scope should be performed as frequently as possible to ensure PCI DSS scope remains up to date and aligned with changing business objectives. N/A
  19. 19. a) current and forecast capacity based on demand for services b) expected impact on capaity of agreed service level targets, requirements for service c) timescales and threshholds for changes to service capacity. - The organization shall provide sufficient capacity to meet agreed capacity and performance requirements. The organization shall monitor capacity usage, analyse capacity and performance data and identify opportunities to improve performance. - 8.5 8.5.1 8.5.1.1 change management policy A change mangement policy shall be established and documented (※ 29.DOCUMENT※)to define a) service components and other items that are under the cotrol of change management b) categories of change, including emergency change, and how they are to be managed c) "Criteria" to determine changes with the potential to have a major impact on customers or services. 8.5.1.2 Change management initiation Requests for change, includiing proposals to add, remove or transfer services (RFP), shall be recorded (※30.DOCUMENT※)and classfied. The organization shall use service design and transition in 8.5.2 (Service design and transition).for: a) new services with the potential to have a major impact on customers or other services as determined by the change management policy b) changes to services with the potential to have a major impact on cuotmers or other services as determined by the change management policy c) categories of change that are to be managed by service design and transition according to the change management policy d) removal of a service e) transfer of an exsiting service from a cusomter or other party ot the organization. Assessing, approving, scheduling and reviewing of new or changed services in the scope of 8.5.2 shall be managed through the change management activities in 8.5.1.3. Requests for change not being managed through 8.5.2 shall be managed through the change management activities in 8.5.1.3 (Change management activities). 8.5.1.3 Change management activities Change management 【ITIL2011: Change Management Process】 【ITIL4: Change Control practice; Service management practice】 6.4.5.a Examine documented change control procedures and verify procedures are defined for:   Documentation of impact   Documented change approval by authorized parties   Functionality testing to verify that the change does not adversely impact the security of the system   Back-out procedures 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system. 6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations. 6.3.2.a Examine written software development procedures and interview responsible personnel to verify that all custom application code changes must be reviewed (using either manual or automated processes) as follows: 12.11 Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes: •Change management processes A2.2 Review the documented Risk Mitigation and Migration Plan to verify it includes: •Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments immediately available for analysis (for example, online, archived, or restorable from backup). Service design, build and transition 【ITIL2011: Design Coordination Process】 【ITIL4: Service Design practice; Service management practice】
  20. 20. The organization and intertested parties shall make decisions on the approval and priority of requests for change Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on a) existing services b) customers, users and other interested parties c) poicies and plans required by this doc d) capacity, service availability, service continuity and information security e) other requests for change, releases and plans for deployment. Approved changes shall be repared, verified and, where possible, tested, Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be inveistigated and agreed actions taken. The organization shall review changes for effectiveness and take actions agreed with intered parties. At planned intervals, request for change records (RFC) (※31.DOCUMENT※) shall be analysed to detect trends. The resultes and conclusions drawn from analysis shall be recorded(※32.DOCUMENT※) and reviewed to identify8.5.2 8.5.2.1 Plan new or changed services - Planning shall use the service requirements for the new or changed services determined in 8.2.2 (Plan and services) and shall include or contain a reference to - a) authorities and reponsibilities for design, build and transition activities b) activities to be performed by the organization or other parties with their timesales c) human, technical, informatwion and financial resources N/A d) dependencies on other services 12.8.1 Verify that a list of service providers is maintained and includes a description of the service provided. e) testing needed for the new or changed services 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations. 6.4.5.a Examine documented change control procedures and verify procedures are defined for:   Functionality testing to verify that the change does not adversely impact the security of the system 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security f) service acceptance "Criteria" N/A Service design and transition 【ITIL2011: Design Coordination process】 【ITIL4: Service Design practice; Service management practice】 12.4.a Verify that Infosecurity policy and procedures clearly define Infosecurity responsibilities for all personnel. 12.5.1 Verify that responsibility for establishing, documenting and distributing security policies and procedures is formally assigned.
  21. 21. g) intended outcomes from delivering the new or changed services, expressed in measureable terms. 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 11.2.3.b Review scan reports and verify that the scan process includes rescans until:   For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.   For internal scans, all “high risk” vulnerabilities h) impact on the SMS, other services, planned changes, customers, users and other interested parties. 6.4.5.1 Verify that documentation of impact is included in the change control documentation for each sampled change. A3.1.2.a Examine information security policies and procedures to verify that processes are specifically defined for the following:   Business-impact analysis to determine potential PCI DSS impacts for strategic business decisions For services that are to be removed, the planning shall additionally include the dates for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. For services that are to be transferred, the planning shall additionally include the date for the transfer of the services and the activities for the transfer of data, documented information(※33.DOCUMENT※), knowlege and service components. The CIs affected by new or changed services shall be managed through configuration management. - 8.5.2.2 The new or changed service shall be designed and documented (※ 34.DOCUMENT※)to meet the service requirements determined in 8.2.2(Plan and services). The design shall include relevant items from the following - a) authorities and responsibilities of the parties involved in the delivery of the new or changed services 12.4.a Verify that Infosecurity policy and procedures clearly define Infosecurity responsibilities for all personnel. 12.5.1 Verify that responsibility for establishing, documenting and distributing security policies and procedures is formally assigned. b) requirements for changes to human, technical, information and financial resources N/A Design 【ITIL2011: Transition Planning & Support process】 【ITIL4: Transition Planning & Support ; General management practice】
  22. 22. c) requirements for appropriate education, training and experience 2.2.4.a Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components. 6.3.2.b Code changes are reviewed by individuals who are knowledgeable in code-review techniques and secure coding practices. 11.2.1 Scans must be performed by qualified personnel. 11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). 11.3.1.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV). 12.6 Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures. 12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures. d) new or changed SLAs, contracts and other documented agreements (※ 35.DOCUMENT※)that support the services 12.8.2 Observe written agreements and confirm they include an acknowledgement by service providers that they are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts. e) changes to the SMS including new or changed policies, plans, processes, procedures, measures and knowleged 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 11.2.3.b Review scan reports and verify that the scan process includes rescans until:   For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.   For internal scans, all “high risk” vulnerabilities f) impact on other services 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. 6.4.5.1 Verify that documentation of impact is included in the change control documentation for each sampled change. A3.1.2.a Examine information security policies and procedures to verify that processes are specifically defined for the following:   Business-impact analysis to determine potential PCI DSS impacts for strategic business decisions
  23. 23. g) updates to the service catalogue. 12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: 8.5.2.3 The new or change services shall be built and tested to verify that they meet the service requirements, conform to the documented design (※36.DOCUMENT※) and meet the agreed service acceptance "Criteria". If the service acceptance "Criteria" are not met, the organization and interested parties shall make a decision on necessary actions and deployment. "Release and deployment management" shall be used to deploy approved new or changed services into the live environement. Following the completion of the transition activities, the organization shall report to interested parties on the achievements against the intended ourcomes. 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations. 8.5.3 The organization shall define the types of release, including emergency release, their frequency and how they are to be managed. The organization shall plan the deployement of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include refrences to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and mehtods of deployment. The release shall be verified against documented acceptance "Criteria" (※ 37.DOCUMENT※)and approved before deployment. If the acceptance "Criteria" are not met, the organiation and interested parties shall make a decision on necessary actions and deployment. Before deployment of a release into the live environement, a baseline of the affected CIs shall be taken. The release shall be deployed into the live environment so that the integrity of the services and service components is maintained. The success or faulure of releases shall be monitored and analysed. Measurements shall include incidents released to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded (※38.DOCUMENT※)and reviewed to identify opportunities for improvement. Information about the sucess or failure of releases and future release dates shall be made available for other SMactivities as appropriate. 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations. 6.4.5.a Examine documented change control procedures and verify procedures are defined for:   Documentation of impact   Documented change approval by authorized parties   Functionality testing to verify that the change does not adversely impact the security of the system   Back-out procedures 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system. 8.6 8.6.1 Incidents shall be - Build and transition 【ITIL2011: Transition Planning & Support process】 【ITIL4: Transition Planning & Support ; General management practice】 Release and deployment management 【ITIL2011: Release and deployment process】【ITIL4: Release practice; Service management practice】 【ITIL4: Deployment Management; Incident management 【ITIL2011: Incident Management process】【ITIIL4: Service management process】 Resolution and fulfilment
  24. 24. a) recorded and classified (※39.DOCUMENT※) b) prioritized taking into consideation impact and urgency c) escalated if needed d) resolved e) closed Records of incidents shall be updated with actions taken The organization shall determine "Criteria" to indentify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for manageing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. 8.6.2 Service request shall be - a) recorded and classified(※40.DOCUMENT※) b) prioritized taking into consideation impact and urgency c) fulfilled d) closed Records of service reuests shall be updated with actions taken. Instructions for the fulfilment of service requests shall be made available to persons involved in service request fulfilment. 8.6.3 The organization shall analyse data trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurenence or recurrence of incidents. - Problems shall be - Service request management 【ITIL2011:Service request management process】【ITIL4: Service request management Practice; Serice management practice】 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 6.2.b For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify the following:   That applicable critical vendor-supplied security patches are installed within one month of release.   All applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months). 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 6.2.b For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify the following:   That applicable critical vendor-supplied security patches are installed within one month of release.   All applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months).10.6.1.b Observe processes and interview personnel to verify that the following are reviewed at least daily: 10.8.b Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert. 11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected. 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. 12.5.3 Verify that responsibility for establishing, documenting, and distributing security incident response and escalation procedures is formally assigned 12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach. 12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts. Problem management 【ITIL2011: Problem management process】【ITIL4: Problem management practice; Service management practice】
  25. 25. a) recorded and classified(※41.DOCUMENT※) b) prioritized c) escalated if needed d) resolved if possible e) closed Recorded of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations. 6.4.5.a Examine documented change control procedures and verify procedures are defined for:   Documentation of impact   Documented change approval by authorized parties   Functionality testing to verify that the change does not adversely impact the security of the system   Back-out procedures 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security Where the root cause has been indentified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known erorrs shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other SMactivities as appropriate. N/A At planned intervals, the effectiveness of problem resolution shall be monitored, reviewed and reported. N/A 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 6.2.b For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify the following:   That applicable critical vendor-supplied security patches are installed within one month of release.   All applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months). 10.6.1.b Observe processes and interview personnel to verify that the following are reviewed at least daily: 10.8.b Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert. 11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected. 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. 12.5.3 Verify that responsibility for establishing, documenting, and distributing security incident response and escalation procedures is formally assigned 12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach.
  26. 26. 8.7 8.7.1 At planned intervals, the risks to service availability shall be assessed and documented. (※42.DOCUMENT※)The organization shall determine the service availability requirements and targets. The agreed requreiments shall take into consideration relevant business requirements, service requirements, SLAs and risks. N/A Service availability requirements and targets shall be documented and maintained. (※43.DOCUMENT※) N/A Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be monitored, the resultes recorded (※ 42.DOCUMENT※)and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. N/A Note Risks identified in 6.1 (Actions to address Risks and Opportunities) can provide input to the risks for service availability, service continuity and information security. N/A 8.7.2 At planned intervals, the risks to service continuity shall be assessed and documented.(※44.DOCUMENT※) The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. - 8.7.3 8..7.3. Information sercurity policy - Service availability management 【ITIL2011: Availability Management Process】 【ITIL4: Availability Mnagement Practice; Service management practices】 Service continuity management 【ITIL2011: N/A】 【ITIL4: Service Continuing Management Practice: General management practices】 Information security management 【ITIL2011: Information Security Management Process】 【ITIL4: Information Security Management Practice; General management practices】 Service assuarance
  27. 27. Management with appropriate authority shall approve and information security policy relevant to the organization. The information security policy shall be documented (※45.DOCUMENT※) and take into consideration the service requirements and the obligations in 6.3 c (Plan the SMS - reguratory). 1.1.1.a Examine documented procedures to verify there is a formal process for testing and approval of all: •Network connections, and •Changes to firewall and router configurations. 3.1.a Examine the data-retention and disposal policies, procedures and processes to verify they include the following for all cardholder data (CHD) storage: 3.5 Examine key-management policies and procedures to verify processes are specified to protect keys used for encryption of cardholder data against disclosure and misuse and include at least the following: 4.2.a If end-user messaging technologies are used to send cardholder data, observe processes for sending PAN and examine a sample of outbound transmissions as they occur to verify that PAN is rendered unreadable or secured with strong cryptography whenever it is sent via end-user messaging technologies. 5.3.c Describe how processes were observed to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by- case basis for a limited time period. 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 6.3 Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: •In accordance with PCI DSS (for example, secure authentication and logging). •Based on industry standards and/or best practices. •Incorporate information security throughout the software development life cycle. 6.4 Examine policies and procedures to verify the following are defined: •Development/test environments are separate from production environments with access control in place to enforce separation. 6.4.2 Observe processes and interview personnel assigned to development/test environments and personnel assigned to production environments to verify that separation of duties is in place between development/test environments and the production environment. 6.4.3.a Observe testing processes and interview personnel to verify procedures are in place to ensure production data (live PANs) are not used for testing or development. 8.1.a Review procedures and confirm they define processes for each of the items below atThe information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within -
  28. 28. a) the organization A3.1.3 PCI DSS compliance roles and responsibilities must be specifically defined and formally assigned to one or more personnel, including at least the following:   Managing PCI DSS business-as-usual activities   Managing annual PCI DSS assessments   Managing continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement)   Managing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions b) customers and users 12.9 Additional testing procedure for service provider assessments only: Review service provider’s policies and procedures and observe templates used for written agreements to confirm the service provider acknowledges in writing to customers that the service provider will maintain all applicable PCI DSS requirements to the extent the service provider possesses or otherwise stores, processes, or transmits cardholder data on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. c) external suppliers, internal suppliers and other intested parties. 12.1 Examine the information security policy and verify that the policy is published and disseminated to all relevant personnel (including vendors and business partners). 8.7.3.2 Information security controls - At planned intervals, the information security risks to the SMS and the services shall be assessed and documented.(※46.DOCUMENT※) Informaton security controls shall be determinedm implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented.(※47.DOCUMENT※) 12.2.b Review risk-assessment documentation to verify that the risk-assessment process is performed at least annually and upon significant changes to the environment. A3.3.3 Perform reviews at least quarterly to verify BAU activities are being followed. Reviews must be performed by personnel assigned to the PCI DSS compliance program (as identified in A3.1.3), and include the following:   Confirmation that all BAU (Business As Usual)activities (e.g., A3.2.2, A3.2.6, and A3.3.1) are being performed   Confirmation that personnel are following security policies and operational procedures (for example, daily log reviews, firewall rule-set reviews, configuration standards for new systems, etc.)   Documenting how the reviews were completed, including how all BAU activities were verified as being in place.   Collection of documented evidence as required for the annual PCI DSS assessment   Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program (as identified in A3.1.3)   Retention of records and documentation for at least 12 months, covering all BAU activities The organization shall agree and implement information security controls to address information security risks related to external organizations. 12.2 Implement a risk-assessment process that:   Is performed at least annually and upon significant changes to the environment (for
  29. 29. The organiation shall monitor and review the effectiveness of information security controls and take necessary actions. 8.7.3.3 Information security incidents - Information security incidents shall be - a) recorded (※47.DOCUMENT※) and classified b) prioritized taking into consideration the information security risk c) escalated if needed d) resolved e) closed The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security shall be reported and reviewed to identify opportunities for improvement. Note The ISO27000 series specifies requirements and provides guidance to support the implementation and operation of an information security management system, ISO27013 provides guidance on the integration of ISO27001 and ISO20000-1(This document). - 9 9.1 The organization shall determine - a) what needs to be monitored and measured for the SMS and the services Performance evaluation Monitoring, Measurement, Analysis and Evaluation(※48.DOCUMENT※) 【ITIL2011: Event Management process】【ITIL4: Monitoring and event management practice: Service management practice】 1.1.7.a Verify that firewall and router configuration standards require review of firewall and 10.6.1.b Observe processes and interview personnel to verify that the following are reviewed at least daily: 10.8.b Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert. 11.1.2 Implement incident response procedures in the event unauthorized wireless access 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 6.2.b For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify the following:   That applicable critical vendor-supplied security patches are installed within one month of release.   All applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months). example, acquisition, merger, relocation, etc.),   Identifies critical assets, threats, and vulnerabilities, and   Results in a formal, documented analysis of risk. A3.3.1.1 Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:   Restoring security functions   Identifying and documenting the duration (date and time start to end) of the security failure   Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause   Identifying and addressing any security issues that arose during the failure   Performing a risk assessment to determine whether further actions are required as a result of the security failure   Implementing controls to prevent cause of failure from reoccurring   Resuming monitoring of security controls PCI DSS Reference: Requirements
  30. 30. b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results c) when the monitoring and measuring shall be performed d) when the results from monitoring and measurement shall be analysed and evaluated. The organization shall retain appropriate documented info (※49.DOCUMENT※) as evidence of the results 10.7.a Procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online. The organization shall evaluate the SMS performance against the SM objectives and evaluate the effectiveness of the SMS. The organization shall evaluate the effetiveness of the services agaist the service requirements. - 9.2 Internal Audit (※50. DOCUMENT※) 9.2.1 The organization shall conduct internal audits at planned ientervals to privide info on whether the SMS. a) conforms to 1) the organization's own requirements for its SMS 2) the requirements of this doc b) is effectively implemented and maintained. 9.2.2 The organization shall a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration 1) the importance of the processes concerned 2) changes affecting the organization 3) the results of previous audits b) define the audit "Criteria" and scope for each audit router rule sets at least every six months. 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 10.6.1 Review the following at least daily:   All security events   Logs of all system components that store, process, or transmit CHD and/or SAD   Logs of all critical system components   Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.). 10.4 Examine configuration standards and processes to verify that time-synchronization technology is implemented and kept current per PCI DSS Requirements 6.1 and 6.2. 10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment. 11.2.3.b Review scan reports and verify that the scan process includes rescans until:   For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.   For internal scans, all “high risk” vulnerabilities 12.2 Implement a risk assessment process, that: •Is performed at least annually and upon significant changes to the environment (for (N/A - Internal audit is not mandate for PCI DSS version 3.2.1)
  31. 31. c) select auditors and conduct audits to ensure objectivity and the impartiality of the audits process d) ensure that the results of the audits are reported to relevant management e) retain documented info (※51.DOCUMENT※)as evidence of the implementation of the audit programme(s) and the audit results 9.3 Top management shall review the organization's SMS and the services, at planned intervals, to ensure their continuing suitability, adequacy and effectiveness. The management review shall include consideration of a) the status of actions from previous management reviews b) changes in external and internal issues that are relevant to the SMS N/A c) Info on the SMS performance and effectiveness of the SMS, including trends in - 1) NC and corrective actions 6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: •Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code review techniques and secure coding practices. •Code reviews ensure code is developed according to secure coding guidelines. •Appropriate corrections are implemented prior to release. •Code review results are reviewed and approved by management prior to release. 2) monitoring and measurement evaluation results 3) audit results d) Opportunities for Continual Improvement (OFI) 【ITIL2011:N/A】 【ITIL4: Service Continuity management practice; Service management practice 】 - - 5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software. 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 10.6.1 Review the following at least daily: •All security events •Logs of all system components that store, process, or transmit CHD and/or SAD •Logs of all critical system components •Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.). 11.2.3.b Review scan reports and verify that the scan process includes rescans until:   For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.   For internal scans, all “high risk” vulnerabilities Management Review (※DOCUMENT※)
  32. 32. e) feedback from customers and other interested parties 12.1.1 Verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. 11.3.4.1 & A.3.2.1 Validation of PCI DSS scope should be performed as frequently as possible to ensure PCI DSS scope remains up to date and aligned with changing business objectives. f) adherence to and suitability of the SM policy and other policies required by this doc - g) achievement of SM objectives - h) performance of the services - i) performance of other parties involved in the delivery of the services - j) current and forcast human, technical, informatiion and financial resource levels, and human and technical resource capabilities. 【ITIL2011: Financial Service Management process】 【ITIL4: Service Financial Management; General 12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments. k) resultes of risk assessment and the effectiveness of actions taken to address risks and opportunities 【ITIL2011: N/A】【(ITIL4: Risk Management: General management practices】 A3.1.1 Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include: ・ Providing updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least annually l) current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities N/A The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. N/A The organization shall retain documented information(※52.DOCUMENT※) as evidence of the resultes of management reviews. N/A 9.4 Service reporting N/A The organization shall determine reporting requirements and their purpose. N/A Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivey of the sercices. Service reporting shall include trends. N/A The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. N/A note The reports that are required are specified in the relevant clauses of this document. Additional reports can also be produced. N/A 10 10.1 10.1.1 When a non NC occures, the ornigazaition shall a) react to the NC, and as applicable 1) take action to control and correct it Improvement 6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: NC and Corrective Action (※53.DOCUMENT※)【ITIL2011: N/A】 【ITIL4: Continual improvement practice; General management practices】
  33. 33. 2) deal with the consequences 12.4.1 Additional requirement for service providers only: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include: •Overall accountability for maintaining PCI DSS compliance •Defining a charter for a PCI DSS compliance program and communication to executive management A3.1.1 Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include: ・ Overall accountability for maintaining PCI DSS compliance ・ Defining a charter for a PCI DSS compliance program ・ Providing updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least annually b) evaluate the need for action to eliminate the causes of the NC, in order that it does not recur or occur elsewhere, by 1) reviewing the NC 2) determining the causes of the NC 3) determining if similar NC exist, or can potentially occur c) implement any action needed d) review the effectiveness of any corrective action taken e) make changes to the SMS, if necessary 12.1.1 Verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. 11.3.4.1 & A.3.2.1 Validation of PCI DSS scope should be performed as frequently as possible to ensure PCI DSS scope remains up to date and aligned with changing business objectives. 10.1.2 The organization shall retain documented info as evidence (※54.DOCUMENT※)of - a) the nature of the NC and any subsequent actions taken CAP of the PCI DSS on-site assessment b) the results of any corrective action. CAR of the PCI DSS on-site assessment 10.2 The organizaion shall - the organization shall continually improve the suitability, adequency and effectiveness of the SMS and the services. The organization shall determine evaluation "Criteria" to be applied to the opportunities for improvement when making decisions on their approval. Evaluation "Criteria" shall include alignment of the improvement with SM objectives. Continual Improvement 10.8.1.a Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to respond to a security control failure, and include:   Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause   Performing a risk assessment to determine whether further actions are required as a result of the security failure   Implementing controls to prevent cause of failure from reoccurring A3.1.3 PCI DSS compliance roles and responsibilities must be specifically defined and formally assigned to one or more personnel, including at least the following:   Managing PCI DSS business-as-usual activities   Managing annual PCI DSS assessments   Managing continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement)   Managing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions

×