ROC Assessment Overview

PCI DSS v3.0
Report on Compliance (ROC)
Assessment Overview
Jeff Messer
Director, TAAS
01/08/2015
Agenda
 What / Why / Who
 ROC Schedule
 Request for Information (RFI) Process Overview
 Onsite Assessment
 Remote Assessment and Remediation Activities
 Draft ROC Report
 Quality Assurance and Draft Review
 Final Report
 Challenges from Experience
 Questions
What / Why / Who
 What is a ROC?
o Report on Compliance
 Why do we need to do a ROC?
o Because you’re a Level 2 merchant you are required to have an onsite
assessment performed on an annual basis.
 Who is involved?
o Business
o IT
ROC Schedule
 Period 1 - Pre-Assessment
o Documentation and Preparation
o Cardholder Data Environment (CDE) Review
• All the People, Processes and Technologies, involved in Storing,
Transmitting or Processing cardholder data (CHD).
 Period 2 – Assessment
o ROC Process - Report on Compliance validation
ROC Process Flowchart
RFI Process - Overview
 The Coalfire RFI Process is intended to prepare for and
facilitate a smooth PCI DSS assessment project.
 Successful completion of each RFI Phase is critical for
meeting timeline expectations for the ROC.
RFI Phase 1
 Phase 1 Documents
o Exec 1 – Business Description
o Exec 2 – Department Scope Identification Process
o Exec 3 – Dataflow Diagram(s) / Campus Scope Narrative
o Exec 4 – Network Diagram(s)
o Exec 5 – CDE Inventory
Exec 1 – Business Description
 Non-marketing explanation of:
o Lines of business (e.g. retail, ecommerce, brick-and-mortar, etc.)
o Operating locations
o Revenues
o Number of employees
o Number of IT employees
o Major IT contract providers
Exec 2 – Scope Identification Process
 Covers all of the methods and processes used to identify and
document all instances of cardholder data (electronic /
paper)
 Include any data discovery tools, manual or automated
processes used to ensure that no cardholder data exists
outside of the CDE.
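As an added illustration of the automated data-discovery step mentioned above (example code written for this page, not a Coalfire tool or the campus's own process), the following Python script scans constructed sample files for candidate primary account numbers, keeps only those that pass the Luhn check, and reports masked values so the scan output itself does not become cardholder data. The file names, log lines and PANs are invented for the example; the PANs are the well-known public test card numbers.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Extraction is deliberately coarse; the
# Luhn check below is what removes most non-card numbers.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample data (not real logs): one valid test PAN, one PAN that
# fails Luhn, a phone number, and an Amex test PAN in a CSV export.
SAMPLE_FILES: Dict[str, str] = {
    "app.log": (
        "2015-01-08 10:01:02 INFO order=A1001 card=4111111111111111 amt=19.99\n"
        "2015-01-08 10:01:03 INFO order=A1002 card=4111 1111 1111 1112 amt=5.00\n"
        "2015-01-08 10:01:04 INFO support phone 303-555-0100\n"
    ),
    "export.csv": "name,pan\nJ Doe,3782-822463-10005\n",
}


@dataclass(frozen=True)
class Finding:
    source: str    # file the hit came from
    line_no: int   # 1-based line number within that file
    masked: str    # PAN with all but the last four digits replaced by '*'


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, as a report should never store a PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(source: str, text: str) -> List[Finding]:
    """Scan one text blob line by line and return Luhn-valid candidates."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, line_no, mask(digits)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of file name -> contents (stands in for walking a share)."""
    results: List[Finding] = []
    for name, text in files.items():
        results.extend(scan_text(name, text))
    return results


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.source}:{f.line_no}: possible PAN {f.masked}")
```

Every hit still needs a human to confirm it is cardholder data: a Luhn-valid 13 to 19 digit number can be an order or serial number, and PANs stored encrypted, truncated or split across fields will not be matched by this kind of pattern scan at all. That is why the slide pairs automated discovery with manual process review.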
Exec 3 – Dataflow Diagram(s) / Dept. Scope Narrative
 Describe all manners in which you accept and
process payment card transactions from card data
capture through settlement.
 Descriptions need to be accompanied with data
flow diagrams that highlight the flow of CHD
o Into the CDE
o Throughout the CDE
o Out of the CDE
Exec 4 – Network Diagram(s)
 Depicting the CDE
 All of the CDE boundaries
 How it is connected to (and/or segmented from)
other networks.
 The diagrams should be both high-level and
detailed.
Exec 5 – CDE Inventory
 CDE Inventory spreadsheet documents all in-scope systems
that make up the CDE.
 The inventory must align with all information previously
provided.
 Completion of this inventory is critical for scheduling and
sampling purposes.
RFI Phase 2
 Phase 2 Documents
o Provide a complete “RFI Phase 2” document
• Mapping your documentation to all applicable PCI DSS requirements
• Identifying the Owner(s) for each and the Owner Contact(s) for each
requirement.
o Provide the documentation to Coalfire.
o Onsite scheduling:
• Interviews (Interview Schedule)
• Assessments
• Evidence Collection
RFI Phase 2 Spreadsheet
Onsite Assessment
 Assess all in-scope facilities
 Conduct interview sessions with key personnel
 Perform all necessary technical validation
Remote Assessment & Remediation
 Remote Assessment
o This time period is to complete any review activity that was not
completed during the onsite assessments.
 Remediation
o This time period is to validate that any issues identified during
the assessment have been addressed (i.e. remediated).
Draft ROC Report
 We begin writing the ROC report as soon as the Phase 1
documentation has been collected and is complete.
 After all review and remediation activities have completed,
the draft report will be issued.
Quality Assurance and Draft Review
 The draft report will be reviewed both by the Campus and by
Coalfire’s QA process.
 The draft will go through iterations until it successfully
completes both reviews.
Final Report
 Campus approves the content of the draft report.
 Final Report on Compliance (ROC) and the associated
Attestation of Compliance (AOC) will be signed and issued.
Challenges from Experience
 Take this seriously, you don’t want to be a headline.
 Most merchants overestimate their level of control and
underestimate the scope of their environment.
 Read the PCI DSS v3.0 to ensure you understand the
requirements.
 Think out of the box, don’t assume you know your scope,
take time to validate it.
 Surprises are found during penetration testing and
vulnerability scanning.
 Remediation always takes longer than you think.
Questions?