Data Security Standards: Requirements and Security Assessment Procedures - Assignment Example
Name
Course
Institution
December 11, 2016

Part 1

A firewall is a device used to control internal and external computer traffic, as well as traffic into and out of the more sensitive areas within trusted networks, such as the cardholder data environment. Generally, a firewall controls all network traffic and stops untrusted and insecure transmissions (Security Standards Council (SSC), 2016). Since the firewall is a key protective device, it is needed to protect against unauthorized system access from untrusted networks. External networks provide unprotected pathways into the system that may seem insignificant. The configurations of the router and the firewall must be evaluated to examine outbound traffic from the cardholder data environment to the internet.

Part 2

Default passwords and other security settings set by vendors are well known to cyber criminals and can easily be determined from public information. It is advisable to disable or change these passwords and settings before a system is installed on the network. Common vendor-set defaults include those used by security software, operating systems, payment applications, point-of-sale terminals, and application and system accounts (Security Standards Council (SSC), 2016). Default passwords and other system settings must be changed because cyber criminals can use them to tamper with the system.

Part 3

Protecting cardholder data has critical components such as masking, truncation, hashing and encryption. If an intruder gains access to encrypted data by bypassing the security controls but without the proper cryptographic keys, the data will be unusable, since the intruder cannot read it. Further techniques for ensuring the safety of cardholder information must be treated as risk-reducing opportunities.
One way of reducing risk is to avoid sending unprotected PANs through insecure messaging channels such as live chat applications and email (SSC, 2016).

Part 4

Sensitive information transmitted over networks that unauthorized persons can access with ease must be encrypted. Malicious persons target poorly configured networks and take advantage of their weaknesses to obtain privileged access to cardholder data environments (Security Standards Council (SSC), 2016). To protect cardholder private data when transmitting it over vulnerable networks, only trusted certificates and keys should be accepted, the protocol in use should support only secure configurations and versions, and the encryption strength should be appropriate to the technique used (Security Standards Council (SSC), 2016).

Part 5

Undesirable software such as worms, Trojans, and viruses invades the network during various business processes, such as use of the internet, email, storage devices, and mobile computers, leading to exploitation of system vulnerabilities (Security Standards Council (SSC), 2016). This normally happens on systems that have no virus protection software installed and are not otherwise protected against malware. It is therefore necessary to install virus protection programs and update them regularly in order to protect the system from existing and future software threats.

Part 6

Malicious people may gain privileged access to a system by taking advantage of security weaknesses. Most of these security weaknesses are corrected by default security settings. In addition, a process to identify system vulnerabilities should be established, using reputable external sources for vulnerability information, and a risk ranking should be assigned to newly discovered vulnerabilities (Security Standards Council (SSC), 2016).
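The masking, truncation and hashing controls named in Part 3, applied to a primary account number (PAN), as an added example that is not part of the essay or of the PCI SSC document it cites. The first-six/last-four display limit is the one the standard itself sets (PCI DSS Requirement 3.3); the PAN, the HMAC key and the helper names are constructed for this example.

```python
"""Added example: PAN masking, truncation and keyed hashing (PCI DSS Req. 3)."""
import hashlib
import hmac
import re

SAMPLE_PAN = "4111111111111111"          # constructed test PAN, not a real card
SAMPLE_KEY = b"example-only-hmac-key"    # constructed; real keys live in a key store


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and require 13-19 digits (the ISO/IEC 7812 PAN range)."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def mask_pan(pan: str) -> str:
    """Masking for display: at most the first six and last four digits are shown."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation for storage: permanently keep only the last four digits."""
    return normalize_pan(pan)[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) that lets records be matched without storing the PAN.

    An unkeyed hash is not enough here: the space of valid PANs is small enough
    that a table of plain hashes can be rebuilt, so the key must stay secret.
    """
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def redact_message(text: str) -> str:
    """Part 3 warns against sending PANs over chat or email: replace any 13-19
    digit run in free text with its masked form before the text leaves the system.
    (Any long digit run is treated as a PAN; masking a non-PAN is the safe error.)"""
    return re.sub(r"\b\d{13,19}\b", lambda m: mask_pan(m.group()), text)


if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN), truncate_pan(SAMPLE_PAN))
    print(hash_pan(SAMPLE_PAN, SAMPLE_KEY))
    print(redact_message("customer card 4111111111111111 declined"))
```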
Part 7

Processes and systems should be put in place to restrict access to cardholder data on the basis of need to know and job responsibility, so that important information is accessible only to authorized persons. "Need to know" describes a situation in which access is granted to only the least amount of data and the fewest privileges required to carry out a given activity (Security Standards Council (SSC), 2016). Access to cardholder information must be limited by business need to know because, if many people are allowed to access the information, there is a high probability that a user account will be misused. Restricting access to individuals with legitimate intentions helps prevent misuse of cardholder private information, whether through malice or inexperience (Security Standards Council (SSC), 2016).

Part 8

Every person with access to the system should be assigned a unique identification, so that each individual is exclusively responsible for their own actions. With that accountability in place, every action taken on the system and on critical data is performed by, and can be traced to, known and authorized users and processes (Security Standards Council (SSC), 2016). Of particular concern are the frequency of password attempts by cyber criminals and the security techniques that protect user passwords at the point of entry and while in storage.

Part 9

Any physical access to systems or data containing cardholder private information gives persons the chance to access information or devices and to remove systems or hard copies, and must be properly restricted (Security Standards Council (SSC), 2016). When physical access is not restricted, malicious individuals can gain access to the facility to tamper with, destroy, or disrupt important cardholder information as well as important systems.
For this reason, it is imperative to limit physical access to cardholder private information. One way of doing this is to use suitable facility entry controls to monitor and restrict access to the environment housing cardholder data. For instance, locking console login screens stops illegitimate individuals from changing system configurations, accessing crucial information, or destroying important information (Security Standards Council (SSC), 2016).

Part 10

Logging mechanisms and the capacity to track and monitor the activities of system users are important in detecting, reducing, and stopping the effect of a data compromise. Logs help in tracking, alerting on, and evaluating security issues that may arise in the system. In systems without security logs, it is difficult and sometimes impossible to establish the cause of a data compromise (Security Standards Council (SSC), 2016). In essence, the key reason it is imperative to track and monitor all access to cardholder data and network resources is that doing so helps in detecting, reducing, and stopping the effect of a data compromise.

Part 11

Frequent tests should be carried out on system components, processes, and custom software to ensure that security controls continue to reflect a changing environment. Processes should also be implemented to test for wireless access points and to detect and identify, on a quarterly basis, all authorized and unauthorized wireless access points. Where unauthorized wireless access points are found, incident response procedures should be initiated (Security Standards Council (SSC), 2016). In addition, an inventory of authorized wireless access points should be maintained.

Part 12

A proper security policy is the foundation of a strong security standard for the entire organization and informs personnel what is required of them.
All personnel should be well informed of the sensitivity of the data and of their responsibilities for protecting it. In this context, the term personnel refers to part-time and full-time employees, consultants, contractors, and temporary employees who are resident on the organization's site or who have access to the cardholder data environment (Security Standards Council (SSC), 2016).

Reference:

Security Standards Council (SSC). (2016). Data Security Standards: Requirements and Security Assessment Procedures. Payment Card Industry.