2014 FOA/PSSOA CSU Business Conference
Riding the wave from PCI DSS Ver 2.0 to 3.0
Ed Hudson, Systemwide Director, Information Security
Gina Curry, Director, Student Financial Services Center & University Bursar, CSU Sacramento
Summary of Changes (effective January 2014)
Change types: Clarification, Additional Guidance, Evolving Requirement (20)
5 Key Areas
Penetration Testing
Inventorying of System Components
Vendor Relationships
Anti-Malware
Physical Access and Point of Sale (POS)
Penetration Testing (11.3)
Penetration testing must follow an “industry accepted methodology”
Best practice until June 30, 2015
Why is this an issue?
Inventorying System Components (2.4)
“Maintain an inventory of system components that are in scope for PCI DSS”
All hardware (virtual or physical)
Software (commercial or custom)
Applications (off the shelf, external or internal)
Requires that assessors “verify a list of hardware and software components including a description of function”
Authorized Wireless AP (11.1.1)
Vendor Relationships (12.8.5 & 12.9)
Requires explicit documentation
Which PCI requirements are managed by you, or by a vendor, and which vendors (matrix)
Matrix
Contractual requirements
Anti-Malware (5.1.2)
Requires campuses to “identify and evaluate evolving malware threats for systems not commonly affected”
Requires specific authorization from management to disable or alter antivirus, and that authorization must be time limited
Physical Access and POS (9.3)
Control access for onsite personnel
Access must be authorized and based on job function
Revoked immediately upon termination
Protect devices from tampering/substitution (9.9)
Consider non-standard POS: food trucks, carts, etc.
Inventory and regular checking/inspection, and policy
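As an added example (not from the presentation), a Python check that reconciles a 2.4 in-scope component inventory with 9.9 terminal inspection records: it flags components with no description of function, terminals overdue for inspection, and terminals whose observed serial number differs from the inventory (a substitution indicator). The inventory, the inspection log and the 90-day interval are constructed assumptions, not campus data.

```python
"""Added example, not from the presentation: reconcile a PCI DSS 2.4 component
inventory with 9.9 POS inspection records. All data below is constructed."""
from datetime import date

# Constructed in-scope inventory (2.4): each entry should describe its function.
INVENTORY = [
    {"id": "pos-01", "type": "hardware", "serial": "SN-1001",
     "function": "card terminal, bookstore"},
    {"id": "pos-02", "type": "hardware", "serial": "SN-1002",
     "function": "card terminal, food truck"},
    {"id": "app-01", "type": "software", "serial": None,
     "function": ""},  # missing description: an assessor would flag this
]

# Constructed inspection log (9.9): the serial number staff read off the device.
INSPECTIONS = [
    {"id": "pos-01", "date": "2014-05-02", "serial_seen": "SN-1001"},
    {"id": "pos-02", "date": "2014-01-15", "serial_seen": "SN-9999"},
]

MAX_DAYS = 90  # assumed campus policy: inspect every terminal at least quarterly


def inventory_gaps(inventory):
    """Ids of components with no description of function (2.4)."""
    return [c["id"] for c in inventory if not c["function"].strip()]


def inspection_findings(inventory, inspections, today_iso):
    """Map device id -> findings for card-reading hardware (9.9)."""
    today = date.fromisoformat(today_iso)
    latest = {}  # newest inspection record per device (ISO dates sort as text)
    for rec in inspections:
        if rec["id"] not in latest or rec["date"] > latest[rec["id"]]["date"]:
            latest[rec["id"]] = rec
    findings = {}
    for dev in inventory:
        if dev["type"] != "hardware":
            continue
        notes = []
        rec = latest.get(dev["id"])
        if rec is None:
            notes.append("never inspected")
        else:
            if (today - date.fromisoformat(rec["date"])).days > MAX_DAYS:
                notes.append("inspection overdue")
            if rec["serial_seen"] != dev["serial"]:
                notes.append("serial mismatch: possible substitution")
        if notes:
            findings[dev["id"]] = notes
    return findings
```

Run with the campus's real inventory export and the date of the review; the findings dictionary is what goes into the tracking process and the annual report.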
Building a plan
Partner on ownership
Engage senior executives
Plan
Communicate
Prioritized Approach
Case Study: Sacramento State
Partner – SFSC partnered with the campus ISO
Plan – ISO and SFSC implemented required training, document gathering and periodic review
Developed tracking process
Engaged Administration
Imposed “penalties” for non-compliance (“Shut ‘er Down”)
Case Study: Sacramento State
ICSUAM – Section 3102.05: http://www.calstate.edu/icsuam/sections/3000/3102.05.shtml
Write a Campus Policy to support the ICSUAM http://www.csus.edu/umanual/admin/ADM-0117.html
Case Study: Sacramento State
Report goes at least annually to Vice President for Administration and Business Affairs and the Vice President & Chief Information Officer
To date, 3 departments were “shut down” until they could come into reasonable compliance
Case Study: Sacramento State
You are welcome to copy our templates for your use
There is also a sample training presentation available
http://www.csus.edu/irt/is/pci/presentations/index.html