business people walking

PCI Requirement 9: Restrict Physical Access to Cardholder Data

PCI Requirement 9 evaluates all aspects of physical security controls to cardholder data – updated devices, visitor badges, security cameras, etc. The PCI DSS states, “Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.”

There are ten sub-requirements of Requirement 9, all with their own sub-parts. This webinar dives into discussion on all ten sub-requirements, which include:

Requirement 9.1 – Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the CDE. We need to have a way to monitor who goes in and out of the environment, either a video camera or some type of access control mechanism.

Requirement 9.2 – Develop procedures to easily distinguish between onsite personnel and visitors, which includes identifying onsite personnel and visitors, changes to access requirements, revoking or terminating onsite personnel and expired visitor identification.

Requirement 9.3 – Control physical access for onsite personnel to sensitive areas. Access must be authorized and based on individual job function. Access must be revoked immediately upon termination and all physical access mechanisms are returned or disabled when revoked or terminated.

Requirement 9.4 – Implement procedures to identify and authorize visitors – badges, security, etc.

Requirement 9.5 – Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. The location’s security needs to be reviewed at least annually.

Requirement 9.6 –  Maintain strict control over the internal or external distribution of any kind of media; this includes classifying media so that sensitivity can be determined, the way you send media, etc.

Requirement 9.7 – Properly maintain inventory logs of all media and conduct media inventories at least annually.

Requirement 9.8 – Destroy media when it is no longer needed for business or legal reasons; destroy media so that cardholder data cannot be reconstructed.

Requirement 9.9 – Protect devices that capture payment card data via direct physical interaction from tampering and substitution. Updated devices and updated lists of devices are key.

Requirement 9.10 – Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.

To learn more about PCI compliance, check out our PCI Demystified video resources or contact us today.

Building a Comprehensive Penetration Testing Methodology

We often see clients struggling with the new requirements for penetration testing with regard to PCI compliance. The intent behind the new penetration testing methodology is to define the means and the methods by which a penetration test will be executed in your organization’s environment. Your organization’s penetration testing methodology should define the things that a penetration tester needs to do in order for your organization to have a comprehensive PCI assessment.

This webinar will discuss the following PCI requirements:

11.3 – Develop a formal penetration testing methodology; a comprehensive methodology is vital to meeting compliance standards. If you don’t have a penetration testing methodology, start creating one now.

11.3.1 – Execute a formal statement of work that is mapped to your penetration testing methodology. Everything comes back to your methodology, that’s why it’s so important.

11.3.2 – Penetration testing must be executed against statement of work which is developed based on your penetration testing methodology.

11.3.3 – After a penetration test is completed, you must correct items that were exploited. Items that are not exploited must be fed into your Vulnerability Identification and Management Program. In regards to PCI compliance, penetration testing is not considered a pass or fail.

11.3.4 – If you are using segmentation in order to minimize the scope of your PCI compliance obligations, then the penetration tester must test the boundaries of segmentation to validate that the segmentation is effective.

When building your organization’s penetration testing methodology, there are several things to consider. This webinar’s panelist, Jeff Wilder, gives listeners ten  topics to include when putting a penetration testing methodology together, which include:

  • Coverage for the entire CDE
  • Coverage of perimeter of the network
  • Coverage of any critical systems
  • Testing from inside the corporate WAN in an attempt to access cardholder data in an unauthorized way
  • Testing from the Internet in an attempt to access internal systems and systems that reside within the DMZ in an unauthorized way
  • Testing to validate any segmentation in place
  • Testing of any controls that establish scope reduction
  • Tests must be performed against the application layer and include those items in the OWASP and CWE top 25 known vulnerabilities
  • Tests against all network-layer devices and assets
  • Include a review and consideration of threats and vulnerabilities experienced in the last 12 months

There’s a lot to learn about penetration testing, but we’re here to help. To learn more, contact us today or check out additional penetration testing resources:

Penetration Testing for Beginners

3 Reasons You Should be Undergoing Regular Penetration Testing

5 Benefits of Regular Penetration Testing 

5 Tips for a Successful Penetration Test

How Policies and Procedures Can Help You Ace an OCR Audit

This webinar gives insight into the purpose and the concepts of effective policies and procedures and what the Office for Civil Rights (OCR) is looking at when evaluating policies and procedures. Updated, well-documented and implemented policies and procedures are the basics of any regulatory compliance program. Outdated policies and procedures are the most common gap that we see when working with clients. We like to say, “If it’s not written down, it isn’t happening.” So, what should your organization be reviewing?

Review the Difference Between a Policy and a Procedure: A policy is a statement of management intent; in this case, a statement to comply with a specific HIPAA requirement. Policies answer: What? Why? A procedure is a process to fulfill management intent. Procedures answer: How? When? Where?

Review the Lifespan of a Policy or Procedure: When creating new policies and procedures or amending the existing, there should be a process for checking for conflicts with existing documents, checking for legal requirements, and ensuring the document discusses all necessary topics. A formal review process is also necessary to keep all policies and procedures up-to-date; policies and procedures should be reviewed at least annually.

Review Privacy Rule Policies: This review should include defining a record set, accounting for when a patient’s protected health information (PHI) is disclosed, evaluating the content and process of Notice of Privacy Practices, considering what to do when a patient brings their own Authorizations for Disclosure form, processing confidential communications, fees for records, how to deal with record retention, and workers’ compensation claims.

Review Security Rule Policies: These policies should include a required risk analysis and how to maintain reasonable and appropriate physical, technical, and administrative safeguards.

Review the Breach Notification Rule: This review should include internal notification, incident response plans, and mitigation.

Review Business Associate Compliance Management: This review should include Business Associate Agreements, current statuses of relationships, the auditing and monitoring of business associates, corrective actions, and termination of business associates.

Review the Internal Auditing Procedure: This procedure should identify risks, conduct a baseline assessment, plan for ongoing auditing, and plan corrective action plans.

To learn more about how to write effective policies and procedures, check out our Style Guide to Creating Good Policies and our Style Guide to Writing Good Procedures.

This session in our PCI Readiness Series dives into PCI Requirement 8, specifically about identifying and authenticating access to system components. In this webinar, we will cover strong, secure passwords in transmission and storage, disabling accounts for terminated employees and unused accounts, changing default passwords, and disabling generic accounts with shared usernames and passwords.

PCI Requirement 8 establishes non-refutability and authentication security, covers all systems and applications, and has about 21 sub-requirements that will be assessed. There’s an incredible amount of work when establishing your authentication program. PCI Requirement 8 applies to all users and to any place where a password is required.

This webinar also discusses topics such as:

  • Program Management: Policies and procedures regarding authentication must be documented, in use, and effectively communicated to all relevant individuals.
  • Assessment – Documents: In addition to policies and procedures, assessors will look at documents such as: system password configuration standards, a list of terminated employees within the last 6 months, a list of new hires, a list of administrators, and a list of all user accounts from all systems.
  • Assessment – Asset Observation: Assessors will conduct a review of all password settings and a review of how passwords are encrypted during transmission.
  • Best Practices: We believe some basic best practices for complying with Requirement 8 are:
    • No sharing of usernames and passwords (no generic accounts)
    • Passwords must be strong
    • Passwords must be secure in transmission and storage
    • No use of default passwords
    • Must disable accounts for employees who are no longer there
    • Must disable accounts that are not used in 90 days

This webinar also gives an overview of each of these sub-requirements:

Requirement 8.1 – Define and implement policies and procedures

Requirement 8.2 – Everyone gets their username and something to authenticate with (like a password, token, or biometric)

Requirement 8.3 – Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including administrators and vendors)

Requirement 8.4 – Document and communicate authentication policies and procedures to all users

Requirement 8.5 – Do not use group, shared, or generic IDs, passwords, or other authentication methods

Requirement 8.6 – Where other authentication mechanisms are used (security tokens, smart cards, certificates, etc), use of these mechanisms must be assigned

Requirement 8.7 – All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted

Requirement 8.8 – Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties

To learn more about PCI compliance, check out our PCI Demystified video resources or contact us today.

 

What is the Breach Notification Rule?

In this session, we discuss the Breach Notification Rule, define what a data breach is, discuss how long you have to report a breach, who to tell, and what to tell them. We also discuss strategies for reducing the risk of a data breach.

Data Breach FAQs

What is a breach? A breach is the acquisition, access, use, or disclosure of unsecured protected health information in a manner not permitted (by rule) which compromises the security or privacy of the protected health information.

Did I have a breach? Not everything is a breach; your organization must determine if you’ve had an incident, a violation of the Privacy Rule that doesn’t constitute a reportable breach, or a legitimate breach.

Who do I tell about a breach? It’s important to know if you had a breach and correctly analyze it because you’ll need to know the nature and scope in order to communicate to the correct parties. Covered entities have three parties that they need to notify of a breach: patients, DHHS, and potentially the media. When you have a breach, you will always need to notify affected patients and DHSS – no exceptions. If over 500 individuals have been affected, your covered entity will need to alert the media.

What do I tell them? In order to properly comply with the Breach Notification Rule, there are several aspects of the breach your organization needs to communicate to the affected parties:

  • What happened
  • What kind of PHI was disclosed in the breach
  • What patients should do to mitigate harm
  • What you’re doing to investigate and mitigate future harm
  • How they can contact you

How long do I have to report a breach? Patients need to be notified within 60 days of discovery, as well as the media if necessary. If less than 500 individuals have been affected, the DHHS should be notified within 60 days of when the breach occurred. If the breach impacts more than 500 individuals, the DHHS should be notified within 60 days of discovery.

What can I do to reduce risk? There are several things your organization can do to reduce risk, including:

  • Establish policies and procedures
  • Thorough, proper training for your employees regarding breach notification
  • Test your policies and procedures and training by performing a mock breach assessment to identify if there are any gaps
  • Implement operational controls
  • Engage third-parties to conduct audits

To learn more about our HIPAA compliance services, contact us today to speak to an expert.