How to Scope a PCI Assessment

Knowing how to scope a PCI assessment is crucial to your organization’s compliance. Defining a correct scope is the first and most important step. Scoping is so vital that assessors should not even begin the assessment until they have fully determined the scope. So, how does your organization determine if an asset is in scope? Any people, process, or technology that stores, processes, or transmits cardholder data is part of your cardholder data environment (CDE) and in scope for your PCI assessment. If any of your people, processes, or technology has the ability to impact the security of account data or sensitive authentication data, it is also in scope, and your organization needs to have the appropriate controls applied in the appropriate places.

This webinar will help you understand what makes something out of scope. For an asset to be considered out of scope, there must be absolutely no connectivity to the cardholder data environment, and it must have no ability to impact the security of the data.
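As an added illustration of the scoping rule above (this is example code, not material from the webinar or from KirkpatrickPrice), the following classifier walks a constructed system inventory and applies three tests in order: a system that stores, processes, or transmits cardholder data is CDE; a system that has connectivity to a CDE system in either direction, or that can impact CDE security (the `impacts_cde_security` flag is an assumption standing in for things like directory, patching, or logging services), is in scope; only a system with neither is out of scope. The inventory, system names, and connectivity are all constructed for the example.

```python
"""Added example: classifying a system inventory for PCI DSS scope.

Not code from the webinar.  Encodes the rule from the text: store/process/
transmit cardholder data -> CDE; connectivity to the CDE or ability to impact
its security -> in scope; neither -> out of scope.  Inventory is constructed.
"""
from dataclasses import dataclass, field

CDE = "CDE"
IN_SCOPE = "in scope (connected-to / security-impacting)"
OUT_OF_SCOPE = "out of scope"


@dataclass
class System:
    name: str
    handles_chd: bool = False            # stores, processes or transmits CHD
    impacts_cde_security: bool = False   # assumption: can affect CDE security
    connects_to: set = field(default_factory=set)  # names it can reach


def classify(inventory):
    """Return {system name: scope category} for every system in inventory."""
    by_name = {s.name: s for s in inventory}
    cde = {s.name for s in inventory if s.handles_chd}
    result = {}
    for s in inventory:
        if s.name in cde:
            result[s.name] = CDE
            continue
        # Connectivity counts in both directions: reaching the CDE, or being
        # reachable from it, makes a system "connected-to".
        reaches_cde = bool(s.connects_to & cde)
        reached_by_cde = any(s.name in by_name[c].connects_to for c in cde)
        if reaches_cde or reached_by_cde or s.impacts_cde_security:
            result[s.name] = IN_SCOPE
        else:
            result[s.name] = OUT_OF_SCOPE
    return result


def out_of_scope(inventory):
    """Names that meet the out-of-scope test: no connectivity, no security impact."""
    return sorted(n for n, cat in classify(inventory).items() if cat == OUT_OF_SCOPE)


# Constructed inventory for the example.  The jump host never touches card
# data but can reach the database, so it is in scope; the marketing site and
# CRM have no path to the CDE and can be excluded.
INVENTORY = [
    System("pos-terminal", handles_chd=True, connects_to={"payment-gateway"}),
    System("payment-gateway", handles_chd=True, connects_to={"payment-db"}),
    System("payment-db", handles_chd=True),
    System("jump-host", connects_to={"payment-db"}),
    System("domain-controller", impacts_cde_security=True),
    System("marketing-web", connects_to={"crm"}),
    System("crm"),
]

if __name__ == "__main__":
    for name, category in classify(INVENTORY).items():
        print(f"{name:18} {category}")
```

The point the inventory makes is that scope follows connectivity, not just data flow: the jump host handles no cardholder data yet is in scope because it can reach the database, and the domain controller is in scope without any direct path because it can impact CDE security.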

This webinar will also help you to understand topics such as:

  • Defining the scope and the cardholder data environment
  • Determining what is considered out of scope
  • Identifying what documents an assessor will collect and review during a PCI assessment
  • Discussing how wireless networks affect scope
  • Discussing the impact of sampling

Whether it be ePHI, cardholder data, financial information, or any other type of data, you need to understand where your assets reside and what controls you have in place to protect them. If you don’t know where your assets are, how do you expect to protect them?

To learn more about scoping a PCI assessment, watch the full webinar, watch Establishing Scope, or contact us today.

What is PCI Requirement 7?

In this webinar, our PCI expert spotlights PCI Requirement 7, which states, “Restrict access to cardholder data by business need-to-know.” This requirement focuses on authorization and on establishing a program of least privilege. PCI Requirement 7 supports the implementation of many of the controls in PCI Requirement 8.

In this webinar, we’ll discuss several elements of creating a strong access control system, such as maintaining a list that identifies asset owners and users with privileged access, enforcing restrictions that cover all systems, and roles such as call center agencies, network administration, accounting, and front of house/back of house, which may be in scope of a PCI assessment. Our expert panelist will also discuss the following sub-requirements of PCI Requirement 7:

Requirement 7.1 – Limit access to system components and cardholder data to only those individuals whose job requires such access.

Your organization needs to maintain a list that identifies asset owners and individuals with privileged access. Reviewing this list lets you minimize potential risk by removing any access that is not required for the individual’s job.

Requirement 7.2 – Establish an access control system for system components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.

Requirement 7.3 – Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

Maintaining effective, actively used policies and procedures is a large part of implementing access control measures. These documents need to define the access and privileges required for each role. They also need to define how access is restricted to the least privilege necessary for the individual’s job and function. A formal approval process must also be outlined within your policies and procedures. It’s important that these documents are actually usable by your employees and are effectively communicated to all relevant individuals.
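To show what Requirements 7.1 and 7.2 look like in working code, here is an added example (not code from the webinar or from KirkpatrickPrice) of a default-deny, role-based access check. The roles, privileges, users, and access log are constructed for the example, and the set of actions treated as “privileged” is an assumption. Three things are demonstrated: access is denied unless a role explicitly grants it (the 7.2 “deny all” default, including for unknown users and users with no role); the role definitions double as the 7.1 list of who holds privileged access; and comparing that list against an access log produces the candidates for removal that a periodic access review should act on.

```python
"""Added example: default-deny RBAC for PCI Requirement 7.1 / 7.2.

Not code from the webinar.  Roles, users and the access log are constructed;
PRIVILEGED_ACTIONS is an assumption about which actions count as privileged.
"""

# Role -> set of (resource, action) pairs explicitly allowed.
# Anything not listed here is denied (7.2 "deny all" default).
ROLE_PRIVILEGES = {
    "call_center_agent": {("cardholder_record", "read_masked")},
    "accounting": {("settlement_report", "read")},
    "network_admin": {("cde_firewall", "configure"), ("cde_firewall", "read")},
    "dba": {("cardholder_record", "read_full"), ("cardholder_record", "delete")},
}

# Assumption: actions that expose full cardholder data or alter CDE controls.
# Anyone holding one of these appears on the 7.1 privileged-access list.
PRIVILEGED_ACTIONS = {"read_full", "delete", "configure"}

# user -> roles (constructed).  "dave" has been onboarded but has no role yet.
USER_ROLES = {
    "alice": {"call_center_agent"},
    "bob": {"dba"},
    "carol": {"network_admin", "accounting"},
    "dave": set(),
}


def is_allowed(user, resource, action):
    """Default deny: True only if one of the user's roles explicitly grants it."""
    for role in USER_ROLES.get(user, set()):      # unknown user -> no roles
        if (resource, action) in ROLE_PRIVILEGES.get(role, set()):
            return True
    return False


def privileged_access_list():
    """7.1 list: {user: {(role, resource, action)}} for privileged actions only."""
    out = {}
    for user, roles in USER_ROLES.items():
        for role in roles:
            for resource, action in ROLE_PRIVILEGES.get(role, set()):
                if action in PRIVILEGED_ACTIONS:
                    out.setdefault(user, set()).add((role, resource, action))
    return out


def unexercised_privileges(access_log):
    """Privileged grants never used in access_log: candidates for removal."""
    used = {(e["user"], e["resource"], e["action"]) for e in access_log}
    candidates = {}
    for user, grants in privileged_access_list().items():
        for role, resource, action in grants:
            if (user, resource, action) not in used:
                candidates.setdefault(user, set()).add((role, resource, action))
    return candidates


# Constructed access log for the review period.
ACCESS_LOG = [
    {"user": "bob", "resource": "cardholder_record", "action": "read_full"},
    {"user": "carol", "resource": "cde_firewall", "action": "read"},
]

if __name__ == "__main__":
    print("alice read_masked:", is_allowed("alice", "cardholder_record", "read_masked"))
    print("alice read_full: ", is_allowed("alice", "cardholder_record", "read_full"))
    print("privileged users:", sorted(privileged_access_list()))
    print("remove candidates:", unexercised_privileges(ACCESS_LOG))
```

Because the check falls through to `False`, a user with no role, a misspelled username, or a role that was deleted from `ROLE_PRIVILEGES` all end up denied rather than silently granted; that is the behaviour an assessor is looking for when testing 7.2.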

To learn more about PCI compliance, check out our PCI Demystified video resources or contact us today.

Jeff Wilder, Formerly with PCI Security Standards Council, Joins KirkpatrickPrice as Director of PCI DSS Services

TAMPA, Fla. – March 3, 2016 — KirkpatrickPrice, a licensed CPA firm employing information security specialists to conduct internal control audits and provide information security and compliance consulting, announces the addition of Jeff Wilder as Director of Payment Card Industry (PCI) Services.

Jeff joins KirkpatrickPrice from the PCI Security Standards Council, where he spent over two and a half years teaching hundreds of assessors. Bringing with him almost 10 years of PCI-specific experience and over 25 years within the Information Technology industry, his skill set is specifically attuned to the payments industry. Jeff has attained numerous top industry certifications such as the CISSP, CISA, and QSA, and has assessed hundreds of organizations over the years, from simple mom-and-pop shops to Fortune 100 companies. He has specific experience with the hospitality, food service, manufacturing, shipping, petroleum distribution, and financial services industries. Not only is he well certified, with unprecedented experience within this space, but his business acumen makes him a perfect match for KirkpatrickPrice and their clients.

Jeff Wilder will lead the delivery of all of KirkpatrickPrice’s Payment Card Industry services. Jeff Wilder stated, “Quality of service is paramount. My goal at KirkpatrickPrice is continuing to develop the industry’s leading, world class practice while not only meeting our partners’ expectations, but exceeding them in everything we do.” Jeff will be responsible for managing the current offerings and also expanding the portfolio into the PCI PA-DSS, P2PE, and PFI space.

In addition to leading PCI Services at KirkpatrickPrice, Jeff will be delivering free educational webinars beginning this month. On March 10th at 12pm CST, Jeff will be answering questions during KirkpatrickPrice’s Ask the Auditor: PCI Readiness Series – Requirement 7, on understanding and restricting access to cardholder data by business need to know. On March 24th at 12pm CST, Jeff will join the PCI Readiness Series to talk about Scoping.

KirkpatrickPrice is a licensed CPA firm providing assurance services to over 400 clients in more than 46 states, Canada, Asia, and Europe. The firm has over 10 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and compliance controls. KirkpatrickPrice most commonly provides advice on PCI DSS, SOC 2, SSAE 16, HIPAA, FISMA, ISO 27001, and CFPB frameworks.

What is a CMS? Do you have one? If you’re not sure, this session is for you! We will discuss the necessary components including Board of Directors and management oversight, compliance program components, consumer protection, and compliance audit. The webinar will provide guidance on how even small to mid-sized organizations can build a robust CMS on a budget and discuss industry resources available to kick-start your program.

Risk Management for HIPAA Compliance

Continuing down the Road to HIPAA Compliance, we will discuss what a risk assessment is, what that looks like according to HIPAA requirements, and how to analyze and manage risk.

What is a Risk Assessment?

Why should you care about risk assessments? You must protect your assets, and to do that, we believe you need a formalized risk assessment. A risk assessment is a systematic process for evaluating existing controls and assessing their adequacy against the potential operational, reputational, and compliance threats identified in a risk analysis. Our five steps to a risk assessment include:

  1. Conduct Risk Assessment Survey
  2. Identify Risks
  3. Assess Risk Importance and Risk Likelihood
  4. Create Risk Management Action Plan
  5. Implement Risk Management Plan

What is a Risk Analysis?

A risk analysis identifies the threats to, and analyzes the vulnerabilities of, an organization. This is a very factual process that includes asset characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control remediation, and results documentation. At the end of a risk analysis, you want to have a list of the critical assets you’re trying to protect, the risks your organization is facing, and what your organization is doing to limit vulnerabilities. Our nine steps to a risk analysis include:

  1. Asset Characterization: Identify and define the asset.
  2. Threat Identification: A threat is an event that can result in non-desirable performance of critical assets. This could be a man-made or natural event that takes advantage of an asset’s flaw and results in loss of asset integrity, availability, or confidentiality.
  3. Vulnerability Identification: A known or unknown flaw or weakness in the asset that would result in loss of integrity, availability, or confidentiality.
  4. Control Analysis: What is being done to mitigate potential threats or vulnerabilities from having a negative effect on the asset? Is a control in place? Is a future control in place?
  5. Likelihood Determination: What is the likelihood of an event having a negative effect on the asset?
  6. Impact Analysis: What is the potential impact on business? Time? Monetary? Intangible?
  7. Risk Determination: Look at current analysis and determine material or non-material risks.
  8. Control Remediation: Document status of the protection of the asset – acceptable or non-acceptable?
  9. Results Documentation: Are there constraints on remediation?

For more resources, check out these common risk management methodologies:

Still have questions about risk management? For more information on how we can help, contact us today.