Randy Bartels, Author at KirkpatrickPrice

Acceptable Products

Your usage policies, as stated in PCI Requirement 12.3.7, should include a list of company-approved products. This list will correlate with your acceptable uses of technology policy to create strong and secure usage policies. The PCI DSS explains that by defining company-approved products, your organization will be better equipped to manage and control gaps in configurations and operational controls, ensuring that a back door is not opened for attackers.

To test compliance with PCI Requirement 12.3.7, an assessor will need to examine your usage policies to ensure that they include a list of company-approved products, or they may interview your personnel to see if they know which types of products are approved.

You need to maintain a formal list of the technology that’s actually approved to be used in your environment. Your assessor is likely not only going to look to see what that policy is, but they’re then likely to ask you for that list of approved technologies that can be used within your environment.

Acceptable Network Locations

Your usage policies, as stated in PCI Requirement 12.3.6, should detail acceptable network locations for the technology at your organization. The PCI DSS explains that by defining acceptable network locations, your organization will be better equipped to manage and control gaps in configurations and operational controls, ensuring that a back door is not opened for attackers.

To test compliance with PCI Requirement 12.3.6, an assessor will need to examine your usage policies to ensure that they define acceptable network locations for the technology at your organization.

PCI Requirement 12.3.6 is an acceptable use requirement that defines acceptable network locations for the technology that you’ve implemented. Think about this: you’ve spent millions of dollars developing a security program, and yet somebody circumvents it by storing credit card data out in your DMZ. From an acceptable use perspective, we look to see that you have network locations and where things can be installed. Ideally, we see this in your classification policy, but if it’s not there, that’s quite all right. As long as it’s defined, we’re going to be okay with this part of the assessment.

Acceptable Use Policies

Your usage policies, as stated in PCI Requirement 12.3.5, should detail acceptable uses of the technology at your organization. Acceptable use policies (AUP) normally have users agree to not use the services for illegal purposes, not attempt to harm the security of the technology or system, and to report any suspicious activity. The PCI DSS explains that by defining acceptable uses of the technology, your organization will be better equipped to manage and control gaps in configurations and operational controls, ensuring that a back door is not opened for attackers.

To test compliance with PCI Requirement 12.3.5, an assessor will need to examine your usage policies to ensure that they define acceptable uses for the technology at your organization.

One time, I performed an assessment at an organization who had a receptionist that I met at the front desk. She was back there doing her daily job, and we get to talking about the badge access and restricting access to the badging system. The statement that was made to me was, “It’s kept up at the receptionist desk.”

I went up to ask the receptionist about the badging system, and she was using a PC. Well that isn’t so much as a problem, except if she sits all day busy playing Facebook games. Really what PCI Requirement 12.3.5 requires is that you have acceptable use policies and acceptable uses for your technologies in place to define what’s appropriate and what’s not appropriate and how to use these technologies that you’ve implemented within your environment.

Identification System

Your usage policies should have a method for identifying who an asset-owner is. PCI Requirement 12.3.4 specifically details, “A method to accurately and readily determine owner, contact information, and purpose.” This doesn’t mean you need a label on every device defining who the owner is, but you do need to have an identification system. This could be a serial number that traces back to the owner. Without a method to accurately and readily determine the owner and purpose of a device, an attack could place their own devices on your network, but no one would be able to quickly distinguish if it was approved or not.

Compliance with PCI Requirement 12.3.4 means being able to quickly identify non-approved versus approved devices, their owner, and purpose.

Think about this scenario: you walk into an environment such as your data center and all of the sudden, you see a server there that is smoking or you see a server there that shouldn’t be there. Do you have the means or methods within your organization to identify what the asset is and who owns it? PCI Requirement 12.3.4 establishes the need for being able to do that. We don’t necessarily require that you put a sticker on there with the name and the person. We find that a lot of organizations might have an asset list that’s traceable back to a serial number that they keep somewhere that defines what it is and who it’s for. Your assessor should not only be looking for the policy but looking to see that you’re actually carrying out this activity.

Approved Devices and Personnel with Access

To create compliant usage policies, your organization must meet PCI Requirement 12.3.3, which requires you to keep a list of all devices and personnel with access. Lists of approved devices and personnel come up often in the PCI DSS and PCI Requirement 12.3.3. Without this list of all devices and personnel with access, an attack could place their own devices on your network, but no one would be able to quickly distinguish if it was approved or not. Your personnel could also completely disregard or bypass physical security procedures and install unapproved devices. Compliance with PCI Requirement 12.3.3 means being able to quickly identify non-approved versus approved devices and personnel.

To test compliance with PCI Requirement 12.3.3, an assessor will need to examine your usage policies to ensure that there is a list of all devices and personnel with access.

You need to maintain a list of all the assets that you have in your environment and the individuals that are authorized to use them. This is not only a usage policy. From an assessment perspective, your assessor is likely to ask you for that list, making sure that you’re compliant with your own policies.

Acceptable Products

<span data-mce-type="bookmark" style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" class="mce_SELRES_start"></span><span data-mce-type="bookmark" style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" class="mce_SELRES_start"></span>

Acceptable Network Locations

Acceptable Use Policies

Identification System

Approved Devices and Personnel with Access

Learn what you need to get started with our Audit Readiness Guide.

Acceptable Products

<span data-mce-type="bookmark" style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" class="mce_SELRES_start">﻿</span><span data-mce-type="bookmark" style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" class="mce_SELRES_start">﻿</span>

Acceptable Network Locations

Acceptable Use Policies

Identification System

Approved Devices and Personnel with Access

<span data-mce-type="bookmark" style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" class="mce_SELRES_start"></span><span data-mce-type="bookmark" style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" class="mce_SELRES_start"></span>