PCI Requirement 7.1.2 – Restrict Access to Privileged User IDs to Least Privileges Necessary

by Randy Bartels / December 19, 2022

What is PCI Requirement 7.1.2? Within your organization, you will obviously have personnel who require an elevated level of privilege. You will have some personnel with more responsibility than others, but you still need to limit the ability for someone to impact the security of the cardholder data environment. PCI Requirement 7.1.2 requires you to limit access to privileged user IDs to personnel who truly require it for the function…

PCI Requirement 7.1.1 – Define Access Needs for Each Role

by Randy Bartels / December 19, 2022

How to Define Access Needs for Each Role PCI Requirement 7.1.1 outlines the first step in the process of establishing role-based access controls. PCI Requirement 7.1.1 states, “Define access needs for each role, including: system components and data resources that each role needs to access for their job function, and level of privilege required for accessing resources.” The PCI DSS states, “In order to limit access to cardholder data to…

PCI Requirement 7.1 – Limit Access to System Components and Cardholder Data

by Randy Bartels / December 19, 2022

Why Limit Access to System Components and Cardholder Data? We’ve discussed least privileges before (See PCI Requirements 2.2.2 and 3.1) and the concept of, “If you don’t need it, get rid of it.” PCI Requirement 7.1 also follows this idea. PCI Requirement 7.1 states, “Limit access to system components and cardholder data to only those individuals whose job requires such access.” If someone’s job needs access to function, grant it…

PCI Requirement 7 – Restrict Access to Cardholder Data by Business Need to Know

by Randy Bartels / December 19, 2022

Protecting Cardholder Data PCI Requirement 7 focuses on establishing access into your organization’s cardholder data environment through the lens of business need to know. PCI Requirement 7 states, “Restrict access to cardholder data by business need to know.” Complying with PCI Requirement 7 is critical to ensuring that cardholder data is accessed only by authorized personnel. There’s nothing wrong with granting someone access to the CDE and the PCI DSS…

Understanding Your SOC 1 Audit Report: What is an Assertion?

by Joseph Kirkpatrick / February 7, 2023

What is an Assertion? One of the things that management must provide to the auditor as part of a SOC 1 engagement is an assertion. What does that mean? What is an assertion? In our everyday life, an assertion is a confident statement of fact or belief. In the world of auditing, assertions are still confident statements of fact or belief, but with a twist. Assertions are claims made by…