▫ Meet PCI DSS requirements;
▫ Address the quickly and ever-changing data security threat environment;
▫ Reinforce the organization's business culture.
The intent of this document is to provide supplemental information. Information provided here does 2
penalties levied against the organization, reputational harm to the organization and employees, and impact to an employee’s job. It is important to put potential organizational harm into perspective for personnel, detailing how such damage to the organization can affect their own roles.
This guidance is intended for any organization required to meet PCI DSS Requirement 12.6 to implement a formal security awareness program within their organization. The guidance is applicable to organizations of all sizes, budgets, and industries.
Data Loss Prevention (DLP) Scanning: A process of monitoring and preventing sensitive data from leaving a company environment.
Phishing: A form of social engineering in which an attempt is made to acquire sensitive information (for example, passwords, usernames, payment card details) from an individual through e-mail, chat, or other means. The perpetrator often pretends to be someone trustworthy or known to the individual.
Privileged Access: Users who generally have elevated rights or access above that of a general user. Typically, privileged access is given to those users who need to perform administrative-level functions or access sensitive data, which may include access to cardholder data (CHD). Privileged access may encompass physical and/or logical access.
Social Engineering: As defined by (ISC)²: An attack based on deceiving users or administrators at the target site, for example, a person who illegally enters computer systems by persuading an authorized person to reveal IDs, passwords, and other confidential information.
2 Best Practices in Organizational Security Awareness
Security awareness should be conducted as an on-going program to ensure that training and knowledge are not just delivered as an annual activity, but are used to maintain a high level of security awareness on a daily basis.
Protecting cardholder data (CHD) should form part of any organization-wide information security awareness program. Ensuring staff is aware of the importance of cardholder data security is important to the success of a security awareness program and will assist in meeting PCI DSS Requirement 12.6.
The first step in the development of a formal security awareness program is assembling a security awareness team. This team is responsible for the development, delivery, and maintenance of the security awareness program. It is recommended the team be staffed with personnel from different areas of the organization, with differing responsibilities representing a cross-section of the organization. Having a team in place will help ensure the success of the security awareness program through assignment of responsibility for the program. The size and membership of the security awareness team will depend on the specific needs of each organization and its culture.
Role-based security awareness provides organizations a reference for training personnel at the appropriate levels based on their job functions. The training can be expanded upon—and subject areas combined or removed—according to the levels of responsibility and roles defined in the organization. The goal is to build a reference catalogue of various types and depths of training to help organizations deliver the right training to the right people at the right time. Doing so will improve an organization’s security as well as help maintain PCI DSS compliance. Whether the focus is a singular, holistic, or a tiered approach, the content can be scoped to meet an organization’s requirements.
All types of roles may not apply to all organizations, and some roles may need to be divided into subsections to align with responsibilities. This can be modified according to the requirements of the organization.
The first task when scoping a role-based security awareness program is to group individuals according to their roles (job functions) within the organization. A simplified concept of this is shown in Figure 1 on the following page.
should be delivered in a way that fits the overall culture of the organization and has the most impact on personnel. The following diagram depicts how the depth of awareness training should increase with the level of risk associated with different roles.
Training content can be broken down further to map to applicable PCI DSS requirements. Appendix A contains a chart listing the high-level requirements of PCI DSS, with examples of roles listed that may need security awareness training in these control areas. Section 3, Security Awareness Training Content, contains further information related to training content for the different levels within an organization.
The key to an effective security awareness program is in targeting the delivery of relevant material to the appropriate audience in a timely and efficient manner. To be effective, the communication channel should also fit the organization's culture. By disseminating security awareness training via multiple communication channels, the organization ensures that personnel are exposed to the same information multiple times in different ways. This greatly improves how well people remember the information presented to them. Content may need to be adapted depending on the communication channel; for example, the content in an electronic bulletin may differ from the content in an instructor-led training seminar, even though both carry the same underlying message. The communication channel should therefore be chosen to suit both the audience receiving the training and the type of content being delivered.
Electronic communication methods can include e-mail notifications, eLearning, internal social media, etc. It is important to target electronic security awareness notifications to the appropriate audience to ensure the information is read and understood. It is easier for electronic notifications to go unread or ignored by busy personnel. By targeting the material and communication channel to relevant personnel, the security awareness team can improve adoption of the security awareness program.
Non-electronic notifications may include posters, internal mailers, newsletters, and instructor-led training events. In-person security awareness events that involve active participation by personnel can be extremely effective. Audience size in an instructor-led presentation is important: the larger the group, the greater risk that content may not be communicated effectively, as individuals may lose focus on the material presented if they do not feel engaged. Including activities that engage the audience, such as scenario-based activities, helps ensure the concepts are understood and remembered. For example, a structured social-engineering exercise will teach personnel quickly how to identify a social-engineering attack and react appropriately. Internal seminars, training provided during lunch breaks (commonly called “lunch-and-learns” or “brown bag”), and employee social events are also great opportunities for the security awareness team to interact with personnel and introduce security concepts. Appendix B provides a list of the common methods to communicate security awareness throughout the organization.
It is recommended that communication of security awareness be included in new-hire processes, as well as role changes for existing personnel. Security awareness training may be combined with other organizational requirements, such as confidentiality and ethics agreements. Each job position in the organization should be identified based on the level of data access required. See Section 2.2, Determine Roles for Security Awareness, for more information. To ensure that the security awareness team is notified whenever a role identified as needing security awareness is filled, it is recommended this step be included in the process for all new hires and re-classifications. Inclusion in the new-hire/re-classification process ensures the overall training goals are promoted without reliance on individual organizational units.
Management leadership and support for the security awareness program is crucial to its successful adoption by staff. Managers are encouraged to:
Actively encourage personnel to participate and uphold the security awareness principles.
Model the appropriate security awareness approach to reinforce the learning obtained from the program.
Include security awareness metrics into management and staff performance reviews.
It is recommended that general security training for all personnel include defining what constitutes cardholder data (CHD) and sensitive authentication data (SAD) and the organization's responsibility to safeguard both. A high-level overview of the importance of the PCI DSS may also be included to ensure personnel fully understand the purpose behind an organizational policy to safeguard cardholder data. To ensure all personnel are engaged stakeholders in the security awareness program, the roles and responsibilities of all staff to protect CHD and SAD should be outlined during all security awareness training, in accordance with organizational policy.
Because data is at risk both in electronic form and in non-electronic (paper) form, it is recommended that the different ways to safeguard information for different media be covered at a basic level for all personnel. For instance, considerations for protecting data in electronic format may include secure storage, transmission and disposal. Considerations for paper-based formats may also include secure storage and disposal as well as a “clear desk” policy. Without an understanding of how different media types need to be protected, personnel may inadvertently handle data in an insecure manner.
Another important consideration for inclusion in general security training is awareness of social engineering attacks. One way an attacker may use social engineering is to acquire a user’s credentials and work their way through the organization from a low-security area to a high security area. Tailoring this awareness to reflect the types of attacks that the organization may encounter provides the most effective results. Users should be aware of the common methods by which fraudsters, hackers or other malicious individuals might try to obtain credentials, payment card data, and other sensitive data, to minimize the risk of personnel unintentionally disseminating sensitive information to outsiders. Training in organizational policies and procedures that specify proper data handling, including sharing and transmission of sensitive data, is also recommended.
The training program should require personnel to acknowledge they have received and understand the content being delivered. This is crucial to the success of the security awareness program. If content is being delivered and not understood, the employee may still inadvertently put the organization’s information at risk. Feedback on training content and comprehension are key to ensuring personnel understand the content and the organization’s security policies.
Below is an example of content that is commonly included in general security awareness training:
▫ Organization's security awareness policy
▫ Impact of unauthorized access (for example, to systems or facilities)
▫ Awareness of CHD security requirements for different payment environments:
  ▫ Card-present environments
  ▫ Card-not-present environments: phone (individual or call center), mail, fax, online (eCommerce)
▫ Where to get further information on protecting CHD in the organization (for example, security officer, management, etc.)
▫ Importance of strong passwords and password controls
▫ Secure e-mail practices
▫ Secure practices for working remotely
▫ Avoiding malicious software (viruses, spyware, adware, etc.)
▫ Secure browsing practices
▫ Mobile device security, including BYOD
▫ Secure use of social media
▫ How to report a potential security incident and who to report it to (see PCI DSS Requirement 12.10)
▫ Protecting against social engineering attacks:
  ▫ In person: physical access
  ▫ Phone: caller ID spoofing
  ▫ E-mail: phishing, spear phishing, e-mail address spoofing
  ▫ Instant messaging
▫ Physical security:
  ▫ Shoulder surfing
  ▫ Dumpster diving
NOTE: General security awareness training should be implemented even for organizations that outsource all payment acceptance and processing, to ensure personnel are aware that sensitive information, including CHD, must be protected.
In addition to content for all personnel, management training should include more detailed information regarding the consequences of a breach to management stakeholders. Management should understand not only the monetary penalties of failing to safeguard CHD, but also the lasting harm to the organization due to reputational (brand) damage. This factor is often overlooked when organizations outsource payment processing, but is critically important.
As previously discussed, management will need to understand security requirements enough to discuss and reinforce them, and encourage personnel to follow the requirements. It is recommended that management security awareness training include specific content relevant to the area of responsibility, particularly areas with access to sensitive data.
Management that is security-aware better understands the risk factors to the organization’s information. This knowledge helps them make well-informed decisions related to business operations. Managers who are security-aware can also assist with development of data security policies, secure procedures, and security awareness training.
The categories listed below are examples of some common roles and the training content that may be suitable for those users. Each organization’s specialized roles may differ, and the type of training for each role will need to be carefully considered.
Metrics can be an effective tool to measure the success of a security awareness program, and can also provide valuable information to keep the security awareness program up-to-date and effective. The particular metrics used to measure the success of a security awareness program will vary for each organization based on considerations such as size, industry, and type of training. The table below displays some metrics of a successful security awareness program and can be used as a starting point for developing metrics.
Operational Metrics

Metric | What it indicates or how it is measured
Reduced system downtime and network or application outages | Consistent, approved change-management processes; fewer malware outbreaks; better controls
Reduction in malware outbreaks and PC performance issues related to malware | Fewer opened malicious e-mails; increased reports from personnel of malicious e-mails
Increase in reports of attempted e-mail or phone scams | Better recognition by personnel of phishing and other social-engineering attempts
Increase in reporting of security concerns and unusual access | Increased understanding by personnel of risks
Increase in the number of queries from personnel on how to implement secure procedures | Better awareness by personnel of potential threats
DLP scanning and network traces are active but not detecting cardholder data outside the CDE | Better understanding by personnel of potential threats
Vulnerability scans are active and detect high or critical vulnerabilities | Decrease in time between detection and remediation
Vulnerabilities are addressed or mitigated in a timely manner | Better understanding by personnel of potential threats and risks to sensitive information

Training Program Metrics

Metric | What it indicates or how it is measured
Increase in number of personnel completing training | Attendance tracking and performance evaluations
Increase in number of employees with privileged access who have received required training | Attendance tracking and performance evaluations
Increase in personnel comprehension of training material | Feedback from personnel; quizzes and training assessments
4 Security Awareness Program Checklist
Having a checklist may help organizations plan and manage their security awareness training program. The information listed below may be used to assist with security awareness training and education planning. Inclusion and use of this information is not a requirement.

Creating the Security Awareness Program
▫ Identify compliance or audit standards that your organization must adhere to.
▫ Identify security awareness requirements for those standards.
▫ Identify organizational goals, risks, and security policy.
▫ Identify stakeholders and get their support.
▫ Create a baseline of the organization's security awareness.
▫ Create a project charter to establish scope for the security awareness training program.
▫ Create a steering committee to assist in planning, executing, and maintaining the awareness program.
▫ Identify who you will be targeting; different roles may require different or additional training (employees, IT personnel, developers, senior leadership).
▫ Identify what you will communicate to the different groups (the goal is the shortest training possible that has the greatest impact).
▫ Identify how you will communicate the content; there are three categories of training: new, annual, and ongoing.

Implementing Security Awareness
▫ Develop and/or purchase training materials and content to meet requirements identified during program creation.
▫ Document how and when you intend to measure the success of the program.
▫ Identify who to communicate results to, when, and how.
▫ Deploy security awareness training utilizing the different communication methods identified during program creation.
▫ Implement tracking mechanisms to record who completes the training and when.

Sustaining Security Awareness
▫ Identify when to review your security awareness program each year.
▫ Identify new or changing threats or compliance standards and the updates needed; include these in the annual update.
▫ Conduct periodic assessments of organizational security awareness and compare to the baseline.
▫ Survey staff for feedback (usefulness, effectiveness, ease of understanding, ease of implementation, recommended changes, accessibility).
▫ Maintain management commitment to supporting, endorsing, and promoting the program.

Documenting the Security Awareness Program
▫ Document the security awareness program, including all previously listed steps within "Creating the Security Awareness Program," "Implementing Security Awareness," and "Sustaining Security Awareness."
Appendix A: PCI DSS Requirements Mapped to Security Awareness Training

Columns: PCI DSS Requirement | Target audience for training (1) | Source materials | Content for training | Metrics
(1) A = All; M = Management; C/A = Cashiers/Accounting; PT = Procurement Team; IT = IT Admin & Developers

Build and Maintain a Secure Network and Systems

Requirement: 1.x Install and maintain a firewall configuration to protect cardholder data.
  1.4 Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (e.g., laptops used by employees) and which are also used to access the network.
  2.x Do not use vendor-supplied defaults for system passwords and other security parameters.
Source materials: ... practices for network and systems security, e.g., NIST, ISO, CIS, HIPAA; vendor reference materials and best-practice documentation.
Content for training: Organization firewall change and approval policy, personal firewall policy, system standard build policy.
Metrics: Few if any network outages. Changes implemented successfully with minimal disruption. Reductions in standard build deviations.
Protect Cardholder Data

Requirement: 3.x Protect stored cardholder data.
  3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.
  4.x Encrypt transmission of cardholder data across open, public networks.
  4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
Source materials: ... related to the protection of consumers' private information, e.g., the Gramm-Leach-Bliley Act (GLBA) for protection of consumers' private information and Sarbanes-Oxley (SOX) for protection of sensitive data related to financial reporting; vendor reference materials and best-practice documentation.
Content for training: Organization data retention and disposal policy, encryption key management policy, secure e-mail policy.
Metrics: DLP scanning and network traces do not detect PCI data.
Implement Strong Access Control Measures

Requirement: 7.x Restrict access to cardholder data by business need to know.
Source materials and content for training: ... implementing detailed access controls within authentication/authorization environments. Organization access control policy, including information on how business need to know is determined and approved for different roles.
Metrics: No alerts of unusual access. Regular access reviews show few required changes.

Requirement: 8.x Identify and authenticate access to system components.
Source materials and content for training: ... factor authentication, password management, session controls, and implementing detailed access controls. Organization access control policy, password policy, information security policy.
Metrics: Reviews of audit logs for failed access attempts show no inconsistencies.

Requirement: 9.x Restrict physical access to cardholder data.
  9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
Source materials and content for training: ... requirements. General user awareness. Organization visitor access policy, secure device-handling procedures, data retention and disposal policy.
Metrics: Monitoring shows minimal inconsistent behavior. Surveys of employee understanding of secured areas return a high awareness quotient. Reporting of unusual access or behaviors increases.
Regularly Monitor and Test Networks

Requirement: 10.x Track and monitor all access to network resources and cardholder data.
  11.x Regularly test security systems and processes.
Source materials: ... related to access to sensitive data, e.g., NIST, ISO, GLBA, SOX; vendor reference materials and best-practice documentation.
Content for training: Organization log-review procedures, change control policy, vulnerability-testing policy, penetration-testing methodology. Common vulnerabilities found in the National Vulnerability Database, the CWE/SANS Top 25, etc.
Metrics: Reduced network, system, and application outages. Updates and changes implemented successfully with minimal disruption. Monthly reports show consistent, appropriate patching. Regular vulnerability scans show no high or critical vulnerabilities. Vulnerabilities discovered are addressed in a timely manner or mitigated appropriately.