Transcription

PCI DSS Provisioning and Hardening Checklists & Forms

Table of Contents

1. Firewall Provisioning and Hardening Checklists (Overview)
2. Cisco PIX Firewall Provisioning and Hardening Checklist
3. Cisco PIX Firewall Business Needs Checklist
4. Cisco PIX Firewall Review and Audit Checklist
5. Cisco ASA Firewall Provisioning and Hardening Checklist
6. Cisco ASA Firewall Business Needs Checklist
7. Cisco ASA Firewall Review and Audit Checklist
8. Juniper Networks NetScreen & SSG Firewall Provisioning and Hardening Checklist
9. Juniper Networks NetScreen & SSG Firewall Business Needs Checklist
10. Juniper Networks NetScreen & SSG Firewall Review and Audit Checklist
11. Linux Iptables Firewall Provisioning and Hardening Checklist
12. Linux Iptables Firewall Business Needs Checklist
13. Linux Iptables Firewall Review and Audit Checklist
14. SonicWALL Firewall Provisioning and Hardening Checklist
15. SonicWALL Firewall Business Needs Checklist
16. SonicWALL Firewall Review and Audit Checklist
17. Fortinet FortiGate Firewall Provisioning and Hardening Checklist
18. Fortinet FortiGate Firewall Business Needs Checklist
19. Fortinet FortiGate Firewall Review and Audit Checklist
20. Palo Alto Firewall Provisioning and Hardening Checklist
21. Palo Alto Firewall Business Needs Checklist
22. Palo Alto Firewall Review and Audit Checklist
23. Checkpoint Firewall Provisioning and Hardening Checklist
24. Checkpoint Firewall Business Needs Checklist
25. Checkpoint Firewall Review and Audit Checklist
26. Barracuda Web Filter Firewall Provisioning and Hardening Checklist
27. Barracuda Web Filter Firewall Business Needs Checklist
28. Barracuda Web Filter Firewall Review and Audit Checklist
29. Microsoft Windows Server Provisioning and Hardening Checklists (Overview)
30. Windows Server 2003 (WIN2K3) Provisioning and Hardening Checklist
31. Windows Server 2008 (WIN2K8) Provisioning and Hardening Checklist
32. Windows Server 2008 R2 (WIN2K8 R2) Provisioning and Hardening Checklist
33. UNIX Server Provisioning and Hardening Checklists (Overview)
34. Solaris Provisioning and Hardening Checklist
35. HP-UX 11i Provisioning and Hardening Checklist
36. Linux Distributions Provisioning and Hardening Checklist
37. Red Hat Enterprise Linux (RHEL) 5 Provisioning and Hardening Checklist
38. Red Hat Enterprise Linux (RHEL) 6 Provisioning and Hardening Checklist
39. Web Server Provisioning and Hardening Checklists (Overview)
40. Apache (Version 2.2) Linux Web Server Provisioning and Hardening Checklist
41. Apache (Version 2.2) Windows Web Server Provisioning and Hardening Checklist
42. Microsoft Internet Information Services (IIS) Web Server Provisioning and Hardening Checklist
43. Apache Tomcat Web Server Provisioning and Hardening Checklist
44. Database Provisioning and Hardening Checklists (Overview)
45. Oracle 11 Database Provisioning and Hardening Checklist
46. MySQL 5 Database Provisioning and Hardening Checklist
47. Microsoft (MS) SQL Server 2005 Provisioning and Hardening Checklist
48. Microsoft (MS) SQL Server 2008 Provisioning and Hardening Checklist
49. Microsoft (MS) SQL Server 2008 R2 Provisioning and Hardening Checklist
50. Microsoft (MS) SQL Server 2012 Provisioning and Hardening Checklist

License Agreement

The document you have purchased contains an electronic watermark, which is a unique identifier applied to every document originating from www.pcipolicyportal.com. The use of this document is limited exclusively to a one-time usage license for any individual or organization seeking to comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements. Any redistribution of this document to another individual or organization is strictly prohibited and is punishable by law.

Common examples of the redistribution of this document include but are not limited to the following:

- the sharing of this document to assist other individuals or organizations in PCI DSS compliance or for any other reason
- the knowing dissemination of this document to another individual or organization without the said individual or organization having purchased the one-time usage license from www.pcipolicyportal.com

Any attempt to reproduce, publish, license, create derivative works from, transfer, post on any network, broadcast in any media or sell any information, software, products or services obtained from this document, unless explicitly permitted by www.pcipolicyportal.com, is prohibited and is subject to severe legal ramifications.

About this Document

Congratulations, you have just purchased the most in-depth and comprehensive set of information security provisioning and hardening documents found anywhere today. Additionally, these helpful forms and checklists can be utilized for any compliance mandate, or simply as best practice, for ensuring all critical systems are adequately provisioned, hardened, secured, and locked down as needed.

Firewall Provisioning and Hardening Checklists (Overview)

The below referenced documents are an excellent resource for properly provisioning, hardening, securing, and locking down all system components in accordance with the mandated PCI DSS requirements.

PCI DSS Requirement 12.1 Information Security Policy: Table of Contents

- Overview
- Purpose
- Scope
- Policy
- Roles and Responsibilities
  o Chief Technology Officer / Chief Information Officer
  o Director of Information Technology / Senior Information Security Officer
  o Network Engineer / Systems Administrator
  o Software Developers / Coders
  o Change Management / Change Control Personnel
  o End Users
  o Vendors, Contractors, Other Third-Party Entities
- Information Security Solutions
- Defense-in-Depth
- Layered Security
- Cyber Security
- Cloud Computing
- Email Guidelines, Responsibilities and Acceptable Use
- The CAN-SPAM Act
- Internet Guidelines, Responsibilities and Acceptable Use
- Network Guidelines, Responsibilities and Acceptable Use
- Social Media Guidelines, Responsibilities and Acceptable Use
- Identity Theft
- Securing Your Home Network
- Online Security and Mobile Computing
- Online Shopping
- Other Important Security Considerations
- Helpful Security Resources
- Security Updates
- Workstation Security
- Laptop Security
- Software Licensing and Usage
- Internal Threats
- Clean Desk Policy
- Data Security Breaches
- Data and Information Classification
- Security Categorization
- Asset Inventory
- Personally Identifiable Information (PII)
- Protected Health Information (PHI)
- Personally Identifiable Financial Information (PIFI)
- Physical Security and Environmental
- Personnel
- Security Awareness Training
- Provisioning and Hardening
- Reference Material
- Time Synchronization
- Access Rights
- Methods of Authentication
- Password Parameters
- De-Provisioning / Off-boarding Process
- Remote Access
- Wireless Security
- Malware
- Change Control / Change Management
- Software Development Life Cycle (SDLC)
- Patch Management
- Vulnerability Management
- Configuration Management
- Vendor Management
- Backup and Storage
- Encryption
- Event Monitoring
- Configuration and Change Monitoring
- Performance and Utilization Monitoring
- Logging and Reporting
- Data Retention and Disposal
- Incident Response
- Performance and Security Testing
- Disaster Recovery
- Authorization Form for User Access: New Employees
- Authorization Form for User Access: Vendors
- Authorization Form for User Access: Guests
- User De-provisioning / Off-boarding Form: All Users (Employee, Guest, Vendor, Other)
- Employee Separation Form
- Change Management Request Form (CMRF)
- Change Management Logging System (CMLS)
- Remote Access Request Form
- Incident Response Plan Form
- Security Awareness Training Instructional Guide
- Wireless Security

PCI DSS Requirement 12.1 Information Security Policy and Procedures

1.0 Overview

In accordance with mandated organizational security requirements set forth and approved by management, [company name] has established a formal set of information security policies and supporting procedures.

This comprehensive policy document is to be implemented immediately along with all relevant and applicable procedures. Additionally, this policy is to be evaluated on a(n) [annual, semi-annual, quarterly] basis to ensure its adequacy and relevance to [company name]'s needs and goals.

1.0 Purpose

This policy and supporting procedures are designed to provide [company name] with a documented and formalized information security policy in accordance with Requirement 12.1 of the PCI DSS. Additionally, this policy also serves as the organization's primary, enterprise-wide information security manual. Compliance with the stated policy and supporting procedures helps ensure the safety and security of all [company name] system components within the cardholder data environment and any other environments deemed applicable.

1.0 Scope

This policy and supporting procedures encompass all system components within the cardholder data environment that are owned, operated, maintained, and controlled by [company name], all other system components, both internal and external, that interact with these systems, and all other relevant systems.

- Internal system components are those owned, operated, maintained, and controlled by [company name] and include all network devices (firewalls, routers, switches, load balancers, other network devices), servers (both physical and virtual servers, along with the operating systems and applications that reside on them) and any other system components deemed in scope.
- External system components are those owned, operated, maintained, and controlled by any entity other than [company name], but which may nonetheless affect the confidentiality, integrity, and availability (CIA) and overall security of the cardholder data environment and any other environments deemed applicable.

Please note that when referencing the term "system component(s)" or "system resource(s)", it means the following: any network component, server, or application included in or connected to the cardholder data environment (source: pcisecuritystandards.org glossary), or any other relevant environment deemed in scope for purposes of information security.

1.0 Policy

[Company name] is to ensure that the information security policy adheres to the following conditions for purposes of complying with the mandated organizational security requirements set forth and approved by management:

Roles and Responsibilities

The following roles and responsibilities are to be developed and subsequently assigned to authorized personnel within [company name] regarding information security practices:

- Chief Technology Officer (CTO) / Chief Information Officer (CIO): Responsibilities include providing overall direction, guidance, leadership and support for the entire information systems environment, while also assisting other applicable personnel in their day-to-day operations. The CTO/CIO is to report to other members of senior management on a regular basis regarding all aspects of the organization's information systems posture.

- Director of Information Technology / Senior Information Security Officer: Responsibilities likewise include providing overall direction, guidance, leadership and support for the entire information systems environment and assisting other applicable personnel in their day-to-day operations, along with researching and developing information security standards for the organization as a whole. This requires extensive identification of industry benchmarks, standards, and frameworks that the organization can use for provisioning, hardening, securing, and locking down critical system components. Having researched such standards, the senior security officer is then to oversee the establishment of a series of baseline configuration standards covering, but not limited to, the following system components: network devices, operating systems, applications, internally developed software and systems, and other relevant hardware and software platforms. Because baseline configurations can and will change, this individual is also to update the applicable configurations, documenting all modifications and enhancements as required.

Additional duties of the Director of Information Technology / Senior Information Security Officer include the following:

  o Responsibility for all major facets of information technology throughout the organization, such as management and recommendations as necessary
  o Providing leadership, direction and guidance for current and existing projects
  o Overseeing the development of all applicable operational, business-specific, and information security policies, procedures, forms, checklists, templates, provisioning and hardening documents and other necessary material
  o Overseeing initiatives for developing internal Requests for Proposals (RFPs), along with answering RFPs for services from the organization
  o Assisting in developing the annual information technology budget
  o Displaying integrity, honesty, and independence at all times
  o Supporting the Director of Information Technology / Senior Information Security Officer and other members of senior management as necessary

- Network Engineer / Systems Administrator: Responsibilities include actually implementing the baseline configuration standards for all in-scope system components. This requires obtaining a current and accurate asset inventory of all such systems, assessing their initial posture against the stated baseline, and then undertaking the necessary configuration. Because of the complexity and depth often involved in such activities, numerous personnel designated as Network Engineers / Systems Administrators are often involved. Furthermore, these individuals are also responsible for monitoring compliance with the stated baseline configuration standards and reporting to senior management all instances of non-compliance and the efforts undertaken to correct them. Additionally, because these individuals undertake the majority of the operational and technical procedures for the organization, it is critical to highlight other relevant duties, such as the following:

  o Assessing and analyzing baseline configuration standards to ensure they meet the intent and rigor required for the overall safety and security (both logical and physical) of critical system components
  o Ensuring the asset inventory for all in-scope system components is in fact kept current and accurate
  o Ensuring that network topology documents are also kept current and accurate
  o Facilitating requests for validation of baseline configurations for purposes of regulatory compliance assessments and audits, such as those for PCI compliance, SSAE 16 reporting, HIPAA, FISMA, GLBA, etc.

Table of Contents

- Critical Business Information
- Business Continuity and Disaster Recovery Planning (BCDRP) Personnel
- Additional Personnel
- Meeting Information
- Potential Hazards
- Critical Organizational Assets: Information Systems
- Organizational Assets Matrix
- Critical Organizational Assets: Prioritization of Critical Applications and Data
- Critical Organizational Assets: Personnel
- Critical Organizational Assets: Facilities
- Critical Organizational Assets: Equipment
- Critical Organizational Assets: Other
- Critical Operations
- Critical Third Party Entities
- Data Safety and Recovery Initiatives
- Alternate Locations
- Critical Recovery Location Supplies List
- Miscellaneous Recovery Location Supplies List
- Employees and Workforce Members Notification Procedures
- Testing Procedures
- Insurance Information
- Appendix A: Emergency Mode Operation Plan
- Appendix B: Testing and Revision Procedures
- Appendix C: Applications and Data Criticality Analysis

Overview

Business Continuity and Disaster Recovery Planning (BCDRP) refers to an organization's ability to plan effectively for, and recover from, a disaster or other unexpected event, ultimately resuming operations as necessary. While there are numerous terms and phrases that encompass the broader subject of BCDRP, with countless organizations, industry associations, and best practices advocated, they all illustrate a consistent theme: properly planning for the unexpected and aiming to recover as quickly and comprehensively as possible.

A comprehensive BCDRP template should include, at a minimum, the following elements:

- Critical Business Information
- Business Continuity and Disaster Recovery Planning (BCDRP) Personnel
- Additional Personnel
- Meeting Information
- Potential Hazards
- Critical Organizational Assets: Information Systems
- Organizational Assets Matrix
- Critical Organizational Assets: Prioritization of Critical Applications and Data
- Critical Organizational Assets: Personnel
- Critical Organizational Assets: Facilities
- Critical Organizational Assets: Equipment
- Critical Organizational Assets: Other
- Critical Operations
- Critical Third Party Entities
- Data Recovery Initiatives
- Alternate Locations
- Critical Recovery Location Supplies List
- Miscellaneous Recovery Location Supplies List
- Employees and Workforce Members Notification Procedures
- Testing Procedures
- Insurance Information
- Appendix A: Emergency Mode Operation Plan
- Appendix B: Testing and Revision Procedures
- Appendix C: Applications and Data Criticality Analysis

Critical Business Information

Primary Business Location
- Business Name
- Street Address
- City, State, Zip Code
- Telephone Number
- Primary Point of Contact
- Primary Emergency Contact
- Telephone Number
- Alternate Telephone Number
- E-mail Address

Secondary Business Location(s)
- Business Name
- Street Address
- City, State, Zip Code
- Telephone Number
- Secondary Point of Contact
- Secondary Emergency Contact
- Telephone Number
- Secondary Telephone Number
- E-mail Address

Emergency Contact Information
- Non-emergency Police
- Non-emergency Fire
- Insurance Provider
- Electricity Provider
- Gas Provider
- Water Provider
- Other (e.g., equipment manufacturer)
- Other (e.g., property management)
- Other (e.g., spill clean-up)
- Other (e.g., property security)
- Other (e.g., IT support contractor)
- Other (e.g., bank agent)
- Other
- Other
- Other
- Other

Fraud Policy and Procedure Manual

About this Document

Congratulations, you have just received the most in-depth and comprehensive Fraud Policy and Procedure Manual available today, compliments of pcipolicyportal.com. Developed by industry leaders in the field of fraud detection and prevention, this document provides all the policy, procedural and other supporting documentation necessary for developing and implementing a comprehensive fraud program within your organization.

To make navigation easier, the headings in the Table of Contents are hyperlinked to their corresponding sections in the text. You can also avoid time-consuming reverse scrolling by pressing [Ctrl+G, iii, Enter] from any point to return to the Table of Contents page. Every table throughout the document is a customizable template intended to be adapted to your purposes. Information italicized in red serves as an example to assist you and give you ideas on how to complete the various tasks successfully.

TABLE OF CONTENTS

INTRODUCTION
- Overview

DEFINITION OF FRAUD

EXAMPLES OF COMMON FRAUDULENT SCHEMES
- Pyramid Schemes
- Ponzi Schemes