Castleforce IT Security Team

Implement Strong Access Control Measures

Requirement 9 Restrict physical access to cardholder data

Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.

9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

  • 9.1.1 Use video cameras or other access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.
  • 9.1.2 Restrict physical access to publicly accessible network jacks.
  • 9.1.3 Restrict physical access to wireless access points, gateways, and handheld devices.

9.2 Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible.

9.3 Make sure all visitors are handled as follows:

  • 9.3.1 Authorized before entering areas where cardholder data is processed or maintained
  • 9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees
  • 9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration

9.4 Use a visitor log to maintain a physical audit trail of visitor activity. Document the visitor’s name, the firm represented, and the employee authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.

9.5 Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.

9.6 Physically secure all paper and electronic media that contain cardholder data.

9.7 Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data, including the following:

  • 9.7.1 Classify the media so it can be identified as confidential.
  • 9.7.2 Send the media by secured courier or other delivery method that can be accurately tracked.

9.8 Ensure management approves any and all media containing cardholder data that is moved from a secured area (especially when media is distributed to individuals).

9.9 Maintain strict control over the storage and accessibility of media that contains cardholder data.

  • 9.9.1 Properly maintain inventory logs of all media and conduct media inventories at least annually.

9.10 Destroy media containing cardholder data when it is no longer needed for business or legal reasons as follows:

  • 9.10.1 Shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed.
  • 9.10.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.

Access Control

Wallix AdminBastion and LogBastion. Wallix AdminBastion allows you to control the access of your IT service providers, whether internal or external, privileged accounts and high-risk users. You can also record their work sessions and view them as and when needed (audit, incident, etc.). With WAB, you can easily manage IT team turnover without running the risk of granting access to your critical servers to individuals who are no longer authorised.

  • Session recording
  • SSH flow analysis
  • Access control
  • Real-time supervision

Single Sign On (SSO)

Imprivata Single Sign-On OneSign appliance. Imprivata OneSign Single Sign-On provides a single action of user authentication permitting users to access all workstations and applications they are authorized to use. Password-related calls to the IT helpdesk are virtually eliminated by centrally managing each user’s complete collection of application passwords and extending seamless and convenient single sign-on to any enterprise application.

Contact Castleforce for help with PCI DSS

PCI DSS Core Principles

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organised:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Requirement 12: Maintain a policy that addresses information security

Wireless LAN (WLAN) Security

Aruba Networks secure wireless LAN products and services. Aruba's integrated policy-enforcement firewall, high-security encryption, standards-based authentication, wireless intrusion detection/prevention, and compliance audit reporting assistance meet or exceed the wireless LAN-specific security requirements in PCI DSS. Merchants using an Aruba solution can cost-effectively implement the security controls required for PCI compliance without compromising the performance of business applications or upgrading legacy networks.

Extricom Wireless LAN infrastructure. The Extricom WLAN product family is purpose-built to deliver robust, reliable connectivity. Extricom innovation makes the All-Wireless Enterprise possible by delivering voice (VoWLAN), data, video, and location services with an always-on, consistent, and mobile Wi-Fi connection to any client, in any environment.

9.1.3 Restrict physical access to wireless access points, gateways, and handheld devices.

Destroy media

Verity Systems Degaussers & Tape Erasers. A degausser is a piece of equipment which uses an electromagnet to erase or wipe data from magnetic media such as audio and video tape, computer storage tapes and even computer hard drives. Degaussers are often referred to as tape erasers or hard drive erasers.

SV91M CESG Security Degausser

If you need to securely erase a range of magnetic media, including high-density metal tapes, cassettes and hard drives, then the SV91M CESG-approved security degausser is the choice of organisations around the world to comply with their data destruction policies.

SV90 CESG Approved Degausser

The SV90 Security Degausser performs automatic erasure of high-density magnetic media by applying a highly focused magnetic field created by Verity Systems' exclusive multi-axis 'pole tip' design.