PCI DSS 3.2 and SQL Server - By Grant Carter Part 3: Monitor, Test, and Maintain

Terms Used in This Post

·        I/O – Input/Output

·        MSP – Managed Service Provider

·        RCA – Root Cause Analysis

Identify and authenticate access to system components

User activity must be tracked and logged in an effort to prevent or reduce the risk of having PCI data compromised.  This section provides guidance about auditing, logging, alerting, and analysis of user activity in a PCI system and identifying unauthorized access to PCI related data and infrastructure.

Requirement 10: Track and monitor all access to network resources and cardholder data

·        All access to PCI system components must be audited for each individual user

·        Automated audit trails must include the following audit events: https://technet.microsoft.com/en-us/library/cc280386%28v=sql.110%29.aspx?f=255&MSPPError=-2147217396

o   Individual user access to PCI data

o   All actions taken by any administrative user

o   Any time audit data is accessed

o   Failed access attempts

o   Any identification or authorization changes

o   Any time the audit logs are started, stopped, or paused

o   Creation, modification and deletions of system level objects

·        Audit trails must include the following data:

o   User identification

o   Type of event

o   Date and time event occurred

o   Success or failure of event

o   Origination of event

o   The name of the impacted system, resource, data, or component

·        Time synchronization must synchronize all system clocks to ensure timestamp data is accurate

o   Time data must be protected

o   Time settings must originate from industry trusted sources

·        Audit trails must be secured - https://msdn.microsoft.com/en-us/library/cc280386.aspx

o   Audits should only be viewable by those who need to view them as a job function

o   Do not allow audit trails to have unauthorized modifications

o   Backup audit trails to a central log server or media that is difficult to alter

o   Write logs for external-facing technologies onto a secure, centralized internal log server or media device

o   Use file integrity or change detection software on logs to ensure that log data cannot be changed

o   Review logs and security events for all PCI components for suspicious activity.

·        Review the following at a minimum daily

o   All security events

o   Logs of all PCI system components

o   Logs of all PCI components that perform security functions

·        Audit logs periodically based on the security policies and risk management policies

·        Follow up on anomalies identified during the review process

·        Retain audit trail history for at least one year with a minimum of three months of that being available for immediate analysis.

·        For service providers: there must be a process for the detection and reporting of failures of any of the following critical security controls.  This is required starting January 31, 2018.

o   Firewalls

o   IDS/IPS

o   FIM

o   Anti-virus

o   Physical access controls

o   Logical access controls

o   Audit logging mechanisms

o   Segmentation controls (if used)

·        Starting January 31, 2018, service providers must respond to any failure of security controls in a timely manner.  These processes must include:

o   Restoring security functions

o   Identifying and documenting the duration (date and time start to end) of the security failure

o   Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause

o   Identifying and addressing any security issues that arose during the failure

o   Performing a risk assessment to determine whether further actions are required as a result of the security failure

o   Implementing controls to prevent cause of failure from reoccurring

o   Resuming monitoring of security controls

·        Ensure all security policies and operational procedures for monitoring access to PCI data are documented, well known by all individuals working with PCI data, and maintained with changes made to PCI systems.
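The audit-event and audit-data lists above map directly onto SQL Server Audit action groups. The T-SQL below is an added example, not code from the original post: it assumes a SQL Server 2012 or later instance, a constructed audit folder D:\AuditLogs\ whose NTFS permissions are limited to the SQL Server service account and the log-review group, and a hypothetical CardholderDB database holding cardholder data in dbo.CardholderData.

```sql
-- Added example, not from the original post. Assumed names: D:\AuditLogs\
-- (constructed), database CardholderDB, table dbo.CardholderData.
-- 1. Audit target. ON_FAILURE = SHUTDOWN fails closed when the log cannot be
--    written; FAIL_OPERATION is the less disruptive alternative.
CREATE SERVER AUDIT PCI_Audit
TO FILE (FILEPATH = 'D:\AuditLogs\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = UNLIMITED)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
-- 2. Server-level events: all logins (individual access), failed access,
--    identity/authorization changes, audit start/stop/pause
--    (AUDIT_CHANGE_GROUP), and system-level object changes.
CREATE SERVER AUDIT SPECIFICATION PCI_Server_Spec
FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (AUDIT_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_CHANGE_GROUP),
    ADD (SERVER_OPERATION_GROUP)
WITH (STATE = ON);
GO
-- 3. Database-level events: every read/write of cardholder data by any
--    principal (BY public), plus schema, principal, role and permission changes.
USE CardholderDB;
GO
CREATE DATABASE AUDIT SPECIFICATION PCI_CHD_Spec
FOR SERVER AUDIT PCI_Audit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.CardholderData BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO
-- 4. Daily review: failed events and audit start/stop/pause (action_id AUSC,
--    AUDIT SESSION CHANGED) in the last 24 hours. event_time is stored in UTC.
--    Columns cover user, event type, time, outcome, origin and object name.
SELECT event_time, action_id, succeeded, session_server_principal_name,
       server_principal_name, server_instance_name, database_name,
       schema_name, object_name, statement
FROM sys.fn_get_audit_file('D:\AuditLogs\*.sqlaudit', DEFAULT, DEFAULT)
WHERE event_time >= DATEADD(DAY, -1, SYSUTCDATETIME())
  AND (succeeded = 0 OR action_id = 'AUSC')
ORDER BY event_time;
```

Forwarding the .sqlaudit files (or the output of step 4) to the central log server with file integrity monitoring satisfies the "audit trails must be secured" items above; the one-year retention requirement applies to those copies, not only to the files on the SQL Server host.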

Requirement 11: Maintain a Vulnerability Management Program

·        Implement processes to test for the existence of wireless access points both authorized and unauthorized at a minimum quarterly

o   Maintain a fully documented inventory of authorized wireless access points. 

o   Create operational incident management response procedures for when unauthorized access points are detected.

·        Perform network vulnerability scans at a minimum quarterly or after any significant network change is implemented.  For Microsoft products, https://technet.microsoft.com/en-us/security/cc184924.aspx.  This includes

o   Addition of new system components (for example, enabling additional components such as SSRS or SSAS on a PCI system, or adding SQL Server Engine features such as Service Broker, linked servers, or AlwaysOn Availability Groups)

o   Changes in the network structure

o   Changes to firewalls or firewall rules - https://technet.microsoft.com/en-us/library/cc754274(v=ws.11).aspx

o   Software upgrades to existing infrastructure – This includes SQL Server Service Packs and Cumulative Updates

o   Quarterly, have an approved external vendor perform vulnerability scans.  If items are detected, resolve them and rescan until all outstanding issues are fixed.

·        Implement penetration testing procedures which:

o   Are based on industry-accepted penetration testing approaches (for example, NIST SP800-115)

o   Include coverage for the entire PCI infrastructure perimeter and critical systems

o   Include testing from both inside and outside the network.  Testing must be performed at a minimum annually or whenever a significant change is made to the infrastructure or application.

o   Include testing to validate any segmentation and scope-reduction controls

o   Define application-layer penetration tests.

o   Define network-layer penetration tests to include components that support network functions as well as operating systems

o   Include review and consideration of threats and vulnerabilities experienced in the last 12 months

o   Specify retention of penetration testing results and remediation activity results.

o   Require that any vulnerabilities found are corrected and penetration testing repeated until all identified vulnerabilities are remediated

·        Intrusion-detection and prevention processes must be used to prevent unauthorized network access.   Monitor for any compromise of the PCI environment and respond in accordance with documented security processes.

o   While not called out specifically in the PCI specification, it is best practice to periodically test the procedures for managing encryption.  This includes performing regular disaster recovery drills to test that the encryption management processes work.  Document the names of the individuals performing the test along with any test output as validation that the testing was successful.

·        Components that change should be monitored and audited for change.  Weekly processes should identify changes made and validate that the changes were valid.  If not valid, then personnel should be alerted and respond in accordance with documented security processes.

·        Ensure all security policies and operational procedures for monitoring access to PCI data are documented, well known by all individuals working with PCI data, and maintained with changes made to PCI systems.

Maintain an Information Security Policy

PCI systems should have strong security policies and procedures in an effort to reduce the risk of the disclosure of data.  This section calls out the requirements needed in creating, maintaining, and following these security policies.  All personnel who develop for, manage, test, or audit PCI systems should be fully aware of these policies.  As security policies and procedures change, any updates should be documented and clearly communicated to all relevant personnel.

Requirement 12: Maintain a policy that addresses information security for all personnel.

·        Ensure all security policies and operational procedures for monitoring access to PCI data are documented, well known by all individuals working with PCI data, and maintained with changes made to PCI systems.

o   The security policy must be reviewed and updated at a minimum annually.

·        Risk assessment processes must be implemented that do the following:

o   Performed annually or upon significant PCI environment changes

o   Identifies critical components, threats, and risks

o   For each threat or risk, there must be a formal documented analysis

·        Define usage policies that document the proper usages of PCI related resources, data, and infrastructure

o   Usage must be formally approved through a documented approval process.

o   Authentication for use of the related PCI infrastructure and data.

o   A list of all PCI devices and infrastructure with the personnel who have access.

o   A process for determining the owner, contact information, and purpose for a PCI related device.

o   Acceptable usage of PCI infrastructure and data

o   A list of approved network locations for PCI infrastructure, PCI data, and access to that data.

o   A list of approved products, software, and devices

o   Automatic disconnect of remote access sessions after a period of inactivity.

o   Remote access should only be provided to partners or vendors for the period of time in which access is required.  The access should be deactivated after the need for access is completed.

o   For individuals accessing PCI systems or components, copying, modifying, or storing PCI data on devices or removable media that are not approved must be prohibited.

·        For service providers, effective January 31, 2018, executive management must establish responsibility for the protection of PCI data and compliance that includes:

o   Accountability for maintaining PCI compliance

o   Creating and defining a charter for a PCI compliance program with communication to executive management.

·        Assign to at least one individual or a PCI security team responsibilities that include:

o   Create, document, distribute, and enforce security policies and processes.

o   Monitor and analyze security alerts

o   Manage the security incident response process and escalations for all security related situations.

o   Administer user accounts.

o   Monitor and control all access to PCI related data.

·        Implement security process and procedure training programs to ensure all personnel are aware of the security policies and procedures.  Personnel must acknowledge the completion of all training and of modifications to security policy and procedure as they occur.

·        Develop and implement policies that govern managed service providers who have access to or share PCI data

o   A list of MSPs that must include a description of the service they provide

o   Maintain all written agreements with MSPs.  Written agreements must include wording that is clear that the MSP is responsible for the security of PCI data in their possession, under their control, or part of their access.

o   All engagements with MSPs must have adequate due diligence prior to entering into the engagement.

o   All MSPs' compliance must be formally reviewed at a minimum annually.

o   Document which PCI requirements are managed by the company and which ones are managed by the MSP.

o   If there are additional requirements for an MSP, those requirements must be acknowledged in writing by the MSP.

·        Implement and maintain an incident response plan in the event of a PCI system compromise.  This plan must include immediate response processes to prevent further PCI data disclosure once the compromise is identified.  The following must be identified:

o   Roles, responsibilities, contact, and communication strategies in the event of a compromise. 

o   Specific procedures

o   Business recovery and continuity processes

o   Data backup and recovery procedures

o   Identification of legal requirements for disclosing a PCI data compromise.

o   Individuals responsible for coverage of all system components during an incident

o   Reference or inclusion of incident response procedures from the payment brands.

o   Review and test the plan at a minimum annually.

o   Identify personnel who are available 24/7/365 to respond to alerts.

o   Provide training to staff in the event of an incident

o   Include all alerts from PCI monitoring systems

o   Create a process to modify and update the incident response plan as business needs evolve and the PCI system changes

o   Develop an RCA process that identifies gaps that led to the incident and identifies lessons learned that can be implemented to prevent future incidents.

·        Starting January 31, 2018, all service providers must:

o   Perform daily log reviews.

o   Perform regular firewall reviews.

o   Respond to security alerts in a timely fashion.

o   Update all management and security processes as needed.

·        Starting January 31, 2018, all service providers must maintain documentation of the quarterly review process, including:

o   Documenting the results of the reviews

o   Review and sign-off of results by personnel assigned responsibility for the PCI compliance program

Completely Off Topic:

Obscure Item of History

The Zanzibar Sultanate was a territory ruled by the Sultan of Zanzibar.  It existed in what is now modern-day Kenya.  It was a sovereign nation that existed between 1856 and 1964.  The Anglo-Zanzibar War, fought between the United Kingdom and the Zanzibar Sultanate on August 27, 1896, lasted between 38 and 45 minutes, making it the shortest war ever fought in history.

Grant Carter is a Senior Premier Field Engineer for Microsoft based in Boise, Idaho.

Email: grant.carter@microsoft.com