cyber security unit 5

Upload: amit-srivastava

Post on 07-Jul-2018


  • 8/18/2019 Cyber Security Unit 5

UNIT 5

Security Assurance Approaches

Today's world requires that digital data be accessible, dependable and protected from misuse. Unfortunately, this need for accessible data also exposes organisations to a variety of new threats that can affect their information. Organisations often invest huge resources in protecting their IT infrastructure without assessing the risks to their critical information, failing to realise that the primary objective is to protect mission-critical information rather than the infrastructure itself.

Organisations deploy established information security control frameworks as business needs and regulatory requirements become pressing. Most of these frameworks have evolved from industry best practices and recommend an information security risk assessment, aligned to the organisation's risk management framework, as one of the control objectives. The challenge enterprises face today is adopting a robust, process-oriented information security risk assessment framework to comply with that control objective.

1. The Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)

The OCTAVE approach is one such framework: it enables organisations to understand, assess and address their information security risks from the organisation's own perspective. OCTAVE is not a product; it is a process-driven methodology to identify, prioritise and manage information security risks. It is intended to help organisations:

• Develop qualitative risk evaluation criteria based on operational risk tolerances

• Identify assets that are critical to the mission of the organisation

• Identify vulnerabilities and threats to the critical assets

• Determine and evaluate potential consequences to the organisation if threats are realised

• Initiate corrective actions to mitigate risks and create a practice-based protection strategy

The OCTAVE approach was developed by the Software Engineering Institute (SEI) at Carnegie Mellon University to address the information security compliance challenges faced by the US Department of Defense (DoD). SEI is a US federally funded research and development centre sponsored by the DoD.

The OCTAVE Method

The OCTAVE Method has been designed for large organisations with a multi-layered hierarchy that maintain their own computing infrastructure. The organisational, technological and analysis aspects of an information security risk evaluation are undertaken in a three-phase approach comprising eight processes (figure 3):


• Phase 1: Build asset-based threat profiles (organisational evaluation). The analysis team determines critical assets and what is currently being done to protect them. The security requirements for each critical asset are then identified. Finally, the organisational vulnerabilities in existing practices and the threat profile for each critical asset are established.

• Phase 2: Identify infrastructure vulnerabilities (technological evaluation). The analysis team identifies network access paths and the classes of IT components related to each critical asset. The team then determines the extent to which each class of component is resistant to network attacks and establishes the technological vulnerabilities that expose the critical assets.

• Phase 3: Develop security strategy and mitigation plans (strategy and plan development). The analysis team establishes the risks to the organisation's critical assets based on analysis of the information gathered and decides what to do about them. The team creates a protection strategy for the organisation and mitigation plans to address the identified risks. The team also determines the 'next steps' required for implementation and gains senior management's approval of the outcome of the whole process.


2. COBIT (Control Objectives for Information and related Technologies)

COBIT is a methodology for evaluating a company's IT function that was first published in 1996 by the IT Governance Institute and ISACA (Information Systems Audit and Control Association, represented in France by the AFAI, the French Association of Audit and IT Advice).

The approach is based on a process benchmark, key goal indicators (KGIs) and key performance indicators (KPIs) that are used to monitor the processes, collecting data the company can use to reach its goals.

COBIT puts forward 34 processes organised in 4 larger functional areas (domains) that cover 318 goals:

• Planning & Organisation

• Acquire & Implement

• Deliver & Support

• Monitor

SECURITY OF IT SYSTEMS

In computer security, intrusion detection refers to the process of monitoring computer and network activities and analysing those events to look for signs of intrusion into your systems. The point of looking for unauthorised intrusions is to alert IT professionals and system administrators within your organisation to potential system or network security threats and weaknesses.

IDS — A Passive Security Solution

An intrusion detection system (IDS) is designed to monitor all inbound and outbound network activity and identify any suspicious patterns that may indicate a network or system attack by someone attempting to break into or compromise a system. An IDS is considered a passive monitoring system, since its main function is to warn you of suspicious activity taking place, not to prevent it. An IDS essentially reviews your network traffic and data and will identify probes, attacks, exploits and other vulnerabilities. An IDS can respond to a suspicious event in one of several ways, including displaying an alert, logging the event or paging an administrator. In some cases the IDS may be configured to reconfigure the network (for example, by pushing a blocking rule to a firewall) to reduce the effects of the suspected intrusion.

An IDS specifically looks for suspicious activity and events that might be the result of a virus, worm or hacker. This is done by looking for known intrusion signatures or attack signatures that characterise different worms or viruses, and by tracking general variances from regular system activity. Signature matching can only notify you of attacks that are already known and documented; catching anything else is the job of the anomaly-based techniques described below, at the cost of more false alarms.

The term IDS covers a large variety of products, all of which produce the same end result: detecting intrusions. An IDS solution can range from freely distributed open source programs to much more expensive commercial vendor solutions. Additionally, some IDSs consist of both software applications and hardware appliances or sensor devices that are installed at different points along your network.

Misuse Detection vs. Anomaly Detection

In misuse detection, the IDS analyses the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, detection software is only as good as the database of intrusion signatures it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol mix and typical packet size. The anomaly detector monitors network segments, compares their state to the normal baseline and looks for deviations.
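The following is an added example, not part of the original notes, that runs both detection styles over a handful of constructed web-server access-log lines. The log lines, the two signatures and the baseline response sizes are all made up for the illustration. It shows what the text describes but does not make visible: the signature engine catches the documented attack strings and nothing else, while the anomaly engine catches the statistical outliers, including the oversized upload that matches no signature, but passes the injection attempt whose response size looked normal.

```python
import re
import statistics

# Constructed sample access log (not from the original page). Two lines carry
# documented attack patterns; one carries an unusually large response.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2018:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [12/Jul/2018:10:01:03 +0000] "GET /about HTTP/1.1" 200 498
10.0.0.9 - - [12/Jul/2018:10:01:04 +0000] "GET /login?user=admin'%20OR%201=1-- HTTP/1.1" 200 530
10.0.0.5 - - [12/Jul/2018:10:01:05 +0000] "GET /contact HTTP/1.1" 200 505
203.0.113.4 - - [12/Jul/2018:10:01:06 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 300
10.0.0.7 - - [12/Jul/2018:10:01:07 +0000] "GET /products HTTP/1.1" 200 520
10.0.0.5 - - [12/Jul/2018:10:01:08 +0000] "POST /upload HTTP/1.1" 200 98000
"""

# Response sizes observed during a quiet period: the administrator-defined
# "normal" state the anomaly detector compares against (constructed values).
BASELINE_SIZES = [512, 498, 505, 520, 530, 515]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Misuse detection: a small "signature database" of documented attack patterns.
# Anything not listed here is invisible to this engine.
SIGNATURES = {
    "sql-injection": re.compile(r"'(%20|\+|\s)*or(%20|\+|\s)+1=1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def parse_log(text):
    """Turn raw log lines into dicts; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def misuse_detect(entries):
    """Signature matching: (ip, request, signature_name) for every documented pattern seen."""
    hits = []
    for e in entries:
        for name, pattern in SIGNATURES.items():
            if pattern.search(e["req"]):
                hits.append((e["ip"], e["req"], name))
    return hits


def anomaly_detect(entries, baseline_sizes, k=3.0):
    """Baseline comparison: flag responses whose size lies more than k standard
    deviations from the mean of the baseline period."""
    mean = statistics.mean(baseline_sizes)
    sd = statistics.pstdev(baseline_sizes)
    return [(e["ip"], e["size"]) for e in entries if abs(e["size"] - mean) > k * sd]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, req, sig in misuse_detect(entries):
        print(f"SIGNATURE {sig:<15} {ip:<12} {req}")
    for ip, size in anomaly_detect(entries, BASELINE_SIZES):
        print(f"ANOMALY   size={size:<8} {ip}")
```

The traversal line is flagged by both engines (its 404 response is also far smaller than the baseline), which is the usual picture in practice: the two approaches overlap on noisy attacks and differ on the quiet ones.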

Passive vs. Reactive Systems

In a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.

Network-based vs. Host-based IDS

Intrusion detection systems are network-based or host-based solutions. Network-based IDS systems (NIDS) are often standalone hardware appliances that include network intrusion detection capabilities. They usually consist of hardware sensors located at various points along the network, or software installed on computers connected to your network, which analyse data packets entering and leaving the network. Host-based IDS systems (HIDS) run on the monitored host itself and do not offer true real-time detection, but if configured correctly they come close to it.

IPS — AN ACTIVE SECURITY SOLUTION

An IPS, or intrusion prevention system, is the next level of security technology, with the capability to provide security at all system levels, from the operating system kernel to network data packets. It provides policies and rules for network traffic along with IDS-style alerting of system or network administrators to suspicious traffic, but also lets the administrator define the action to take when an alert fires. Where an IDS informs of a potential attack, an IPS attempts to stop it. Another large step beyond IDS is that an IPS can block not only known intrusion signatures but also some unknown attacks, thanks to its database of generic attack behaviours. Because an IPS sits inline, a false positive does not merely raise an alert but blocks legitimate traffic, so prevention rules are normally tuned more conservatively than detection rules. Thought of as a combination of an IDS and an application-layer firewall, the IPS is generally considered to be the "next generation" of IDS.

Currently there are two types of IPS, similar in nature to the two types of IDS: host-based intrusion prevention systems (HIPS) and network-based intrusion prevention systems (NIPS).

Network-based vs. Host-based IPS

Host-based intrusion prevention systems are used to protect both servers and workstations through software that runs between your system's applications and the OS kernel. The software is preconfigured with protection rules based on intrusion and attack signatures. The HIPS will catch suspicious activity on the system and then, depending on the predefined rules, either block or allow the event. A HIPS monitors activities such as application or data requests, network connection attempts, and read or write attempts, to name a few.

Network-based intrusion prevention systems (often called inline prevention systems) are a solution for network-based security. A NIPS intercepts all network traffic and monitors it for suspicious activity and events, either blocking the requests or passing them along if they are deemed legitimate traffic. Network-based IPSs work in several ways. Usually package- or software-specific features determine how a specific NIPS solution works, but generally you can expect it to scan for intrusion signatures, search for protocol anomalies, detect commands not normally executed on the network, and more.

FIREWALLS

A firewall is a system designed to prevent unauthorised access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both.

How are Firewalls Used?

Firewalls are frequently used to prevent unauthorised Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Hardware and Software Firewalls

Firewalls can be either hardware or software, but the ideal firewall configuration will consist of both. In addition to limiting access to your computer and network, a firewall is also useful for allowing remote access to a private network through secure authentication certificates and logins.

Hardware firewalls can be purchased as stand-alone products but are also typically found in broadband routers, and should be considered an important part of your system and network set-up. Most hardware firewalls have a minimum of four network ports to connect other computers; for larger networks, business networking firewall solutions are available.

Software firewalls are installed on your computer (like any software) and can be customised, allowing you some control over their function and protection features. A software firewall protects your computer from outside attempts to control or gain access to it.

COMMON FIREWALL TECHNIQUES

Firewalls are used to protect both home and corporate networks. A typical firewall program or hardware device filters all information coming through the Internet to your network or computer system. There are several types of firewall techniques that will prevent potentially harmful information from getting through:

Packet Filter

Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure correctly. In addition, because a stateless filter trusts the source address in the packet header, it is susceptible to IP spoofing unless packets arriving from the outside with internal source addresses are explicitly dropped.


Application Gateway

Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.

Circuit-level Gateway

Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

Proxy Server

Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

In practice, many firewalls use two or more of these techniques in concert. A firewall is considered a first line of defence in protecting private information. For greater security, data can be encrypted.
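The following added example (not from the original notes) simulates two of the techniques above so their difference can be seen on concrete packets: a stateless packet filter with a first-match rule table and default deny, including the ingress check that defeats the IP-spoofing weakness noted under Packet Filter, and a circuit-level layer on top of it that consults the rules only at connection set-up and afterwards forwards packets of admitted connections in either direction. The addresses, interface names and rules are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "wan" (Internet side) or "lan"
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag set (new connection attempt)
    ack: bool = False   # TCP ACK flag set


# Assumed private address space behind the firewall.
INTERNAL = ip_network("10.0.0.0/8")

# Stateless rule table: (iface, proto, source net, destination net, dest port, action).
# First matching rule wins; the last rule is the default deny.
RULES = [
    ("lan", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443, "allow"),    # outbound HTTPS
    ("lan", "udp", "10.0.0.0/8", "10.0.0.53/32", 53, "allow"),  # DNS to the internal resolver
    ("wan", "tcp", "0.0.0.0/0", "10.0.0.80/32", 80, "allow"),   # inbound web traffic to one host
    ("any", "any", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),     # default deny
]


def rule_matches(rule, pkt):
    iface, proto, src_net, dst_net, dport, _ = rule
    return (
        iface in ("any", pkt.iface)
        and proto in ("any", pkt.proto)
        and ip_address(pkt.src) in ip_network(src_net)
        and ip_address(pkt.dst) in ip_network(dst_net)
        and (dport is None or dport == pkt.dport)
    )


def stateless_filter(pkt):
    """Packet filter: judge each packet on its own header fields."""
    # Anti-spoofing ingress check: a packet from the Internet side must not claim
    # an internal source address. Without this, a rule that trusts 10.0.0.0/8 is
    # trivially bypassed by forging the source field.
    if pkt.iface == "wan" and ip_address(pkt.src) in INTERNAL:
        return "deny:spoofed-source"
    for rule in RULES:
        if rule_matches(rule, pkt):
            return rule[-1]
    return "deny"


class StatefulFilter:
    """Circuit-level gateway behaviour: the rule table is consulted only when a
    connection is set up; afterwards packets of that connection (in either
    direction) pass without further rule checks, and stray mid-stream packets
    that belong to no known connection are dropped."""

    def __init__(self):
        self.connections = set()

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt):
        if self._key(pkt) in self.connections or self._reverse_key(pkt) in self.connections:
            return "allow:established"
        # Only a TCP SYN (without ACK) may open a connection; a bare ACK for an
        # unknown connection is what an ACK scan sends to probe a stateless filter.
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "deny:no-connection"
        verdict = stateless_filter(pkt)
        if verdict == "allow":
            self.connections.add(self._key(pkt))
        return verdict


if __name__ == "__main__":
    fw = StatefulFilter()
    flows = [
        Packet("lan", "tcp", "10.0.0.15", 50000, "93.184.216.34", 443, syn=True),  # client opens HTTPS
        Packet("wan", "tcp", "93.184.216.34", 443, "10.0.0.15", 50000, ack=True),  # server reply
        Packet("wan", "tcp", "10.0.0.99", 40000, "10.0.0.80", 80, syn=True),       # forged internal source
        Packet("wan", "tcp", "198.51.100.7", 40001, "10.0.0.80", 80, ack=True),    # ACK scan probe
        Packet("wan", "tcp", "198.51.100.7", 40002, "10.0.0.80", 22, syn=True),    # SSH from the Internet
    ]
    for p in flows:
        print(f"{p.iface:<3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  "
              f"stateless={stateless_filter(p):<20} stateful={fw.handle(p)}")
```

Two rows of the output make the point of the text: the server's reply to an outbound HTTPS connection is denied by the stateless table (no rule admits inbound traffic to an arbitrary client port) but passes the stateful layer as part of an established connection, while the bare ACK probe to the web host is accepted by the stateless table and dropped by the stateful layer because no connection was ever opened.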

WORLD-WIDE WEB SECURITY

There are many security issues related to the WWW. Within the scope of this section, we will only discuss the communications security aspect, both at the network and the application level, and the payment security aspect.

1. COMMUNICATIONS SECURITY

The communication between a web browser and a web server is secured by the SSL/TLS protocol. Historically, Secure Sockets Layer (SSL) was an initiative of Netscape Communications. SSL 2.0 contains a number of security flaws which are solved in SSL 3.0. SSL 3.0 was adopted by the IETF Transport Layer Security (TLS) working group, which made some small improvements and published the TLS 1.0 standard [9]. (Since then SSL 2.0 and SSL 3.0 have been prohibited outright by RFC 6176 and RFC 7568, and TLS 1.0 and 1.1 were deprecated by RFC 8996; current deployments should negotiate TLS 1.2 or TLS 1.3.)

'SSL/TLS' is used here because 'SSL' is the acronym everyone is familiar with; however, the use of TLS in applications is certainly preferred to the SSL protocols. Within the protocol stack, SSL/TLS sits underneath the application layer. It can in principle be used to secure the communication of any application, not only between a web browser and server. SSL/TLS provides entity authentication, data authentication and data confidentiality. In short, it works as follows: public-key cryptography is used to authenticate the participating entities and to establish cryptographic keys; symmetric-key cryptography is then used for encrypting the communication and adding Message Authentication Codes (MACs), providing data confidentiality and data authentication respectively. Thus SSL/TLS depends on a Public Key Infrastructure. Participating entities (usually only the server) must have a public/private key pair and a certificate. Root certificates (the certification authorities' certificates needed to verify the entities' certificates) must be securely distributed in advance (e.g., they are shipped with the browsers), and private keys must be properly protected. Note that these two elements, the distribution of root certificates in browsers and the protection of private keys, are among the weakest and most exploited points of WWW security. More detailed information on SSL/TLS, the security flaws in SSL 2.0, and the differences between SSL 3.0 and TLS 1.0 can be found in Rescorla.
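As an added example (not from the original notes), the PKI dependency described above is what decides whether a client is actually protected. Python's standard ssl module is used here to build a hardened client context beside the "just make the certificate error go away" configuration that is common in practice, together with a small audit function that reports what each one lacks. No network connection is made; the host name in the usage comment is an assumption.

```python
import ssl


def hardened_client_context(cafile=None):
    """Client context that relies on the PKI as described in the text: the server's
    certificate must chain to a trusted root (the system store, or the file given as
    cafile), its name must match the host we asked for, and the deprecated
    SSL 2.0/3.0 and TLS 1.0/1.1 versions are refused at negotiation time."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def naive_client_context():
    """What code that silences a certificate error usually ends up with: the channel
    is still encrypted, but nothing authenticates the far end, so anyone who can
    intercept the connection may present their own key pair and certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the weaknesses of a client context; an empty list means none of these apply."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified against trusted roots")
    if not ctx.check_hostname:
        findings.append("certificate name is not matched against the requested host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("deprecated protocol versions (SSL 3.0, TLS 1.0, TLS 1.1) can be negotiated")
    return findings


def protocol_floor(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


# Usage on a real connection (host is an assumed value; not executed here):
#   with socket.create_connection((host, 443)) as sock:
#       with hardened_client_context().wrap_socket(sock, server_hostname=host) as tls:
#           ...   # raises ssl.SSLCertVerificationError if the chain is untrusted
if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("naive", naive_client_context())):
        print(name, protocol_floor(ctx), audit_context(ctx) or ["no findings"])
```

On the server side the matching obligation is the one the text calls out as a weak point: the private key handed to load_cert_chain must be readable only by the service account, since anyone holding it can impersonate the server to every client that trusts the certificate.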

2. PAYMENT SECURITY

Although numerous electronic payment systems have been proposed that can be or are used on the WWW, including micro-payment systems and cash-like systems, most transactions on the web are paid using credit cards. Mostly, customers just have to send their credit card number to the merchant's web server. This is normally done 'securely' over SSL/TLS, but some serious problems remain. Users have to disclose their credit card number to each merchant, which contradicts the fact that the card number is the very secret on which the whole payment system is based (note that there is no electronic equivalent of the additional security mechanisms present in real-world credit card transactions, such as face-to-face interaction, physical cards and handwritten signatures). Even if the merchant is trusted and honest this is risky, as one can obtain huge lists of credit card numbers by hacking into trustworthy but less well protected merchants' web servers. Moreover, it is possible to generate fake but syntactically valid credit card numbers, which is of great concern to on-line merchants. Thus merchants bear the risk in card-not-present transactions.
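The claim above that fake but valid card numbers can be generated refers to the Luhn check digit that card numbers carry. The following added example (not from the original notes) implements the check, shows that completing any prefix with one digit yields a number that passes it, and, going a step beyond the text, masks a number to the first six and last four digits, the usual convention before a merchant stores or logs it. The card numbers used are publicly documented test numbers, not real accounts.

```python
def luhn_checksum(digits):
    """Luhn (ISO/IEC 7812) checksum over a string of digits: 0 means well-formed."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9           # same as summing the two digits of the product
        total += d
    return total % 10


def luhn_valid(pan):
    """The only check a merchant can run locally: right length and right checksum.
    Passing it says nothing about whether an account exists or has funds."""
    return pan.isdigit() and 12 <= len(pan) <= 19 and luhn_checksum(pan) == 0


def luhn_complete(prefix):
    """Append the one check digit that makes prefix pass luhn_valid. This is the
    whole of what 'generating a valid card number' amounts to."""
    for check in "0123456789":
        if luhn_checksum(prefix + check) == 0:
            return prefix + check
    raise AssertionError("unreachable: exactly one check digit always works")


def mask_pan(pan):
    """Keep first six (issuer) and last four digits; replace the rest with '*'.
    Masked values can be logged and displayed without exposing the secret."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    # Publicly documented test numbers (not real accounts).
    for pan in ("4111111111111111", "4111111111111112", "5500000000000004"):
        print(pan, "valid" if luhn_valid(pan) else "invalid", mask_pan(pan))
    forged = luhn_complete("411111111111111")   # fifteen digits chosen at will
    print("forged but well-formed:", forged, luhn_valid(forged))
```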

WIRELESS SECURITY

GSM and WAP are currently probably the two most popular and widely used wireless technologies. They are briefly presented in the following paragraphs.

GSM

GSM, the Global System for Mobile communications, is the currently very popular digital cellular telecommunications system specified by the European Telecommunications Standards Institute (ETSI). In short, GSM intends to provide three security services: temporary identities, for the confidentiality of the user identity; entity authentication, that is, verifying the identity of the user; and encryption, for the confidentiality of user-related data (note that data can be carried in a traffic channel, e.g., voice, or a signalling channel, e.g., SMS messages). Two caveats matter in practice: GSM authentication is one-way only, the network authenticates the subscriber but the handset cannot authenticate the network, which is what makes fake base stations possible; and the original A5/1 and A5/2 encryption algorithms have since been practically broken.

WAP

The Wireless Application Protocol (WAP) is a protocol stack for wireless communication networks. WAP is bearer independent; the most common bearer is currently GSM.

INFORMATION SECURITY AUDIT

An information technology audit, or information systems audit, is an examination of the management controls within an information technology (IT) infrastructure. The evaluation of the obtained evidence determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organisation's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, an internal audit, or another form of attestation engagement.

IT audits are also known as "automated data processing (ADP) audits" and "computer audits". They were formerly called "electronic data processing (EDP) audits".


An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organisation is adhering to standard accounting practices, the purpose of an IT audit is to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. Installing controls is necessary but not sufficient to provide adequate security. People responsible for security must consider whether the controls are installed as intended, whether they are effective, whether any breach of security has occurred and, if so, what actions can be taken to prevent future breaches. These inquiries must be answered by independent and unbiased observers; these observers are performing the task of information systems auditing. In an Information Systems (IS) environment, an audit is an examination of information systems, their inputs, outputs and processing.

The primary function of an IT audit is to evaluate the systems that are in place to guard an organisation's information. Specifically, information technology audits are used to evaluate the organisation's ability to protect its information assets and to properly dispense information to authorised parties. The IT audit aims to evaluate the following:

Types of IT audits

Various authorities have created differing taxonomies to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carrying out an IT audit:

• Technological innovation process audit. This audit constructs a risk profile for existing and new projects. The audit assesses the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organisation of each project, and the structure of the portion of the industry that deals with this project or product.

• Innovative comparison audit. This audit is an analysis of the innovative abilities of the company being audited in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.

• Technological position audit. This audit reviews the technologies that the business currently has and those it needs to add. Technologies are characterised as being either "base", "key", "pacing" or "emerging".

IT AUDIT PROCESS

The following are the basic steps in performing the information technology audit process [4]:

1. Planning

2. Studying and evaluating controls

3. Testing and evaluating controls

4. Reporting

5. Follow-up

OVERVIEW OF SECURITY STANDARDS: THE ISO 17799 STANDARD

ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organisation. (The same text was renumbered ISO/IEC 27002 in 2007; the section names below are those of the 2005 edition.) The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:

security policy;

organisation of information security;

asset management;

human resources security;

physical and environmental security;

communications and operations management;

access control;

information systems acquisition, development and maintenance;

information security incident management;

business continuity management;

compliance.

The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organisational security standards and effective security management practices, and to help build confidence in inter-organisational activities.

The standard contains 12 sections: risk assessment and treatment; security policy; organisation of information security; asset management; access control; information security incident management; human resources security; physical and environmental security; communications and operations management; information systems acquisition, development and maintenance; business continuity management; and compliance.


Within each section, information security control objectives are specified and a range of controls are outlined that are generally regarded as best practices. For each control, implementation guidance is provided. Each organisation is expected to perform an information security risk assessment prior to implementing controls.

Introduction and PCI Data Security Standard Overview

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, as well as all other entities that store, process or transmit cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks. Below is a high-level overview of the 12 PCI DSS requirements.

PCI DSS originally began as five different programs: Visa's Cardholder Information Security Program, MasterCard's Site Data Protection, American Express's Data Security Operating Policy, Discover's Information Security and Compliance, and JCB's Data Security Program. Each company's intentions were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. On December 15, 2004, these companies aligned their individual policies and released version 1.0 of the Payment Card Industry Data Security Standard (PCI DSS); the Payment Card Industry Security Standards Council (PCI SSC), which maintains the standard today, was formed in 2006.

In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0.

Version 1.2 was released on October 1, 2008, and version 1.1 was "sunsetted" on December 31, 2008. Version 1.2 did not change the requirements; it only enhanced clarity, improved flexibility and addressed evolving risks and threats. In August 2009 the PCI SSC announced the move from version 1.2 to version 1.2.1 for the purpose of making minor corrections designed to create more clarity and consistency among the standards and supporting documents.

Version 2.0 was released in October 2010 and was active for merchants and service providers from January 1, 2011 to December 31, 2014.

Version 3.0 was released in November 2013 and was active from January 1, 2014 to December 31, 2017.

Version 3.1 was released in April 2015. It has since been superseded by versions 3.2 (April 2016), 3.2.1 (May 2018) and 4.0 (March 2022).