ROC Assessment Overview
PCI DSS v3.0
Report on Compliance (ROC)
Assessment Overview
Jeff Messer
Director, TAAS
01/08/2015
Agenda
What / Why / Who
ROC Schedule
Request for Information (RFI) Process Overview
Onsite Assessment
Remote Assessment and Remediation Activities
Draft ROC Report
Quality Assurance and Draft Review
Final Report
Challenges from Experience
Questions
What / Why / Who
What is a ROC?
o Report on Compliance
Why do we need to do a ROC?
o Because you’re a Level 2 merchant, you are required to have an onsite
assessment performed on an annual basis.
Who is involved?
o Business
o IT
ROC Schedule
Period 1 - Pre-Assessment
o Documentation and Preparation
o Cardholder Data Environment (CDE) Review
• All the people, processes and technologies involved in storing,
transmitting or processing cardholder data (CHD).
Period 2 – Assessment
o ROC Process - Report on Compliance validation
ROC Process Flowchart
RFI Process - Overview
The Coalfire RFI Process is intended to prepare for and
facilitate a smooth PCI DSS assessment project.
Successful completion of each RFI Phase is critical for
meeting timeline expectations for the ROC.
RFI Phase 1
Phase 1 Documents
o Exec 1 – Business Description
o Exec 2 – Department Scope Identification Process
o Exec 3 – Dataflow Diagram(s) / Campus Scope Narrative
o Exec 4 – Network Diagram(s)
o Exec 5 – CDE Inventory
Exec 1 – Business Description
Non-marketing explanation of:
o Lines of business (e.g. retail, ecommerce, brick-n-mortar, etc.)
o Operating locations
o Revenues
o Number of employees
o Number of IT employees
o Major IT contract providers.
Exec 2 – Scope Identification Process
Covers all of the methods and processes used to identify and
document all instances of cardholder data (electronic /
paper)
Include any data discovery tools, manual or automated
processes used to ensure that no cardholder data exists
outside of the CDE.
Exec 3 – Dataflow Diagram(s) / Dept. Scope Narrative
Describe all manners in which you accept and
process payment card transactions from card data
capture through settlement.
Descriptions need to be accompanied by data
flow diagrams that highlight the flow of CHD
o Into the CDE
o Throughout the CDE
o Out of the CDE
Exec 4 – Network Diagram(s)
Depicting the CDE
All of the CDE boundaries
How it is connected to (and/or segmented from)
other networks.
The diagrams should be both high-level and
detailed.
Exec 5 – CDE Inventory
CDE Inventory spreadsheet documents all in-scope systems
that make up the CDE.
The inventory must align with all information previously
provided.
Completion of this inventory is critical for scheduling and
sampling purposes.
RFI Phase 2
Phase 2 Documents
o Provide a complete “RFI Phase 2” document
• Mapping your documentation to all applicable PCI DSS requirements
• Identifying the Owner(s) for each and the Owner Contact(s) for each
requirement.
o Provide the documentation to Coalfire.
o Onsite scheduling:
• Interviews (Interview Schedule)
• Assessments
• Evidence Collection
RFI Phase 2 Spreadsheet
Onsite Assessment
Assess all in-scope facilities
Conduct interview sessions with key personnel
Perform all necessary technical validation
Remote Assessment & Remediation
Remote Assessment
o This time period is to complete any review activity that was not
completed during the onsite assessments.
Remediation
o This time period is to validate that any issues identified during
the assessment have been addressed (i.e. remediated).
Draft ROC Report
We begin writing the ROC report as soon as the Phase 1
documentation has been collected and is complete.
After all review and remediation activities have completed,
the draft report will be issued.
Quality Assurance and Draft Review
The draft report will be reviewed both by the Campus and by
Coalfire’s QA process.
The draft will go through iterations until it successfully
completes both reviews.
Final Report
Campus approves the content of the draft report.
Final Report on Compliance (ROC) and the associated
Attestation of Compliance (AOC) will be signed and issued.
Challenges from Experience
Take this seriously; you don’t want to be a headline.
Most merchants overestimate their level of control and
underestimate the scope of their environment.
Read the PCI DSS v3.0 to ensure you understand the
requirements.
Think out of the box; don’t assume you know your scope,
take time to validate it.
Surprises are found during penetration testing and
vulnerability scanning.
Remediation always takes longer than you think.
Questions?