Information Security Policy and PCI DSS Quiz

Study Notes

Information Security Policy Document Control

The document outlines high-level policy objectives for information security and applies to people, processes, and IT systems within the organization.
The policy emphasizes the protection of information assets, outlining potential consequences of breaches in information security.
It delineates roles and responsibilities for personnel, line management, and senior management, emphasizing the importance of personnel education and awareness.
Network security measures include firewall management, documentation, architecture, and configuration, as well as regulations for wireless networks.
System builds are required to adhere to configuration build standards and system management services, with a focus on removing default settings and using strong encryption.
Data security measures cover data storage, transmission, and specific requirements for handling cardholder data, including encryption and authorization protocols.
The policy outlines requirements for anti-virus deployment, patching, and vulnerability management, including the application of critical security updates and vulnerability tracking.
It defines standards for software development, change management, and access control, emphasizing the need to follow specific procedures for system access.
Physical security policies cover site access and media security, while system logging requirements include configurations, time settings, and audit trail security.
Network testing protocols encompass wireless testing, vulnerability scanning, and penetration testing, with specific requirements for intrusion detection and prevention systems and file integrity monitoring.
The document includes a user declaration and outlines PCI requirements, including the installation and maintenance of firewall configurations, encryption of cardholder data, and other security measures.
It also contains an annex with a glossary of terms and references to industry standards such as the Payment Card Industry Data Security Standard (PCI DSS).PCI DSS and Security Requirements Summary
PCI DSS is the standard developed by PCI Security Standards Council for entities that store, process, or transmit cardholder data.
Requirement 9 mandates assigning a unique ID to each person with computer access.
Requirement 10 involves restricting physical access to cardholder data.
Requirement 11 necessitates tracking and monitoring all access to network resources and cardholder data.
Requirement 12 mandates regularly testing security systems and processes.
Annex A provides a glossary of terms, including definitions for PCI DSS and insecure service.
Insecure service refers to any service that transmits data in an unencrypted format or is susceptible to well-known attacks or vulnerabilities.
A public network is any network not managed by the organization and can be monitored or intercepted by other entities.
DMZ (Demilitarized Zone) is a subnet that contains an organization's external-facing services and is exposed to a larger, untrusted network.
Inbound traffic refers to traffic coming from outside the organization flowing into the organization via routers or firewalls.
Outbound traffic refers to traffic coming from inside the organization flowing out via routers or firewalls.
Sensitive Authentication Data (SAD) includes full magnetic stripe data, PINs, PIN blocks, and the primary account number (PAN).

Description

This quiz covers topics related to information security policies, network security measures, data security, system builds, PCI DSS standards, network testing protocols, and more. It includes key concepts such as document control, roles and responsibilities, physical security policies, and requirements for anti-virus deployment and vulnerability management.