Questions and Answers
What is the focus of the Information Security Policy Document?
What does PCI DSS stand for?
What is the purpose of a DMZ in network security?
What does Sensitive Authentication Data (SAD) include?
What is included in Cardholder data (CHD)?
What are the requirements 9-12 of PCI DSS related to?
What is the purpose of a firewall in the context of the Information Security Policy Document?
What is the significance of removing vendor default settings from systems?
What is the emphasis of the Information Security Policy Document regarding personnel?
Study Notes
Information Security Policy Document Control
- The document outlines information security policy for data, including cardholder data, based on the Payment Card Industry Data Security Standard (PCI DSS).
- The policy sets high-level objectives for systems and behaviors, with detailed responsibilities for personnel, line management, and senior management.
- It covers network security, system builds, data security, anti-virus measures, patching and vulnerability management, software development, change management, access control, physical security, system logging, network testing, and monitoring tools.
- Specific requirements are detailed for firewall management, firewall documentation, firewall architecture and configuration, wireless networks, system builds, configuration build standards, system management services, data storage and transmission, anti-virus configuration, patch management, vulnerability management, software development, access control policy, physical site access and security policy, media security, system log configurations, audit trail security, network testing, penetration testing, and monitoring tools.
- It emphasizes the importance of personnel education and awareness in protecting information assets and the serious consequences of information security breaches.
- It requires all firewalls to be managed with documented roles and responsibilities, with regular review of firewall and router rules.
- It mandates that all systems must have vendor default settings removed or changed, and be built to documented configuration standards aligned with external standards.
- It requires encryption of cardholder data across public networks and deployment of anti-virus on all systems commonly affected by malware.
- It specifies the need for regular patching and vulnerability management, as well as secure software development practices and access control policies.
- It mandates physical site access and security policies, media security, system log configurations, time settings, access control policies, and comprehensive network testing and monitoring tools.
- It outlines specific PCI high-level requirements related to firewall configuration, system passwords, stored cardholder data, encryption of data transmission, anti-virus software, secure systems and applications, access restriction, and regular security testing.
- It requires a user declaration stating compliance with the Information Security Policy.
PCI DSS and Network Security Requirements Summary
- PCI DSS is a standard for entities that store, process, or transmit cardholder data.
- Requirements 9-12 include unique IDs for computer access, physical access restrictions, network access monitoring, and security system testing.
- Annex A provides a glossary of terms, including definitions for terms like "insecure service" and "public network".
- DMZ refers to a subnet that exposes an organization's external-facing services to an untrusted network.
- Inbound traffic flows into the organization, while outbound traffic flows out of the organization.
- Sensitive Authentication Data (SAD) includes magnetic stripe data, PINs, and other payment card information.
- Cardholder data (CHD) includes the primary account number, cardholder name, and expiration date.
Description
Test your knowledge on information security policies and the Payment Card Industry Data Security Standard (PCI DSS) requirements. Explore topics such as network security, data encryption, access control policies, physical security, and system logging.