
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Chapter 1

CISSP All-in-One Exam Guide


80
Payment Card Industry Data Security Standard (PCI DSS)
Identity theft and credit card fraud are increasingly more common. Not that these things
did not occur before, but the advent of the Internet and computer technology have combined
to create a scenario where attackers can steal millions of identities at a time.
The credit card industry took proactive steps to curb the problem and stabilize
customer trust in credit cards as a safe method of conducting transactions. Each of the
four major credit card vendors in the United States developed its own program that its
customers had to comply with:

• Visa Cardholder Information Security Protection (CISP)
• MasterCard Site Data Protection (SDP)
• Discover Discover Information Security and Compliance (DISC)
• American Express Data Security Operating Policy (DSOP)

Eventually, the credit card companies joined forces and devised the Payment Card
Industry Data Security Standard (PCI DSS). The PCI Security Standards Council was
created as a separate entity to maintain and enforce the PCI DSS.
The PCI DSS applies to any entity that processes, transmits, stores, or accepts credit
card data. Varying levels of compliance and penalties exist and depend on the size of
the customer and the volume of transactions. However, credit cards are used by tens
of millions of people and are accepted almost anywhere, which means just about every
business in the world is affected by the PCI DSS.
The PCI DSS is made up of 12 main requirements broken down into six major
categories. The six categories of PCI DSS are Build and Maintain a Secure Network
and Systems, Protect Cardholder Data, Maintain a Vulnerability Management Program,
Implement Strong Access Control Measures, Regularly Monitor and Test Networks, and
Maintain an Information Security Policy.

NOTE According to PCI DSS 3.1, Secure Sockets Layer (SSL) and early
Transport Layer Security (TLS) are not considered secure. New systems
should not use them, and existing systems can only use them until June
2016 provided they incorporate risk mitigations.

The control objectives are implemented via 12 requirements, as stated at
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml:

• Install and maintain a firewall configuration to protect cardholder data.
• Do not use vendor-supplied defaults for system passwords and other security
parameters.
• Protect stored cardholder data.
• Encrypt transmission of cardholder data across open, public networks.
• Protect all systems against malware and regularly update antivirus software
or programs.

Chapter 1: Security and Risk Management
• Develop and maintain secure systems and applications.
• Restrict access to cardholder data by business need to know.
• Identify and authenticate access to system components.
• Restrict physical access to cardholder data.
• Track and monitor all access to network resources and cardholder data.
• Regularly test security systems and processes.
• Maintain a policy that addresses information security for all personnel.

The PCI DSS is a private-sector industry initiative. It is not a law. Noncompliance
or violations of the PCI DSS may result in financial penalties or possible revocation of
merchant status within the credit card industry, but not jail time. However, Minnesota
became the first state to mandate PCI compliance as a law, and other states, as well as the
U.S. federal government, are implementing similar measures.

NOTE As mentioned before, privacy is being dealt with through laws,
regulations, self-regulations, and individual protection. The PCI DSS is an
example of a self-regulation approach. It is not a regulation that came down
from a government agency. It is an attempt by the credit card companies
to reduce fraud and govern themselves so the government does not have
to get involved. While the CISSP exam will not ask you specific questions on
specific laws, in reality you should know this list of regulations and laws (at
the minimum) if you are serious about being a security professional. Each
one of these directly relates to information security. You will find that most
of the security efforts going on within companies and organizations today
are regulatory driven. You need to understand the laws and regulations to
know what controls should be implemented to ensure compliance.

Many security professionals are not well versed in the necessary laws and regulations.
One person may know a lot about HIPAA, another person might know some about
GLBA, but most organizations do not have people who understand all the necessary
legislation that directly affects them. You can stand head and shoulders above the rest by
understanding cyberlaw and how it affects various organizations.

Employee Privacy Issues

Within a corporation, several employee privacy issues must be thought through and
addressed if the company wants to be properly protected against employee claims of invasion
of privacy. An understanding that each state and country may have different privacy
laws should prompt the company to investigate exactly what it can and cannot monitor
before it does so.
If a company has a facility located in a state that permits keyboard, e-mail, and
surveillance camera monitoring, for example, the company must take the proper steps to
ensure that the employees of that facility know that these types of monitoring may be put

into place. This is the best way for a company to protect itself legally, if necessary, and to
avoid presenting the employees with any surprises.
The monitoring must be work related, meaning that a manager may have the right to
listen in on his employees’ conversations with customers, but he does not have the right
to listen in on personal conversations that are not work related. Monitoring also must
happen in a consistent way, such that all employees are subjected to monitoring, not just
one or two people.
If a company feels it may be necessary to monitor e-mail messages and usage, this
must be explained to the employees, first through a security policy and then through
a constant reminder such as a computer banner or regular training. It is best to have
employees read a document describing what type of monitoring they could be subjected
to, what is considered acceptable behavior, and what the consequences of not meeting
those expectations are. The employees should be asked to sign this document, which can
later be treated as a legally admissible document if necessary. This document is referred to
as a waiver of reasonable expectation of privacy (REP). By signing the waiver, employees
waive their expectation to privacy.

CAUTION It is important to deal with the issue of reasonable expectation
of privacy (REP) when it comes to employee monitoring. In the U.S. legal
system, the REP standard is used when defining the scope of the privacy
protections provided by the Fourth Amendment of the Constitution. If
employees are not specifically informed that work-related monitoring is
possible and/or probable, when the monitoring takes place, employees
could claim that their privacy rights have been violated and launch a civil
suit against your company.

Prescreening Personnel
It is important to properly screen individuals before hiring them into a corporation.
These steps are necessary to help the company protect itself and to ensure
it is getting the type of employee required for the job. This chapter looks at some
of the issues from the other side of the table, which deals with that individual’s
privacy rights.
Limitations exist regarding the type and amount of information that an
organization can obtain on a potential employee. The limitations and regulations
for background checks vary from jurisdiction to jurisdiction, so the hiring manager
needs to consult the legal department. Usually human resources has an outline for
hiring managers to follow when it comes to interviews and background checks.

A company that intends to monitor e-mail should address this point in its security
policy and standards. The company should outline who can and cannot read employee
messages, describe the circumstances under which e-mail monitoring may be acceptable,

and specify where the e-mail can be accessed. Some companies indicate that they will
only monitor e-mail that resides on the mail server, whereas other companies declare
the right to read employee messages if they reside on the mail server or the employee’s
computer. A company must not promise privacy to employees that it does not then
provide, because that could result in a lawsuit. Although IT and security professionals
have access to many parts of computer systems and the network, this does not mean it is
ethical and right to overstep the bounds in a way that could threaten a user’s privacy and
put the company at risk of legal action. Only the tasks necessary to enforce the security
policy should take place and nothing further that could compromise another’s privacy.
Many lawsuits have arisen where an employee was fired for doing something wrong
(downloading pornographic material, using the company’s e-mail system to send out
confidential information to competitors, and so on), and the employee sued the company
for improper termination. If the company has not stated in its policy that these types
of activities are prohibited and has not made reasonable effort to inform the employee
(through security awareness, computer banners, the employee handbook, and so on)
of what is considered acceptable and not acceptable and the resulting repercussions for
noncompliance, then the employee could win the lawsuit and receive a large chunk of
money from the company. So policies, standards, and security-awareness activities need
to spell out these issues; otherwise, the employee’s lawyer will claim the employee had an
assumed right to privacy.

Personal Privacy Protection

End users are also responsible for their own privacy, especially as it relates to protecting
the data that is on their own systems. End users should be encouraged to use
common sense and best practices. This includes the use of encryption to protect
sensitive personal information, as well as firewalls, antivirus software, and patches to
protect computers from becoming infected with malware. Documents containing
personal information, such as credit card statements, should also be shredded. Also,
it’s important for end users to understand that when data is given to a third party, it
is no longer under their control.

Review of Ways to Deal with Privacy

Current methods of privacy protection and examples are as follows:

• Laws on government: FPA, VA ISA, USA PATRIOT
• Laws on corporations: HIPAA, HITECH, GLBA, PIPEDA
• Self-regulation: PCI DSS
• Individual user: Passwords, encryption, awareness
