Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ed Hudson, Systemwide Director, Information Security Gina Curry, Director, Student Financial Services Center & University Bursar, CSU Sacramento.

Published byCynthia Hall Modified over 8 years ago

Similar presentations

Presentation on theme: "Ed Hudson, Systemwide Director, Information Security Gina Curry, Director, Student Financial Services Center & University Bursar, CSU Sacramento."— Presentation transcript:

1 Ed Hudson, Systemwide Director, Information Security Gina Curry, Director, Student Financial Services Center & University Bursar, CSU Sacramento

2 Summary Of Changes Effective January 2014 Change Types Clarification Additional Guidance Evolving Requirement (20)

3 5 Key Areas Penetration Testing Inventorying of System Components Vendor Relationships AntiMalware Physical Access and Point of Sale (POS)

4 Penetration Testing (11.3) Penetration testing must follow “Industry Accepted Methodology” Best Practice until June 30, 2015 Why is this an issue?

5 Inventorying System Components (2.4) “Maintain an inventory of system components that are in scope for PCI DSS All hardware (Virtual or Physical) Software (Commercial or custom) Applications (off the shelf, external or internal) Requires that assessors “verify a list of hardware and software components including a description of function Authorized Wireless AP (11.1.1)

6 Vendor Relationships (12.8.5 & 12.9) Requires explicit documentation Which PCI requirements are managed by you, or by a vendor and which vendors (Matrix) Matrix Contractual requirements

7 AntiMalware (5.1.2) Requires campuses to “identify and evaluate evolving malware threats for systems not commonly affected Requires specific authorization from management to disable or alter antivirus and that is time limited

8 Physical Access and POS (9.3) Control access for onsite personnel Access be authorized and based on job function Revoked immediately upon termination Protect devices from tampering/substitution (9.9) Consider non standard POS Food Trucks, carts etc Inventory and regular checking/inspection and policy

9 Building a plan Partner on ownership Engage senior executives Plan Communicate

10 Prioritized Approach

11

12

13 Case Study: Sacramento State Partner – SFSC partnered with the campus ISO Plan – ISO and SFSC implemented required training, document gathering and periodic review Developed tracking process Engaged Administration Imposed “penalties” for non-compliance (“Shut ‘er Down)

14 Case Study: Sacramento State ICSUAM –Section 3102.05 http://www.calstate.edu/icsuam/sections/3000/3102.0 5.shtml http://www.calstate.edu/icsuam/sections/3000/3102.0 5.shtml Write a Campus Policy to support the ICSUAM http://www.csus.edu/umanual/admin/ADM-0117.html http://www.csus.edu/umanual/admin/ADM-0117.html

15 Case Study: Sacramento State

16

17

18

19

20 Report goes at least annually to Vice President for Administration and Business Affairs and the Vice President & Chief Information Officer To date, 3 departments were “shut down” until they could come into reasonable compliance

21 Case Study: Sacramento State You are welcome to copy our templates for your use There is also a sample training presentation available http://www.csus.edu/irt/is/pci/presentations/index.html

22

Download ppt "Ed Hudson, Systemwide Director, Information Security Gina Curry, Director, Student Financial Services Center & University Bursar, CSU Sacramento."

Similar presentations

PCI DSS for Retail Industry

PCI DSS for Retail Industry
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
Transition from Q1- 8th to Q1- 9th edition

Transition from Q1- 8th to Q1- 9th edition
CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
G R C The Science of Compliance ® ®. Craig Isaacs CEO, Unified Compliance Framework The world's largest and most reviewed legal framework. 2.

G R C The Science of Compliance ® ®. Craig Isaacs CEO, Unified Compliance Framework The world's largest and most reviewed legal framework. 2.
Topics Changes Risk Assessments Cloud Data Security / Data Protection Licenses, Copies, Instances Limits of Liability and Indemnification Requests for.

Topics Changes Risk Assessments Cloud Data Security / Data Protection Licenses, Copies, Instances Limits of Liability and Indemnification Requests for.
IT Security Law for Federal Agencies As of: 30 December 2002.

IT Security Law for Federal Agencies As of: 30 December 2002.
Establishing an Existing and Emerging Technologies Committee on your Campus AHEAD 2014 Presented by UAB Disability Support Services and UAB Legal Counsel:

Establishing an Existing and Emerging Technologies Committee on your Campus AHEAD 2014 Presented by UAB Disability Support Services and UAB Legal Counsel:
HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.

HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
C USTOMER CREDIT CARD AND DEBIT CARD SECURITY (PCI – DSS COMPLIANCE) What is PCI – DSS Compliance and Who needs to do this?

C USTOMER CREDIT CARD AND DEBIT CARD SECURITY (PCI – DSS COMPLIANCE) What is PCI – DSS Compliance and Who needs to do this?
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
Enterprise Content Management Pre-Proposal Conference for RFP No. ISD2006ECM-SS December 6, 2006 California Administrative Office of the Courts Information.

Enterprise Content Management Pre-Proposal Conference for RFP No. ISD2006ECM-SS December 6, 2006 California Administrative Office of the Courts Information.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Jeff Williams Information Security Officer CSU, Sacramento

Jeff Williams Information Security Officer CSU, Sacramento
Security Controls – What Works

Security Controls – What Works
Laboratory Personnel Dr/Ehsan Moahmen Rizk.

Laboratory Personnel Dr/Ehsan Moahmen Rizk.
Kevin R Perry August 12, 2014. Part 1: High Level Changes & Clarifications.

Kevin R Perry August 12, Part 1: High Level Changes & Clarifications.
Why Comply with PCI Security Standards?

Why Comply with PCI Security Standards?

Similar presentations

Ads by Google